Privacy Policy

Medicann Privacy and Cookie Policy

Effective Date: 23rd July 2025

1. Introduction

Medicann, trading as Medicann (Jersey) Limited (Jersey, company number: 116256), Medicann (Guernsey) Limited (Guernsey company number CMP68085), Medicann (IOM) Limited (Isle of Man, company number: 019128V), and Medicann UK Limited (trading under Medcann (Scotland) Limited, company number: SC842768 ) (‘the Clinic,’ ‘we,’ ‘us,’ or ‘our’) is the data controller responsible for your personal data and is committed to protecting and respecting your privacy. This Privacy and Cookie Policy explains how we collect, use, disclose, and safeguard your personal data when you interact with our services, including when you use or visit our clinics or digital platforms.

This policy complies with applicable data protection legislation, including:

• The UK and EU General Data Protection Regulation (UK & EU GDPR)
• The UK Data Protection Act 2018
• The Data Protection (Jersey) Law 2018
• The Data Protection (Bailiwick of Guernsey) Law, 2017
• The Data Protection Act 2018 (Isle of Man)

Healthcare professionals working with us are also bound by professional confidentiality obligations and codes of conduct, in addition to data protection laws.

This Privacy and Cookie Policy should be read alongside our Terms and Conditions, which outline the basis on which medical services are provided.

2. What Information We Collect

We may collect and process the following categories of personal data:

• Identification data: Full name, date of birth, gender, photographic ID
• Contact details: Address, email, phone number
• Health data: Medical history, diagnosis, treatment records, prescriptions, medical cannabis usage
• Payment information: Billing details, payment card data (processed securely via third parties)
• Technical data: IP address, browser type, device identifiers, usage data on our website or app
• Preferences: Marketing opt-in status, cookie preferences

3. How We Collect Information

We collect your information through:

• Direct interactions (e.g., patient registration forms, consultations)
• Referrals from healthcare providers (with your consent)
• Third-party software systems used to facilitate appointments, prescriptions, telemedicine, and payment processing
• Automated technologies via cookies and similar tools on our website
• Medical records and history from third-party medical evidence gathering agencies (when authorised by you)

4. Legal Basis for Processing

We process your personal data under the following legal grounds:

• Consent: Where required for special category data or marketing communications
• Performance of a contract: To provide healthcare and related services
• Legal obligation: Compliance with applicable healthcare and regulatory requirements
• Legitimate interest: For business administration, quality control, and fraud prevention

For special category data, including health-related information, we primarily rely on Article 9(2)(h) UK GDPR and equivalent provisions in local laws—processing necessary for the provision of health or social care. Explicit consent under Article 9(2)(a) is used only where legally required. You may withdraw consent at any time.

5. Use of Your Information

We use your information to:

• Provide safe and effective medical cannabis treatment
• Communicate with you regarding appointments, prescriptions, and care
• Comply with regulatory and legal obligations
• Improve our services and patient experience
• Facilitate billing and payment processes
• Conduct clinical audits and support medical research in anonymised or pseudonymised form, where permitted
• Assess eligibility for cannabis-based medicinal products, including review of mental health and psychiatric history in accordance with clinical prescribing protocols

6. Sharing Your Information

We may share your data with:

• Licensed third-party pharmacies for prescription fulfilment
• Medical professionals and practitioners involved in your care
• Regulatory authorities (e.g., GMC, MHRA, local health authorities, law enforcement)
• IT and software providers (e.g., patient record systems, telehealth platforms, payment processors)
• Insurers, legal, compliance, and audit teams
• Email marketing providers and analytics platforms

Prescription data may be disclosed to local or national monitoring authorities where required under controlled drugs legislation or prescription monitoring frameworks

All third-party providers are bound by data processing agreements and operate under our instructions. Some may act as joint controllers, and where applicable, Joint Controller Agreements are in place. A list of key third parties and their roles is available upon request.

7. International Data Transfers

We currently do not transfer personal data outside the UK or EEA. Transfers between the UK and Jersey, Guernsey, or the Isle of Man are lawful under adequacy decisions. If future transfers become necessary, we will use safeguards such as Standard Contractual Clauses or equivalent.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data, including encryption, secure servers, access control, and regular security audits. Our systems are continuously monitored for vulnerabilities.

9. Data Retention

We retain data only for as long as necessary:

• Medical records: Minimum of 22 years after last treatment (or longer as required by law)
• Financial data: 6 years in line with accounting standards
• Contact and technical data: Retained in accordance with operational needs and regulatory requirements
• Marketing preferences: Retained until consent is withdrawn

10. Your Rights

You have the following rights under data protection law:

• Right to access your personal data
• Right to rectify inaccurate or incomplete data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent at any time
• Right not to be subject to automated decision-making with legal or similarly significant effects

We may require identity verification to process your request, such as confirming your full name, date of birth, and providing a scanned copy of photographic ID or proof of address, depending on the nature of your request. To exercise your rights, contact: dpo@medicann.co.uk. If you are dissatisfied, you may lodge a complaint with your local supervisory authority.

11. Children’s Data

Our services are generally intended for those aged 18 and over. Where minor patients are treated, consent is obtained from a parent or guardian. We follow local laws regarding age of consent and parental rights.

12. Automated Decision-Making and Profiling

We do not make decisions based solely on automated processing that produce legal or similarly significant effects. Any decision support tools (e.g., symptom triaging software) assist clinicians but do not replace clinical judgment.

13. Special Category Personal Data

We may process sensitive data such as health data, ethnicity, religious beliefs, genetic data, and sexual orientation. This data is handled under legal bases provided by GDPR and only when strictly necessary for healthcare delivery or when you have given explicit consent.

We also process cannabis-specific health data such as dosage, treatment efficacy, and any psychoactive effects. This information is handled with the highest level of confidentiality and only shared with authorised parties involved in your care or regulation.

14. Marketing Communications

You may opt in to receive newsletters, service updates, and promotions. We may use profiling or segmentation to tailor these communications, and any such activity in the future will be conducted only with your explicit consent. You can unsubscribe at any time by using the link in our emails or contacting: marketing@medicann.co.uk. We do not share your contact details with unauthorised third parties for marketing.

15. Cookies

15.1. What Are Cookies?

Cookies are small files stored on your device when you visit our website. They help us improve functionality, performance, and user experience.

15.2. Types of Cookies We Use

• • Strictly Necessary Cookies: Essential for site functionality
  • Performance Cookies: Help us analyse usage
  • Functionality Cookies: Remember preferences
  • Third-Party Cookies: Used by analytics tools (e.g., Google Analytics)

We do not currently use advertising cookies. You may manage or disable cookies through your browser settings. Instructions for major browsers (Chrome, Firefox, Safari) are available on our website.

15.3. Cookie Consent

Our website uses a cookie consent banner. You may accept or reject non-essential cookies. Your preferences can be updated at any time.

16. Updates to This Policy

We may update this Privacy and Cookie Policy. The latest version will always be available on our website and the effective date will be updated accordingly.

17. Compliance with Controlled Drugs Regulations

Medicann complies with all applicable controlled drugs regulations in the jurisdictions in which we operate, including the Misuse of Drugs Regulations 2001 (UK) and equivalent laws in Jersey, Guernsey, and the Isle of Man. Our clinicians and pharmacists adhere to prescription monitoring, secure data handling, and audit requirements in line with local controlled substances laws.

18. Contact Us

For questions regarding this policy or to exercise your rights, contact our Data Protection Officer: dpo@medicann.co.uk