Medical Ocean (“Medical Ocean”, “we”, “us”, or “our”) provides enterprise healthcare software, including electronic health records, pharmacy management, anesthesia, laboratory information, HR & payroll, and incident reporting applications (together, the “Services”), and operates the website at medicalocean.co (the “Website”).
We respect your privacy and are committed to protecting personal data. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, how long we keep it, how we protect it, and the rights available to you under the data protection laws of the countries where we operate.
1. Who we are and how to contact us
For the purposes of applicable data protection laws — including the UK General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”), the Bahrain Personal Data Protection Law (Law No. 30 of 2018, “Bahrain PDPL”), the Saudi Arabian Personal Data Protection Law and its Implementing Regulations (“KSA PDPL”), the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”), the Jordanian Personal Data Protection Law (Law No. 24 of 2023, “Jordan PDPL”), and the EU General Data Protection Regulation (“EU GDPR”) — the controller of personal data described in this Privacy Policy is:
Medical Ocean LTD, Company No. 14943900, registered office at 86-90 Paul Street, London EC2A 4NE, United Kingdom.
- Privacy enquiries and data subject requests: privacy@medicalocean.co
- Data Protection Officer: dpo@medicalocean.co
- General enquiries: hello@medicalocean.co
2. Scope: our two roles
We process personal data in two distinct capacities, and it is important to understand the difference:
(a) Medical Ocean as controller
We act as a controller when we decide how and why personal data is processed. This applies to:
- Visitors to our Website and people who contact us, request a demo, subscribe to communications, or attend our events or webinars;
- Business contact details of personnel at our customers, prospective customers, suppliers, and partners;
- Account, billing, and administrative data relating to our customers’ named users of the Services;
- Job applicants.
This Privacy Policy applies in full to the processing described above.
(b) Medical Ocean as processor
We act as a processor (or equivalent role under local law) when healthcare organisations that subscribe to our Services (“Customers”) enter patient information and other personal data into the Services. In that case, the Customer is the controller, and we process the data only on its documented instructions. Section 3 explains this further.
3. Patient data — Medical Ocean as processor
If you are a patient of a clinic, hospital, laboratory, or pharmacy that uses Medical Ocean, your healthcare provider — not Medical Ocean — controls your health records. Please direct any request to access, correct, or delete your medical records, and any question about how your health information is used, to your healthcare provider. We will assist them in responding to you.
When Customers use the Services to create and manage patient records, prescriptions, laboratory results, anesthesia records, appointment data, and similar information (“Patient Data”):
- The Customer remains the controller of Patient Data at all times; Medical Ocean is a processor acting only on the Customer’s documented instructions under a written Data Processing Agreement (“DPA”) that forms part of our customer contracts;
- We do not use Patient Data for our own purposes, do not sell Patient Data, and do not use Patient Data for marketing or advertising;
- Patient Data is treated as special category / sensitive personal data and is protected with heightened technical and organisational safeguards, including encryption in transit and at rest and role-based access controls;
- We engage sub-processors (Section 7) only under written contracts imposing equivalent data protection obligations, and we maintain a current list of sub-processors available to Customers;
- We notify the Customer without undue delay after becoming aware of a personal data breach affecting Patient Data, and provide the information the Customer needs to meet its own notification duties;
- On termination of a Customer’s subscription, we return or delete Patient Data in accordance with the contract and applicable medical record retention laws (see Section 10);
- Where required by the laws of the Customer’s country — including health data localisation requirements in the Kingdom of Saudi Arabia and the United Arab Emirates — Patient Data is hosted in-country or in a jurisdiction permitted by those laws (see Section 8).
We may create aggregated and anonymised data from usage of the Services (for example, system performance statistics) that does not identify any individual and cannot reasonably be re-identified. Anonymisation of Patient Data, where performed, is carried out in accordance with applicable law and our contracts with Customers. We use such data to operate, secure, benchmark, and improve the Services.
4. Personal data we collect
Acting as a controller, we collect the following categories of personal data:
- Identity and contact data — name, job title, organisation, work email address, work phone number, country;
- Enquiry and demo request data — the products you are interested in and any message you send us;
- Account and user data — usernames, professional role, access permissions, and authentication data for named users of the Services;
- Billing and contract data — billing contacts, invoicing details, payment records (payment card details are processed by our payment providers; we do not store full card numbers);
- Technical and usage data — IP address, browser type and version, device and operating system, pages visited, time and date of visits, referring URLs, and interactions with the Website and the Services (such as feature usage, error reports, and audit logs);
- Marketing and communications data — your preferences for receiving communications from us, and records of consent and opt-outs;
- Support data — the contents of support tickets and correspondence with our support team;
- Recruitment data — CVs, qualifications, and employment history if you apply to work with us.
We do not intentionally collect special category data (such as health information, religious beliefs, or biometric data) through our Website. Please do not include patient information or other sensitive data in Website forms or marketing correspondence. Health information processed within the Services is Patient Data and is handled as described in Section 3.
We collect personal data directly from you (forms, email, phone, events), automatically through your use of the Website and the Services (cookies, logs, analytics), and occasionally from third parties such as your organisation (when it registers you as a user), business directories, and event organisers.
5. How we use personal data and our legal bases
Data protection laws require us to have a lawful basis for processing personal data. The table below sets out our purposes and the corresponding legal bases (terminology varies between jurisdictions; the equivalent local basis applies under the Bahrain PDPL, KSA PDPL, UAE PDPL, and Jordan PDPL).
| Purpose | Data categories | Legal basis |
|---|---|---|
| Responding to enquiries and demo requests | Identity and contact; enquiry data | Legitimate interests (responding to your request); steps prior to entering a contract |
| Providing, administering, and supporting the Services; managing accounts and users | Account and user; technical and usage; support data | Performance of a contract; legitimate interests |
| Billing, invoicing, and debt recovery | Billing and contract data | Performance of a contract; legal obligation; legitimate interests |
| Securing the Services and the Website, preventing fraud and misuse, maintaining audit logs | Technical and usage; account data | Legitimate interests (security); legal obligation |
| Improving and developing the Website and the Services | Technical and usage data (aggregated where possible) | Legitimate interests |
| Sending product updates, newsletters, and marketing about our Services | Identity and contact; marketing preferences | Consent, or legitimate interests for business contacts where permitted — you can opt out at any time |
| Complying with laws, regulations, and lawful requests from authorities | All categories as relevant | Legal obligation |
| Establishing, exercising, or defending legal claims; corporate transactions | All categories as relevant | Legitimate interests; legal obligation |
| Recruitment | Recruitment data | Steps prior to entering a contract; legitimate interests; consent where required |
We do not use personal data for automated decision-making that produces legal or similarly significant effects on individuals. We do not sell personal data.
6. Cookies and similar technologies
Our Website uses cookies and similar technologies in the following categories:
- Strictly necessary cookies — required for the Website and the Services to function (for example, session authentication and security). These cannot be switched off.
- Analytics cookies — help us understand how visitors use the Website so we can improve it. Used only with your consent where required by law.
- Preference cookies — remember settings such as language and region.
- Marketing cookies — used, with your consent, to measure the effectiveness of our campaigns.
Where the law requires it, we ask for your consent before setting non-essential cookies, and you can withdraw or change your choices at any time through your browser settings or our cookie preferences tool. Blocking some cookies may affect how the Website works.
7. How we share personal data
We share personal data only as described below, and we never sell it:
- Within our group — with our affiliates and group entities, for the purposes described in this Privacy Policy and subject to the same protections;
- Service providers and sub-processors — vetted third parties that host, support, and help us deliver the Website and the Services, such as cloud infrastructure providers, communications and email delivery services, payment processors, customer support tooling, and analytics providers. They may process personal data only on our instructions and under written contracts with confidentiality and data protection obligations. A current list of the sub-processors that may process Patient Data is available to Customers on request and via our customer documentation, and we give Customers advance notice of changes with an opportunity to object;
- Professional advisers — lawyers, auditors, accountants, and insurers, under duties of confidentiality;
- Authorities and regulators — where we are required to do so by applicable law, regulation, court order, or binding request of a competent authority, including health regulators in the countries where our Customers operate. Where lawful and feasible, we will notify the affected Customer before disclosing Patient Data;
- Corporate transactions — in connection with a merger, acquisition, financing, or sale of assets, in which case the recipient will be bound by obligations consistent with this Privacy Policy and applicable law;
- With your direction — third-party systems that you or your organisation choose to integrate with the Services (for example, national health platforms, insurers, or laboratory devices). The third party’s own terms and privacy notices apply to its processing.
8. International transfers and data residency
We serve customers in the United Kingdom, Bahrain, Saudi Arabia, the United Arab Emirates, Jordan, and globally, and we use hosting regions appropriate to each market. Where personal data is transferred across borders, we do so only where permitted by applicable law and subject to appropriate safeguards:
- United Kingdom — transfers out of the UK are made under UK adequacy regulations, the ICO’s International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, with transfer risk assessments where required;
- EEA / global — transfers out of the EEA are made under European Commission adequacy decisions or the EU Standard Contractual Clauses (SCCs), with supplementary measures where required;
- Kingdom of Saudi Arabia — personal data is transferred outside the Kingdom only in accordance with the KSA PDPL and its Data Transfer Regulations, and Patient Data of Saudi healthcare customers is hosted in accordance with applicable Saudi health sector data residency requirements (including requirements of the Ministry of Health, the National Health Information Center, and SDAIA, as applicable);
- United Arab Emirates — we comply with the UAE PDPL cross-border transfer rules and with Federal Law No. 2 of 2019 on the Use of ICT in the Health Fields, under which health data relating to UAE patients is stored and processed within the UAE unless transfer outside the UAE is permitted by law or authorised by the competent health authority;
- Kingdom of Bahrain — transfers outside Bahrain are made to jurisdictions approved by the Personal Data Protection Authority or otherwise in accordance with the conditions of the Bahrain PDPL (including consent or contractual necessity);
- Hashemite Kingdom of Jordan — transfers outside Jordan are made in accordance with the Jordan PDPL, including its conditions on adequate protection, consent, and approvals of the competent authority where required.
Details of hosting locations and transfer mechanisms applicable to a specific Customer are set out in the Customer’s DPA and order documentation. You may contact us for more information about the safeguards we use.
9. How we protect personal data
We apply administrative, technical, and physical safeguards appropriate to the sensitivity of the data we handle, including:
- Encryption of data in transit (TLS) and at rest;
- Role-based access controls, unique user accounts, multi-factor authentication, and automatic session timeouts;
- Logical separation of each Customer’s data;
- Audit logging of access to records within the Services;
- Secure software development practices, vulnerability management, and penetration testing;
- Staff confidentiality obligations and data protection training;
- Backup, business continuity, and disaster recovery arrangements;
- A documented incident response process, including notification of affected Customers and, where required, regulators and individuals, within the timeframes set by applicable law.
No system can be guaranteed to be 100% secure, but we review and improve our safeguards on an ongoing basis. You are responsible for keeping your account credentials confidential and for notifying us promptly of any suspected unauthorised use.
10. How long we keep personal data
- Website and marketing data — kept for as long as needed for the purpose collected, and deleted or anonymised when no longer required (typically within 24 months of your last interaction with us, unless you ask us to delete it sooner);
- Customer account and billing data — kept for the duration of the contract and thereafter as required for tax, accounting, and legal purposes;
- Patient Data — retained for the duration of the Customer’s subscription and handled on exit in accordance with the contract. Customers are responsible for complying with the medical record retention periods that apply to them (which range from several years to permanent retention depending on the country and record type). Following expiry of the agreed export window after termination, we delete or return Patient Data unless retention is required by applicable law;
- Audit and security logs — kept for the period required by applicable law and our security policies;
- Recruitment data — kept for the duration of the recruitment process and a reasonable period thereafter, unless you consent to a longer period.
11. Your rights
Subject to the law that applies to you (see Section 12), you may have the right to:
- Access the personal data we hold about you and receive a copy;
- Rectify inaccurate or incomplete personal data;
- Erase personal data in certain circumstances;
- Restrict or object to processing, including objecting to direct marketing at any time;
- Receive certain data in a structured, commonly used, machine-readable format (data portability);
- Withdraw consent at any time, where processing is based on consent (without affecting prior processing);
- Complain to a supervisory authority (Section 12 lists the relevant regulators).
To exercise your rights, contact privacy@medicalocean.co. We may need to verify your identity before acting on a request. We respond within the timeframe required by applicable law (one month under the UK and EU GDPR, subject to extension for complex requests; equivalent statutory periods apply in Bahrain, Saudi Arabia, the UAE, and Jordan). Exercising your rights is free of charge, except where the law permits a reasonable fee for manifestly unfounded or excessive requests.
If your request concerns your medical records held by a healthcare provider that uses Medical Ocean, we will refer your request to that provider, as it is the controller of that data, and we will support it in responding to you.
12. Country-specific notices
United Kingdom
We process personal data of UK individuals in accordance with the UK GDPR and the Data Protection Act 2018. You have all the rights listed in Section 11. You may lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk, although we would welcome the opportunity to address your concerns first.
Kingdom of Bahrain
We process personal data of individuals in Bahrain in accordance with the Personal Data Protection Law (Law No. 30 of 2018). Sensitive personal data, including health data, is processed only with a lawful basis under that law. You may lodge a complaint with the Personal Data Protection Authority (PDPA) of the Kingdom of Bahrain.
Kingdom of Saudi Arabia
We process personal data of individuals in Saudi Arabia in accordance with the Personal Data Protection Law (issued by Royal Decree No. M/19, as amended) and its Implementing Regulations. Health data is processed in line with the additional controls for health data under the PDPL and applicable Ministry of Health requirements. You may lodge a complaint with the competent authority, currently the Saudi Data & Artificial Intelligence Authority (SDAIA).
United Arab Emirates
We process personal data of individuals in the UAE in accordance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and, for health data, Federal Law No. 2 of 2019 on the Use of ICT in the Health Fields and the regulations of the competent health authorities (including MOHAP, DOH, and DHA, as applicable). You may lodge a complaint with the UAE Data Office. Where our Customers operate in financial free zones (DIFC or ADGM), the DIFC Data Protection Law No. 5 of 2020 or the ADGM Data Protection Regulations 2021 may also apply to their processing.
Hashemite Kingdom of Jordan
We process personal data of individuals in Jordan in accordance with the Personal Data Protection Law (Law No. 24 of 2023). Health data is treated as sensitive data and processed only on a lawful basis under that law. You may lodge a complaint with the Personal Data Protection Council operating under the Ministry of Digital Economy and Entrepreneurship.
European Economic Area and other countries
Where the EU GDPR applies to our processing, individuals in the EEA have the rights listed in Section 11 and may complain to their local supervisory authority. For individuals in other countries, we honour the rights granted by the data protection law applicable in your country; contact us and we will explain how your request will be handled.
13. Children
Our Website and Services are intended for use by healthcare organisations and their professional staff, not by children. We do not knowingly collect personal data from children through our Website. Patient Data relating to minors is processed solely on behalf of our Customers, who are responsible for obtaining any consents required from parents or guardians under applicable law.
14. Third-party websites and services
The Website and the Services may contain links to, or integrations with, third-party websites and services that we do not control. This Privacy Policy does not apply to them, and we are not responsible for their content or privacy practices. We encourage you to read the privacy notice of every website you visit and every service your organisation chooses to connect to the Services.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. We will post the updated version on this page with a revised effective date, and where a change is material we will provide more prominent notice (for example, by email to Customers or a notice on the Website) before it takes effect.
16. Contact us and complaints
If you have any questions, concerns, or complaints about this Privacy Policy or our handling of personal data, please contact us:
- Email: privacy@medicalocean.co
- Data Protection Officer: dpo@medicalocean.co
- Post: Medical Ocean LTD, 86-90 Paul Street, London EC2A 4NE, United Kingdom
We take every complaint seriously and will respond as quickly as we can. You also have the right to complain to the supervisory authority in your country, as listed in Section 12.