Privacy Policy
Last Updated: January 2026
1. Introduction
“Sick Note” (“we”, “us”, or “our”) refers to Sicknote OÜ, a company incorporated in Estonia (Registry Code: 17138961), operating the website https://sicknote.com (“Site”).
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our online telehealth services (collectively, the “Services”) from the United Kingdom. This policy applies specifically to users located in the United Kingdom and is designed to comply with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), and the Data (Use and Access) Act 2025 (“DUA Act 2025”).
UK-Specific Policy
This Privacy Policy is specifically tailored for users in the United Kingdom. If you are located elsewhere in the European Union or European Economic Area, please refer to our EU/EEA Privacy Policy.
By accessing or using our Services from the United Kingdom, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.
2. Who We Are
For the purposes of UK data protection law, the data controller responsible for your personal data is:
Data Controller
Sicknote OÜ
Registry Code: 17138961
VAT Number: EE102812646
Registered Address: Estonia
Email: [email protected]
We provide online telehealth consultations enabling patients to request medical certificates (commonly known as “fit notes” in the UK) from GMC-registered and EU-licensed healthcare professionals.
3. UK Representative
As Sicknote OÜ is established outside the United Kingdom, we have appointed a UK Representative in accordance with Article 27 of the UK GDPR. Our UK Representative serves as your local contact point for all matters relating to data protection.
UK GDPR Representative (Article 27)
If you are located in the UK and have questions or concerns regarding your personal data, you may contact our appointed GDPR representative:
UK Representative:
Address: Euverify Ltd (UK)
3rd Floor
86-90 Paul Street
London
EC2A 4NE
United Kingdom
Email: [email protected]
To submit a Data Subject Access Request (DSAR), data deletion request, or any other GDPR-related inquiry, please use our secure portal at:
https://gdpr.euverify.com/verify/a8ba31f0-f8d5-450a-8815-23df3ce20e0f
This link allows you to verify our appointed representative and submit GDPR requests directly. Requests submitted through this portal are logged and tracked to ensure timely response and compliance.
Role of Our UK Representative
Our UK Representative is authorised to act on our behalf regarding all data protection matters. They can receive communications from the Information Commissioner’s Office (ICO) and from you regarding any data protection queries or requests. Please note that the appointment of a UK Representative does not affect your ability to contact us directly.
4. Information We Collect
We may collect the following categories of personal information:
4.1 Information You Provide Directly
| Category | Examples |
|---|---|
| Identification Information | Full name, date of birth, gender, email address, postal address, phone number, government-issued identification information, and digital signature |
| Health and Medical Information | Medical history, current symptoms and conditions, diagnoses, treatment plans, uploaded images/documents (e.g., test results), and other health-related information you provide or that is generated through your use of our Services |
| Payment Information | Billing address, transaction history (note: full card details are processed by our payment provider and not stored by us) |
| Employment Information | Employer name, occupation, workplace address (when relevant to your fit note request) |
| Account Information | Username, password, security questions and answers, and preferences related to your account |
| Communication Records | Records of your interactions with us, including consultation notes, messages, emails, chat transcripts, and feedback |
4.2 Information Collected Automatically
When you visit our Site or use our Services, we may automatically collect certain information:
- Device Information: IP address, browser type and version, operating system, device type, and mobile device identifiers
- Usage Data: Pages visited, time spent on pages, links clicked, referring/exit pages, search terms, date/time stamps, and interaction with content
- Location Information: General location data derived from your IP address
4.3 Special Category Data
Health Data Under UK GDPR
Health and medical information constitutes “special category data” under UK GDPR Article 9. This data receives enhanced protection, and we only process it where we have a valid legal basis and an additional condition under Article 9(2), such as where processing is necessary for the provision of health care under the responsibility of a health professional bound by professional secrecy obligations.
5. How We Use Your Information
We use your personal information for the following purposes:
5.1 Providing Our Services
- Facilitating online medical consultations with licensed healthcare professionals
- Issuing medical certificates (fit notes) based on clinical assessments
- Processing payments for our services
- Verifying your identity for medical and regulatory purposes
- Communicating with you about your consultation and medical certificate
5.2 Administrative and Operational Purposes
- Managing your account and preferences
- Responding to your enquiries and support requests
- Maintaining medical records as required by law and professional standards
- Quality assurance and clinical governance
5.3 Legal and Regulatory Compliance
- Complying with legal obligations, including medical record-keeping requirements
- Responding to lawful requests from regulatory authorities
- Establishing, exercising, or defending legal claims
5.4 Improving Our Services
- Analysing usage patterns to improve our website and services
- Conducting research and statistical analysis (using anonymised data where possible)
- Developing new features and services
5.5 Marketing (With Your Consent)
- Sending promotional communications about our services (only where you have opted in)
- Personalising your experience based on your preferences
6. Legal Basis for Processing
Under UK GDPR, we must have a valid legal basis for processing your personal data. We rely on the following legal bases:
- Contract (Article 6(1)(b) UK GDPR): Processing necessary to perform our contract with you, including providing medical consultations and issuing fit notes
- Legal Obligation (Article 6(1)(c) UK GDPR): Processing necessary to comply with legal obligations, such as medical record-keeping requirements and responding to regulatory requests
- Legitimate Interests (Article 6(1)(f) UK GDPR): Processing necessary for our legitimate interests or those of a third party, such as improving our services, preventing fraud, and ensuring network security
- Consent (Article 6(1)(a) UK GDPR): Where you have given clear consent for us to process your personal data for specific purposes, such as marketing communications
- Vital Interests (Article 6(1)(d) UK GDPR): In rare circumstances, processing necessary to protect your vital interests or those of another person
6.1 Additional Conditions for Health Data
For special category data (including health information), we also rely on the following conditions under Article 9(2) UK GDPR:
- Health Care Provision (Article 9(2)(h)): Processing necessary for the provision of health care under the responsibility of a health professional subject to professional secrecy obligations
- Explicit Consent (Article 9(2)(a)): Where you have given explicit consent to the processing of your health data
- Legal Claims (Article 9(2)(f)): Processing necessary for the establishment, exercise, or defence of legal claims
7. Sharing Your Information
We may share your personal information with the following categories of recipients:
7.1 Healthcare Professionals
Licensed doctors and healthcare professionals who conduct consultations and issue medical certificates through our platform. All healthcare professionals are bound by professional confidentiality obligations.
7.2 Service Providers
Third-party companies that help us operate our business, including:
- Payment processors (for secure payment handling)
- Cloud hosting and data storage providers
- Identity verification services
- Customer support platforms
- Email and communication service providers
- Electronic signature service providers
All service providers are contractually bound to protect your data and process it only on our instructions.
7.3 Regulatory and Legal Disclosures
We may disclose your information where required by law or to:
- Comply with legal obligations or court orders
- Respond to requests from the Information Commissioner’s Office (ICO)
- Respond to requests from medical regulatory bodies (such as the GMC or CQC)
- Protect our rights, property, or safety, or that of our users or others
7.4 Employer Verification
If an employer contacts us to verify the authenticity of a medical certificate, we may confirm the document’s validity (issue date, reference number, and duration) without disclosing any clinical or health information.
8. International Data Transfers
As Sicknote OÜ is based in Estonia (European Union), your personal data will be transferred outside the United Kingdom to the EU/EEA.
EU Adequacy Decision
The United Kingdom has made an adequacy determination for all EU and EEA member states, meaning that personal data can flow freely from the UK to the EU/EEA without additional safeguards, as these countries are deemed to provide an adequate level of data protection. Similarly, the EU has granted the UK adequacy status, allowing data to flow in both directions.
Where we transfer personal data to countries outside the UK and EU/EEA that do not have an adequacy decision, we ensure appropriate safeguards are in place, such as:
- International Data Transfer Agreement (IDTA) incorporating the UK Addendum to EU Standard Contractual Clauses
- Binding Corporate Rules approved by the ICO
- Certification under an approved certification mechanism
You may request information about the safeguards we have in place by contacting our Data Protection Officer.
9. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements.
| Data Type | Retention Period | Reason |
|---|---|---|
| Medical Records | Minimum 8 years from last consultation (or age 25, whichever is longer for minors) | UK medical record-keeping requirements and professional standards |
| Account Information | Duration of account plus 3 years | Service provision and legal claims limitation period |
| Payment Records | 7 years | Tax and accounting obligations |
| Marketing Preferences | Until consent withdrawn or 3 years of inactivity | Consent management |
| Technical Logs | 12 months | Security and troubleshooting |
10. Your Rights Under UK GDPR
Under UK data protection law, you have the following rights regarding your personal data:
Right of Access
You have the right to request a copy of the personal data we hold about you (commonly known as a “Subject Access Request”).
Right to Rectification
You have the right to request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure
You have the right to request deletion of your personal data in certain circumstances (also known as the “right to be forgotten”).
Right to Restrict Processing
You have the right to request that we limit how we use your data in certain circumstances.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making
You have rights regarding decisions made solely by automated means that produce legal or similarly significant effects.
Right to Withdraw Consent
Where we rely on consent, you have the right to withdraw it at any time without affecting prior lawful processing.
10.1 How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Officer or UK Representative using the contact details provided in Section 15. We will respond to your request within one month. This period may be extended by up to two months for complex requests, in which case we will inform you of the extension and the reasons for it.
10.2 Identity Verification
To protect your personal data, we may need to verify your identity before responding to certain requests. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
10.3 Limitations
Please note that certain rights may be limited, particularly regarding medical records where retention is required by law or for the establishment, exercise, or defence of legal claims.
11. Cookies and Tracking Technologies
Our website uses cookies and similar technologies in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR), as amended by the Data (Use and Access) Act 2025.
11.1 Types of Cookies We Use
- Essential Cookies: Required for the operation of our Site and Services, including security features and account authentication. These cannot be switched off.
- Functional Cookies: Enable enhanced functionality and personalisation, such as remembering your preferences.
- Analytical/Performance Cookies: Help us analyse how users interact with our Site to improve its performance and design.
- Marketing Cookies: Used to track visitors across websites to enable targeted advertising.
11.2 Your Cookie Choices
When you first visit our website, you will be presented with a cookie banner allowing you to accept or reject non-essential cookies. You can change your preferences at any time through our cookie settings or by adjusting your browser settings.
For more detailed information about the cookies we use, please see our UK Cookies Policy.
12. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
- 256-bit SSL/TLS encryption for all data transmission
- Encrypted data storage at rest
- Qualified Electronic Signatures (QES) for secure document signing
- Access controls limiting data access to authorised personnel
- Regular security assessments and penetration testing
- Staff training on data protection and security
- Incident response procedures for potential data breaches
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office within 72 hours. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
13. Children’s Privacy
Our Services are not intended for children under the age of 16 without parental consent. We do not knowingly collect personal information from children under 16 without verifiable parental consent.
If you are a parent or guardian and believe we have collected information from your child without your consent, please contact us immediately using the details in Section 15, and we will take steps to remove that information from our systems.
For telehealth services provided to minors, we require appropriate parental or guardian consent and involvement in accordance with applicable healthcare laws and regulations.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. We will post the revised policy on our Site with an updated “Last Updated” date.
If we make material changes that significantly affect how we process your personal data, we will notify you through the Services or by other means, such as email, prior to the changes becoming effective.
We encourage you to review our Privacy Policy periodically to stay informed about our data practices. Your continued use of our Services after any changes to this Privacy Policy constitutes your acceptance of the revised policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
UK GDPR Representative (Article 27)
If you are located in the UK and have questions or concerns regarding your personal data, you may contact our appointed GDPR representative:
UK Representative:
Address: Euverify Ltd (UK)
3rd Floor
86-90 Paul Street
London
EC2A 4NE
United Kingdom
Email: [email protected]
To submit a Data Subject Access Request (DSAR), data deletion request, or any other GDPR-related inquiry, please use our secure portal at:
https://gdpr.euverify.com/verify/a8ba31f0-f8d5-450a-8815-23df3ce20e0f
This link allows you to verify our appointed representative and submit GDPR requests directly. Requests submitted through this portal are logged and tracked to ensure timely response and compliance.
16. Complaints
If you are not satisfied with our response to any data protection concern, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection.
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Helpline: 0303 123 1113
Live Chat: Available on ICO website
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first.