
Expert.Med Privacy Policy
Last updated: 2 February 2026
This Privacy Policy explains how Expert Med Telerad Ltd (“Expert.Med”, “we”, “us”, “our”) collects and uses personal data when you use Expert.Med.
Company details: Expert Med Telerad Ltd, incorporated in England and Wales.
Registered office: 30a High Street, Milton Keynes, Buckinghamshire, England, MK11 1AF
Company number: 16913094
Contact: support@expert.med
Note: Radiologists who provide your Second Opinion may be independent data controllers for their professional services. This Privacy Policy explains our processing and the main ways we share data with Radiologists.
1) What data we collect
A) User account and identity data
Name
Email
Date of birth
Gender
Account authentication data (e.g., hashed password)
B) Health and case data (special category data)
DICOM imaging data (CT/MRI/X-ray)
Primary report (required)
Prior scans/reports (optional)
Medical form responses (e.g., height, weight, cancer status, symptoms, contrast usage)
Free-text health information you provide
Other documents you upload (e.g., lab results)
C) Transaction and support data
Payment status and receipts (processed via payment provider; we do not store full card details)
Customer support messages
Feedback and survey responses
D) Technical and usage data
Device and browser information
IP address (may be logged for security)
Cookies and similar technologies (see Cookie Policy)
Analytics events (e.g., page views, feature usage)
2) Where we get your data
From you when you sign up, complete forms, and upload a Case
Automatically from your device/browser when you use the Platform
From third parties you authorise (e.g., if someone uploads a Case on your behalf)
3) How we use your data and our legal bases
We use your personal data for the purposes below.
A) Provide the Platform and services
Purpose: Account creation, case submission, matching your Case to Radiologist(s), delivering reports, customer support.
Legal basis (UK GDPR Art. 6): Contract performance (Art. 6(1)(b)).
Special category condition (Art. 9): Explicit consent for health data (Art. 9(2)(a)).
B) AI summary and chat features
Purpose: Summarise/aggregate Radiologist report(s) and enable informational Q&A to help you understand reports.
Legal basis: Contract performance (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)) depending on feature.
Special category condition: Explicit consent (Art. 9(2)(a)).
C) Safety, security, fraud prevention, and platform integrity
Purpose: Protect accounts, prevent abuse, maintain logs, investigate suspicious activity.
Legal basis: Legitimate interests (Art. 6(1)(f)).
D) Legal, compliance, and dispute handling
Purpose: Comply with law, respond to lawful requests, enforce Terms, handle complaints and disputes.
Legal basis: Legal obligation (Art. 6(1)(c)) and/or legitimate interests (Art. 6(1)(f)).
Special category condition (where needed): Establishment/exercise/defence of legal claims (Art. 9(2)(f)).
E) Product analytics and improvement (non-health)
Purpose: Understand usage to improve the Platform (e.g., performance, UX).
Legal basis: Legitimate interests (Art. 6(1)(f)).
We aim to minimise what we collect and avoid collecting health content through analytics tools.
F) Marketing communications
Purpose: Send newsletters and occasional updates.
Legal basis: Consent (Art. 6(1)(a)) where required. You can unsubscribe any time.
4) Sharing your data
We share personal data only as needed:
A) With Radiologists
We share your Case data (including imaging and medical form responses) with the Radiologist(s) who accept your Case to produce the Second Opinion report(s).
B) With service providers (“processors”)
We use vendors to operate the Platform, including:
Cloud/storage for DICOM and application data (e.g., Google Cloud Healthcare / GCP)
App database services (e.g., Supabase)
Hosting/CDN (e.g., Vercel)
DICOM viewer (e.g., MedDream self-hosted)
Payments (e.g., Stripe)
Analytics (e.g., Google Analytics, PostHog)
AI processing for summarisation/aggregation (e.g., Anthropic)
These providers process data under contractual controls appropriate to their role.
C) Legal and safety disclosures
We may disclose data to regulators, law enforcement, courts, or professional bodies where required or appropriate for legal compliance and safety.
5) International transfers
Your data may be transferred to, stored in, or accessed from countries outside the UK (for example, where a service provider or Radiologist is located abroad). When we make restricted transfers, we use appropriate safeguards (such as the UK International Data Transfer Agreement or the UK Addendum to EU SCCs) and conduct risk assessments where required.
6) Data retention
We retain data only as long as necessary for the purposes described above.
Suggested baseline retention (you can adjust):
Case records (imaging, reports, and associated case data): 8 years from report delivery (to support continuity, complaints, and legal defence).
Account data: for the life of the account, then typically up to 24 months after closure (unless needed longer for legal reasons).
Billing and financial records: at least 6 years to meet UK company/tax record-keeping obligations.
Analytics data: typically up to 26 months (configurable).
You can implement shorter retention for raw DICOM if you prefer, but keep in mind clinical complaints and legal defence needs.
7) Your rights
Depending on your location, you may have rights including:
Access to your personal data
Correction of inaccurate data
Deletion (where applicable)
Restriction or objection to processing (in some cases)
Data portability (in some cases)
Withdrawal of consent (where we rely on consent)
To exercise rights, contact: legal@expert.med
If you withdraw consent for processing health data, you may not be able to use the Platform for new Cases, and we may not be able to continue an in-progress Case.
8) Security
We use technical and organisational measures designed to protect data (access controls, encryption in transit where supported, logging, least-privilege access). No system is 100% secure; you are responsible for keeping your account credentials confidential.
9) Children
The Platform is not intended for minors, and we do not knowingly collect personal data from individuals under 18.
10) Complaints
If you are unhappy with how we handle your data, contact us first: legal@expert.med.
You may also complain to the UK Information Commissioner’s Office (ICO).
11) Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated version and revise the “Last updated” date.

