GDPR Policy
Jwebly Ltd (trading as Jwebly Health) is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy sets out our obligations as both a data controller and a data processor.
1. Our roles
Jwebly Ltd operates in two capacities under UK GDPR:
- Data controller: For personal data we collect directly (website visitors, enquiries, platform account holders).
- Data processor: For patient and clinical data entered into the HealthOS platform by our clinic clients. In this role, we process data strictly on the instructions of the clinic (the data controller).
2. Data controller registration
Jwebly Ltd is registered with the Information Commissioner's Office (ICO) as a data controller. Our ICO registration number is available on request. You can verify our registration at ico.org.uk.
3. Lawful basis for processing
All personal data processed by Jwebly Ltd has a documented lawful basis. We do not process personal data without one. Our primary lawful bases are:
- Contract: Processing required to deliver our contractual obligations to platform subscribers.
- Legitimate interests: Platform security, fraud prevention, and service improvement, where our interests are not overridden by the interests, rights, and freedoms of the individual.
- Legal obligation: Where processing is required to comply with a legal or regulatory requirement.
- Consent: For optional communications and marketing, where explicitly obtained and freely given.
4. Special category data
Patient health data constitutes special category data under UK GDPR Article 9. Such data may only be processed where both an Article 6 lawful basis and an Article 9(2) condition apply. For patient data processed on behalf of clinic clients, the clinic (as data controller) relies on Article 9(2)(h) (provision of health care or treatment), together with the corresponding health and social care condition in Schedule 1 to the Data Protection Act 2018, and we require a Data Processing Agreement to be in place with each clinic before processing begins. We implement additional technical safeguards for special category data, including role-based access control, audit logging, and encryption.
5. Data subject rights
We respect and facilitate the exercise of all UK GDPR data subject rights. These include the right to access, rectification, erasure, restriction, portability, and objection. Requests should be submitted to hello@jwebly.co.uk. We will respond without undue delay and in any event within one calendar month of receipt; where a request is complex, or we receive several requests from the same individual, we may extend this period by up to two further months and will inform you within the first month if we do so. Where Jwebly Ltd acts as processor, data subject requests relating to patient data should be directed to the relevant clinic (the data controller), and we will assist the clinic as required.
6. Data Processing Agreements
Jwebly Ltd enters into a Data Processing Agreement (DPA) with each clinic client before any patient data is processed. The DPA sets out the subject matter and duration of processing, the nature and purpose of processing, the type of personal data involved, and the obligations and rights of each party. Clinics may request a copy of our standard DPA at any time.
7. International transfers
We do not transfer personal data outside the United Kingdom except where adequate safeguards are in place; transfers to the EEA are covered by UK adequacy regulations. Our AI inference partner (Anthropic) processes data via UK and EEA-compliant infrastructure. All primary data storage remains within the UK. Where any third-party processor operates internationally, we ensure that the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an equivalent recognised transfer mechanism is in place.
8. Data breach procedures
We maintain a documented breach response procedure. Where we act as data controller and a personal data breach is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO without undue delay and in any event within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to individuals, we will also notify them without undue delay. Where we act as data processor, we will notify the affected clinic without undue delay after becoming aware of a breach so that the clinic can meet its own notification obligations. All staff are trained in breach identification and reporting.
9. Data Protection Officer
Given the nature of our data processing activities, we have designated a data protection contact. Queries relating to data protection should be directed to hello@jwebly.co.uk with the subject line "Data Protection".
Questions? Contact us at hello@jwebly.co.uk