We take privacy seriously — especially when the data involved is medical. This policy explains exactly what we collect, why we collect it, who else sees it, and how long we keep it. It's written to be understandable, not just legally watertight.
Who we are
MediGo Lanka ("we", "us", "our") operates the telehealth platform at medigolanka.com, which connects users primarily in the United Kingdom with verified specialist doctors based in Sri Lanka. We are the data controller for personal data collected through the platform. To contact our Data Protection lead, email dpo@medigolanka.com.
Data we collect
Identity & contact: name, date of birth, email, phone, address.
Booking & clinical: appointment history, free-text notes, uploaded medical reports and images (special category data under UK GDPR Article 9).
Account & technical: IP, device, browser, session cookies and pages viewed for security and product analytics.
Payments: card details are handled directly by Stripe — we never see or store full card numbers.
Lawful basis
Performance of contract for delivering the consultation you booked; explicit consent (Article 9(2)(a)) for processing your medical reports and clinical notes; legitimate interests for security, fraud prevention and improving the platform; legal obligation for tax and clinical record retention.
How we use your data
To book and facilitate your consultations; share relevant medical information with the doctor you choose; process payments and refunds; send transactional emails (confirmation, reminder, receipt); respond to inquiries and support tickets; comply with clinical record-keeping obligations; and improve the platform with aggregated, de-identified analytics.
Who we share with
The doctor you book a consultation with (always with your explicit consent at booking). Stripe for payment processing. AWS / Cloudflare for hosting and storage. A transactional email provider (Postmark / Resend / SES). UK and Sri Lankan tax and clinical authorities where required by law. We never sell your data to advertisers or data brokers.
International transfers
Because the doctors are based in Sri Lanka, your data is transferred outside the UK. Sri Lanka does not currently have a UK adequacy decision. We rely on Standard Contractual Clauses (UK addendum) with the medical practitioners and supplementary technical measures including end-to-end encryption of clinical documents.
Retention
Clinical records and consultation notes: 10 years (UK NHS standard for adult records and Sri Lankan medical council guidance).
Uploaded reports: 10 years or until you delete them, whichever is later.
Payment records: 6 years (HMRC).
Marketing email subscription: until you unsubscribe.
Server access logs: 90 days.
Your rights
Under UK GDPR you have the right to access, rectify, erase ("right to be forgotten"), restrict processing, port your data, and object to processing. You also have the right to withdraw consent at any time for processing based on consent. To exercise any of these, email dpo@medigolanka.com — we respond within 30 days. You can also complain to the UK Information Commissioner's Office at ico.org.uk.
Cookies
We use first-party cookies for session management, security and basic, privacy-friendly analytics. We do not use third-party advertising or cross-site tracking cookies.
Children
MediGo Lanka is intended for users aged 18+. Bookings can be made on behalf of children by their parent or legal guardian, who is responsible for providing consent for the minor's data processing.
Changes
We will update this policy from time to time. Material changes will be notified by email to registered users at least 14 days before they take effect.
This privacy policy is provided for informational purposes and is not a substitute for advice from a qualified UK/SL solicitor. Before going live, have it reviewed by a healthcare-specialist data protection lawyer.