Loading…
Loading…
Last updated: 2 March 2026
SyncMed is a medical education platform registered in England & Wales, operated by SyncMed (“we”, “us”, “our”).
Registered address: Unit 111481, PO Box 6945, London W1A 6US, United Kingdom
Data protection contact: support@syncmed.co.uk
ICO registration: Our registration with the Information Commissioner’s Office is in progress. For any data-protection query, contact us at support@syncmed.co.uk.
SyncMed is the data controller for your personal data. This means we decide how and why your personal data is processed.
We collect different data depending on whether you register as a student or a doctor.
All users: full name, email address, password (stored in hashed form only; we never store your actual password), account role (student or doctor).
Medical students: medical school name, year of study, topic interests.
Doctors: NHS email address, GMC number, medical grade (e.g. FY1, ST3, Consultant), specialty or specialties, short biography, profile photo URL.
Usage data: tutorial attendance records, notification preferences, login timestamps, pages visited within the platform.
Technical data: IP address, browser type and version, device type, operating system. This data is collected through essential cookies and server logs only.
We do not collect financial or payment data at this time. We do not use analytics cookies, advertising cookies, or any third-party tracking technologies. We do not collect health data, patient data, or clinical information of any kind.
Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for processing your personal data. We rely on the following:
Contractual necessity (Article 6(1)(b)): Processing your account data, matching you to tutorials, verifying doctor credentials, and delivering the SyncMed service. Without this data, we cannot provide you with an account or access to tutorials.
Legitimate interests (Article 6(1)(f)): Improving the platform and user experience, analysing aggregate usage patterns (not individual tracking), preventing misuse or fraud, and maintaining platform security. We have conducted a legitimate interests assessment and concluded that these interests do not override your rights and freedoms.
Consent (Article 6(1)(a)): Sending you marketing emails about SyncMed updates, new features, or educational content beyond essential service notifications. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting us at support@syncmed.co.uk.
Legal obligation (Article 6(1)(c)): Where we are required to retain or disclose data to comply with a legal obligation, such as responding to a lawful court order or regulatory request.
We use your data for the following specific purposes:
Account creation and management : creating your account, authenticating logins, and maintaining your profile.
Tutorial matching : using your year of study, topic interests, and specialty preferences to show you relevant tutorials and send notifications about upcoming sessions that match your interests.
Doctor credential verification : checking your GMC number against the GMC register to confirm your registration status. This is a one-time check at registration and periodic re-verification.
Tutorial delivery : sharing necessary information with Microsoft Teams to facilitate live tutorial sessions. This includes your display name and email address for the meeting invitation.
Service communications : sending you essential emails about your account, upcoming tutorials you have registered for, and important platform changes. These are not marketing emails and cannot be opted out of while your account is active.
Marketing communications : with your consent, sending you emails about new tutorials, platform features, and educational content via our email marketing provider Klaviyo. You can opt out at any time.
Platform improvement : analysing aggregate, anonymised usage data to understand how the platform is used and where we can improve it.
Doctor profiles : displaying doctor profile information (name, specialty, grade, biography, and profile photo) publicly on the platform so students can choose relevant tutorials. Doctors consent to this public display at registration.
We do not sell, rent, or trade your personal data. We never have and never will.
We share your data only with the following categories of recipients, and only to the extent necessary:
Sub-processors (service providers): We use the following third-party services to operate SyncMed. Each processes your data solely on our instructions and under contractual obligations to protect it:
| Provider | Purpose | Data shared | Data location |
|---|---|---|---|
| Supabase Inc. | Database hosting, user authentication | All account data, usage data | EU (Frankfurt, Germany) |
| Netlify Inc. | Website hosting, content delivery | IP address, browser data via server logs | Global CDN (edge nodes worldwide, origin in US) |
| Microsoft Corporation | Live tutorial delivery via Teams | Display name, email address | EU data boundary (for UK/EU tenants) |
| Klaviyo Inc. | Email marketing and service communications | Name, email address, role, year of study | US (with Standard Contractual Clauses) |
Other users of the platform: Doctor profile information (name, grade, specialty, biography, photo) is visible to all platform users. Student information is never publicly displayed.
Legal requirements: We may disclose your data if required by law, court order, or regulatory request from a UK authority (such as the ICO).
Business transfers: If SyncMed is acquired, merges with another organisation, or undergoes a restructuring, your data may be transferred to the successor entity. We will notify you of any such transfer and your choices.
We do not share your data with advertisers, data brokers, or any other third parties not listed above.
Some of our sub-processors are based outside the United Kingdom. When your personal data is transferred outside the UK, we ensure it is protected by one or more of the following safeguards:
UK adequacy decisions: Where the UK government has determined that a country provides an adequate level of data protection (such as EU/EEA countries under the current UK adequacy regulations), no additional safeguards are required.
Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision (such as the United States, where Klaviyo and some Netlify infrastructure are based), we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs, which are pre-approved contractual terms ensuring your data receives equivalent protection.
Supplementary measures: Where appropriate, we implement additional technical measures such as encryption in transit and at rest to further protect your data during international transfers.
You may request a copy of the relevant safeguards by contacting support@syncmed.co.uk.
We retain your data for the following specific periods:
Active accounts: Your account data and profile information are retained for as long as your account is active and you continue to use SyncMed.
Inactive accounts: If your account is inactive for 24 consecutive months (no login, no tutorial attendance), we will send you a reminder email. If no action is taken within 30 days of that reminder, we will delete your account and associated personal data.
Tutorial attendance records: Records of tutorial attendance (which doctor taught, which students attended, date, topic) are retained for 6 years after the tutorial date. This is to support doctors who use SyncMed as portfolio evidence for training applications, appraisals, and revalidation. After 6 years, attendance records are anonymised (individual names removed).
Doctor verification data: GMC verification records are retained for 12 months after a doctor's account is closed, to comply with our safeguarding obligations and to maintain an audit trail.
Marketing preferences and email data: Retained until you unsubscribe or delete your account, whichever comes first. Upon unsubscription, your email address is moved to a suppression list to ensure we do not contact you again, and is deleted from the suppression list after 12 months.
Server logs: Technical server logs (IP addresses, browser data) are retained for 90 days and then automatically deleted.
Backup copies: Encrypted database backups may retain your data for up to 30 days after deletion from the live system, after which backups are overwritten.
When the retention period expires, we delete your personal data or anonymise it so it can no longer identify you.
You have the following rights in relation to your personal data. These rights are not absolute; some are subject to conditions and exemptions under the UK GDPR.
Right of access (Article 15): You can request a copy of the personal data we hold about you. We will provide this within one calendar month of receiving your request.
Right to rectification (Article 16): You can ask us to correct inaccurate data or complete incomplete data. You can also update most of your information directly in your account settings.
Right to erasure (Article 17): You can ask us to delete your personal data. We will do so unless we have a lawful reason to continue processing it (for example, where retention is required for doctor portfolio evidence or legal obligations).
Right to restrict processing (Article 18): You can ask us to temporarily stop processing your data in certain circumstances, such as while we verify the accuracy of data you have challenged.
Right to data portability (Article 20): You can request your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON) and have it transmitted to another controller where technically feasible.
Right to object (Article 21): You can object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. You can object to marketing at any time; no grounds needed.
Right to withdraw consent: Where we process your data based on consent (marketing emails), you can withdraw consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.
Email support@syncmed.co.uk with the subject line “Data Rights Request” and specify which right you wish to exercise. We will respond within one calendar month. If your request is complex, we may extend this by two further months, but we will tell you within the first month if this is the case.
We will verify your identity before processing any request. This is to protect your data from being disclosed to someone who is not you.
To make a complaint about how we handle your data, see our Complaints Procedure or contact the ICO directly.
If you are not satisfied with how we handle your data or your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We ask that you contact us first so we have the opportunity to resolve your concern.
SyncMed uses essential cookies only. These are strictly necessary for the platform to function and do not require your consent under the Privacy and Electronic Communications Regulations 2003 (PECR).
Authentication session token: Keeps you logged in during your session and identifies your account when you make requests to our servers. This cookie expires when you log out or after 7 days of inactivity.
CSRF token: Prevents cross-site request forgery attacks. This is a security measure that expires at the end of each session.
We do not use:
Because we only use strictly necessary cookies, we do not display a cookie consent banner. Under PECR, consent is not required for cookies that are essential to provide a service you have requested.
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
Our tutorial matching feature uses your stated topic interests and year of study to surface relevant tutorials, but this is a simple filtering mechanism (similar to a search filter), not automated profiling. You can see all tutorials regardless of your interests, and no decisions about your access to the platform are made automatically.
We take the security of your data seriously and implement the following measures:
Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
Encryption at rest: Your data is encrypted at rest in our database (Supabase provides AES-256 encryption).
Password hashing: We never store your password in plain text. Passwords are hashed using bcrypt before storage.
Role-based access controls: Only authorised personnel can access personal data, and access is limited to what is necessary for their role.
Secure authentication: We use secure session management with automatic expiry and support for account lockout after repeated failed login attempts.
Regular review: We periodically review our security measures and update them as needed.
No system can guarantee 100% security. If you become aware of any security vulnerability or suspect unauthorised access to your account, please contact us immediately at support@syncmed.co.uk.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
Notify the ICO within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR. Where we cannot notify within 72 hours, we will provide reasons for the delay.
Notify affected individuals without undue delay where the breach is likely to result in a high risk to your rights and freedoms, as required by Article 34 of the UK GDPR. Notification will include the nature of the breach, the likely consequences, the measures taken or proposed to address it, and the contact details of our data protection contact.
Document all breaches in our internal breach register, including those that do not meet the threshold for reporting to the ICO.
SyncMed is not directed at individuals under 18. We do not knowingly collect personal data from anyone under the age of 18.
If we become aware that we have collected data from a person under 18, we will take steps to delete that data promptly.
If you believe a child under 18 has provided us with personal data, please contact support@syncmed.co.uk.
We may update this Privacy Policy from time to time. When we make changes:
Material changes (such as changes to what data we collect, who we share it with, or how long we retain it) will be communicated to registered users by email at least 14 days before taking effect.
Non-material changes (such as clarifications or formatting updates) will be reflected by updating the “Last updated” date at the top of this page.
We encourage you to review this page periodically. Your continued use of SyncMed after changes take effect constitutes acceptance of the updated policy. If you do not agree with any changes, you may close your account at any time.
For any questions, concerns, or requests relating to this Privacy Policy or your personal data:
Email: info@syncmed.co.uk
Subject line: Privacy Inquiry
Postal address: SyncMed, Unit 111481, PO Box 6945, London W1A 6US, United Kingdom
We aim to respond to all privacy-related inquiries within 5 working days.