MedicBank Privacy Policy

Effective Date: [01/01/2025] (Version 2)

Last Updated: [01/01/2025]

Introduction and Scope

MedicBank is committed to protecting your privacy. This Privacy Policy explains how MedicBank Healthcare Limited (“MedicBank,” “we,” “us,” or “our”) collects, uses, discloses, and protects information that can identify you (“Personal Data”) in connection with our website, mobile application, and services (collectively, the “Service”). It also describes your rights and choices regarding your Personal Data and how you can contact us about our privacy practices.

This Privacy Policy applies to all users of MedicBank’s platform worldwide, including healthcare professionals (“Candidates”), staffing agencies (“Agencies”), healthcare facilities (“Facilities”), and public reviewers, as well as visitors to our website. It covers Personal Data we collect through our Service, and in related communications (such as emails or support calls). It does not apply to any third-party websites or services that you may access through MedicBank, which are governed by their own privacy policies.

By using the MedicBank Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service. We encourage you to read this policy in full to understand our practices. This Privacy Policy is incorporated into and governed by our Terms of Use.

Important Note for Agency and Facility Users: If you are using MedicBank on behalf of a company (e.g., as an employee of an Agency or Facility), this Privacy Policy applies to Personal Data about individuals (such as yourself and any candidates or contacts) that is collected through the platform. Additionally, your company is responsible for its own compliance with data protection laws regarding any Personal Data it obtains via MedicBank. For example, if a Facility downloads a Candidate’s CV and processes it outside our platform, the Facility is independently responsible for that data processing.

Data Protection Laws: MedicBank is based in the UK and our data practices are designed to comply with the EU and UK data protection laws, including the EU General Data Protection Regulation (EU GDPR) and the UK GDPR as defined by the UK Data Protection Act 2018. We also strive to honor privacy rights under other applicable regimes (such as the California Consumer Privacy Act for U.S. users, described later in this Policy). We will update this Policy from time to time to reflect changes in law or our services.

1. Information We Collect

We collect several categories of information from and about users of our Service, including:

1.1 Information You Provide to Us Directly:

When you use MedicBank, you may provide certain Personal Data voluntarily, including:

  • Account Registration Data: When you create an account, we collect information such as your name, email address, phone number, username, password, and your role (Candidate, Agency, Facility representative, or Reviewer). Facilities and Agencies may provide business contact details (company name, address, your professional title, etc.). We may also collect profile photos or logos that you upload.

  • Profile and Resume Data (Candidates): As a Candidate, you may provide additional personal details such as your professional qualifications, certifications or licenses, employment history, education, skills, specialty (e.g. nursing, therapy), and any other information typically found on a CV or job application. You can also provide preferences like desired shift times or locations. Important: Please do not include sensitive personal data on your profile or CV unless necessary (for example, information about health, racial/ethnic origin, or other special categories should generally not be needed for job matching; if you volunteer such information, you are consenting to its processing as described in this Policy).

  • Job and Shift Information (Facilities/Agencies): When Facilities post job openings or shifts, they provide details about the role, location, requirements, pay rates, and potentially contact info for the job poster or hiring manager. Agencies may also input information about candidate profiles they manage or positions they are filling.

  • Messages and Communications: The content of communications you send through MedicBank (such as messages with other users or with MedicBank support) will be collected. This may include any personal data you choose to share in those communications.

  • Reviews and Feedback: If you are a Reviewer posting a public review of a Facility, we collect the information you include in that review. This typically includes your rating, comments about your experience, and optionally a review title. We will also capture the date/time of the review and associate it with your account. Keep in mind that reviews are public; do not include personally identifying information about yourself or others in a review that you aren’t comfortable sharing publicly.

  • Payment Information: If you make or receive payments through MedicBank (such as purchasing a subscription or a Facility paying a Candidate/Agency for a shift via the platform), our payment processor will collect your payment details. This may include credit card numbers or bank account information and billing address. Note: MedicBank itself does not store your full payment card details on our servers; these are handled by our third-party payment providers. However, we may keep records of transactions (amount, date, parties, and partial card information such as last four digits).

  • Customer Support Information: If you contact us for support or to report an issue, we will collect the information you choose to provide (such as your contact information and a description or screenshot of the problem). We may also collect metadata about your support request (e.g., the time of contact and our subsequent communications with you).

1.2 Information We Collect Automatically:

When you use our Service (whether via website or app), we and our third-party analytics providers automatically collect certain information about your device and usage of the Service:

  • Usage Data: We log usage information such as the pages or screens you view, the features you use (e.g., submitting an application, posting a review), the links you click, and the time and duration of your activities. For example, we may record that a Facility user logged in and viewed X number of candidate profiles on a given day.
  • Device and Technical Data: We collect information about the device and software you use to access the Service. This includes IP address, browser type, device type (e.g., iPhone, Android, PC), operating system version, device identifiers, and possibly device sensor information (like orientation or touch events, if relevant to features).
  • Location Data: We may collect or infer information about your general location. We do not continuously track GPS location in the background, but if you are using the mobile app and permit location services, we might use your precise location to show nearby job opportunities or to enhance map-related features. Otherwise, location may be inferred from your IP address (which gives a general location, not exact). For the public Facility directory, we collect the location of Facilities from public sources or user input, not from user devices.
  • Cookies and Similar Technologies: We use cookies, web beacons, and similar tracking technologies (described in Section 3 below) to collect information about your interactions with our Service. This includes your preferences (e.g., language, saved login state) and analytics information (e.g., which website you came from, how long you stay on a page, etc.).

1.3 Information from Third Parties:

We may receive information about you from third-party sources, such as:

  • Public Sources & Directories: We pre-list certain Facility profiles on our platform using public information (e.g., a care home’s name, address, phone number, and publicly available images or descriptions from its website or public databases). If you are associated with a Facility that is listed, this means some basic business contact info may be on our platform without you having provided it directly (since it’s public). Facility representatives can claim or update these profiles.

  • Verification Services: We might use third-party verification services or databases to confirm professional licenses, certifications, or identities of users (particularly for Candidates). For example, we could use a nursing license registry API to verify that a candidate’s nursing license number is valid.

  • Platform Integrations: If you integrate or link a third-party service with MedicBank (for example, if we allow “Sign in with Google” or pulling data from a LinkedIn profile), we will receive information from that third party according to your permissions. Similarly, if a Facility invites you to MedicBank by providing your email address through our invite feature, we receive your email from them.

  • Other Users: Sometimes other users provide information that includes you. For example, an Agency might enter details about a Candidate into the platform (if the Candidate gave them permission), or a reviewer might mention the first name of a staff member at a Facility in a review. We generally discourage sharing personal data of others without consent, and our Acceptable Use Policy prohibits certain disclosures, but some information could be provided by others.

  • Cookies from Third Parties: We might get information from third-party analytics and advertising partners via cookies and trackers on our site (e.g., Google Analytics might provide aggregated demographic info or interest categories based on your browsing).

We treat any combined information (e.g., linking your activity data with your account details) as Personal Data under this Privacy Policy. Where applicable law requires, we will obtain your consent or provide necessary notices for the collection of Personal Data. For instance, where consent is required for certain cookies or for using your precise location, we will only do so if you have given consent.

2. How We Use Your Information

MedicBank uses the collected information for the following purposes (each aligned with a lawful basis under applicable data protection law such as GDPR):

2.1 To Provide and Maintain the Service (Contractual necessity):

We use Personal Data to operate the platform’s core functionality that you or your organization have requested. This includes:

  • Creating and managing your account, authenticating your logins, and remembering your settings.

  • Facilitating connections between users (e.g., showing Candidate profiles to Facilities/Agencies and vice versa, delivering messages between users).

  • Enabling job posting, search, and matching features, including recommending candidates for a job or jobs for a candidate.

  • Allowing you to complete transactions, such as subscribing to a plan or processing staffing payments. (For example, we use your provided payment info to charge fees and pay out to providers as needed.)

  • Providing customer support and responding to your inquiries. If you contact us about an issue with the Service, we will use your information to troubleshoot and assist you.

Without this data, we cannot provide the requested services. For example, we need profile and resume data to introduce candidates to employers; we need contact details to communicate with you about your account.

2.2 To Improve, Personalize, and Develop the Service (Legitimate interests / Contractual where applicable):

We are continually working to make MedicBank better for our users. We use the information we collect to:

  • Understand usage and performance: We perform analytics on how users navigate and use our platform in order to identify trends and usage patterns. This helps us optimize user experience, such as improving user interface flows, fixing technical issues, and ensuring the platform is stable and secure. For instance, we might measure how long users spend on creating a job post to see if the form can be simplified.

  • Develop new features and services: By analyzing what users need and how they use MedicBank, we can develop new functionalities. For example, if we notice many users manually searching for certain schedule information, we might develop a feature to automate that.

  • Personalize your experience: We may use collected data to tailor the content you see. This could include suggesting relevant job opportunities to Candidates, recommending potential candidates to a Facility, highlighting Agencies to Facilities for partnership based on specialization or geography, or customizing the order of search results. Personalization may be based on your profile, activity, and similar users’ behavior.

  • Conduct research and data analysis: We might aggregate and anonymize data to generate insights about healthcare staffing trends. For example, using the data across users, we may produce statistical reports on demand for certain specialties in specific regions. These insights help us and our users (we might share such anonymized trends with Facilities or publish industry reports). Any research or analytics output would not identify individuals.

  • Internal AI/algorithms: As noted, we use AI models to predict staffing needs or provide smart suggestions. We feed internal usage data into these models. The use of AI might involve profiling (analyzing user attributes to categorize or predict preferences), but it does not result in any decision that significantly affects individuals without human review. It’s mainly to support our users (e.g., “We predict an upcoming shortage of registered nurses next month in your area” or automatically ranking candidate profiles by likely fit).

  • Quality control: We may monitor certain transactions or communications on the platform to ensure everything is working correctly and users comply with our policies. This can also help in training our support staff or improving automated moderation tools.

Our use of data for improvement and personalization is balanced against your privacy rights. We take steps to minimize privacy impact, such as using aggregated data for analysis, and providing opt-outs where feasible (e.g., see Section 7 on how you can opt out of certain analytics or profiling).

2.3 To Communicate with You (Contractual necessity for service communications; consent or legitimate interests for marketing):

We use contact information to send various types of communications:

  • Service and Transactional Communications: We will email or message you to confirm your account registration, notify you of important account or service updates, send invites you request (e.g., an Agency inviting a Candidate), and to inform you of job applications or shift status (e.g., “Your application was viewed,” “You have a new message,” or “Reminder: you have a shift tomorrow”). These are necessary to provide the services and you typically cannot opt out of such messages, as they are not promotional in nature.

  • Announcements and Administrative Messages: We may inform you of changes to our Terms or Privacy Policy, security alerts, or technical issues (e.g., downtime notices, software updates). These are important notices and not marketing.

  • Marketing and Promotional Communications: We may send you newsletters, research reports, event invitations, or other marketing content about MedicBank’s services or related opportunities, if you have opted in or if it’s otherwise permitted. For example, if you are a Facility contact, we might email you about new features for employers; if you are a Candidate, we might send tips for improving your profile. We may also send promotional communications about third-party services that integrate with MedicBank, but we won’t share your contact with third parties without consent – rather we’d include their offer in our own communication. You have the right to opt out of marketing emails at any time (see Section 7.2). We include an “unsubscribe” link in such emails for your convenience.

  • Surveys and Feedback Requests: Occasionally, we may send requests for you to participate in user surveys or provide feedback on your experience. Responding is optional, but your feedback helps improve our service.

2.4 For Safety, Security and Legal Compliance (Legal obligations or Legitimate interests):

We use information to keep our platform safe, secure, and compliant with laws:

  • Fraud and Abuse Prevention: We monitor for suspicious activities on the platform to prevent fraud, spam, and abuse. For example, we might use automated systems to detect accounts with unusual activity patterns that could indicate a bot or scam. We may also use information like device identifiers or IP addresses to block known malicious actors or prevent a banned user from re-registering.

  • Enforcing our Terms and Policies: Information is used to investigate and address violations of our Terms of Use or Acceptable Use Policy. For instance, if we receive reports of a user posting inappropriate content or circumventing fees, we will review the relevant data (such as messages or logs) to verify and take action. We may also use automated content scanning (e.g., for malware or forbidden terms) as part of our efforts.

  • Legal Compliance: We process data as required to comply with applicable laws and regulations. For example, retaining transaction records for accounting and tax compliance, responding to lawful requests by public authorities, or keeping records as required under labor or healthcare regulations. If we process personal data classified as special category (e.g., health data like vaccination status if provided, or data about criminal convictions for background checks), we do so in compliance with stricter requirements and only with appropriate bases (such as explicit consent or where necessary for substantial public interest under law).

  • Protecting Rights and Interests: We may process and preserve data to establish, exercise or defend legal claims. For example, if a dispute arises or we face a legal claim, we might retain relevant communications or logs to demonstrate what happened. We will also use data to protect the rights, property, or personal safety of MedicBank, our users, or the public as required or permitted by law. This could include sharing information with law enforcement if we believe someone is causing harm or engaging in illegal activities.

If we need to use your information for a purpose that is materially different from the purposes listed in this Policy, we will update this Policy and, if required by law, seek your consent or provide you with the opportunity to opt out.

Legal Bases (for users in the EU/UK): We rely on several legal grounds for processing Personal Data:

  • Contract: Much of our processing is to fulfill our contract with you (Terms of Use) or in preparation to do so at your request (e.g., when you register and input data to use our service).

  • Legitimate Interests: We process certain data for our legitimate interests in providing a safe, effective, and innovative platform, in a manner that does not outweigh your privacy rights. We carefully consider and balance any potential impact on you and your rights.

  • Consent: In some cases we rely on consent, for example for sending marketing communications to individuals or for using certain cookies. Where we rely on consent, you have the right to withdraw it at any time.

  • Legal Obligation: When we have a legal duty, we process data to comply (e.g., complying with tax law or a court order).

3. Cookies and Tracking Technologies

MedicBank uses cookies and similar tracking technologies on our website and app to provide and improve our Service, as described below. For more detailed information, please see our separate Cookie Policy.

3.1 What are Cookies:

Cookies are small text files that websites send to your device (computer, smartphone, etc.) when you visit. They are stored by your web browser and often contain an identifier used to recognize your browser later. Cookies can be “first-party” (set by us) or “third-party” (set by other domains with our permission, like analytics or advertising partners).

We also may use related technologies like web beacons (tiny graphic images in emails or on pages that track if they’ve been viewed) and software development kits (SDKs) in our mobile app for similar purposes.

3.2 Categories of Cookies We Use:

MedicBank uses cookies for various functions, which can be categorized as:

  • Strictly Necessary Cookies: These are essential for the operation of our Service. They include, for example, cookies that allow you to log in, keep you logged in across page requests, or keep track of actions in a transaction (like remembering items you have in a shift bidding “cart”). Without these cookies, some parts of the Service would not work. Because they are necessary, we use them without requiring consent, but you can still block them via browser settings (though doing so may break the Service functionality).

  • Functionality Cookies: These cookies allow us to remember choices you make to provide a more personalized experience. For instance, a cookie might remember your preferred language or that you dismissed a pop-up so it doesn’t show again. While not strictly necessary, these enhance your experience. If disabled, some preferences (like auto-login or UI customizations) might not persist.

  • Analytics/Performance Cookies: We use analytics cookies to collect information about how visitors use our site, which pages are popular, or if certain emails were opened. For example, we use Google Analytics to understand overall user behavior on our platform. These cookies collect information in an aggregate form (e.g., total number of visitors, time spent on a page). We use this data to improve our Service’s performance and design. We may also use tools to track how far users scroll or where they click on a page to improve UI (these are sometimes called user experience analytics). We treat analytics data as personal data if it’s linked to user identifiers.

  • Advertising/Marketing Cookies: MedicBank currently does not host third-party ads on our platform in the way consumer sites do. However, if we run any promotional campaigns or retargeting (for example, showing MedicBank ads on other platforms like LinkedIn or Facebook to people who visited our site), then cookies from those third-party services might be used. These cookies track your browsing to help deliver more relevant ads to you on other sites. They might also cap how many times you see an ad. You can usually opt out of targeted advertising via those third parties. We will obtain consent before using any non-essential advertising cookies, especially in jurisdictions where required (EU/UK).

  • Third-Party Embedded Content: When we embed content from third-party services (like a map from Google Maps or a video from YouTube) on our site, those providers may set cookies. For example, Google Maps may set cookies to remember preferences or track usage of their maps on our site. These cookies are set by the third party, and we don’t control them. However, we ensure not to embed such content without letting you know, and where necessary, we’ll use techniques to obtain consent for those (like a notice before loading an embedded map if required). Use of Google Maps on our site is subject to Google’s terms, as noted in our Terms of Use, and Google’s cookies are governed by Google’s privacy policy.

3.3 Consent and Choices:

When you first visit our website (from certain regions), you will see a cookie banner or notice that explains our use of cookies and asks for your consent for certain types (like analytics or marketing cookies). You can choose to accept or reject these. If you ignore the banner and continue using the site, we will treat that as implied consent only for categories allowed by law to assume consent (in some places, strictly necessary cookies can be set without a click, but analytics might require opt-in – we will follow applicable law). You can manage your cookie preferences at any time by using our [Cookie Settings] tool (if provided) or by adjusting your browser settings to refuse cookies. Most browsers allow you to block or delete cookies. However, be aware that if you block all cookies, some features of MedicBank may not function properly (e.g., you might not be able to log in or maintain sessions).

3.4 Do Not Track:

Some browsers have a “Do Not Track” (DNT) feature that lets you tell websites you do not want to be tracked. Currently, there is no consensus on how to interpret DNT signals, so like many websites, MedicBank does not respond to DNT signals specifically. We instead provide the cookie controls described above.

3.5 Analytics Opt-Out:

For Google Analytics, you can install Google’s opt-out browser add-on if you don’t want analytics collected by Google Analytics JavaScript. We respect such choices. Additionally, if we send marketing emails, we may use analytics to see if you opened them; you can opt out of marketing communications altogether to avoid that (see 7.2 below).

For more details, including a list of cookies used on our site and their purposes and lifespans, please see our Cookie Policy document. By using our Service, you consent to the use of cookies and similar technologies as described in this Policy and the Cookie Policy.

4. How We Share Your Information

MedicBank will not sell your personal information to third parties. We only share information in the following circumstances:

4.1 Sharing with Other Users of the Platform:

MedicBank is a networking and staffing platform, so certain information needs to be shared with other users to fulfill the platform’s purpose:

  • Candidate to Facility/Agency: If you are a Candidate (or an Agency submitting a Candidate), your profile information, including personal data like your name, qualifications, work history, and any documents you upload (e.g. CV, certifications), will become visible to relevant Facilities or Agencies. This can happen when you apply for a job, when an Agency you’ve signed up with presents you to a Facility, or in some cases if you have a public profile visible to recruiters on the platform. Your contact information (email, phone) is not revealed to other users until a later stage (for instance, when a Facility is ready to contact or hire you, we may share your email or facilitate contact via the platform). We allow you to control some visibility settings in your account preferences (for example, you might hide your profile from certain recruiters, if that feature is supported).

  • Facility/Agency to Candidates: If you are a Facility or Agency user, some of your information is shared with Candidates or others. Facility profiles are public in the directory by default, showing the Facility name, location, and other details (often these are not personal data, but if an individual’s name or work contact is part of the profile, that is visible). If a Candidate is in communication with a Facility or Agency about a job, we will share the necessary contact info with the Candidate (e.g., the name and title of the hiring manager or recruiter, and possibly work contact details) so they know who they are dealing with. Similarly, Agencies might have profiles highlighting key team members or points of contact – those could be visible to prospective candidates or facilities.

  • Reviews Visibility: If you post a review, it is public on the Facility’s profile page. We will show your display name (which might be your first name and last initial, or a chosen alias if we allow that) next to the review. We will not publish your full name or contact. In some cases, we might verify that a reviewer had an actual experience (for example, linking a review to a confirmed shift or an invitation code). If you’re an employee reviewing your employer, it might be semi-anonymous (the employer sees the review but might not know which employee you are unless you’ve made it obvious in content).

  • Messages: Messages you send privately are only shared with the intended recipient(s). However, be aware that recipients could share the content of messages outside the platform (MedicBank can’t control what a user does with information you send them).

  • Public Information: Any information you post on public-facing areas of the Service (like the Q&A forums or comments, if such features exist outside of reviews) will be visible to others. Assume it can be read by any visitor or user.

4.2 Service Providers and Partners:

We employ third-party companies and individuals to help us operate the Service or perform functions on our behalf (“Processors”). They are contractually obligated to only use personal data as needed to provide services to us and to keep it confidential. Key types of service providers include:

  • Hosting and Infrastructure: Cloud hosting providers (such as Amazon Web Services or similar) that store our databases and run our application. They technically have access to data for storage and backup.

  • Payment Processors: (e.g., Stripe, PayPal, or banking partners) that handle payment transactions on our behalf. They receive billing information and process payments securely. They are PCI-DSS compliant and authorized to process your payment data. MedicBank itself doesn’t see full card numbers handled by them.

  • Email and Communication Providers: Services we use to send emails, SMS, or in-app notifications to you (e.g., SendGrid for emails, Twilio for SMS). They will process your contact info and message content to deliver it.

  • Analytics and Performance Tools: Third parties that provide analytics services (Google Analytics, etc.) will receive certain usage and device data as described in Section 3. We may also use tools like crash reporting services (to get reports if the app crashes on your device, including device information and logs).

  • Verification and Background Check Services: If we use external services to verify identities, licenses, or run permitted background checks (with your consent where required), we share necessary data (like name, ID details) with those providers and they return a result (e.g., verification status, or background report) to us.

  • Customer Support Tools: If you interact with our support, your data might pass through support software (like Zendesk, Intercom, or a similar CRM tool) that helps us manage communications.

  • Marketing and Advertising Partners: If we engage in marketing, we might share some limited data with marketing platforms to better target or measure our campaigns. For example, we might upload a list of business emails to LinkedIn or Facebook to create a “custom audience” (where allowed) to send MedicBank ads to those users (the platform hashes the data and matches internally). Or we might use a tool to send newsletters and track engagement.

In all cases, we choose reputable providers and share the minimum information necessary. Our contracts with them include data protection clauses to safeguard your data.

4.3 Corporate Transactions:

If MedicBank is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of such a transaction. For instance, if another company acquires MedicBank or its assets, personal data held by MedicBank will likely be one of the transferred assets. In such cases, we will ensure the recipient agrees to respect your Personal Data in a manner consistent with this Privacy Policy. We will also provide notice (e.g., via email or a prominent notice on our Service) if your data becomes subject to a new privacy policy due to a change in ownership.

4.4 Legal and Safety Disclosures:

We may disclose your information if required to do so by law or in a good-faith belief that such action is necessary:

  • Compliance with Laws: If we receive a subpoena, court order, or other legal process requiring disclosure, we may disclose data as needed to comply. We will attempt to notify you of such requests when allowed, and if we deem it appropriate, to give you a chance to object (except in an emergency or where prohibited by law).

  • Enforce Our Rights: We might disclose data when necessary to enforce or apply our Terms of Use or other agreements, or to investigate potential violations.

  • Protect Users, You, or Others: If we believe disclosure is necessary to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual illegal activity, we may share information with appropriate authorities. For example, if we suspect that someone is engaging in human trafficking or abuse via our platform, we would inform law enforcement.

  • Fraud Protection: We may exchange information with other companies and organizations for the purposes of fraud protection and credit risk reduction (for example, to detect and prevent cybercrime or to investigate a data security incident). These disclosures will be made in accordance with applicable laws and regulations. We try to limit the scope of data shared to what is necessary in each specific situation.

4.5 With Your Consent or At Your Direction:

In certain situations, we may share information based on your explicit consent or request. For instance:

  • If you ask us to share your information with a third-party career service or staffing partner, we will do so with your consent.
  • If you use an integration that requires sending your data to another service, we will do so at your direction (e.g., exporting your MedicBank profile to another platform).
  • We might publish personal testimonials or user success stories on our site, but only with consent. If we want to use your name, photo, and story, we’ll ask you first.
  • If none of the above conditions for sharing apply, we will contact you to explain why sharing is proposed and obtain consent as needed.

4.6 Anonymized or Aggregated Information:

We may share information that has been anonymized (de-identified) or aggregated so it no longer can be used to identify an individual.

This is not Personal Data anymore. For example, we might share statistics like “X% of shifts are filled within 48 hours in London” or average ratings in an area, or we may share user demographic insights in aggregate with a partner. Such information could be used in industry reports, research, or with prospective business partners or investors. We ensure that this data cannot be re-associated with any individual by reasonable means.

We do not sell personal data to data brokers or advertisers. We do not share your contact details with third parties for their independent direct marketing (unless you separately consent with them; for example, if you sign up for a webinar co-hosted with a partner, you will be told that the partner will get your info).

If in the future we ever wish to share data in a way that is materially different from the above, we will update this Policy and obtain any necessary consent.

5. International Data Transfers

MedicBank operates in and outside of the United Kingdom, and we have users globally. Your Personal Data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country (and in some cases may not be as protective).

5.1 Our Locations:

Our main operations and data centers are in the United Kingdom and the European Economic Area (EEA). However, some of our service providers (see Section 4.2) are based in the United States and other countries. Also, as a global platform, personal data (like profile information) may be accessed by users in different countries (for example, a Facility in the UK viewing a Candidate’s profile who resides in India). When we transfer personal data out of the UK or EEA, we take steps to ensure appropriate safeguards are in place:

  • If we transfer data to the US or other countries that the European Commission (or UK authorities) has not deemed to have an “adequate” level of data protection, we rely on mechanisms like the European Commission’s Standard Contractual Clauses (SCCs) with the recipient to ensure your personal data remains protected. These are contractual commitments binding the recipient to protect your data according to EU/UK standards.

  • We may also rely on the fact that some of our US service providers are certified under frameworks like the EU-U.S. Data Privacy Framework (if applicable and approved) or similar frameworks that facilitate lawful transfer.

  • In some cases, we rely on an adequacy decision: for example, transfers from the EU to the UK are permitted because the EU has deemed UK law adequate. Similarly, if you are in a country like Canada or Japan, your data might move to the UK, which is allowed by your local rules if they consider the UK adequate.

  • We also consider additional measures as needed (like encryption in transit and at rest, minimization of data transfers, and careful review of government access laws in the destination country) as recommended by regulators to ensure that the data is afforded essentially equivalent protection to EU/UK standards.

5.2 Your Rights and Transfer Complaints:

If you would like more information about the global handling of your data, or to obtain a copy of the relevant transfer mechanism (such as executed Standard Contractual Clauses) for your data, you can contact us (see Section 11). We will respond to legitimate requests and can provide an overview of the safeguards in place. If you believe your data was transferred in violation of applicable privacy law, please inform us. Users in the EU/EEA or UK also have the right to complain to their country’s Data Protection Authority about cross-border transfers (see Section 7.3 for contact info).

5.3 Local Storage:

Note that by using the MedicBank Service, you understand that your data will be transferred to our facilities and those of third parties as described. If you do not want your data to leave your country or you are not satisfied with our safeguards, you should refrain from using our Service. However, we welcome any questions or concerns you have so we can address them.

6. Data Retention

We retain your Personal Data for as long as necessary to fulfill the purposes for which we collected it, including for satisfying any legal, accounting, or reporting requirements.

6.1 Active Accounts:

If you have an active account with us, we will typically retain your information for as long as your account is active or as needed to provide you services. For example, your profile and posted content remain available until you delete them or request deletion of your account.

6.2 Inactive Accounts:

If you stop using MedicBank or your subscription expires, we may retain your account information for a reasonable period in case you reactivate. For instance, if a Candidate has not logged in for a year, we may deactivate the account but keep data for another year in case they return, unless they request deletion sooner. We will periodically review and delete or anonymize data from accounts that have been inactive for extended periods as appropriate.

6.3 Content and Reviews:

Content you have posted (like reviews) may be kept available to other users even if you deactivate your account, unless you specifically request removal (subject to our rights, for example we may retain a removed review internally to evaluate a dispute). We may dissociate reviews from personal accounts by labeling them as from an “anonymous former user” if needed.

6.4 Legal Obligations:

We may be required by law to keep certain information for set periods of time. For example:

  • Financial and transaction records are often kept for 6-7 years for tax and audit purposes.

  • Information related to the hiring process might need to be kept to comply with labor laws or to defend against potential discrimination claims (often a couple of years).

  • If you participated in a placement, we might retain data about that placement in line with employment law requirements (like working time records).

  • If you gave consent to certain processing, we might keep a record of your consent (and withdrawal if applicable) as required by the GDPR accountability principle.

6.5 Dispute and Enforcement Retention:

If we are involved in a dispute with you or another party, or we suspect future litigation, we may retain relevant information until the issue is resolved, even if that extends beyond typical retention. Similarly, if we know of a user violation leading to account termination, we may keep data to ensure the user doesn’t circumvent the rules or to cooperate with law enforcement.

6.6 Backup and Archival Copies:

Even after deletion from our active database, copies of your data might remain in backup media for a period (due to our backup procedures). We secure those backups and eventually cycle them out. Also, some residual information (like log records) might not be fully removed from all systems even after account deletion, but we will anonymize or secure it.

After the retention period ends, we will either delete your Personal Data or anonymize it (so that it can no longer be associated with you) in a secure manner. If deletion or anonymization is not feasible (for example, because the data is stored in long-term backups), then we will securely store and isolate the data from further use until deletion is possible.

7. Your Rights and Choices

You have various rights regarding your Personal Data. Below, we outline these rights and how to exercise them. Please note that these rights are subject to certain exemptions and may vary based on your jurisdiction (for example, EU/UK residents have GDPR rights, California residents have CCPA rights, etc.).

7.1 Access and Correction:

You have the right to access the Personal Data we hold about you and to request correction of any inaccuracies.

  • How to Access: You can access much of your information directly by logging into your MedicBank account (e.g., your profile, account settings, messages, etc.). If you need a more comprehensive export, you can use any data export features we offer (for example, a “Download My Data” tool if available) or contact us directly. We will provide a copy of your personal data in a common format. For EU users, this is your “right of access.”

  • How to Correct: You can correct and update most information via your account profile. For example, you can edit your contact info, profile details, or job posts. If any information is not editable by you and is inaccurate, contact us and we will rectify it (or, in some cases, we may allow you to add a supplementary statement to clarify the data if appropriate). We may need to verify the accuracy of new data you provide before making the change.

7.2 Deletion (Right to be Forgotten):

You can request that we delete your Personal Data. This is also known as the “right to erasure” in some jurisdictions.

  • You may delete certain data on your own (e.g., remove a profile field or delete a review you posted). To delete your entire account and associated data, you can usually find an option in account settings or you can contact support with a request.

  • Upon receiving a verified deletion request, we will remove or anonymize your personal data from our records, unless retention is required for our legitimate business or legal purposes as described in Section 6. We will also instruct our processors to do the same, where applicable.

  • Note: If you have engaged in any transactions or postings, complete erasure might not be feasible if others have relied on or interacted with that content. For example, if you filled a shift at a Facility, that Facility may have records of your work that they need to keep. We will, however, remove data from our own platform view as much as possible and dissociate it from you.

  • Also, public content you provided (like reviews) may remain visible to others unless you explicitly ask for its removal, which we will usually honor unless we have an overriding reason to keep it (rare).

7.3 Objection and Restriction:

  • Right to Object: You have the right to object to our processing of your data in certain situations. For example, if we process your data on the basis of legitimate interests, you can object if you believe it impacts your rights. If you object to direct marketing, we will cease processing your data for those purposes immediately (that includes profiling related to marketing).

  • Right to Restrict: You can also request that we restrict processing of your data in certain cases: for instance, if you contest the accuracy of your data (until we verify it), or if you objected to processing and we are considering that objection. Restriction means we will store your data but not use it further except for things permitted by law (like legal claims or protecting others).

  • We will inform you before lifting any restriction on processing.

7.4 Portability:

You have the right to data portability for data you provided to us. This means you can request an electronic copy of certain data in a structured, commonly used, machine-readable format, and you can ask us to transmit such data directly to another service provider where technically feasible. This right applies to information processed by automated means and that you initially provided consent for us to process or where we used it to perform a contract with you (for example, your profile info, job application details, messages you sent). We will provide the data in a CSV or JSON or similar standard format.

7.5 Automated Decision-Making:

MedicBank does not make any legally significant decisions about you purely by algorithms without human involvement (like a computer solely deciding to reject you for a job without any human review). If we ever implement automated decision-making that has a significant effect, you will have rights to know about it and to request human intervention or to contest the decision. But currently, our use of AI is assistive and not determinative for things like hiring (final decisions are made by human recruiters/employers).

7.6 Withdraw Consent:

In cases where we rely on your consent to process personal data (e.g., for sending marketing emails, or for processing sensitive data you provided), you have the right to withdraw your consent at any time. Withdrawal will not affect the lawfulness of processing that was already done based on consent before withdrawal. For example, you can opt out of marketing emails by clicking “unsubscribe” in them or by adjusting your account communication preferences. If you withdraw consent for a specific feature (like location services on the app or use of a health data field), you may disable that feature without impacting your general use of the Service (except that feature won’t function).

  • Note: If you withdraw consent for something essential (like storing your data at all), that might mean we have to deactivate your account.

7.7 California Privacy Rights:

If you are a California resident, you have specific rights under the CCPA (California Consumer Privacy Act) (and as amended by CPRA):

  • Right to know what personal information we have collected about you in the past 12 months (categories and specific pieces of information, the sources, the business purpose, and categories of third parties we share it with).

  • Right to delete personal information (similar to above, with certain exceptions).

  • Right to opt out of “sale” or “sharing” of personal information. MedicBank does not sell personal info for money, but the definition of “sale” under CCPA is broad and could include some analytics or advertising sharing. We will provide a “Do Not Sell or Share My Personal Information” link on our website if we ever engage in any practice deemed a sale or share under CCPA. Currently, our use of third-party analytics might be considered a “share” for cross-context behavioral advertising. You can opt out by using cookie controls (which we will treat as “do not share” signals).

  • Right to non-discrimination for exercising CCPA rights – we will not deny you services or provide different quality because you exercised your privacy rights.

  • California’s “Shine the Light” law allows you to request a notice identifying the categories of personal information we share with affiliates and third parties for their direct marketing purposes and providing contact information for those parties. However, MedicBank does not share personal info with third parties for their own direct marketing.

If you are a California resident and would like to make such requests, you can contact us as described below. We will verify your identity (for example, by requiring you to log in or provide information associated with your account/email) before fulfilling requests. You may also designate an authorized agent to make requests on your behalf, in which case we will need proof of the agent’s authorization and also verify your identity directly.

7.8 How to Exercise Your Rights:

To exercise any applicable rights, you can:

  • Use self-service tools where available (account settings, etc.).

  • Contact our support team at privacy@medicbankapp.com (or the contact details in Section 11) with your request. Please clearly state what right you wish to exercise and provide relevant details (for example, the specific information you want to access, or what you want corrected).

  • For access, deletion, or portability requests, we will need to verify your identity to ensure we’re giving data to the right person (we may ask for information that matches our records, or perform verification through your logged-in status).

  • We strive to respond to requests within one month (30 days). If the request is complex or we have many requests, we may extend this by another two months if necessary, but we will inform you of the delay.

  • There is generally no fee for exercising your rights. However, if a request is manifestly unfounded or excessive (for example, repetitive with no reasonable interval), we may either charge a reasonable fee or refuse the request (with an explanation).

  • If we decline a request (such as denying deletion because an exception applies), we will explain our reasoning and any options you have to appeal the decision (where applicable).

7.9 Complaints:

If you believe we have infringed your privacy rights, please contact us first so we can try to resolve the issue. However, you also have the right to complain to a data protection authority or regulator.

  • For EU users: You can lodge a complaint with the supervisory authority in your member state of residence, place of work, or where the alleged infringement occurred. For example, in the UK, the authority is the Information Commissioner’s Office (ICO).

  • For others: In some jurisdictions you may have a right to complain to a regulator or utilize dispute resolution. We will cooperate with any official inquiries. We would appreciate the chance to address your concerns directly before you approach a regulator, so please reach out with any issues.

8. Third-Party Services

Our Service may contain links to third-party websites, embedded content, or integrations with third-party services that are not operated by MedicBank. For example:

  • When viewing a Facility profile, clicking an address might open Google Maps.

  • We may have social media “Share” buttons or log-in integrations (e.g., “Sign in with LinkedIn”).

  • There may be links to external training programs, certification authorities, or healthcare information resources.

If you click on a third-party link or use a third-party service through our platform, you will be directed to that third party’s site or service. This Privacy Policy does not apply to information collected on or through any third-party sites or services. We strongly advise you to review the privacy policy of every site or service you visit or interact with. We are not responsible for the privacy practices or content of third-party sites. However, we aim to only partner with or integrate services that respect user privacy. For instance, where we use Google’s APIs, we abide by Google’s API Services User Data Policy (including any applicable limited use requirements).

Notably:

  • Google Maps integration: As mentioned, use of Google Maps features on MedicBank is subject to Google’s Privacy Policy and terms. Google may collect data like your IP and location when maps are loaded. We recommend reviewing Google’s privacy terms if you use map features.

  • Social Media and Single Sign-On: If you choose to connect MedicBank with a social network or use a single sign-on, you are sharing certain data with that platform (and they with us, per their policy and your settings). For example, if you log in via LinkedIn, LinkedIn’s privacy policy will govern the data it provides us (like your name, email, and professional info if you consent).

  • External Payment Pages: If you’re directed to a third-party hosted payment page (like a Stripe checkout page), that page might be branded as our service but actually governed by the payment processor’s terms and privacy policy.

We encourage you to exercise caution and read the privacy statements of any external websites or services you visit via links or integrations on our platform.

9. Children’s Privacy

MedicBank is not directed to individuals under the age of 16 (or the relevant minimum age in your jurisdiction for providing consent to data processing). We do not knowingly collect personal data from children. The platform is intended for adult professionals and patients or their adult family members who are reviewing care facilities.

If you are under 16, please do not attempt to register or use our Service, or send any personal information about yourself to us. If we learn that we have inadvertently collected personal data from a child under 16, we will take steps to delete such information promptly.

Parents or guardians: if you become aware that your child has provided us with personal information without your consent, please contact us and we will work to delete it. In certain cases (like a child receiving care at a facility that is reviewed on our site), a parent or guardian may provide a testimonial or review. We urge those individuals not to include personal data about minors in reviews beyond perhaps describing the experience in general terms, and certainly not to include a child’s full name or identifying details.

Some jurisdictions have stricter age thresholds (e.g., COPPA in the US sets under 13 as a child for online data). We adhere to those laws as applicable. We do not knowingly market or target our services to children.

10. Updates to this Policy

We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we update our Privacy Policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make:

  • If we make material changes, we will notify you prominently, such as by email (sent to the email address specified in your account) or by means of a notice on our website/app prior to the change becoming effective.

  • Minor changes (e.g. clarifications, typographical corrections, or changes that do not affect your rights) will be posted on the site with an updated effective date.

We will obtain your consent to any Privacy Policy changes if and where required by applicable data protection laws. For instance, if we plan to use your personal data for a new purpose that requires consent, we will ask for consent.

We encourage you to review this Privacy Policy periodically for any updates. Your continued use of the MedicBank Service after the effective date of an updated Privacy Policy will be deemed acceptance of the updated terms, to the extent permitted by law. At the top of this Policy, we indicate when it was last updated. Historic versions can be obtained by contacting us.

11. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can contact MedicBank’s data protection point of contact:

MedicBank Healthcare Limited

Address: 5 Henry Tate Mews, London, England, SW16 3HA, United Kingdom

Email: privacy@medicbankapp.com

For the purposes of EU data protection law (GDPR), MedicBank Healthcare Limited is the “data controller” of your personal data. Our EU representative (if required under Article 27 GDPR for having an establishment) can be reached at [Representative’s Name and Contact Address], or via privacy@medicbankapp.com with subject “EU Rep”.

For UK data protection law, our UK Data Protection Officer (if applicable) can be contacted at [DPO contact if designated] – at the same postal address or email above.

We will respond to your inquiries as quickly as possible, generally within 30 days. If you are not satisfied with our response, you may have the right to lodge a complaint with your local supervisory authority (as noted in Section 7.9).

Thank you for trusting MedicBank with your information. We are dedicated to protecting your privacy and providing a secure experience.