MedHandover

Privacy Policy

Effective date: 16 July 2026  ·  Last updated: 16 July 2026

MedHandover is a clinical handover and task-coordination app for hospital medical teams. This policy explains what information we handle, why, and the choices you have. We have written it to be read, not skimmed — it is the accurate description of how the app works.

Who we are: Hicksmore & Harrison Ltd (company no. 16356014), a company registered in England and Wales at 128 City Road, London, EC1V 2NX, trading as MedHandover ("MedHandover", "we").
Contact for privacy matters: privacy@medhandover.app
ICO registration number: Pending registration.

1. The two kinds of data in MedHandover — and our two different roles

Understanding this policy starts with a distinction:

(a) Your account and usage data — we are the controller. Information about you as a user: your name, email address, verification status, and how you use the app. We decide how and why this is processed, and this policy is our privacy notice to you for it.

(b) Clinical content you and your team enter — we are a processor. Patient details, jobs, and notes are entered by clinicians into lists their teams control. For this content, the clinicians and the healthcare organisations they work for determine the purposes; we process it only to provide the service — storing it, syncing it between team members' devices, and delivering it according to the permissions your team sets. We do not use clinical content for any purpose of our own. We do not sell it, advertise against it, analyse it for our own products, or share it with anyone outside the permission model you and your team control.

MedHandover is a coordination tool, not the medical record. The patient's formal record remains your organisation's electronic patient record and documentation systems; MedHandover exists to help teams organise and hand over work safely alongside them.

2. What we collect and why

Account data (we are controller)

DataWhyLawful basis (UK GDPR)
Name, email address, password (stored as a secure credential hash by our authentication provider)To create and secure your accountArt. 6(1)(b) — contract
Your NHS or institutional email address and its domainTo verify your affiliation with an NHS trust when you choose to join a hospital: we check the domain against the trust's known email domains and send a one-time verification code. We record the verification outcome (your verification tier), not the codeArt. 6(1)(b) — contract; Art. 6(1)(f) — our and your teams' legitimate interest in a verified clinical environment
Profile photo (optional)Shown to your teammates in lists and requestsArt. 6(1)(b) — contract
Hospital/trust memberships and verification tierTo control what you can see and do (e.g. discovering your hospital's open lists)Art. 6(1)(b) — contract
Push notification tokenTo deliver handover, request, and reminder notifications to your deviceArt. 6(1)(b) — contract
Usage and interaction data (e.g. sign-ins, invites sent and accepted, verification completions, lists and handovers created, feature interactions), device type and app version, approximate technical logsTo operate the service, keep it secure, fix faults, and understand how the product is used so we can improve itArt. 6(1)(f) — legitimate interests

Clinical content (we are processor, acting on your team's instructions)

Patient identifiers and clinical notes (such as name, location, hospital number, date of birth, and free-text notes), jobs and their status, assignments, and handover records — entered by clinicians, visible only to the members of the list concerned under the roles your team's admins set. This is special category data (health data); the clinicians and organisations using MedHandover are responsible for having the appropriate basis to record it (in a care context, typically Art. 9(2)(h) — provision of health care — alongside their professional duties), and we process it strictly as their processor under Art. 28.

Your responsibilities as a clinical user: enter only the information needed for safe coordination of care, follow your organisation's information-governance policies, and remember the app does not replace the formal medical record.

3. What we deliberately do NOT do

4. Who your data is shared with

Your team, by design. The entire purpose of the app is controlled sharing: what you enter in a list is visible to that list's members under its permission settings; your name and photo appear to colleagues in lists, requests, and handovers; when you request to join a hospital's list, the approving admin sees your verification tier (e.g. "Trust-verified" or "NHS-verified — affiliation unconfirmed").

Our processors (Art. 28 sub-processors for clinical content):

We do not permit these providers to use the data for their own purposes.

Legal requirements. We may disclose information if required by law or a valid legal process, and we will challenge requests that are overbroad.

5. Where your data lives

Our database is hosted on Google Cloud in the European Union (multi-region: Netherlands and Belgium — Google region "eur3"), with encryption in transit and at rest. Where a processor involves a transfer outside the UK/EEA (for example, email or push-notification relay infrastructure), it takes place under UK-approved safeguards such as the UK Addendum to Standard Contractual Clauses or an adequacy decision.

6. How long we keep it

7. Deleting your account — exactly what happens

You can delete your account at any time, in the app: Settings → Account → Delete account (you will be asked to confirm and re-enter your password). Deletion is immediate and permanent — there is no recovery window. Specifically:

This in-app deletion is how we honour your right to erasure; the de-identified retention of team clinical records reflects that those records are the patients' and teams' data, over which an individual user's erasure right does not extend.

8. Your rights

Under UK GDPR you have the right to access your personal data, correct it, erase it (see section 7), restrict or object to processing based on legitimate interests, and data portability where applicable. To exercise any of these, contact privacy@medhandover.app. We will respond within one month. For clinical content where we act as processor, we may need to direct your request to the team or organisation that controls the list, and we will help you identify them.

You also have the right to complain to the Information Commissioner's Office (ico.org.uk), though we would welcome the chance to address any concern first.

9. Security

Access to data in MedHandover is governed by a server-enforced permission model: every read and write is checked against your role, your list memberships, and your verification tier — including protections against user enumeration and unauthorised access that we test with an automated security-rules suite on every change. Passwords are handled by Google Firebase Authentication and never visible to us. Data is encrypted in transit and at rest. On Android the app blocks screenshots of clinical screens; on iOS, where the platform does not offer an equivalent control, we rely on device security and your organisation's mobile-device policies. Please protect your own device with a passcode/biometrics and report any suspected compromise to us immediately.

10. Changes to this policy

If we make material changes we will notify you in the app before they take effect, and the "last updated" date above will change. Continued use after that date means the updated policy applies.