Last updated: 8 June 2026
Introduction and Scope
This Privacy Policy explains how Medical Ocean collects, uses, shares, and protects personal data in connection with our cloud-based healthcare software and our website. We are committed to handling personal data lawfully, fairly, and transparently.
Medical Ocean provides cloud-based software for medical facilities, including modules for Electronic Health Records (EHR), Pharmacy Management, an Anesthesia Module, a Laboratory Information System, HR & Payroll, and Incident Reporting. Because we operate in the healthcare sector and process health information, we hold ourselves to a high standard of data protection.
This policy is framed primarily around UK GDPR (the retained EU General Data Protection Regulation) and the Data Protection Act 2018, which govern how organisations established in the United Kingdom process personal data. Where our clients have additional healthcare-compliance obligations — for example HIPAA in the United States — we design our services to support those obligations and to act consistently with them.
Controller and processor roles
The way data protection law applies to us depends on the type of data involved:
- Patient and clinical data. When healthcare facilities use our software to manage their patients, Medical Ocean generally acts as a data processor. The healthcare facility (our client) is the data controller and decides why and how patient data is processed. We process that data only on the client’s documented instructions and under a written data processing agreement.
- Website and account data. For information we collect about visitors to our website and about the individuals who administer our client accounts, Medical Ocean acts as a data controller and is directly responsible for how that data is handled.
This policy describes both roles. Where you are a patient of one of our healthcare clients, that client’s own privacy notice governs your relationship with them, and you should contact them directly to exercise your rights over your patient record.
Information We Collect
We collect the following categories of personal data.
Account and contact information
When you register for an account, request a demonstration, or communicate with us, we may collect your name, job title, employer or facility name, business email address, telephone number, and login credentials. As a data controller for this information, we use it to provide and administer access to our services.
Usage and analytics data
When you use our website or platform, we may automatically collect technical information such as your IP address, browser type, device information, pages viewed, features used, and the dates and times of access. This helps us operate, secure, and improve our services.
Patient and health data (processed on behalf of clients)
When our clients use the EHR, Pharmacy, Anesthesia, Laboratory, and related modules, the system stores and processes patient and clinical information on their behalf. This may include patient identifiers, medical histories, diagnoses, prescriptions, anesthesia and laboratory records, and incident reports. Medical Ocean acts as a data processor for this information and does not determine the purposes for which it is processed. We access it only as necessary to host, maintain, support, and secure the service on the client’s instructions.
How We Use Information
We process personal data only where we have a lawful basis to do so under UK GDPR. The lawful bases we rely on include:
- Contract. To provide our services, manage accounts, and fulfil our agreements with clients and users.
- Legitimate interests. To operate, secure, troubleshoot, and improve our platform and website, and to communicate with business contacts, provided these interests are not overridden by your rights.
- Legal obligation. To comply with applicable laws, regulatory requirements, and lawful requests from authorities.
- Consent. Where required — for example, for certain marketing communications or non-essential cookies — we rely on your consent, which you may withdraw at any time.
When acting as a processor for patient data, we process that data on the lawful basis established by our client (the controller) and strictly in accordance with their instructions.
Special Category (Health) Data
Health and medical data is treated as a special category of personal data under UK GDPR and the Data Protection Act 2018, and it requires a higher level of protection.
Where Medical Ocean processes special category health data, we do so as a processor on behalf of our healthcare clients. The client, as controller, is responsible for ensuring that an appropriate lawful basis and an applicable special-category condition (such as the condition for the provision of health care or treatment under Article 9(2)(h) UK GDPR, together with the corresponding condition in Schedule 1 of the Data Protection Act 2018) are in place. We support clients in meeting these obligations by providing appropriate technical and organisational safeguards, restricting access to authorised personnel, and processing such data only as instructed and as necessary to deliver the service.
Data Sharing and Third Parties
We do not sell personal data. We share personal data only in the following limited circumstances:
- Sub-processors. We engage trusted service providers — such as cloud hosting, infrastructure, and support providers — to help deliver our services. These sub-processors act on our instructions, are bound by written contracts imposing data protection obligations consistent with this policy and applicable law, and may only process data as needed to perform their services.
- Our clients. Where we act as a processor, we make patient and account data available to the relevant healthcare facility (the controller) on whose behalf we process it.
- Legal and regulatory disclosures. We may disclose personal data where required to comply with the law, a court order, or a lawful request from a competent authority, or to protect our rights, safety, and property.
- Business transfers. If Medical Ocean is involved in a merger, acquisition, or asset sale, personal data may be transferred as part of that transaction, subject to appropriate confidentiality and data protection safeguards.
Where we use sub-processors to handle patient data on behalf of a client, we do so consistently with our data processing agreements, including obligations to notify clients of changes to sub-processors as required.
Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction. Our security posture is HIPAA-aware and designed to support clients’ healthcare-compliance obligations. Measures include:
- Encryption of data in transit between users and our platform, and encryption of data at rest.
- Role-based access control (RBAC), so that users and our staff can access only the data appropriate to their role.
- Authentication and access logging, so that access to systems and data is restricted to authorised identities and can be monitored and audited.
- Secure cloud infrastructure with safeguards designed to maintain the confidentiality, integrity, and availability of data.
While no system can be guaranteed completely secure, we continually review and improve our safeguards. If a personal data breach occurs, we will act in accordance with our legal obligations: where we act as a processor, we will notify the affected client (the controller) without undue delay so that they can meet their own notification duties; where we act as a controller, we will notify the Information Commissioner’s Office (ICO) and affected individuals where required.
International Data Transfers
Medical Ocean is based in the United Kingdom. Where personal data is transferred outside the UK — for example, to a sub-processor located in another country — we ensure an adequate level of protection by relying on an appropriate safeguard recognised under UK GDPR. These safeguards include UK adequacy regulations, the International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or other lawful transfer mechanisms. We take steps to ensure that any such transfer is subject to suitable protections for your personal data.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to provide our services, comply with our legal, accounting, and regulatory obligations, resolve disputes, and enforce our agreements.
Where we act as a processor for patient data, retention is determined by our client (the controller) in line with their own legal and clinical-records obligations, and we retain or delete such data in accordance with their instructions and our data processing agreement. When data is no longer required, we securely delete or anonymise it.
Your Rights Under UK GDPR
Subject to the conditions and exemptions in UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
- Right of access — to obtain confirmation that we process your data and a copy of it.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure — to have your data deleted in certain circumstances.
- Right to restriction — to limit how we process your data in certain circumstances.
- Right to data portability — to receive certain data in a structured, commonly used, machine-readable format.
- Right to object — to object to certain processing, including processing based on legitimate interests and direct marketing.
- Right to complain — to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority.
If you are a patient of one of our healthcare clients, please direct requests relating to your patient record to that client, who is the controller of your data. We will support our clients in responding to such requests. For data where Medical Ocean is the controller (such as website and account data), you may contact us directly using the details below.
Cookies and Tracking
Our website uses cookies and similar technologies to enable core functionality, remember your preferences, and understand how the site is used through analytics. Essential cookies are necessary for the website to function. Non-essential cookies, including those used for analytics, are used in accordance with your preferences and, where required, your consent. You can control or disable cookies through your browser settings, though some features may not function correctly if you do so.
Children’s Privacy
Our services and website are intended for use by healthcare facilities and their authorised staff, and are not directed at children. We do not knowingly collect personal data directly from children through our website. Where patient records processed on behalf of our clients relate to minors, that data is handled under the instruction and responsibility of the relevant healthcare facility (the controller), with the protections described in this policy.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, provide additional notice. We encourage you to review this policy periodically.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
- Medical Ocean
- Email: admin@medicalocean.co
- Registered address: 86-90 Paul Street, London EC2A 4NE, United Kingdom
If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority, at ico.org.uk. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so we encourage you to contact us first.