DocMap Logo
← Back to Policies and Terms

Privacy Policy

Effective Date: From 12/12/2024

Last Updated: 14/08/2025

Your Privacy as a Valued Patient

At DocMap, safeguarding your personal information is essential to the trust we build with you. We are committed to protecting your privacy while helping you connect with healthcare providers easily and securely.

Our Commitment to You

Transparency

You have the right to understand what personal information we collect, how we use it, and with whom we share it.

Protection

We treat your personal data with care and use industry-leading security practices to keep it safe.

Purpose

We only collect the information needed to help practitioners facilitate the appointments you request and improve the services we provide.

Support

If you have any questions or concerns, you can contact our Data Protection Officer at support@docmap.co.uk.

What Personal Information We Collect

To help facilitate and improve your healthcare appointment experience, we may collect:

  • Full name
  • Email address
  • Phone number
  • Treatment or service you are requesting
  • Preferred appointment date
  • Attendance status for telehealth sessions (whether you attended or missed the appointment) when using our integrated video conferencing service, such as Zoom.

Why We Use This Information

We use your information to:

  • Identify and contact you.
  • Match you with suitable healthcare providers.
  • Help practitioners manage and confirm your appointment.
  • Send you appointment-related communications.
  • Record and process attendance information for billing accuracy, understanding patient demand, and assessing practitioner engagement.
  • Improve the quality, efficiency, and reliability of our services.
  • Attendance information is anonymized before analysis and is never used to identify individuals in reporting.

Legal Basis for Processing

Under the UK GDPR, our legal bases for processing your personal data are:

Contractual Necessity (Article 6(1)(b))

To process your appointment request and communicate with providers.

Legitimate Interests (Article 6(1)(f))

To operate and improve our service efficiently and securely, including tracking session attendance to improve service delivery.

How We Collect Your Information

We collect your personal information directly from you when you:

  • Submit an appointment request through our platform.
  • Contact our support team.
  • Update your preferences or contact information.
  • Join or miss a telehealth session using our integrated video conferencing service (e.g., Zoom), which records attendance metadata.

Who We Share Your Information With

We only share your information when necessary to provide the service you've requested:

Healthcare providers

To manage and schedule your appointment.

Service providers

Trusted vendors who help operate our platform (including telehealth video conferencing providers such as Zoom), all of whom are bound by strict confidentiality and security obligations.

Legal authorities

Only when required to comply with legal obligations.

How We Protect Your Information

We use secure systems and protocols to protect your data from unauthorized access, loss, or misuse. Access to your data is restricted to authorized personnel and partners who require it to fulfill the service.

In the event of a suspected data breach, we will notify affected individuals and relevant authorities, as required by law.

How Long We Keep Your Data

We retain your personal information only as long as necessary to:

  • Fulfill the purpose it was collected for (e.g., booking and managing an appointment).
  • Meet legal, regulatory, or contractual obligations.

Once no longer needed, your information is securely deleted or anonymized.

Your Rights

You have the following rights under the UK GDPR:

  • Access: Request a copy of your personal data.
  • Correction: Request correction of any inaccurate or incomplete information.
  • Deletion: Request deletion of your data when it is no longer needed.
  • Restriction: Ask us to limit the way we use your data.
  • Objection: Object to our use of your data based on legitimate interests.
  • Data Portability: Request a copy of your data to transfer to another provider.

To exercise these rights, contact us at support@docmap.co.uk.

Automated Decision-Making

We do not use any automated decision-making or profiling that affects your rights or access to care.

Updates to This Privacy Policy

We may update this privacy policy from time to time. If we make significant changes, we will notify you through email or in-platform messaging.

Change Log:

  • 12/12/2024: Initial Policy Published.
  • 04/05/2025: Policy updated.
  • 14/08/2025: Added information about collection and use of telehealth session attendance data.

Contact Us

For any questions about this policy or your data rights, please contact our Data Protection Officer:

📧 support@docmap.co.uk

📍 DocMap Ltd, 16.01 Makers Building, London, N1 7TW

You may also contact the UK Information Commissioner's Office (ICO) if you are not satisfied with our response.

DocMap WhatsApp Service (Specialist Triage)

Privacy notice for the WhatsApp Service

The notice below applies specifically when you use the DocMap WhatsApp Service (also referred to as DocMap Specialist Triage). The WhatsApp Service relies on different lawful bases under UK GDPR (notably explicit consent for health data under Article 9(2)(a)) and uses different processors than the booking platform — so we keep the two notices side-by-side to make it clear what applies to you.

This section sets out how DocMap collects, uses, and protects your personal data when you use the DocMap WhatsApp Service (also referred to as DocMap Specialist Triage). It is in addition to the booking platform privacy notice above.

Last updated: March 2026

1. Who we are

DocMap Specialist Triage (“DocMap”, “the Service”) is operated by DocMap Ltd, a company registered in England and Wales.

Data Controller
DocMap Ltd
Data protection enquiries
admin@docmap.co.uk
General enquiries
support@docmap.co.uk
Website
docmap.co.uk

DocMap Ltd is the data controller for personal data processed through the DocMap WhatsApp Service.

2. What this section covers

This part of the privacy policy applies when you:

  • Send messages to our WhatsApp Business number
  • Use the DocMap web application
  • Interact with our specialist referral and triage services

It applies to patients who contact us via WhatsApp, as well as healthcare operators who use the DocMap dashboard.

3. What data we collect

3.1 Data you provide directly

Phone number

Examples: Your WhatsApp number

Purpose: Identify your conversation, contact you with responses

Health information

Examples: Symptoms, conditions, diagnoses, surgical history, treatment history

Purpose: Understand your needs and match you with appropriate specialists

Location and travel preferences

Examples: City, region, willingness to travel

Purpose: Find specialists in accessible locations

Insurance and funding status

Examples: Private, NHS, self-funding, insurer name

Purpose: Filter specialists who accept your funding arrangement

Conversation messages

Examples: All messages you send to our WhatsApp number

Purpose: Provide the triage service, maintain conversation context

3.2 Data we generate

Intent classification

AI-generated categorisation of your message (e.g., "specialist search", "condition inquiry")

Specialist recommendations

Matched specialists based on your described needs

Conversation summaries

AI-generated summaries of your conversation for internal case management

Case records

Internal records tracking the status of your referral

3.3 Technical data

WhatsApp message IDs

Meta-assigned identifiers for each message

Timestamps

When messages are sent and received

Session metadata

Conversation state used for multi-turn interactions

4. Special category data

Your health information constitutes special category data under UK GDPR (Article 9). For the core triage and referral facilitation service, we rely on:

  • Explicit consent (Article 9(2)(a)): We provide clear information about processing (including AI-assisted analysis) and ask you to agree before we rely on your data for that purpose. Continuing the conversation after receiving our data notice may not be sufficient on its own for all processing — we record a clear affirmative step where required.

We do not rely on Article 9(2)(h) (health or social care processing) for the core DocMap triage service, because DocMap is a referral facilitation and information service, not a regulated healthcare provider delivering direct clinical care. If we introduce processing that requires a different Article 9 condition in future, we will update this policy and obtain appropriate consent or other lawful grounds before that processing begins.

You may withdraw your consent at any time (see Section 9).

5. How we use your data

Each processing activity has a primary lawful basis. Special category (health) data requires both an Article 6 basis and an Article 9 condition.

WhatsApp triage: responding to messages, maintaining conversation history, AI intent classification, specialist matching

Consent (Art. 6(1)(a)); Explicit consent for health data (Art. 9(2)(a))

Internal notifications to our clinical operations team (e.g. new conversation alerts)

Legitimate interests (Art. 6(1)(f)) — not for unrelated marketing

Compliance with law and regulatory requests

Legal obligation (Art. 6(1)(c)) where applicable

Where we use AI observability tools, prompts may contain message content: that processing is covered by the same consent basis as the triage service.

Future services (clinical trial outreach, research, or commercial data use): These are not covered by the table above until we publish a separate notice and, where required, obtain additional explicit consent.

6. How we store and protect your data

6.1 Data storage

AWS DynamoDB

Stored: Message archive, patient records, case data

Location: EU (London, eu-west-2)

Encryption: AES-256 at rest, TLS in transit

Upstash Redis

Stored: Live conversation data, session state

Location: EU

Encryption: Encrypted at rest and in transit (TLS)

Langfuse (or equivalent)

Stored: AI observability traces: may include prompt and response text — pseudonymised, not anonymous

Location: See provider terms

Encryption: Encrypted in transit; provider-dependent at rest

We do not describe LLM traces as “anonymised” where they may still contain identifiable health information in context.

6.2 Security measures

  • All data in transit is encrypted using TLS 1.2 or higher
  • All data at rest is encrypted using AES-256 or equivalent
  • Access to patient data is restricted to authorised operators via authenticated sessions
  • WhatsApp webhook payloads are verified using HMAC-SHA256 signatures
  • We conduct regular security reviews of our infrastructure

7. Who we share your data with

We share personal data with the following categories of recipients, all of whom are bound by data processing agreements:

Amazon Web Services (AWS)

Purpose: Hosting

Data shared: All stored data

Transfer basis: UK Adequacy / SCCs; data remains in eu-west-2

Upstash

Purpose: Caching and real-time conversation state

Data shared: Conversation data

Transfer basis: DPA in place; EU hosting

Meta (WhatsApp Business API)

Purpose: Messaging channel

Data shared: Messages, phone numbers

Transfer basis: Meta DPA; EU–US Data Privacy Framework

OpenRouter / LLM providers

Purpose: AI processing

Data shared: Conversation text (in prompts)

Transfer basis: DPA in place; SCCs for US transfers

Pinecone

Purpose: Specialist search (vector similarity)

Data shared: Messages for retrieval

Transfer basis: DPA in place; pseudonymised session identifiers

Langfuse (or equivalent)

Purpose: LLM tracing and quality monitoring

Data shared: May include prompts and completions referencing your messages

Transfer basis: DPA in place; international transfers per provider docs

We do not sell your personal data to any third party.

We do not share your health data with the specialists we recommend unless you explicitly instruct us to do so (e.g., by requesting an introduction or referral).

8. How long we keep your data

WhatsApp messages

Up to 12 months from last message, then deleted from live systems

Patient case records

Up to 12 months from case closure, then deleted from live systems

AI observability traces

Typically 90 days (or as configured), then deleted

Session and cache data

24 hours to 90 days (varies by type)

Consent records

Retained for the duration of the relationship and as required for legal claims

Backups: Cloud infrastructure may retain copies of deleted data for a limited period after deletion from live databases — commonly up to 35 days. We delete or overwrite backup copies in line with our infrastructure settings.

Aggregated or truly anonymised statistics (where no individual can be identified) may be retained longer — only where we can demonstrate anonymisation under UK GDPR.

9. Your rights

Under UK GDPR, you have the following rights:

Right of access (Article 15)

You can request a copy of all personal data we hold about you. We will provide this in a machine-readable format (JSON) within 30 days.

Right to rectification (Article 16)

You can ask us to correct any inaccurate personal data.

Right to erasure (Article 17)

You can ask us to delete your personal data. We will delete it from live systems within 30 days of your request, subject to the backup retention note in Section 8. To request erasure, message us on WhatsApp with “Delete my data” or email admin@docmap.co.uk.

Right to restrict processing (Article 18)

You can ask us to stop processing your data while we resolve a concern.

Right to data portability (Article 20)

You can request your data in a structured, commonly used, machine-readable format (JSON). We will provide this within 30 days.

Right to object (Article 21)

You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

Right to withdraw consent

You can withdraw your consent at any time by:

  • Messaging us on WhatsApp with “Withdraw consent” or “Stop processing”
  • Emailing admin@docmap.co.uk

Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at admin@docmap.co.uk or message us directly on WhatsApp.

10. Automated decision-making

We use AI systems to:

  • Classify the intent of your messages
  • Recommend specialists based on your described symptoms, location, and preferences
  • Generate draft responses for our operators to review before sending

These AI systems assist our human operators — they do not make final decisions about your care or referrals without human review. You have the right to request human review of any AI-assisted decision.

11. Children's data

Our service is not directed at individuals under the age of 18. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, please contact us immediately at admin@docmap.co.uk.

12. Changes to this section

We may update this section from time to time. Material changes will be communicated via:

  • A notice on our website
  • A message on WhatsApp (for active patients)

The “Last updated” date at the top of this section indicates when it was last revised.

13. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We encourage you to contact us first at admin@docmap.co.uk so we can try to resolve your concern directly.

14. Contact us

For any questions about this section or your personal data:

Admin / data protection
admin@docmap.co.uk
General
support@docmap.co.uk
WhatsApp
Message our business number directly
Post
DocMap Ltd, 1601 Jasper Walk, London N1 7TW

For details about the WhatsApp Service Terms and our GDPR compliance measures, see DocMap WhatsApp Service Terms & GDPR Compliance.