MedicFlow

Privacy Policy

Last updated: 20 April 2026 · MedicFlow is a trading name of Haseeb Ullah

This policy explains how MedicFlow collects, uses, and protects your personal data under UK GDPR and the Data Protection Act 2018.

1. Who we are

MedicFlow is operated by Haseeb Ullah, trading as MedicFlow ("we", "us", "our"). We are the data controller for personal data processed through this platform. Contact: support@medicflow.uk

2. What data we collect

Account data

  • Name and email address
  • Clinical grade, speciality, and location (to personalise AI outputs)
  • Google account details if using Google sign-in

Usage data

  • Number and type of AI queries made
  • Tool usage patterns (anonymised)
  • IP address, browser type, device type

Payment data

  • Subscription tier and status — payment card details are processed by Stripe only and never stored by us

We do not collect or store patient data. You must not enter patient-identifiable information into MedicFlow. All clinical inputs must be anonymised.

3. How we use your data

  • To provide and personalise the MedicFlow service
  • To process payments and manage subscriptions
  • To enforce usage limits by subscription tier
  • To send essential service communications
  • To improve the platform using aggregated, anonymised analytics
  • To comply with legal obligations

4. Legal basis

  • Contract performance — delivering the service you signed up for
  • Legitimate interests — security, fraud prevention, service improvement
  • Legal obligation — UK law compliance
  • Consent — marketing (withdrawable at any time)

5. Third-party processors

Your queries are processed by Anthropic's Claude API. Text you enter is sent to Anthropic's servers. See Anthropic's privacy policy.

  • Supabase — authentication and database
  • Stripe — payment processing (PCI DSS compliant)
  • Vercel — web hosting
  • Anthropic — AI processing

6. Data retention

  • Account data: while active + 2 years after closure
  • Usage logs: 12 months
  • Payment records: 7 years (HMRC requirement)
  • CPD logs: stored locally on your device only

7. Your rights (UK GDPR)

You have the right to access, rectify, erase, port, restrict, and object to processing of your data. Email support@medicflow.uk — we respond within 30 days.

8. Security

We use TLS encryption, encrypted storage, and access controls. No system is completely secure — we cannot guarantee absolute security.

9. Cookies

Essential cookies only: session management and theme preferences. No advertising or tracking cookies.

10. International transfers

Some processors (Anthropic, Vercel) are US-based. Transfers are protected by Standard Contractual Clauses approved by the UK ICO.

11. Complaints

Contact us first at support@medicflow.uk. You may also complain to the ICO at ico.org.uk.
