Privacy Policy

Effective date: 1 April 2026 | Last updated: 13 April 2026

1. Who We Are

DrToye HMS is operated by Neural Signal Corporation Limited ("we", "us", "our"), registered in England and Wales. We act as a data processor on behalf of healthcare providers (Hospitals) that use our platform, and as a data controller for account and platform-related data.

Data Protection Officer contact: support@drtoye.com

2. Data We Collect

Category	Examples	Lawful Basis
Identity Data	Full name, date of birth, gender, profile photo	Contract performance
Contact Data	Email address, phone number, home address	Contract performance, consent (SMS/calls)
Health Data	Medical history, diagnoses, lab results, prescriptions, vital signs, allergies	Provision of healthcare (Article 9(2)(h) UK GDPR)
Appointment Data	Booking details, doctor assignments, scheduling history	Contract performance
Financial Data	Billing records, payment method (via Stripe — we do not store full card numbers)	Contract performance, legal obligation
Technical Data	IP address, device type, app version, push notification tokens	Legitimate interest (security & service improvement)
Communication Data	In-app chat messages, email correspondence	Contract performance

3. How We Use Your Data

Providing healthcare services: Managing appointments, consultations, lab results, prescriptions, admissions, surgeries, and billing.
Transactional notifications: Sending appointment reminders, status updates, lab result alerts, prescription notifications, and billing confirmations via SMS, voice call, email, and push notification.
Telemedicine: Facilitating video consultations between patients and doctors.
Account management: Authentication, password resets, account security.
Legal compliance: Maintaining records as required by healthcare regulations and tax law.
Service improvement: Aggregated, anonymised analytics to improve platform performance and user experience.

4. Third-Party Processors

We use the following third-party services to deliver the Platform. All are bound by data processing agreements:

Service	Purpose	Data Shared
Twilio	SMS text messages & automated voice calls	Phone number, message content
Stripe	Payment processing	Payment details (tokenised)
MongoDB Atlas	Database hosting	All platform data (encrypted)
ElevenLabs	AI voice synthesis for automated calls	Patient name, appointment details (in call script)
SMTP provider	Email delivery	Email address, message content
Firebase (FCM)	Push notifications	Device token, notification content
Agora	Video call infrastructure	Audio/video stream (not recorded)

We do not sell, rent, or share your personal data with any third party for marketing purposes.

5. SMS & Voice Call Communications

By providing your phone number during registration, you consent to receive transactional SMS and automated voice calls related to your healthcare. These include:

Appointment reminders (24h, 1h, 30 minutes before)
Appointment confirmations, cancellations, and rescheduling notices
Lab results ready notifications
Prescription dispensed alerts
Billing and payment confirmations
No-show / missed appointment notices

Opt out: Reply STOP to any SMS, update preferences in the app, or contact support@drtoye.com.

No marketing or promotional messages are sent. Standard carrier message and data rates may apply.

6. Data Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Passwords are hashed using bcrypt with salt.
API endpoints are protected by role-based access control (RBAC) and JWT authentication.
Rate limiting, IP blocking, and audit logging are enforced.
Regular security audits and penetration testing.

7. Data Retention

Health records: Retained for a minimum of 8 years (in line with NHS records management guidelines), or as required by the Hospital.
Account data: Retained for the duration of the account. Upon deletion, data is anonymised within 30 days.
Billing records: Retained for 7 years (legal requirement).
Communication logs: Retained for 12 months for service quality.

8. Your Rights (UK GDPR)

Under UK data protection law, you have the right to:

Access: Request a copy of your personal data.
Rectification: Correct inaccurate or incomplete data.
Erasure: Request deletion of your data (subject to legal retention requirements).
Portability: Receive your data in a structured, machine-readable format.
Restriction: Restrict how we process your data.
Objection: Object to processing based on legitimate interest.
Withdraw consent: Where processing is based on consent (e.g., SMS), you can withdraw at any time.

To exercise any of these rights, contact support@drtoye.com. We will respond within 30 days.

9. Cookies & Analytics

The DrToye web portal may use essential cookies for authentication and session management. We do not use advertising or third-party tracking cookies. The mobile app does not use cookies.

10. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect data from children under 16 without parental consent. Minors' accounts are created and managed by a parent, guardian, or Healthcare Provider.

11. International Transfers

Your data is primarily stored in the UK/EEA. Where data is processed by third-party services outside the UK (e.g., MongoDB Atlas, Twilio), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreements (IDTAs).

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. The "Last updated" date at the top of this page indicates when the latest revision was made.

13. Contact & Complaints

If you have questions or complaints about this Privacy Policy or how we handle your data:

Email: support@drtoye.com
Phone: +44 117 463 3074
Website: drtoye.com

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk