Dropcare does not collect, own, or control any patient data. All patient data is collected and controlled exclusively by the clinic. Dropcare acts solely as a technical intermediary.
1. About this policy
This Privacy Policy explains how Dropcare ("we", "us", or "our") handles personal data in connection with the Dropcare platform, which consists of:
- The Dropcare Admin Panel — used by eye clinics and their staff
- The Dropcare mobile app — used by patients to receive post-operative drop reminders
Dropcare operates as a B2B2C platform. The clinic collects patient personal data and enters it into the platform. The clinic is the data controller for all patient personal data. Dropcare acts as a data processor — storing and transmitting patient data solely on the clinic's instructions.
Patients who want to exercise their data rights should contact their clinic directly.
2. Dropcare does not collect patient data
Dropcare does not independently collect any patient personal data. Every piece of patient data in the platform — including names, contact details, surgery information, and dose logs — has been entered either by the clinic's staff through the Admin Panel, or by the patient themselves during app activation at the clinic's direction.
Dropcare does not use patient data for advertising, profiling, research, product improvement, or any purpose beyond delivering the scheduling and alarm functionality instructed by the clinic. The clinic bears full responsibility for all aspects of patient data compliance.
3. Who controls what
3.1 Patient data — the clinic is the controller
The clinic that registered the patient is the data controller for that patient's personal data. The clinic determines what data is collected, ensures a valid legal basis for processing, responds to patient data rights requests, and is responsible for all regulatory compliance (including GDPR, UK GDPR, CCPA/CPRA, and HIPAA where applicable).
3.2 Clinic staff data — Dropcare is the controller
Dropcare acts as data controller only for the personal data of clinic administrators and staff members who use the Admin Panel — specifically: full name, email address, role designation, and activity logs within the Admin Panel. This data is processed solely to provide the Admin Panel service.
4. What data is held in the platform
The following categories of data may be present in the Dropcare platform, entered by the clinic or at the clinic's direction. This data is held by Dropcare solely on behalf of the clinic.
| Category | Details |
|---|---|
| Patient name | First and last name. Entered by clinic staff or by the patient during activation. |
| Email address | Used to deliver the Activation Code and for clinic–patient communications. |
| Phone number | Used to deliver the Activation Code via SMS. |
| Surgery type | Type of eye surgery (e.g., LASIK, LASEK, PRK). Health data entered by the clinic. |
| Surgery date and time | Used to calculate the treatment plan schedule. Health data entered by the clinic. |
| Dose compliance logs | Timestamped records of doses marked as taken. Generated by the patient's app use, stored on behalf of the clinic. |
| Patient-submitted questions | Free-text questions submitted by patients via the app. Stored on behalf of the clinic. |
| App activation status | Whether the patient has activated the app. Operational data held on behalf of the clinic. |
Health data note: Surgery type, surgery date, and dose compliance logs may constitute health data (special category data under GDPR / sensitive personal information under CCPA/CPRA). The clinic is solely responsible for ensuring it has an appropriate legal basis for collecting and processing this data.
5. How Dropcare uses data (as processor)
As data processor, Dropcare uses patient data only to deliver the technical functions of the platform on behalf of the clinic:
- Activation code delivery — transmitting activation codes to patients via email and/or SMS
- App service delivery — transmitting treatment plan schedules, dose alarms, follow-up dates, and clinic information to the patient's app
- Progress tracking — storing and displaying dose compliance data to the patient (app) and to clinic staff (Admin Panel)
- Patient questions — routing patient-submitted questions to clinic staff
- Platform security — technical monitoring to protect platform integrity
- Legal compliance — retaining data as required by law
Dropcare does not use patient data for advertising, direct marketing, profiling, product analytics, or training machine learning models.
6. Legal bases for processing
6.1 Patient data (GDPR / UK GDPR) — clinic's responsibility
The clinic, as data controller, is responsible for establishing a valid legal basis for processing patient data. Applicable bases may include Article 9(2)(h) GDPR (healthcare purposes) or Article 9(2)(a) GDPR (explicit patient consent).
6.2 Clinic staff data — Dropcare as controller
Article 6(1)(b) GDPR (performance of the commercial agreement with the clinic) and Article 6(1)(f) GDPR (legitimate interests in platform security).
6.3 California users (CCPA / CPRA)
Dropcare does not sell or share personal information for cross-context behavioural advertising. Patient health data is treated as sensitive personal information under CPRA.
6.4 US healthcare — HIPAA
Where Dropcare processes Protected Health Information on behalf of a HIPAA Covered Entity, Dropcare will execute a Business Associate Agreement (BAA) with that clinic before processing any PHI.
7. Data sharing and disclosure
Patient data is accessible only to: the patient themselves (in their app), and administrator-level staff of the clinic that registered the patient. Patient data is clinic-scoped — no other clinic or Dropcare staff member accesses it except as required to operate the platform.
Dropcare engages third-party infrastructure providers (cloud hosting, email delivery, SMS delivery, security monitoring) that act solely on Dropcare's instructions under equivalent data protection standards.
Dropcare may disclose data if required by law, regulatory order, or court order.
8. International data transfers
Where data is transferred outside the EEA or UK, Dropcare ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or other approved mechanisms.
9. Data retention
Patient data: Retained while the clinic's account is active and for 30 days after account termination, then permanently deleted. Clinics may delete individual patient records at any time via the Admin Panel.
Clinic staff data: Retained while the account is active and for a reasonable period thereafter for audit and legal purposes.
10. Your rights
If you are a patient: Your data is controlled by your clinic, not by Dropcare. To exercise any data rights — access, correction, deletion, portability, restriction, or objection — please contact your clinic directly.
EU / EEA / UK rights (GDPR / UK GDPR)
You have the right to access your personal data; rectify inaccurate data; request erasure; restrict processing; data portability; object to processing based on legitimate interests; and not be subject to solely automated decisions with significant effects.
California rights (CCPA / CPRA)
California residents have the right to know what personal information is collected, used, disclosed, or sold; delete personal information; correct inaccurate information; opt out of sale or sharing (Dropcare does not sell or share); limit use of sensitive personal information; and non-discrimination for exercising rights.
11. Security
Dropcare implements appropriate technical and organisational measures including encryption in transit (TLS) and at rest, role-based access controls, and security monitoring. In the event of a personal data breach, Dropcare will notify the clinic promptly in accordance with the Data Processing Agreement and applicable law.
12. Children's data
The Dropcare platform is a post-operative medical support tool. Where a patient is under 16, the clinic is responsible for ensuring appropriate parental or guardian consent has been obtained before registering the patient's data. Dropcare does not knowingly process data of children under 13 for any purpose beyond delivering the clinic-instructed scheduling service.
13. Changes to this policy
Dropcare may update this policy from time to time. Material changes will be communicated to clinic customers via email or the Admin Panel, and to patients via the app.
14. Contact
For questions about this Privacy Policy or to exercise your rights as clinic staff, contact:
Patients should contact their clinic in the first instance. Supervisory authority complaints may be raised with the relevant EU/EEA data protection authority, the UK Information Commissioner's Office (ico.org.uk), or the relevant US state Attorney General.