Privacy Policy

1. Introduction

BlockMedPro UK Ltd. (referred to as "organisation", "we," "our," "us") is committed to protecting your personal data, to ensuring transparency regarding how we collect, use, and share it, and to complying with relevant data protection regulations, including:

  • UK GDPR and the Data Protection Act 2018

  • NHS Data Security and DSPT requirements

BlockMedPro UK Ltd. is a business that owns BlockMed Pro, i.e., a healthcare technology platform. We act as a Data Processor as per UK GDPR and Data Protection.

This notice describes how we use your personal data when instructed by our customers (both patients, i.e., "Data Sellers" and Pharmaceutical organisations/laboratories i.e., "Data Purchasers") and/or when the data is being processed, including your rights under the relevant data protection laws.

It discusses how we process information when you use our online platform that connects patients, laboratories, pharmaceutical organisations and other third-party services including but not limited to data storage partners (GCP, MongoDB Atlas) and the financial service provider (Stripe).

2. Definitions and Abbreviations

The following table presents the important abbreviations and terms used in this document and their definitions:

| Term | Definition |
| --- | --- |
| Organisation | BlockMed Pro UK Ltd. as a company |
| Service | BlockMed Pro UK Ltd. as an online platform/portal/product that enables patients to monetise their data and pharmaceutical organisations or laboratories to purchase this data with the patient's consent. |
| Data Protection Agreement (DPA) | A legally binding contract (under GDPR) between a data controller and data processor |
| Personal Data | Any information that can identify a patient directly or indirectly, including Name, NHS number, DOB, Email, IP Address, etc. (under UK GDPR, Article 4, and the Data Protection Act 2018). |
| Patient Data | A subset of personal data, relating to a patient in the context of healthcare. Almost always includes special category data (sensitive data) under UK GDPR such as medical history, health records, lab results, etc. |
| Controller | The organisation/entity that determines the purpose (how) and means (why) of using patient data (under UK GDPR, Article 4). It is usually an NHS Trust, GP practice, or a private healthcare provider, collecting and/or using personal data. |
| Processor / Business Associate | An organisation/entity that processes data on behalf of the Controller under a DPA |
| Sub-Processor | A company or an organisation hired by the Processor to help with part of data processing. |
| Third-Party | Anyone (an individual, company or a service) that is not a data subject, Controller, Processor, and/or a Sub-Processor under their direct authority (UK GDPR, Article 4). |
| Information Commissioner's Office (ICO) | UK's independent regulatory authority for data protection, which issues fines, guidance, and codes of practice on handling personal data (including patient data). |
| Data Protection Officer (DPO) | An independent role, mandatory for NHS and healthcare organisations, responsible for advising, monitoring, and overseeing compliance with UK GDPR, the Data Protection Act 2018, DSPT standards, and ICO guidance. |
| Organisation Data Service (ODS) Codes | Unique IDs for pharmacies, labs, GP practices and NHS trusts, etc. |

3. Who We Are

We, as an organisation, are a UK-based health-tech company that has provided technology-related services in the UK healthcare sector since 2024. Our Service-based platform acts as a mediator between patients (referred to as "Data Sellers" per Section 3 of this document) and laboratories/pharmaceutical companies (i.e., "Data Purchasers"), enabling patients to share and sell their health data with authorised purchasers in a secure and transparent fashion.

As defined in Section 3, we act as a data Processor whereas the Data Sellers as well as Purchasers are both Data Controllers.

1. Address:

BlockMed Pro UK Ltd

5 Cobcroft Road

Huddersfield

HD2 2RU

United Kingdom

4. What Data We Collect

We understand and respect your data privacy. Therefore, we will take appropriate measures to secure your data that we capture when you interact with our Service. However, we do not claim that any third-party software, service(s), Controllers, or Processors cannot use your submissions and/or data from your device(s) for unlawful purposes.

Refer to the Data Retention and Privacy Policies of the third-party service providers for more details on how they use your data.

We may collect any or all of the following kinds of data:

  • Personal Information: Name, contact (phone, Email ID, address), login credentials

  • Patient (Health) Data: NHS number, Site Code, ODS Codes, medical history, test results, and clinical information that the patients share with consent

  • Transaction Data: Payments processed securely via Stripe (we do not store full card details)

  • Metadata: Timestamps, user roles, audit trail, etc.

  • Technical Data: IP address, device/browser type, app usage statistics

  • Blockchain Records: Proof of consent, transaction logs, and audit trail under a Smart Contract

5. How We Use Your Data

We use your data for any or all of the following reasons:

  • Meet security standards of UK GDPR and DSPT requirements

  • To enable secure exchange of health data with authorised Controllers/Purchasers (with your consent)

  • Operate and improve our Service i.e., BlockMedPro

  • Record and verify audit logs using blockchain

  • Process payments and transactions using Stripe

6. Legal Bases for Processing Data

We process your data under the following bases:

  • Consent – explicit consent for collection and sharing of health data (GDPR Article 9).

  • Contract – to provide services and process transactions.

  • Legal obligation – to comply with healthcare and financial regulations.

  • Legitimate interests – to improve and secure our services.

Disclaimer: Special category health data is processed only with your explicit consent and in line with GDPR safeguards.

7. How We Store & Protect Your Data

We store and protect your data in the following ways:

  • Cloud services: We store data securely with encryption in a trusted provider i.e., Google Cloud Platform (GCP, London (West-2)) in our case.

  • Blockchain: We maintain secure, tamper-proof records of consent and transactions under Smart Contract.

  • Security measures: We implement NHS DSPT standards, and GDPR-compliant safeguards (including encryption, Access Control including Multi-Factor authentication & IP restrictions, and audit logs) to ensure your data remains safe.

8. Who We Share Data With

We may share data with:

  • Authorised laboratories and pharmaceutical organisations, with your consent. They act as your data Controllers (and our clients)

  • Approved Sub-Processors (i.e., Google Cloud Platform (GCP) and MongoDB Atlas in our case) and a third-party service, i.e., our payment processor (Stripe), under a strict DPA

  • Blockchain service provider for secure record-keeping of patients' consents under Smart Contract

  • Any regulators (such as NHS), authorities, or auditors where legally required.

Disclaimer: We never sell your data outside of the framework mentioned above.

9. Data Retention

We keep your personal and patient data only as long as necessary to:

  • Complete the exchange/payment transaction process

  • Meet NHS DSPT requirements, regulatory obligations, and financial recordkeeping

  • Resolve disputes and enforce agreements

We retain the data per client instruction or contract. The data retention ceases automatically once the contract terminates, unless subject to legal hold. Refer to our Data Retention Policy for more details.

10. Your Rights

Under the UK GDPR, you are allowed to contact us/Processor to:

  • Access, rectify, or delete your data (as a data seller)

  • Request privacy restrictions or object to processing

  • Withdraw the permissions at any time

  • File a complaint with the UK Information Commissioner's Office (ICO)

All rights must be initiated via your Controller. The organisation processes requests only upon written instruction from the Controller.

11. Breach Notification

If there's a breach involving personal data, we, being the Processor, notify the ICO without undue delay, and not later than 72 hours per the UK GDPR requirements. The Controller is responsible for notifying regulators and individuals.

12. Policy Updates

We review and update this notice annually. Any changes will be posted on our website and provided to clients as required by contract or law.

13. Contact

If you have any concerns regarding your data or this notice, contact our Data Protection Officer (DPO) right away. The contact details are as follows:


Data Protection Officer (DPO):

DataCo International UK Limited

Suite 1, 7th Floor, 50 Broadway, London, SW1H 0BL

Email: privacy@dataguard.co.uk

Telephone: +44 2035146557


You can also contact your national supervisory authority i.e., ICO (allocated under UK GDPR):