Privacy notice

Who we are (controller)

PracticeWise is a trading name of Rajoka Limited (registered in England and Wales, company number 12069067; registered office: 64b Yardley Green Road, Birmingham, England, B9 5QE). For matters relating to this marketing website, Rajoka Limited is the data controller. Contact privacy@practicewise.uk.

Where PracticeWise processes patient data on behalf of clinics, the clinic is the data controller and Rajoka Limited is the data processor under a written Data Processing Agreement signed during onboarding.

We have not appointed a Data Protection Officer; we are not required to do so under Article 37 UK GDPR. Privacy enquiries are handled by the privacy team at the address above.

What this website collects, why, and how long we keep it

• Access requests. When you complete the form at /access, we record the email address, clinic name, clinic type and approximate monthly patient volume you submit, together with your consent confirmation, the request source, your user agent and (where Vercel provides it) the originating country. Lawful basis: Article 6(1)(b) UK GDPR (steps taken at your request prior to entering a contract). Retention: 24 months from last contact, unless we onboard you — in which case the relationship moves to the Master Subscription Agreement and the data is retained per its terms. Follow-up cadence: after submitting, you receive an immediate confirmation and our team receives an alert. Two automated follow-ups are scheduled — at three days and seven days — to check if the request is still relevant. Every email includes a one-click unsubscribe link (RFC 8058) that closes the file immediately and cancels all remaining scheduled emails. Unsubscribing does not delete your access-request record; it simply stops further automated contact. If you want the record deleted, email privacy@practicewise.uk.
• Contact requests. Email address and any details you send to hello@practicewise.uk or other published mailto addresses. Lawful basis: Article 6(1)(b) UK GDPR for sales enquiries, or Article 6(1)(f) (legitimate interest in responding to enquiries) where no contract is contemplated. Retention: 24 months from the last contact; thereafter deleted unless required to defend a legal claim.
• Server logs. Standard request logs (IP address, user agent, requested URL, timestamp). Lawful basis: Article 6(1)(f) (legitimate interest in operational security and abuse prevention). Retention: 30 days, then deleted automatically.
• Strictly necessary cookies. The marketing site does not currently set any strictly-necessary cookies. The consent banner stores your preference in localStorage under the key pw-consent-v1 — this is not a cookie and is exempt from PECR consent under regulation 6(4) (information storage strictly necessary to provide a service explicitly requested by the user).
• Analytics cookies (set only with your consent). If you accept analytics on the consent banner we load Google Analytics 4 (Google LLC) and Microsoft Clarity (Microsoft Corporation). Both set first-party cookies on your device. Lawful basis: Article 6(1)(a) UK GDPR (consent) and regulation 6(1) PECR (consent for non-essential storage and access). Retention:see the cookie table on this page; you can withdraw consent at any time via “Cookie preferences” in the footer.
• Marketing cookies. None set today. If we introduce them we will update this notice and add a new toggle to the consent banner before any non-essential cookie is set.

Cookies set with analytics consent

We use Google Consent Mode v2 with all analytics signals set to denied by default. No analytics cookie is set, and no analytics ping is sent with personal identifiers, until you grant consent. IP addresses passed to Google Analytics are anonymised at the edge (anonymize_ip: true).

Where data is processed

The marketing site is served by Vercel Inc.through a global content-delivery network. Our origin region is the United Kingdom; however, cached static pages and request logs may be processed transiently on Vercel's edge locations outside the UK. Where personal data is transferred outside the UK, the transfer is made under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, consistent with ICO guidance on restricted transfers.

Vercel's Data Processing Addendum is at vercel.com/legal/dpa.

Access-request submissions are stored in the PracticeWise application database operated by Supabase Inc. in the London (eu-west-2) region. Access-request data does not leave the UK.

Transactional email (the confirmation we send you when you submit an access request, and the internal alert that reaches our team inbox) is processed by Resend.com Inc.Resend processes your email address, the subject and body of the message for the time required to deliver it, and the deliverability metadata returned by recipient mail servers. Resend's DPA is published at resend.com/legal/dpa.

The PracticeWise application (app.practicewise.uk) processes patient records, documents and audit logs in the United Kingdom only. Patient data does not leave the UK.

Sub-processors

The marketing website uses the following sub-processors:

• Vercel Inc. — site hosting and content delivery
• Supabase Inc. — access-request database (London, eu-west-2)
• Resend.com Inc. — transactional email for access-request confirmations and alerts
• Google LLC — Google Analytics 4 (loaded only with analytics consent under Consent Mode v2)
• Microsoft Corporation — Microsoft Clarity (loaded only after explicit analytics consent)

A separate list of sub-processors used by the PracticeWise application is published on /security. We give clinics 30 days' notice of any change to that list under the Data Processing Agreement.

Your rights under UK GDPR

You have the right to:

• Access the personal data we hold about you (Article 15)
• Request correction of inaccurate or incomplete data (Article 16)
• Request erasure where the law permits (Article 17)
• Restrict our processing (Article 18)
• Receive your data in a portable form (Article 20)
• Object to processing based on legitimate interest, including any direct marketing (Article 21)
• Withdraw consent at any time where consent is our lawful basis (Article 7(3)) — withdrawal does not affect processing already carried out

We respond to requests within one calendar month of receiving a verifiable request, with the option to extend by a further two months for complex or numerous requests (we will tell you within the first month if we are extending). Contact privacy@practicewise.uk. Routine requests are handled free of charge.

If you are not satisfied with our response you can complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint or on 0303 123 1113.

Children

This marketing site is not directed at children. We do not knowingly collect personal data from anyone under 16. The PracticeWise application is operated by clinics; lawful basis and consent rules for paediatric records are defined by the clinic-controller under its own policies and DPA.

Automated decision-making

We do not carry out automated decision-making or significant profiling on the marketing site. Clinical decisions on the PracticeWise application are made by appropriately qualified clinicians, not by the platform.

Changes to this notice

We revise this notice as the website and product evolve. The “Last updated” date at the top of this page reflects the latest substantive revision. Material changes are flagged in the change log on request.