Privacy Policy
Last updated: April 13, 2026 — Version 2.0
1. Data Controller
GeraClinic is operated by Gera Systems (“we”, “us”, “our”), registered in England and Wales. We are the data controller for personal data collected through this platform.
- Website: geraclinic.com
- Data Protection contact: privacy@gera.services
This policy applies under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where health data is concerned, it is treated as special category data under UK GDPR Article 9.
2. What Personal Data We Collect
2.1 Identity and Contact Data
Full name, date of birth, email address, phone number, home address, profile photo.
2.2 Health and Medical Data (Special Category)
Medical history, symptoms, diagnoses, prescriptions, lab test results, consultation notes, recordings (where consented), and any information you share with healthcare professionals through the platform. This is special category data under UK GDPR Article 9 and is processed only with your explicit consent or where necessary to protect vital interests.
2.3 Transaction and Payment Data
Payment method type, last four digits of cards, billing address, consultation fees paid, subscription status, and refund history. Full card numbers are not stored by us.
2.4 Usage and Technical Data
IP address, browser type, device identifiers, pages visited, session duration, crash logs, and referral URLs.
2.5 Location Data
Approximate location from IP address. Precise GPS location only when you grant permission via our mobile app (used to show nearby clinics and pharmacies).
2.6 Communications
Support messages, feedback, and correspondence. Consultation recordings only where you have given explicit prior consent.
3. Why We Collect Your Data and Legal Basis
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) |
| Facilitating telemedicine consultations | Contract + Explicit Consent (Art. 6(1)(b) + Art. 9(2)(a)) |
| Sharing health data with your chosen doctor | Explicit Consent (Art. 9(2)(a)) |
| Processing payments | Contract (Art. 6(1)(b)) |
| Fraud prevention and platform security | Legitimate Interests (Art. 6(1)(f)) |
| Compliance with healthcare and tax regulations | Legal Obligation (Art. 6(1)(c)) |
| Platform analytics and improvement | Legitimate Interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) — opt out any time |
4. How Long We Keep Your Data
| Data Type | Retention Period | Reason |
|---|---|---|
| Medical records and consultation notes | 8 years from last consultation (adults); until age 25 for minors | NHS Records Management Code of Practice |
| Payment and financial records | 6 years | HMRC / Taxes Management Act 1970 |
| Account data (after closure) | 2 years | Dispute resolution |
| Analytics data | 13 months rolling | ICO guidance |
| Support communications | 3 years | Legitimate interest |
5. Who We Share Your Data With
We do not sell your personal data. We share data only as necessary:
- Healthcare professionals — doctors and clinicians you book through GeraClinic, strictly with your consent and only the data required for your consultation
- Pharmacy partners — prescription details when you request dispensing (with your consent)
- Railway (backend infrastructure hosting)
- Neon (PostgreSQL database, EU region)
- Vercel (web application hosting)
- Stripe (payment processing — they do not receive health data)
- PostHog (EU Cloud — product analytics; no health data)
- Sentry (EU — error monitoring; no health data)
- Resend (transactional email)
- Legal and regulatory authorities — when required by law or court order
Health data is never shared with analytics or advertising platforms. All processors are bound by GDPR-compliant Data Processing Agreements.
6. International Data Transfers
Data may be processed in the UK, EEA, and US. Transfers outside the UK use UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses. Health data is processed only in UK/EEA regions.
7. Your Rights Under UK GDPR
You have the right to: access your data (including your full medical record held by us), rectify inaccuracies, request erasure (subject to medical record retention obligations), restrict processing, receive a portable copy, object to processing, and withdraw consent.
To exercise any right, email privacy@gera.services with “Data Rights Request” in the subject line. We respond within one calendar month.
You may also complain to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
8. Cookies
We use strictly necessary cookies (session, security), functional cookies (language, preferences), and — with your consent — analytics cookies (PostHog). We do not use advertising cookies on GeraClinic. See our Cookie Policy for full details.
9. Children's Privacy
GeraClinic is intended for users aged 18 and over. Users aged 16–17 may access the platform with verifiable parental or guardian consent. Gillick competence applies for healthcare decisions for users under 16 in exceptional circumstances. We do not knowingly collect data from children under 13.
10. Security
We apply TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access controls, multi-factor authentication on all admin systems, continuous monitoring via Sentry, and regular OWASP Top 10 audits. In the event of a data breach, we notify the ICO within 72 hours and affected users without undue delay.
11. Changes to This Policy
Material changes will be communicated by email and platform notice at least 30 days before taking effect. The “Last updated” date above shows when this version was published.
12. Contact Us
- Data Protection: privacy@gera.services
- Support: support@geraclinic.com
- Website: geraclinic.com