Data Processing Addendum
Last updated: May 9th, 2025
This Data Processing Addendum ("DPA") forms part of the Terms and Conditions between the Customer and My Practice Manager Ltd ("we," "us," or "our") and applies when the Customer uses our Services to process personal data.
1. Definitions
- Customer: The entity (e.g., GP practice) using our Services and acting as the data controller.
- Company: My Practice Manager Ltd, acting as the data processor.
- Personal Data: Information relating to an identified or identifiable natural person.
- Data Protection Laws: UK GDPR, Data Protection Act 2018, and related legislation.
- Services: The My Practice Manager platform, including the Compliance Document Manager and AI document creation tools.
2. Purpose and Scope
This DPA applies when the Customer uploads or stores documents containing personal data, or uses AI-powered tools to generate documents (e.g., policies, SOPs, risk assessments) that may include such data. In doing so, the Customer acts as the data controller and we act as the data processor.
Use of our AI document creation tools may involve the input of staff information (e.g., names, roles, emails) to tailor documents to the practice’s operations. This processing is limited to supporting the generation of practice-specific documents and materials.
Important: The Services must not be used to enter, process, or generate content that includes patient data, whether directly or incidentally. We do not currently operate under NHS-mandated data handling standards for patient-identifiable information.
3. Nature of Processing
- Subject Matter: Storage and generation of compliance documentation and operational resources.
- Duration: For the duration of the Customer’s use of the Services.
- Type of Data: Names, roles, contact details of staff or individuals mentioned in practice documents.
- Data Subjects: Practice employees, contractors, or other staff referenced in compliance documentation or AI-generated content.
4. Processor Obligations
- Process personal data only on the Customer’s documented instructions.
- Ensure personnel are subject to confidentiality obligations.
- Implement appropriate technical and organisational measures for security.
- Assist the Customer in responding to data subject requests and compliance obligations.
- Delete or return personal data upon termination of the Customer’s account.
- Not subcontract processing without appropriate written agreements and notice to the Customer.
5. Customer Responsibilities
- Ensure any personal data uploaded or entered via AI tools is lawful and appropriate.
- Do not upload or generate documents containing any patient-identifiable data.
- Provide privacy notices to individuals named in practice documents, if required.
6. Subprocessors
We use subprocessors to support the delivery of our Services. In particular, we rely on Google Cloud services (including Firebase) for data hosting and infrastructure. These services are configured to ensure that all personal data is stored and processed within the United Kingdom or the European Economic Area (EEA).
Google may engage its own subprocessors as part of its cloud infrastructure operations. While we do not control these relationships directly, Google remains contractually obligated to ensure that any such subprocessors meet appropriate data protection and security standards.
We will notify you of any material changes to our subprocessors where required, and we maintain a current list of primary subprocessors, which is available upon request.
7. Data Transfers
All personal data processed by My Practice Manager Ltd is stored and handled within the United Kingdom or the European Economic Area (EEA). We do not transfer personal data outside these jurisdictions.
Our infrastructure providers, including hosting and database services (e.g., Google Cloud via Firebase), are configured to ensure that all data remains resident within the UK or EEA.
If any change to this arrangement becomes necessary in the future, we will implement appropriate safeguards (such as Standard Contractual Clauses) and notify affected customers in advance.
8. Records
We will provide reasonable documentation to demonstrate compliance.
9. Termination
Upon account termination, personal data will be deleted or anonymised within 30 days unless otherwise required by law.
10. Governing Law
This DPA is governed by the laws of England and Wales. Disputes shall be subject to the jurisdiction of English courts.
11. Contact
If you have any questions about this DPA or how we handle your data, please contact us at:
My Practice Manager Ltd
contact@mypracticemanager.co.uk