Privacy Policy

The data controller for your personal data is Sams Care, operated by Sepideh Sadig Baheran, NMC-registered Independent Nurse Prescriber, practising in the United Kingdom.

Contact us regarding data protection matters at: sb.samscare@gmail.com

We are registered with the Information Commissioner’s Office (ICO) as required under the UK Data Protection Act 2018.

When you submit a prescription request or use our services, we collect:

• Identity data: full name, date of birth
• Contact data: email address, phone number
• Special category health data (Article 9 UK GDPR): medical conditions, known allergies, current medications, relevant clinical history
• Clinical data: details of the medication or treatment requested, indications, red flags declared
• Consent records: GDPR consent timestamp, IP address hash, consent version
• Communications: messages sent between you and our clinical team
• Technical data: IP address (hashed), browser type, access timestamps (for security audit purposes only)

Special category data:Health and medical information is classified as “special category” data under Article 9 of the UK GDPR. We only process this data with your explicit consent, which you provide when submitting a request. You may withdraw consent at any time, though this may prevent us from providing clinical services.

We process your data for the following purposes and legal bases:

We do not use your data for marketing, sell your data to third parties, or use it for automated decision-making that produces legal effects without clinical oversight.

Medical and clinical records are retained for 8 years from the date of your last interaction with us, in compliance with NMC standards for prescribers and NHS/professional body guidance on medical records retention.

For patients who were under 18 at the time of treatment (note: we do not treat under-18s, but in the event of an error), records would be retained until age 25, or 8 years — whichever is longer.

After the retention period expires, your data will be securely and permanently deleted from all systems including backups.

We share your data only where necessary with the following trusted third-party processors, all operating under appropriate data processing agreements:

We may also disclose data where required by law, court order, or to regulatory bodies such as the NMC, CQC, or police in connection with a criminal investigation.

As a data subject under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights:

To exercise any right, email us at sb.samscare@gmail.com. We may ask you to verify your identity before responding.

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

We would always appreciate the opportunity to address your concerns directly before you approach the ICO.

All data is encrypted at rest and in transit using industry-standard TLS 1.3 and AES-256 encryption. Access to patient records is restricted to authorised clinical staff only, protected by multi-factor authentication.

Prescription documents and uploaded files are stored in a private, non-public storage bucket. Access is governed by time-limited signed URLs and role-based access controls.

All actions on patient records are recorded in an immutable audit log, including who accessed what and when.

We use only essential cookies required for authentication and session management. We do not use advertising or tracking cookies. Please see our Cookie Policy for full details.

We may update this policy from time to time. Material changes will be communicated by updating the “Last updated” date at the top of this page. Continued use of our services after a change constitutes acceptance of the updated policy.