Privacy Policy
Last Updated: April 16, 2026
1. Introduction
Welcome to DoctorCert UK ("we," "us," or "our"). We are committed to protecting your personal data and respecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This privacy policy explains how we collect, use, store, and protect the information you provide when using our online medical certificate service. It applies to all users of our website and services.
We act as the Data Controller for your personal information. Our contact details for data protection enquiries are set out in Section 11 below.
2. Personal Data We Collect
We collect and process the following categories of personal data when you use our service:
- Identity Data: Your full name and date of birth.
- Contact Data: Email address and mobile telephone number.
- Health Data (Special Category Data): Information regarding your medical condition, symptoms, and reason for requesting a medical certificate, as provided by you during the booking process and any subsequent clinical review.
- Service Data: Details of your certificate request, including requested dates of coverage and clinical notes recorded by the reviewing doctor.
- Transaction Data: Payment information necessary to process your order. We do not store full payment card numbers; payment processing is handled by a PCI-DSS compliant third-party payment provider.
- Communications Data: Records of correspondence between you and our team or clinicians, including any consent you provide.
- Diagnostic Data: Limited technical information needed to keep the service secure and reliable, such as error details, route paths, browser or device information, and timestamps. We configure our monitoring tools to avoid collecting form contents, clinical notes, certificate text, full query strings, cookies, or payment session identifiers.
- Usage Data: If you consent to analytics cookies, limited technical data about visits to our public pages, such as page views, browser and device information, referral source, broad location information, and high-level interactions with page content.
- Advertising Measurement Data: If you consent to advertising measurement cookies, limited click and campaign identifiers may be used to understand which adverts lead to paid requests. We do not use these cookies to collect form contents, clinical notes, health information, or payment session identifiers, and we do not use them for remarketing or personalised adverts.
We do not collect identity verification documents or billing addresses. Optional analytics and advertising measurement cookies are disabled by default and only activated if you choose to allow them.
3. Lawful Basis for Processing
We rely on the following lawful bases under UK GDPR to process your personal data:
- Performance of a Contract (Article 6(1)(b)): Processing is necessary to provide you with the medical certificate service you have requested and paid for.
- Provision of Health Care (Article 9(2)(h)): Your health data (special category data) is processed for the provision of health care by or under the responsibility of a health professional who is subject to professional obligations of confidentiality. Our clinicians are registered with the General Medical Council (GMC) and bound by GMC confidentiality guidance.
- Legal Obligation (Article 6(1)(c)): We may process your data where required to comply with legal or regulatory requirements, including medical record-keeping obligations.
- Legitimate Interests (Article 6(1)(f)): We process limited data for the purposes of fraud prevention, service improvement, and maintaining the security of our systems, where these interests do not override your rights and freedoms.
- Consent (Article 6(1)(a)): Where we process your data based on consent, including optional cookies and optional communications, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
4. How We Use Your Data
We use your personal data for the following purposes:
- To process your medical certificate request and facilitate clinical review by a GMC-registered doctor.
- To generate and deliver your medical certificate.
- To process your payment and issue receipts.
- To communicate with you about your request, including sending your certificate and any follow-up correspondence.
- To maintain clinical records as required by applicable regulations and professional standards.
- To monitor service reliability, investigate technical errors, and protect the security of the platform.
- To prevent fraud, resolve disputes, and enforce our terms of service.
- Where you consent to analytics cookies, to understand how visitors use our public pages so we can improve site content, navigation, and performance.
- Where you consent to advertising measurement cookies, to understand which adverts lead to paid requests so we can measure advertising performance.
We do not use your personal data for automated decision-making or profiling. We do not sell your data to any third party, nor do we use it for marketing purposes without your explicit consent.
5. Data Sharing
We share your personal data only where necessary for the purposes set out in this policy and with the following categories of recipients:
- Our Clinicians: GMC-registered doctors who review your case and issue certificates. They are bound by professional duties of confidentiality.
- Payment Processors: A PCI-DSS compliant third-party payment provider processes your payment securely on our behalf.
- Infrastructure and Service Providers: We use trusted third-party service providers for hosting, data storage, email delivery, and other operational functions. These providers act as data processors under written agreements and process your data only on our instructions.
- Security and Reliability Providers: We use service monitoring tools to detect errors, uptime problems, and failed scheduled jobs. These tools are configured to minimise personal data and exclude clinical form contents wherever possible.
- Service Measurement Providers: If you consent to optional cookies, limited public-page usage information and advertising measurement data may be processed by service measurement providers acting on our behalf.
- Legal and Regulatory Authorities: We may disclose your data where required by law, court order, or regulatory obligation, or where necessary to protect the safety of any person.
We do not share your health data with your GP, employer, or any third party unless you specifically request and authorise us to do so.
6. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected and to comply with applicable legal and regulatory obligations.
- Medical Records: Clinical records, including case details, clinical notes, and issued certificates, are retained in accordance with applicable UK healthcare record-keeping requirements and professional guidance. These records may need to be retained for a significant period after the service is provided.
- Transaction Records: Payment and billing records are retained for as long as required to comply with financial and tax regulations.
- Account and Contact Data: Retained for as long as necessary to administer your requests and communicate with you, and subsequently for as long as required by applicable retention obligations.
When personal data is no longer required for any lawful purpose, it will be securely deleted or anonymised.
7. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or damage. These measures include:
- Encryption of data in transit and at rest.
- Access controls restricting data to authorised personnel on a need-to-know basis.
- Regular review of our security practices and procedures.
- Use of trusted, security-certified infrastructure providers.
While we take all reasonable precautions, no method of transmission or storage is completely secure. If you have concerns about the security of your data, please contact us.
8. International Transfers
Some of our service providers may process your data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place in accordance with UK GDPR, such as standard contractual clauses, adequacy decisions, or other approved transfer mechanisms, to protect your personal data to the same standard as within the UK.
9. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Access: You may request a copy of the personal data we hold about you (Subject Access Request). We will respond within one calendar month.
- Rectification: You may request correction of any inaccurate or incomplete personal data.
- Erasure: You may request deletion of your personal data in certain circumstances. Please note that we may be required to retain core medical records to comply with regulatory and professional obligations (see Section 6).
- Restriction: You may request that we restrict the processing of your personal data in certain circumstances.
- Portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format.
- Objection: You may object to the processing of your personal data where we rely on legitimate interests as the lawful basis.
- Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at: support@doctorcert.co.uk. We will respond to all legitimate requests within one calendar month. If your request is particularly complex, we will notify you and may take up to an additional two months as permitted by law.
You can also withdraw consent for optional cookies at any time using the Cookie settings link in the footer where shown, or by using the control in the cookie section below.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
11. Contact Us
If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact us:
Data Protection Enquiries: support@doctorcert.co.uk
General Enquiries: support@doctorcert.co.uk
12. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. Any material changes will be indicated by updating the "Last Updated" date at the top of this page. We encourage you to review this page periodically.