Ask a Cardiologist

Privacy Policy

Last updated: April 2026

1. Who We Are

Ask a Cardiologist is operated by Dr Mohammad Radwan Almajali MD MRCP(UK) CCT Cardiology, a UK-registered consultant cardiologist (GMC No. 7389425). We provide remote cardiology advice and consultation services via askacardiologist.co.uk.

For data protection purposes, Dr Almajali is the Data Controller. You can contact us at: contact@askacardiologist.co.uk

2. What Data We Collect

  • Name, email address, and phone number (when you register)
  • Date of birth (optional, for clinical context)
  • Medical information you provide in questions or notes
  • Uploaded files (ECG reports, echocardiograms, blood tests, letters)
  • Payment information (processed securely by Stripe — we do not store card details)
  • Consultation history and correspondence with Dr Almajali

3. How We Use Your Data

  • To provide cardiology consultation services
  • To communicate with you about your consultations
  • To process payments securely
  • To maintain records as required under GMC guidance on remote consultations
  • To improve our service

We will never sell your data to third parties or use it for marketing without your explicit consent.

4. Legal Basis for Processing

We process your data under the following lawful bases (UK GDPR):

  • Contract — to deliver the consultation service you have paid for
  • Legitimate interests — to operate and improve our service
  • Legal obligation — to comply with GMC record-keeping requirements
  • Vital interests — in the event of a medical emergency disclosed to us

5. Data Storage & Security

Your data is stored securely using Supabase (PostgreSQL database hosted in the EU). Uploaded files are stored in encrypted cloud storage. Access is restricted to Dr Almajali only. We use industry-standard encryption (TLS) for all data in transit.

6. Data Retention

Medical records are retained for a minimum of 8 years following your last consultation, in line with NHS and GMC guidance. You may request deletion of non-clinical account data at any time.

7. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request erasure (subject to clinical retention obligations)
  • Object to or restrict processing
  • Request data portability
  • Lodge a complaint with the ICO (ico.org.uk)

To exercise any of these rights, email: contact@askacardiologist.co.uk

8. Third-Party Services

  • Clerk — authentication and account management
  • Stripe — payment processing (PCI DSS compliant)
  • Supabase — database and file storage (EU region)
  • Resend — transactional email delivery
  • Whereby — video consultations
  • Vercel — website hosting

Each provider operates under their own privacy policy and data processing agreements.

9. Cookies

We use essential cookies only — for authentication and session management. We do not use advertising or tracking cookies.

10. Changes to This Policy

We may update this policy from time to time. The date at the top of this page will reflect the most recent update. Continued use of the service constitutes acceptance of the updated policy.