Privacy Notice

Patientric Limited (“Patientric”, “we”, “us”, “our”) is a UK‑based data insights company providing anonymised and aggregated real‑world healthcare and pharmacy data to clients via our secure analytics platform (referred to as the “Patientric Platform”). We are committed to protecting your privacy and handling all personal data responsibly, lawfully, and transparently.

1. Who we are

Patientric is a company registered in England and Wales (Company No. 13595312), with its registered office at Sentinel House, Ancells Farm Business Park, Harvest Crescent, Fleet, GU51 2UZ. Patientric is registered with the Information Commissioner’s Office (“ICO”) as a data controller for the purposes of data protection law. Our ICO registration reference is ZC089931. This Privacy Notice explains how we collect, use, share and safeguard personal data relating to website visitors, client representatives, suppliers and others who interact with us. This Privacy Notice is kept regularly under review and was last updated on 4 February 2026.  

2. What personal data we collect

We know that legal terms can sometimes feel complex, so we’ve provided explanations below of key terms used in this Privacy Notice.  

“Aggregated data” refers to data that has been combined or summarised such that it no longer identifies you personally. Aggregated data is not considered personal data as long as it cannot be traced back to an individual.  

“Anonymised data” refers to data that has been processed in such a way that it can no longer be used to identify you personally. Once anonymised, the data is no longer considered personal data under data protection laws.

“Consent” refers to when an individual gives agreement which is freely given, specific, informed and is an unambiguous indication of their wishes. It is done by a statement or by a clear positive action in respect of the processing of any personal data relating to them.  

“Criminal convictions data” refers to personal data relating to criminal convictions and offences and includes personal data relating to criminal allegations and proceedings.  

“Data controller” refers to an organisation that determines when, why and how to process personal data. It is responsible for establishing policies and procedures in line with data protection laws.  

“Data processor” refers to an organisation that processes personal data on behalf of a data controller. It is responsible for establishing policies and procedures in line with data protection laws and also its contractual obligations with data controllers.  

“Data protection laws” refers to the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, the Data (Use and Access) Act 2025, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), as well as any other applicable United Kingdom (“UK”) laws and regulations regarding privacy. These laws set out principles for how we must handle your personal data.  

“European Economic Area (“EEA”)” refers to the 27 countries in the European Union (“EU”), Iceland, Liechtenstein and Norway. While the UK is no longer in the EU and EEA, we mention it because sometimes data might be transferred internationally.


“Legitimate interests” refers to when an organisation’s interests are legitimate (as they need to do something to operate) and these interests do not override an individual’s interests or fundamental rights and freedoms.  

“Personal data” refers to any information identifying an individual or information relating to an individual that an organisation can identify (directly or indirectly) from that data alone or in combination with other identifiers that it processes. Personal data includes special category data and criminal convictions data. Personal data excludes anonymous data or data that has had the identity of an individual permanently removed.  

“Process” or “processing” refers to any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties.

“Special category data” refers to information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data of an individual.

3. What is Patientric’s categorisation under data protection laws?

Patientric acts as an independent data controller for the personal data it processes across its operations. This means that we independently determine the purposes for which we collect and use personal data, as well as the means by which that data is processed. We are responsible for ensuring that all personal data is handled in accordance with data protection laws, including the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025.  

Although the datasets used within the Patientric Platform are anonymised and therefore no longer constitute personal data, we still process limited personal data relating to our website visitors, suppliers and representatives of our client organisations. For all such processing, Patientric determines the scope, purpose and lawful basis of the data collection and use.

4. Do we have a Data Protection Officer?

Patientric is not legally required to appoint a Data Protection Officer (“DPO”) under UK data protection laws. We have assessed our business activities against the statutory criteria and confirmed that we do not process large‑scale special category data, nor do we engage in the type of monitoring that would mandate the appointment of a DPO. However, even though a DPO is not required, we are committed to maintaining high standards of privacy and data governance. Patientric has a dedicated Legal & Compliance Team that ensures we handle personal data appropriately and that we meet our obligations under the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025.  

Our Legal & Compliance Team:  

- Oversees our data protection and privacy framework.  
- Reviews the anonymisation and aggregation processes applied before data reaches the Patientric environment.  
- Ensures we maintain strong governance, policies and technical safeguards.  
- Provides ongoing guidance on UK data protection compliance.  
- Acts as a point of contact for privacy‑related queries.  

If you have any questions about how Patientric handles personal data, anonymised data or aggregated data, you can reach our Legal & Compliance Team at legal@patientric.co.uk.  

5. What is our approach to data protection compliance?

Protecting the confidentiality, integrity and security of personal data is central to how Patientric operates. Although the data within our Patientric Platform is anonymised and aggregated, we still apply strong data protection and governance standards to the limited personal data we do handle (such as website, candidate, client and supplier information).

Our compliance approach includes:

Governance and accountability – Our Legal & Compliance Team oversees privacy matters, provides guidance to the business, and ensures we meet our obligations under UK data protection laws.

Privacy by design – We build privacy and security considerations into our systems and processes from the outset. This includes ensuring that any data transferred into the Patientric environment has already undergone appropriate anonymisation and aggregation steps.  

Policies and processes – We maintain documented policies covering data protection and information security.  

Technical and organisational measures – We apply strong access controls, secure infrastructure, encryption in transit, segregation of environments, and regular security reviews. Only authorised personnel can access relevant systems.  

Awareness and compliance culture – Our team is trained to understand and follow our privacy, confidentiality and security requirements.  

Our approach is guided by the core principles of UK data protection law: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability.

6. What types of personal data do we collect?

We may collect the following categories of personal data:

Identity and contact data – Basic details such as your name, job title, organisation, work email address and phone number when you contact us, act as a client representative or engage with us as a supplier.

Profile and account data – Information relating to your interaction with Patientric, including user account details, access permissions and usage logs required for the Patientric Platform support and security.

Financial and transaction data – Billing and invoicing details from client organisations and suppliers, such as purchase order numbers, payment confirmations or business bank information.

Technical and usage data – Information collected when you browse our website or access the Patientric Platform, such as IP address, browser type, device identifiers, and analytics data collected via cookies or similar technologies.  

Communications and marketing data – Records of emails, website enquiries, support requests and marketing preferences.

Special category data (prospective employees only) – If you apply for a role with Patientric, you may choose to provide health information (e.g., details of a disability for interview adjustments). We only process such information where you voluntarily provide it and only for recruitment‑related purposes.

Criminal convictions data (prospective employees only) – For certain roles, we may request a DBS check where legally appropriate. Any such information is handled securely and retained only for as long as necessary.  

7. What about anonymised data?

All data used within the Patientric Platform is anonymised and aggregated before it reaches us. Anonymised data is information that has been processed so that it cannot be used to identify an individual, either directly or indirectly. To achieve this, identifiable details are removed, data is generalised or banded, and individual‑level records are aggregated so they cannot be singled out. We review the anonymisation steps carefully and apply additional safeguards to ensure that no individual can be identified, even when multiple data points are combined from our side.  

Where anonymised datasets are shared within our group or used for analytics, all parties are contractually prohibited from attempting to re‑identify anyone and must use the data only for legitimate analytical or research purposes under strict security and confidentiality requirements.  

We may use anonymised data to analyse trends, support research, improve our services, and generate statistical insights for business planning. As this data cannot identify you, we may use anonymised and aggregated information indefinitely.  We do not share any information that could reasonably be used to identify an individual, and all anonymised‑data sharing is governed by robust agreements that include clear bans on re‑identification and ongoing compliance monitoring.

8. What categories of data subjects do we interact with?

Patientric interacts with a small number of data subject categories, and only processes limited personal data for clear, lawful purposes. We do not process special category data in the Patientric Platform – all datasets used by Patientric are anonymised and aggregated before they reach us.  

Below is a summary of the groups we interact with and the legal bases we rely on.  

Website users  
We collect:  
Technical and usage data (IP address, device type, browsing behaviour via cookies).
Contact data you provide through website forms (name, email, phone).
Communications and marketing preferences.  

The method in which we collect it is:
Automatically through cookies/analytics.
Directly from you when you submit an enquiry or opt into marketing.  

The legal bases that we rely on are:  
Consent – for non‑essential cookies and marketing sign‑ups.
Legitimate interests – to operate, secure and improve our website and respond to enquiries.
Legal obligation – to record and action rights requests where required.  

We only share your personal data with trusted service providers such as website hosts, analytics tools and email delivery platforms.  

Job applicants  
We collect:  
Identity and contact details.
CVs, work history and qualifications.
Special category data you voluntarily provide (e.g., disability information for interview adjustments).
Criminal convictions data, only where a role legally requires a background check.  

The method in which we collect it is:
Directly from you (CVs, interviews).
From third parties with your approval (recruiters, referees, screening providers).  

The legal bases that we rely on are:  
Consent – for special category data.
Contract – to take steps before entering an employment contract.
Legitimate interests – to assess suitability and manage recruitment.
Legal obligation – verifying right‑to‑work or conducting required checks.  

We only share your personal data with recruiters, referees, screening providers and professional advisers, where necessary.  

Client representatives  
We collect:  
Identity and contact data (name, email, job title).
Financial and transaction data for billing and invoicing.
Profile, account, technical and usage data needed to provide Patientric Platform access.
Communications and marketing data to share information about our Patientric Platform and services.  

The method in which we collect it is directly from you.  

The legal bases that we rely on are:  
Contract – to create accounts, provide support and manage the commercial relationship.
Legitimate interests – to maintain security, improve our services and record interactions.
Legal obligation – to meet accounting, tax and audit requirements.  

We only share your personal data with cloud hosting providers, Patientric Platform infrastructure partners, professional advisers, and payment processors.  

Suppliers (including independent contractors)  
We collect:  
Identity and contact information (name, email, job title).
Financial and transaction data for billing and invoicing.  
Communications data.  

The method in which we collect it is directly from you.  

The legal bases that we rely on are:  
Contract – to manage the relationship and process payments.
Legitimate interests – supplier management and due diligence.
Legal obligation – retaining contracts and financial records.  

We only share your personal data with payment processors, accountants, auditors and regulators (only when required).

9. Who do we share your personal data with?

We only share your personal data when necessary and always with appropriate safeguards. Recipients include:  

Technology and IT service providers – Companies that help us operate our website, the Patientric Platform and internal systems; for example, cloud hosting (AWS), infrastructure and deployment services, document storage providers, analytics tools and communication platforms. These providers act on our instructions and must keep your data secure and confidential.  

Professional advisers – Legal, financial and compliance advisers who support us in meeting our regulatory, contractual and business obligations. They may access personal data only where required and are bound by confidentiality.  

Payment processors and banking partners – Where payments are made to or from Patientric (e.g., invoices for client or supplier relationships), payment providers and banks will process the necessary financial details securely.  

Potential buyers or investors – If Patientric is involved in a merger, acquisition or investment process, we may share limited relevant personal data for due diligence. Any such sharing is carried out under strict confidentiality and only where necessary.  

Regulators and authorities – We may disclose data where legally required; for example, to the ICO, HMRC or other government bodies for audits, investigations or compliance checks.

10. How do we ensure that your personal data is protected?

We take security seriously and apply strong technical and organisational measures to protect the limited personal data we handle (e.g., website, candidate, client and supplier information). While the data within the Patientric Platform is anonymised and aggregated, we safeguard all other personal data carefully.  Our key security measures include:

Access controls – Access to personal data is restricted to authorised personnel and contractors on a need‑to‑know basis. User accounts are individual and role‑based.

Secure infrastructure – Our systems are hosted in secure environments (e.g., AWS) using firewalls and network segregation. We use encryption in transit (HTTPS), regular patching, monitoring for suspicious activity and periodic security testing.

Incident response – We maintain a breach response process designed to detect, contain and investigate potential incidents, and to notify individuals or regulators where legally required.

Organisational measures – We maintain policies and procedures, ensure confidentiality commitments are in place, and provide training to our team.  

We review and update these measures regularly to keep pace with evolving security best practices.  

11. How do we protect personal data when it is being transferred across borders?  

Patientric is based in the UK, but some of our trusted service providers operate internationally or use global cloud infrastructure. This means that limited personal data we handle (e.g., website, candidate, client or supplier information) may be stored or accessed outside the UK or EEA.  Whenever personal data is transferred internationally, we ensure it remains protected by applying one or more of the following safeguards:  

Adequacy decisions – We may transfer data to countries that the UK has deemed to provide an adequate level of data protection.  

Data transfer agreements – For countries without an adequacy decision, we use approved contractual safeguards such as the UK International Data Transfer Agreement (“IDTA”) or EU Standard Contractual Clauses (“SCCs”), supported by transfer risk assessments where required.

Explicit consent or legal derogations – In rare cases where no other safeguard is available, we may rely on your explicit consent or on a limited legal exception (e.g., performance of a contract).  

Patientric remains responsible for your personal data wherever it is processed, and we work only with third‑party providers who commit to strong privacy and security standards.

12. How long do we keep data for?

We keep personal data only for as long as it is needed for the purposes for which it was collected, including meeting any legal, accounting or regulatory requirements.  

When setting retention periods, we consider the nature, sensitivity and volume of the data; the purposes for which we use it and whether those purposes can be achieved in another way; and any legal or regulatory requirements that require certain data to be kept for a minimum period.  

Once we no longer have a lawful or business need to retain personal data, we securely delete or anonymise it. In some cases, we may convert information into aggregated or statistical form that cannot identify you; this anonymised data may be retained and used indefinitely for analysis, research or business insights.

13. What rights do you have in respect of your personal data?

Under UK data protection law, you have a number of rights over the personal data we hold about you. Some rights apply in all cases; others depend on the circumstances and may include legal exceptions.  Your rights include:  

Right to be informed – You have the right to understand how we use your personal data. This Privacy Notice forms part of that obligation, but you can contact us with any additional questions.  

Right of access – You can request a copy of the personal data we hold about you, along with information about how we use it. We will provide this free of charge unless a request is clearly unfounded or excessive.  

Right to rectification – If any personal data we hold is inaccurate or incomplete, you can ask us to correct or update it.

Right to erasure – You may ask us to delete your personal data in certain circumstances. This right is not absolute – if we are legally required to retain certain information (for example, for tax or accounting purposes), we may not be able to delete it immediately. We will explain what can and cannot be erased when you make your request.  

Right to restrict processing – You can ask us to temporarily stop using your data if you contest its accuracy, object to our processing, or believe we no longer need it, but you require it for a legal claim.  

Right to data portability – Where our processing is based on consent or contract and carried out by automated means, you can request your personal data in a structured, commonly used, machine‑readable format or ask us to transfer it to another organisation. This right applies only in limited cases.  

Right to object – You can object to our processing of your personal data where we rely on legitimate interests. If you object to direct marketing, we will stop immediately.  

Rights relating to automated decision‑making – Patientric does not make decisions about you based solely on automated processing that have legal or significant effects. If this ever changes, we will ensure you are informed and that appropriate safeguards, including human review, are provided.  

How can you exercise your rights?  
You can exercise any of your rights by contacting our Legal & Compliance Team at legal@patientric.co.uk.  We may need to ask for basic information to verify your identity before responding, to ensure that we do not disclose personal data to the wrong person.  

When will we respond?  
We aim to respond within one month of receiving your request. If the request is complex or you have made several requests, we may extend this by up to two further months but we will always inform you within the first month if an extension is needed.  There is generally no fee, unless a request is clearly unfounded or excessive.  

Concerns or complaints  
If you have concerns about how we handle your personal data, please contact us first — we are committed to resolving issues promptly. You also have the right to lodge a complaint with the ICO at https://www.ico.org.uk.  

14. What other links and features are on our website?

Our website may contain links to third-party websites, plug-ins, or applications (e.g., links to our social media pages on LinkedIn) for you to follow us. If you click on those links or enable those connections, third parties may collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website or service you visit. This Privacy Notice applies solely to Patientric.

15. How do we use your personal data in our marketing practices?

We may use your personal data (such as your contact details and engagement history) to send you updates about our services that we believe may be relevant or useful to you. We keep marketing communications minimal and focused.

We may contact you if:
You have requested information from us or consented to receive marketing; or
You represent a client or supplier, and we rely on our legitimate interests to share updates about similar services you use or have shown interest in.
You will always have the option to opt out.  

We do not share your details with third parties for their own marketing. We do not send third‑party marketing unless you have explicitly consented.  

You can opt out at any time by:
Clicking “unsubscribe” in any marketing email; or
Letting us know that you do not wish to receive marketing calls.  

We will always respect your choice.

16. Want to get in touch with us?

We review and update this Privacy Notice regularly to reflect changes in our services or legal requirements. We encourage you to check it from time to time. If we make any significant updates, we may notify you directly (for example, by email or by posting a clear notice on our website).  

If you have any questions about this Privacy Notice, how we handle personal data, or your rights, our Legal & Compliance Team is here to help. We welcome questions, concerns and feedback about our privacy practices. You can contact us by email at legal@patientric.co.uk and you can also write to us at Patientric Limited, Sentinel House, Ancells Farm Business Park, Harvest Crescent, Fleet, GU51 2UZ, United Kingdom.  

We take privacy and data protection seriously and are committed to ensuring your information is handled responsibly and transparently.