Clever Clinic

Privacy

Clever Clinic® Mobile Application Privacy Policy

Last updated: June 2026

Contents

  1. About Us and This Policy
  2. The Legal Framework
  3. Children
  4. Third Party Links
  5. The Data We Collect About You
  6. How Is Your Personal Data Collected?
  7. Cookies and Similar Technologies
  8. How We Use Your Personal Data
  9. Lawful Basis — Explained
  10. Disclosures of Your Personal Data
  11. International Data Transfers
  12. Data Retention
  13. Your Legal Rights
  14. Changes to This Policy
  15. Your Right to Complain
  16. Glossary - Categories of Personal Data

1. About Us and This Policy

Clever Technologies Limited (“We”, “Us”, “Our”) is committed to protecting your personal data. Under data protection law We are required to provide you with certain information about who We are, how We process your personal data and for what purposes, and your rights in relation to your personal data. This policy (together with Our end-user licence agreement at cleverclinic.co.uk/terms (the “EULA”) and any additional terms of use incorporated into it, together Our “Terms of Use”) applies to your use of:

  • the Clever Clinic® mobile application software (the “App”), available via the Apple App Store, once you have downloaded or streamed a copy onto your mobile telephone or handheld device (“Device”); and
  • any of the services accessible through the App (the “Services”) available on Our site at app.cleverclinic.co.uk (the “App Site”), unless the EULA states that a separate privacy policy applies to a particular Service, in which case that policy applies. This policy sets out the basis on which We will process your personal data and the personal data of any other individual using the App or App Site for the purpose of facilitating medical record-taking and patient interactions. If any other individual (such as a partner or employee) will use the App or App Site on this Device, you must bring this policy to their attention.

1.1 App data versus in-App patient data

Where you use the App or App Site to process the personal data of your patients or other individuals, that processing, and any transfer of that personal data to Us, is governed by the Data Protection Schedule of the EULA. In respect of that patient data, your clinic acts as the data controller and Clever Technologies Limited acts as a data processor, in accordance with Schedule 3 of the Clever Clinic Terms and Conditions at cleverclinic.co.uk/terms. This policy concerns the personal data We process about you as a user of the App, for which We are the controller.

1.2 Who We Are

Clever Technologies Limited is a company incorporated in Guernsey on 13 June 2019 (Guernsey Company Number 66489), with its registered office at Albert House, South Esplanade, St Peter Port, Guernsey, GY1 1AJ. We are the controller responsible for your personal data. We are registered as a data controller with the Office of the Data Protection Authority (ODPA) in Guernsey. Our ODPA registration number is DPA3740.

1.3 Contact and Data Protection Officer

Any questions, comments or requests regarding this policy, or any request to exercise your rights, should be addressed to Our Data Protection Officer: Data Protection Officer, Clever Technologies Limited, Albert House, South Esplanade, St Peter Port, Guernsey, GY1 1AJ. Email: dpo@healthxchange.com (or legal@cleverclinic.co.uk). It is important that the personal data We hold about you is accurate and current. Please keep Us informed if your personal data changes during Our relationship with you.

2. The Legal Framework

We process your personal data in accordance with:

  • the Data Protection (Bailiwick of Guernsey) Law 2017 (the “Guernsey Law”), as the primary framework applicable to Our Guernsey-registered operations;
  • the EU General Data Protection Regulation 2016/679 (“EU GDPR”), as applicable to Our processing of personal data of individuals in EU member states; and
  • the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018, as applicable to Our processing of data concerning UK residents (including as updated by the Data (Use and Access) Act 2025). This policy sets out the categories of personal data We collect, the purposes for which We process it, the lawful basis on which We rely, how long We retain it, and your rights in relation to your personal data.

3. Children

The App is not intended for children and We do not knowingly collect data relating to children.

4. Third Party Links

The App may, from time to time, contain links to and from the websites of Our partner networks, advertisers and affiliates. These websites and any services accessible through them have their own privacy policies, and We do not accept responsibility or liability for those policies or for any personal data collected through them. Please check those policies before you submit any personal data.

5. The Data We Collect About You

We may collect, use, store and transfer different kinds of personal data about you, which We have grouped as follows (each category is explained in the Glossary in Section 17):

  • Identity Data
  • Contact Data
  • Financial Data
  • Transaction Data
  • Device Data
  • Profile Data
  • Usage Data
  • Marketing and Communications Data We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not personal data in law, as it does not directly or indirectly reveal your identity. If We combine Aggregated Data with your personal data so that it can identify you, We treat the combined data as personal data, used in accordance with this policy.

6. How Is Your Personal Data Collected?

We collect and process data about you in the following ways:

  • Information you give Us. This includes Identity, Contact, Financial and Marketing and Communications Data you provide by filling in forms in the App or App Site, or by corresponding with Us (for example by email or chat). It includes information you provide when you register to use the App Site, download or register for the App, subscribe to a Service, make an in-App purchase, enter a competition, promotion or survey, or report a problem. If you contact Us, We keep a record of that correspondence. Recordings of phone calls to Our offices or Customer Service Centre, and other communications such as email and electronic messaging, may be used for staff training and audit purposes.
  • Information We collect about you and your Device. Each time you use the App or App Site We automatically collect Device, Content and Usage Data using cookies and other similar technologies.

7. Cookies and Similar Technologies

We use cookies and similar technologies (such as application programming interfaces (APIs) and local storage, collectively “cookies”) to distinguish you from other users and to remember your preferences. This helps Us provide a good experience and improve the App and App Site. The categories We use are strictly necessary, analytical, performance, functionality and targeting cookies. Where required by law, non-essential cookies are only placed with your consent. For further detail, please see the relevant Cookie Policy.

8. How We Use Your Personal Data

We will only use your personal data when the law allows. Most commonly We rely on one or more of the following: your consent; the performance of a contract with you; Our legitimate interests (or those of a third party), provided your interests and fundamental rights do not override those interests; or compliance with a legal or regulatory obligation. The table below sets out the purposes for which We use your personal data and the lawful basis We rely on for each.

Purpose / ActivityType of DataLawful Basis for Processing
To install the App and register you as a new App userIdentity; Contact; DeviceYour consent
To process in-App purchases and deliver Services, including managing payments and collecting money owed to UsIdentity; Contact; Financial; Transaction; Device; Marketing and CommunicationsPerformance of a contract with you; legitimate interests (to recover debts due to Us)
To manage Our relationship with you, including notifying you of changes to the App or ServicesIdentity; Contact; Financial; Transaction; Marketing and CommunicationsPerformance of a contract with you; legitimate interests (to keep records updated and analyse use); legal obligation (to inform you of changes to terms)
To deliver personalised marketing about Our products and services and those of carefully selected third parties; to measure the effectiveness of advertising; to monitor trends to improve the App; and to conduct satisfaction surveysIdentity; Contact; Device; Content; Profile; Usage; Marketing and CommunicationsConsent; legitimate interests (to develop Our products and grow Our business)
To administer and protect Our business and the App, including troubleshooting, data analysis and system testingIdentity; Contact; DeviceLegitimate interests (running Our business, IT services and network security)

9. Lawful Basis - Explained

Consent means processing your personal data where you have signified your agreement by a clear opt-in for a specific purpose. Consent is only valid if freely given, specific, informed and unambiguous. You can withdraw your consent at any time by contacting Us.

Legitimate Interest means the interest of Our business in conducting and managing Our business to give you the best and most secure service. We consider and balance any potential impact on you and your rights before processing for Our legitimate interests, and We do not process where Our interests are overridden by the impact on you (unless We have your consent or are otherwise required or permitted by law).

Performance of Contract means processing where it is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract.

Legal Obligation means processing where it is necessary to comply with a legal or regulatory obligation to which We are subject.

10. Disclosures of Your Personal Data

We may share your personal data, for the purposes set out in Section 8, with the following categories of third party:

  • Service providers acting as processors who provide accounting, cloud, IT, SMS and software development services (including other companies within the Healthxchange group).
  • Professional advisers acting as processors or joint controllers, including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
  • HM Revenue & Customs, the Guernsey authorities, regulators and other authorities who require reporting of processing activities in certain circumstances. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We only permit them to process your personal data for specified purposes and in accordance with Our instructions.

11. International Data Transfers

Some of Our processors are based outside Guernsey, the United Kingdom or the European Economic Area (EEA). Whenever We transfer your personal data internationally, We ensure a similar degree of protection by relying on at least one of the following safeguards:

  • Adequacy. We may transfer personal data to countries that have been deemed to provide an adequate level of protection by the relevant regulator (the ODPA, the UK Government / ICO, or the European Commission).
  • Appropriate safeguards. Where We use service providers in countries without an adequacy decision, We use approved transfer mechanisms, such as the Standard Contractual Clauses, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, which give your personal data the same protection it has in Europe and the UK.
  • US transfers. Where We use providers based in the United States, We may transfer data to providers certified under the EU-US Data Privacy Framework (and the UK Extension to it), together with appropriate contractual safeguards. Please contact the DPO at dpo@healthxchange.com if you would like further information on the specific mechanism used when transferring your personal data outside Guernsey, the UK or the EEA.

12. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, tax, accounting or reporting requirements. The table below sets out Our standard retention periods. Where a legal obligation requires a longer period, We will retain data for that period instead.

Data CategoryRetention PeriodReason
Account information (Identity / Contact)Duration of account + 6 years from closureContract limitation period
Financial and Transaction Data7 years from transaction dateTax and VAT obligations
Marketing consent records Until consent withdrawn + 1 yearTo demonstrate consent was validly obtained
Analytics / Usage Data26 monthsAnalytics default retention setting
Customer service correspondence3 years from resolutionLimitation period for complaints
Inactive App accountsTreated as expired after 12 months of non-use; data may then be deletedData minimisation

In some circumstances you can ask Us to delete your data: see Section 13 (Your Legal Rights). In some circumstances We will anonymise your personal data (so it can no longer be associated with you) for research or statistical purposes, in which case We may use that information indefinitely without further notice to you.

13. Your Legal Rights

Under data protection law you have the following rights in relation to your personal data:

  • Right of access — to obtain a copy of the personal data We hold about you and to check that We are lawfully processing it (a “data subject access request”).
  • Right to rectification — to have inaccurate or incomplete personal data corrected, subject to verification of any new data you provide.
  • Right to erasure — to ask Us to delete or remove personal data where there is no good reason for Us to continue processing it, where you have successfully objected, or where We are required to erase it to comply with law. We may not always be able to comply for specific legal reasons, which We will notify to you where applicable.
  • Right to object — to object to processing based on Our legitimate interests where something about your situation makes you want to object, and to object at any time to processing for direct marketing purposes.
  • Right to restrict processing — to ask Us to suspend processing of your personal data in certain circumstances.
  • Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format, where the processing is based on consent or a contract and is carried out by automated means.
  • Right to withdraw consent — to withdraw consent at any time where We rely on it, without affecting the lawfulness of processing carried out before withdrawal. You can exercise any of these rights at any time by contacting the Data Protection Officer (see Section 1.3). Any request will be free of charge. We will respond within one calendar month and may ask you to verify your identity before We act. We may decline to act on, or charge a reasonable fee for, a request that is vexatious or excessive (Data (Use and Access) Act 2025, s.11, amending Article 12 UK GDPR).

14. Changes to This Policy

We keep this policy under regular review. This version was last updated in June 2026. Any changes will be posted on this page and, where appropriate, brought to your attention when you next start the App or log onto the App Site. The new policy may be displayed on-screen and you may be required to read the changes to continue your use of the App or Services.

15. Your Right to Complain

If you have any concern about how We handle your personal data, please contact Our Data Protection Officer in the first instance so that We can try to resolve it. You also have the right to lodge a complaint with a supervisory authority:

  • the Office of the Data Protection Authority (ODPA) in Guernsey, Our lead supervisory authority;
  • the UK Information Commissioner’s Office (ICO), if the App is used in the United Kingdom; or
  • the competent supervisory authority of an EU member state, if the App is downloaded or used elsewhere in the EEA.

16. Glossary - Categories of Personal Data

Identity Data: first name, last name, maiden name, username or similar identifier, title, date of birth, gender, profile picture.

Contact Data: address, email address and telephone numbers.

Financial Data: bank account and payment card details.

Transaction Data: details of payments to and from you and details of in-App purchases.

Device Data: the type of mobile device you use, a unique device identifier, mobile network information, your mobile operating system, the type of mobile browser you use, the country in which your Device is located, connection type, and the App version number.

Profile Data: your username and password, in-App purchase history, your interests, preferences, feedback and survey responses.

Usage Data: details of your use of the App and your visits to the App Site, including traffic and other communication data and the resources you access.

Marketing and Communications Data: your preferences in receiving marketing from Us and Our third parties, and your communication preferences.