Privacy Policy

1. Introduction

ME+MA Community Interest Company ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website (meandma.uk) and our medical cannabis clinic services.

2. Data Controller

ME+MA CIC is the data controller for your personal data.

3. What Data We Collect

• Personal identifiers: name, date of birth, contact details
• Health information: medical history, conditions, symptoms, prescriptions
• Usage data: IP address, browser type, pages visited, time spent
• Communication data: emails, messages, consultation notes
• Financial data: payment information (processed by secure third-party providers)

4. Legal Basis for Processing

• Contractual necessity: to provide medical consultations and prescriptions
• Legal obligation: compliance with GMC, CQC, and UK medical cannabis regulations
• Consent: marketing communications, analytics cookies
• Legitimate interests: website improvement and fraud prevention
• Vital interests: emergency medical situations
• Special category data (health): processed under Schedule 1, DPA 2018 for health/social care purposes

5. How We Use Your Data

• Provide medical consultations and prescribe cannabis-based medicinal products
• Coordinate with pharmacies for prescription fulfilment
• Communicate with you about appointments, prescriptions, and care
• Maintain medical records in compliance with UK law
• Improve our website and services
• Send newsletters (with consent)
• Comply with legal and regulatory obligations

6. Data Sharing

• NHS GP (with your consent): for continuity of care
• Registered pharmacies: to dispense prescriptions
• Regulatory bodies: GMC, CQC, MHRA as required by law
• Service providers: hosting, analytics (Google Analytics), payment processing
• Legal authorities: when required by court order or statute

WE DO NOT SELL YOUR PERSONAL DATA.

7. International Transfers

Your data is stored and processed within the UK/European Economic Area. If any transfer outside the UK/EEA occurs, we ensure adequate safeguards (Standard Contractual Clauses) are in place.

8. Data Security

• Encryption in transit (TLS 1.3) and at rest
• Access controls and role-based permissions
• Regular security audits
• Staff training on data protection
• We are a CIC — patient data is never used for commercial sale

9. Data Retention

• Medical records: retained for 10 years after last treatment (in line with GMC guidance)
• Financial records: 7 years (HMRC requirement)
• Marketing consent records: retained until consent is withdrawn
• Website analytics: 26 months (anonymised where possible)
• Closed accounts: data retained as required by medical record keeping obligations

10. Your Rights Under UK GDPR

• Right to access: request a copy of your data
• Right to rectification: correct inaccurate data
• Right to erasure: request deletion (subject to medical record obligations)
• Right to restrict processing: limit how we use your data
• Right to data portability: receive data in a structured format
• Right to object: opt out of marketing and certain processing
• Rights related to automated decision-making: we do not use automated decision-making for clinical care

To exercise these rights, contact us by phone on 07365 420 420.

11. Cookies and Tracking

We use cookies as described in our Cookie Policy. You can manage preferences via the cookie banner. Analytics data is collected only with your consent.

12. Children's Privacy

Our services are for adults aged 18 and over. We do not knowingly collect data from children.

13. Changes to This Policy

We may update this Privacy Policy. Changes will be posted on this page with a revised "Last updated" date.

14. Complaints

If you are unhappy with how we handle your data, contact us first. You also have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk.