Your privacy isn't just a legal obligation—it's a sacred trust. In healthcare, privacy can mean the difference between a patient seeking help or suffering in silence. At Tublat Ltd, we understand this profound responsibility. This Privacy Policy explains how we collect, use, protect, and respect your personal data with the care it deserves.
1. Our Privacy Promise
We believe privacy is a fundamental human right. Every decision we make about data processing starts with a simple question: "Would we be comfortable if this were our own health information?" This philosophy guides everything we do.
We are committed to full transparency. We never sell your personal data. We minimize data collection to what's essential. We protect your information with state-of-the-art security. And we empower you with control over your own data.
Your data belongs to you. We are merely its custodians, trusted to protect it while you use our services.
2. Data Controller
Tublat Ltd, registered in England and Wales with offices at 40 Bowling Green Ln, London EC1R 0NE, United Kingdom, is the Data Controller for information collected through our websites and marketing activities. For patient data processed through the KlinicUp platform, healthcare providers remain the Data Controllers, and Tublat Ltd acts as a Data Processor on their behalf.
3. What Data We Collect
We collect information necessary to provide our services and improve your experience. We never collect more than we need.
Information You Provide
- Account information: name, email address, phone number, professional credentials
- Billing information: payment details, billing address, tax identification numbers
- Clinical data: patient records, appointments, medical documents (entered by healthcare providers)
- Communications: support inquiries, feedback, and survey responses
Information We Collect Automatically
- Usage data: features used, time spent, interaction patterns (anonymized)
- Device information: browser type, operating system, device identifiers
- Log data: IP addresses, access times, pages viewed, error reports
Sensitive Health Data
- Patient health records are processed only on behalf of healthcare providers
- We implement additional safeguards for special category data under GDPR
- Access to health data is strictly limited and logged for audit purposes
4. How We Use Your Data
We use your information only for legitimate purposes that benefit you and improve healthcare delivery:
- Providing and maintaining the KlinicUp platform and its features
- Processing transactions and sending billing notifications
- Communicating important updates, security alerts, and support responses
- Improving our services through anonymized analytics and user feedback
- Ensuring security, detecting fraud, and preventing abuse
- Complying with legal obligations and protecting our legal rights
5. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your data based on the following legal grounds:
- Contract Performance: Processing necessary to provide our services to you
- Legitimate Interests: Improving our services, preventing fraud, and ensuring security
- Legal Obligation: Complying with applicable laws and regulations
- Consent: Where you have given explicit consent for specific processing activities
6. Data Sharing
We do not sell, rent, or trade your personal information. We share data only in limited circumstances, and may share information with:
- Service providers who assist us (hosting, payment processing, customer support) under strict confidentiality agreements
- Legal authorities when required by law, court order, or to protect rights and safety
- Business successors in the event of a merger, acquisition, or asset sale (with advance notice)
All third-party service providers are carefully vetted and contractually bound to protect your data.
7. International Data Transfers
Your data may be processed in countries outside your residence. We ensure adequate protection through Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms under GDPR, UK GDPR, and equivalent frameworks.
Our primary data centers are located in the European Union, with backup facilities in secure jurisdictions. We never transfer data to countries without appropriate safeguards.
8. Data Retention
We retain your data only as long as necessary for the purposes outlined in this policy or as required by law. Account data is retained while your account is active and for a reasonable period thereafter to allow you to reactivate.
Patient health records are retained according to healthcare regulations in your jurisdiction, typically ranging from 5 to 30 years depending on the type of record and local requirements. When data is no longer needed, it is securely deleted or anonymized.
9. Your Rights
You have significant rights regarding your personal data. We respect and facilitate these rights:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data under certain circumstances
- Right to Restriction: Limit how we process your data
- Right to Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent: Revoke consent at any time without affecting prior processing
To exercise your rights, contact us at hello@tublat.com. We respond to all requests within 30 days. Some rights may be limited where required by law or to protect the rights of others.
10. Data Security
We implement comprehensive security measures to protect your data:
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Access Controls: Role-based permissions, multi-factor authentication, audit logging
- Infrastructure: SOC 2 certified data centers, regular penetration testing, 24/7 monitoring
- Personnel: Background checks, security training, confidentiality agreements
11. Children's Privacy
Our services are designed for healthcare professionals and are not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately for deletion.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or prominent notice on our platform at least 30 days before they take effect. We encourage you to review this policy periodically.
13. Contact & Complaints
For privacy inquiries, data requests, or complaints, contact our Data Protection Team at hello@tublat.com. We are committed to resolving concerns promptly and respectfully.
You also have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO). In the EU, contact your national supervisory authority.