Privacy Policy
Last updated: 15 May 2026
This policy explains how Get Patient Consent ("we", "us", "our") collects, uses, and protects personal data when you use our consent platform and website at getpatientconsent.com.
We take your privacy seriously, particularly because our service handles special category health data about patients.
Who we are
Get Patient Consent is the trading name of CSSL Ltd, a company registered in England and Wales, company number 03996773. Our registered office is at Sharpe Medical Accounting Ltd, Normanby Gateway, Lysaghts Way, Scunthorpe, South Humberside, England, DN15 9YG. We are the data controller for personal data we process about clinician users of our platform, and a data processor for personal data clinicians process about their patients using our platform.
We are registered with the Information Commissioner's Office (ICO) under reference ZB417718.
The personal data we process
About clinician users
- Name and email address
- Professional registration details (e.g. GMC number) you choose to provide
- Account credentials and access tokens
- Billing information (when paid plans launch)
- Technical data: IP address, browser type, pages viewed, audit log of actions taken within the platform
About patients (processed on behalf of clinicians)
When clinicians use our platform to obtain consent from their patients, we process the following on their behalf as a data processor:
- Patient name, date of birth, and contact details (email, phone)
- The consent request content (procedure, risks, leaflets shown)
- Patient responses, questions asked, and answers received
- Signature data, timestamps, and device metadata
- Cryptographic audit trail of all interactions with the consent record
The clinician (or their organisation) is the data controller for this patient data. Patients with questions about how their data is used should contact the clinician directly in the first instance.
Why we process this data, and our lawful basis
We rely on the following lawful bases under the UK GDPR:
| Purpose | Lawful basis |
|---|---|
| Providing the platform to clinician users | Contract (Art 6(1)(b)) |
| Sending service emails and security notifications | Contract / Legitimate interests (Art 6(1)(b) / (f)) |
| Improving the platform and diagnosing faults | Legitimate interests (Art 6(1)(f)) |
| Complying with legal obligations (tax, accounting) | Legal obligation (Art 6(1)(c)) |
For patient health data, which is special category data under Article 9, the clinician (as controller) relies on Article 9(2)(h) — provision of health or social care. We act only on the clinician's documented instructions, under a data processing agreement.
How we store and protect your data
- All data is stored in AWS eu-west-2 (London). Nothing leaves the UK.
- Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Patient identifiers are encrypted at the application level using AWS KMS.
- The consent audit trail uses a cryptographic hash chain so any tampering is detectable.
- Access to production systems is restricted, logged, and protected by multi-factor authentication.
Who we share data with
We do not sell or rent personal data. We share data only with:
- AWS (Amazon Web Services EMEA SARL) — infrastructure and storage, eu-west-2 region
- MxRoute — to deliver transactional emails
- Professional advisers — accountants, lawyers, auditors, where required and under confidentiality
- Law enforcement or regulators — where we are legally compelled to do so
All sub-processors are bound by written contracts that meet UK GDPR requirements.
How long we keep your data
- Active accounts: for as long as the account is active, plus a reasonable wind-down period after closure.
- Consent records: clinicians (as controllers) determine the retention period. The default minimum we support is 8 years from the date of the procedure, in line with NHS records management guidance, but clinicians may instruct us to retain for longer.
- Marketing enquiries: up to 24 months from last contact, unless you ask us to delete sooner.
- Audit logs and security records: up to 24 months.
Specific retention rules are documented in our Data Retention Schedule, available on request.
Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten"), subject to legal retention obligations
- Restrict how we process your data
- Object to processing based on legitimate interests
- Data portability — receive your data in a machine-readable format
- Withdraw consent at any time, where consent is the basis we rely on
To exercise any of these rights, contact us at privacy@getpatientconsent.com. We will respond within one month.
If you believe we have not handled your data properly, you have the right to complain to the ICO at ico.org.uk or 0303 123 1113. We would, however, appreciate the chance to address your concerns first.
Cookies and tracking
The marketing website at getpatientconsent.com currently uses no analytics, advertising, or third-party tracking cookies. The only cookies used by the platform itself are strictly necessary for sign-in and security (session cookies). If this changes, we will update this policy and ask for your consent where required.
Children
Our platform is for use by registered healthcare professionals. We do not knowingly collect data directly from anyone under 18 through the marketing site. Patient consent flows initiated by clinicians may involve minors, and in those cases the clinician is responsible for any necessary parental consent.
International transfers
We do not transfer personal data outside the United Kingdom. If this changes in future (for example, if a sub-processor is based outside the UK), we will use UK GDPR-approved transfer mechanisms (UK IDTA or equivalent) and update this policy.
Changes to this policy
We may update this policy from time to time. Material changes will be highlighted at the top of this page, and where appropriate we will notify account holders directly by email. The "Last updated" date above shows when the most recent change was made.
Contact us
For any privacy-related question:
Post: Normanby Gateway, Lysaghts Way, Scunthorpe, South Humberside. DN15 9YG
Data Protection Officer: Neville Dastur