01 Who we are
This Privacy Policy applies to Practice Presence Ltd ("Practice Presence", "we", "us", "our"), a company registered in England and Wales and a wholly-owned subsidiary of Hayati Medical Solutions Ltd, our parent company.
Practice Presence is the data controller for personal data we collect about you when you visit our website, contact us, or engage us to provide online presence services to your medical practice. Where we process personal data relating to your patients on your behalf, we act as a data processor and you remain the data controller.
Our registered office address and ICO registration details are available on request and will be confirmed in any service agreement we enter into with you.
Two privacy roles, two different responsibilities: we are the controller for data about you (the doctor or business contact). We are the processor for data about your patients that may pass through our systems. Section 5 explains the patient-data side in more detail.
02 Data we collect
We collect different types of personal data depending on how you interact with us. The table below summarises the main categories.
| Category | What this includes |
|---|---|
| Identity & contact | Your name, professional title, GMC number, specialty, practice name, work address, email, mobile number |
| Account & engagement | Service Agreement details, package selected, billing contact, designated approval contact, communication history |
| Financial | Bank details for invoicing and direct debits (we do not store full card details — payment processing is handled by regulated third parties) |
| Marketing content | Photographs, voice notes, videos, biographical material, and any other content you provide for use in your online presence |
| Website usage | Form submissions (name, email, message), IP address, device type, browser, pages visited, referrer source — collected via privacy-friendly analytics |
| Patient data (as processor) | Patient names and contact details where required for review-request systems; testimonials and case studies (only with patient consent in writing) |
03 How we use your data
We use personal data for the following purposes:
- Providing the Services — building and maintaining your website, managing your Doctify and Google profiles, creating and scheduling content, and operating the review-collection system;
- Communicating with you — answering enquiries, sending content for Approval, providing performance reports, handling billing queries;
- Billing and payment — issuing invoices, collecting Setup and Monthly Fees, maintaining accounting records as required by law;
- Improving our service — analysing aggregated, anonymised data to understand what content performs well and refine our approach;
- Marketing — with your consent, sending you occasional updates about our services. You can unsubscribe at any time;
- Legal and regulatory — complying with our legal obligations, responding to regulators or courts, and dealing with disputes.
04 Our legal basis for processing
Under UK GDPR, we must have a lawful basis for processing your personal data. Depending on the activity, our basis is one of the following:
- Contract — to take steps before entering into and to perform our Service Agreement with you (most service-related processing falls under this basis);
- Legal obligation — to comply with UK tax, accounting, anti-money-laundering, and other regulatory requirements;
- Legitimate interests — to operate, secure, and improve our business, and to send relevant business communications (we have considered your interests and rights and believe this processing does not unfairly affect you);
- Consent — for marketing communications, optional cookies, and any use of your image, voice, or testimonial. You can withdraw consent at any time.
05 Patient data — our role as processor
Where we process personal data relating to your patients on your behalf — for example, sending automated post-consultation review-request messages — we act as a data processor. You remain the data controller for that data and are responsible for the lawful basis on which it is shared with us.
When we process patient data, we will:
- Process the data only on your documented written instructions;
- Ensure that personnel processing the data are bound by confidentiality;
- Implement appropriate technical and organisational security measures (see section 9);
- Not engage another processor without your prior written consent;
- Assist you in responding to data subject requests and security incidents;
- Delete or return all patient data on termination of our engagement, at your option;
- Make available all information necessary to demonstrate our compliance with this section.
We will never include patient-identifiable information in published Content unless the patient has given express written consent in a form approved in advance by us.
Your responsibility as controller: before sharing patient contact details with us for review-request systems, you must have a lawful basis under UK GDPR (typically legitimate interests or consent) and have informed your patients via your own privacy notice. We can advise, but the controller obligation is yours.
06 Sharing your data
We do not sell your personal data. We share it only with the following categories of recipients, and only where necessary:
- Service providers acting on our behalf — for example, our hosting provider, email platform, scheduling tools, analytics provider, accounting software, and payment processor. All are bound by written contracts requiring them to protect your data;
- Platforms you ask us to manage — Doctify, Google Business Profile, Instagram, Facebook, TikTok. Each has its own privacy policy that applies once data is passed to them;
- Our parent company, Hayati Medical Solutions Ltd — for shared back-office support, governance, and legitimate group operations, on terms equivalent to those in this Policy;
- Professional advisers — lawyers, accountants, auditors, insurers — bound by professional confidentiality;
- Regulators and authorities — where we are required to disclose by law, court order, or regulatory request;
- A buyer or successor — in the event we sell, merge, or restructure our business.
07 International transfers
Most of our processing takes place within the UK or European Economic Area (EEA). Where some service providers (for example, certain analytics or hosting tools) process data outside the UK and EEA, we ensure appropriate safeguards are in place — typically the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or transfer to a country covered by an adequacy decision.
You can request details of the specific safeguards in place for any transfer by contacting us at [email protected].
08 How long we keep your data
We keep personal data only for as long as necessary for the purpose for which it was collected. Typical retention periods are:
- Enquiry and contact data — up to 24 months from last contact, then deleted unless you become a client;
- Client account data — for the duration of our engagement plus six years after termination, in line with HMRC and contractual record-keeping requirements;
- Financial records — six years after the end of the relevant tax year;
- Marketing data — until you withdraw consent or until three years of inactivity have passed, whichever is sooner;
- Patient data (as processor) — only as long as needed for the specific processing task, then deleted or returned to you in line with our processing instructions.
09 Security
We take security seriously and use a combination of technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS) for all data passing between you, us, and our service providers;
- Encryption at rest where supported by our hosting and storage providers;
- Access controls — only personnel who need access for their role can access personal data, and we use strong, unique passwords and multi-factor authentication;
- Confidentiality obligations on all employees and subcontractors;
- Regular software updates, daily backups, and monitoring;
- Vendor due-diligence on the security practices of our processors and partners.
No system is 100% secure. If we become aware of a personal data breach affecting your data, we will notify you and (where required) the Information Commissioner's Office without undue delay (see section 12).
10 Your rights
Under UK GDPR, you have the following rights in respect of your personal data:
- Access — to ask us for a copy of the personal data we hold about you;
- Rectification — to ask us to correct inaccurate or incomplete data;
- Erasure — to ask us to delete your data, subject to limitations (e.g. legal record-keeping);
- Restriction — to ask us to limit our processing in certain circumstances;
- Portability — to receive your data in a structured, commonly-used format;
- Object — to object to processing based on legitimate interests, including direct marketing;
- Withdraw consent — where processing is based on consent, you can withdraw at any time;
- Complain — to the Information Commissioner's Office (see section 14).
To exercise any of these rights, email us at [email protected]. We will respond within one month. We may need to verify your identity before fulfilling a request.
11 Cookies and analytics
Our website uses a small number of cookies and similar technologies. These fall into the following categories:
- Essential cookies — required for the site to function (e.g. session security). These do not require consent;
- Analytics cookies — to understand how visitors use the site so we can improve it. We use a privacy-friendly analytics tool that does not track individuals across sites and does not require a cookie banner under most interpretations of UK PECR. We do not use Google Analytics or other ad-tech trackers;
- Marketing cookies — we do not currently use marketing or advertising cookies. If we ever do, we will update this policy and ask for your consent first.
You can disable cookies in your browser at any time, though some site features may stop working as expected.
12 Data breaches
If a personal data breach occurs and is likely to result in a risk to your rights and freedoms, we will:
- Notify the affected individuals and the Information Commissioner's Office without undue delay, and in any event within 72 hours where required by law;
- Where we are acting as your processor (for patient data), notify you within 48 hours of becoming aware so that you can fulfil your own controller obligations;
- Take immediate steps to contain the breach, investigate the cause, and prevent recurrence.
13 Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. The "Last updated" date at the top of the page shows when it was last revised. Material changes affecting active clients will be communicated by email.
14 Contact and complaints
If you have any questions about this Privacy Policy, want to exercise your rights, or wish to make a complaint, please contact us first so we can try to resolve the matter:
Practice Presence Ltd
A subsidiary of Hayati Medical Solutions Ltd
Email: [email protected]
Website: practicepresence.co.uk
If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
Version 1.0 · Last updated 2 May 2026. By using our website or engaging our services you confirm you have read and understood this Privacy Policy.