Operated by: Nicholas Mohammed trading as H.E.Rv3 ("we", "us", "our")
Address: 2 Goodall Street, Walsall WS1 1QL, United Kingdom
Contact: qnicktech@gmail.com
Effective date: 11 June 2026
1. Who This Notice Is For
This notice applies to:
- Patients whose health records are managed in H.E.Rv3 by a clinic or GP practice
- Clinical and administrative staff who use H.E.Rv3 as part of their role
Your clinic or GP practice is the Data Controller. H.E.Rv3 provides the software as a Data Processor acting on the Controller's instructions. For questions about how your specific clinic uses your data, contact your clinic directly.
2. What Personal Data We Process
For Patients
| Category | Examples |
|---|---|
| Identity data | Full name, date of birth, NHS number, address, telephone, email |
| Health data (Special Category) | Medical history, diagnoses, medications, allergies, lab results, clinical notes, referrals |
| Appointment data | Appointment dates, times, clinician, attendance records |
| Financial data | Billing records, insurance details (where applicable) |
| System data | Log-in timestamps, device type (for access audit purposes) |
For Staff Users
| Category | Examples |
|---|---|
| Identity data | Full name, professional registration number, role, work email |
| Access data | Log-in timestamps, actions taken within the system (audit log) |
| Authentication data | Username, MFA device registration (passwords never stored in plain text) |
3. Legal Basis for Processing
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Electronic health records and clinical workflow | Art. 6(1)(c) — legal obligation; Art. 9(2)(h) — healthcare provision |
| Scheduling and appointments | Art. 6(1)(b) — contract; Art. 9(2)(h) |
| Prescribing and medication management | Art. 6(1)(c) — legal obligation; Art. 9(2)(h) |
| Clinical decision support (AI suggestions) | Art. 9(2)(h). AI outputs are informational only; clinician approval required before recording |
| Billing and invoicing | Art. 6(1)(b) — contract |
| Audit logging | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interests |
| FHIR data export | Art. 6(1)(c) — legal obligation; Art. 20 — data portability |
| System security | Art. 6(1)(f) — legitimate interests |
4. Retention Periods
| Record type | Retention period |
|---|---|
| Adult patient health records | Minimum 8 years from last clinical contact (NHS Records Management Code 2021) |
| Paediatric records | Until the patient turns 25, or 8 years from last contact — whichever is longer |
| Audit logs | 7 years |
| Billing records | 7 years (HMRC requirement) |
| Staff access data | 3 years after end of employment or contract |
5. Who We Share Your Data With
We do not sell your personal data.
| Recipient | Purpose | Safeguards |
|---|---|---|
| AWS (cloud infrastructure) | Hosting and storage | AWS BAA / DPA in place |
| Sentry (error monitoring) | Application error detection | No PHI transmitted |
| AI/CDS provider (where enabled) | Clinical decision support | De-identified prompts only; provider DPA in place |
| Lemon Squeezy (payment processor) | Billing only — name, email, payment details. No PHI transmitted. | Standard Contractual Clauses |
| Clinical team | Providing your care | Role-based access control (RBAC) |
| Regulatory bodies | Where required by law | Only when legally required |
6. International Transfers
We process your data within the United Kingdom. Where third-party providers process data outside the UK, we ensure a UK adequacy regulation is in force or a UK IDTA is in place. AI provider prompts contain de-identified data only.
7. Your Rights
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of your personal data | Contact your clinic or qnicktech@gmail.com |
| Rectification (Art. 16) | Correct inaccurate data | Contact your clinic |
| Erasure (Art. 17) | Delete your data — subject to legal retention requirements | Contact your clinic; clinical records must be retained per Section 4 |
| Restriction (Art. 18) | Restrict processing in certain circumstances | Contact your clinic |
| Portability (Art. 20) | Receive your data in FHIR R4 format | Contact your clinic |
| Object (Art. 21) | Object to legitimate-interests processing | Contact your clinic |
| Automated decisions (Art. 22) | Not subject to purely automated clinical decisions | H.E.Rv3 never makes automated clinical decisions — all AI outputs require clinician approval |
We will respond within one calendar month.
8. Security Measures
- Field-level AES-128 encryption for all health data at rest
- TLS 1.2+ encryption for all data in transit
- Role-based access control (RBAC)
- Multi-factor authentication (MFA)
- Append-only audit log of every PHI access
- Automated vulnerability scanning and patching
9. Changes to This Notice
We will update this notice when our processing changes or when the law requires. Previous versions are available on request.
10. Complaints
You have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF