Privacy Policy.

Privacy Policy: Version [2.0]
Effective Date: [19/08/2025]
Last Updated: [19/08/2025]

Introduction

Beet Online Healthcare Limited (“Beet Online,” “we,” “us,” or “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and protect your data when you use our online medical practice. It is designed to comply with all relevant privacy and healthcare regulations in Ireland, including:

  • General Data Protection Regulation (EU) 2016/679 (GDPR) – European data protection law

  • Irish Data Protection Acts 1988–2018 – National data protection legislation

  • Irish ePrivacy Regulations (S.I. 336/2011) – Rules on cookies and electronic communications

  • Guidance from the Data Protection Commission (DPC) – Irish regulator’s guidelines on data protection and cookies.

  • Medical Council of Ireland codes of professional conduct (including confidentiality)

  • HIQA (Health Information and Quality Authority) and HSE (Health Service Executive) standards for health data security, retention, and governance

This Privacy Policy is an integral part of our [Terms of Service] and should be read alongside our [Cookie Policy] and [Refund Policy]. By using our services, you agree to the data practices described in this Policy. We have written this Policy in plain English to be clear and accessible, and we will update it as needed to remain compliant with law and best practices.

Throughout this document, the “Platform” means, collectively: (a) Beet Online’s patient-facing website and patient portal located at [insert your domain] (including any related mobile interfaces), and (b) the underlying clinical software and communications infrastructure provided by Semble Technology Limited (“Semble”) that we use to schedule, conduct, record, prescribe, and communicate in relation to consultations. The Platform is the tool patients and Practitioners use to access and deliver care through our online medical practice and does not make Semble a party to these Terms. A “Practitioner” refers to an independent medical doctor who is registered with the Irish Medical Council and provides remote consultations via Beet Online. Practitioners are responsible for their clinical decisions; we are responsible for operating the practice and systems with reasonable care. The term “Consultation” means a telemedicine appointment you have with a Practitioner through our service (for example, a video call or phone call). “You” or the “User” means the person who registers an account or uses our Services, including a parent/guardian who registers on behalf of a minor.

Privacy Highlights: For a brief overview of our privacy practices, you can also refer to our Privacy Highlights summary (available on our website).

1. Definitions

To make this Policy clear, here are some key terms we use:

  • Personal Data: Any information relating to an identified or identifiable individual. This includes obvious things like name or email, as well as information like an IP address or medical record number if it can identify you.

  • Special Category Data: Sensitive personal data that is given extra protection under GDPR – for example, data about health, genetics, biometrics, or sexual orientation. Your medical information falls in this category.

  • Processing: Any operation performed on personal data, such as collection, recording, organising, storing, using, or deleting data. If we handle your data in any way, that’s “processing.”

  • Data Controller: The entity that determines the purposes (“why”) and means (“how”) of processing personal data. In other words, the decision-maker about the data.

  • Data Processor: A party that processes personal data on behalf of a controller, following the controller’s instructions. For instance, a cloud service storing data for us might be a processor.

  • SCCs: Standard Contractual Clauses – these are EU-approved contractual terms used to legally transfer personal data outside the European Economic Area (EEA).

  • EEA: European Economic Area, which includes all EU countries plus Iceland, Liechtenstein, and Norway.

2. Who We Are (Data Controller Details)

Beet Online Healthcare Limited is the Data Controller for the personal data processed via our online medical practice (website and app). This means we are responsible for deciding how and why your personal data is used, and for ensuring it is protected. We are an Irish company operating an online medical practice providing telemedicine services within the Republic of Ireland.

  • Company Name: Beet Online Healthcare Limited

  • Registered Office Address: 34 Scholars Way, Ballynagee, Co. Wexford Y35 RDW0 (Ireland)

  • Contact Email: hello@beetonline.ie

  • Contact Phone: [Insert Phone Number]

  • Data Protection Officer (DPO): We have appointed a DPO who can be reached at the above privacy email. This person oversees our data protection strategy and compliance.

If you have any questions about this Privacy Policy or our data practices, you can contact us by email or mail at the address above (please mark correspondence “Attn: Data Protection Officer”).

3. Data We Collect

We only collect data that is necessary to provide our services and to comply with our obligations. The categories of personal data we collect include:

  • Identification Data: Information that identifies you – for example, your name, date of birth, contact details (email, phone number), postal address, and any identity verification documents needed (especially for verifying a parent/guardian or a minor’s identity).

  • Health Data: Medical and health-related information you provide or that is recorded during your consultations. This can include your medical history, symptoms, diagnoses, treatment plans, prescription details, doctor’s consultation notes, and any reports or referral letters. This is considered sensitive “special category” data under GDPR.

  • Technical Data: Information about how you access our online medical practice. For instance, your IP address, browser type and version, device type (computer or phone model), operating system, and unique device identifiers. We collect this mainly through cookies and similar technologies to ensure platform security and functionality (see our [Cookie Policy] for details). We use cookies to support core site functions (like secure login), as well as optional tools (like site analytics and video performance monitoring). Non-essential cookies (like those for analytics) are only used with your consent. Please see our [Cookie Policy] for full details.

  • Usage Data: Data about your interactions with our platform and services. For example, appointment booking history, consultation logs (dates/times of visits), chat or message transcripts on the platform, and user preference settings. We also keep records of any communications you have with our support (like emails to customer service).

  • Payment Data: Details you provide to pay for our services. We use third-party payment processors (e.g., Stripe) so we do not store full credit/debit card numbers on our servers. We may keep basic transaction records such as the amount paid, date, and payment method, as needed for billing and compliance. Payment processing is handled securely by our payment partner in accordance with PCI-DSS standards.

  • Children’s Data: If a parent or guardian creates an account for a minor (under 18), we collect the child’s personal and health data as necessary for providing the service, as well as the parent/guardian’s information. Note: Our services are not available to children under 5 years old at all. For children aged 5–15, a parent or legal guardian must create the account and provide consent (see Section 8 below). Teens 16 or older can access our services independently, but we may notify them of their privacy rights when they turn 16.

We collect most of this data directly from you, or it is generated through your use of our service. In some cases, we may receive information about you from third parties with your consent – for example, if you ask us to obtain past medical records from your GP or if an insurance company or employer coordinates a service for you (in which case they should have your permission to share your details). We do not purchase any mailing lists or data about you from outside companies.

4. Legal Basis for Processing

We always ensure we have a valid legal basis under GDPR to process your personal data. Depending on the context, one or more of the following legal bases apply:

  • Performance of a Contract (GDPR Article 6(1)(b)): When you register and use Beet Online, you enter into a service agreement with us. We need to process certain personal data to fulfil our obligations in that contract – for example, using your provided information to set up your account, schedule consultations, or for a doctor to provide medical advice. Simply put, we can’t provide the telemedicine service without using certain data about you.

  • Provision of Healthcare (GDPR Article 9(2)(h)): Much of the data we handle (like your health and medical details) is sensitive. GDPR allows us to process health data “for the purposes of medical diagnosis, the provision of health or social care or treatment,” when done by or under the responsibility of a professional bound by confidentiality. This is the primary basis for processing your health information – our IMC-registered doctors and healthcare staff handle your data for your care, in line with professional secrecy obligations.

  • Legal Obligation (GDPR Article 6(1)(c)): We have to comply with various legal requirements that might involve processing your data. For example, tax and accounting laws require us to keep payment records, health regulations may require us to retain medical records for a certain time, or we might have to report certain information to authorities (like an infectious disease, in rare cases, or cooperate with court orders). We will only disclose or use the necessary data to fulfil such legal duties.

  • Legitimate Interests (GDPR Article 6(1)(f)): We may process some data to pursue the legitimate interests of running and improving our service, provided those interests are not outweighed by your rights and interests. For instance, we have a legitimate interest in ensuring IT security and preventing fraud – so we might monitor usage data to detect malicious activity. We also have an interest in improving user experience, so we might analyse usage patterns or feedback (in an aggregated, non-identifying way) to refine our service. Whenever we rely on this basis, we carefully consider and balance any potential impact on you, and we will be transparent about it. You have the right to object to processing based on legitimate interests (see Section 15 on your rights).

  • Consent (GDPR Articles 6(1)(a) and 9(2)(a)): Generally, we do not rely on consent for most of your data processing because the above bases usually cover it. However, we will ask for your explicit consent in certain scenarios – for example, if we want to send you marketing emails/newsletters, if you opt-in to an optional wellness program or research study, or if we plan to use your data in a way that isn’t already covered by the other bases. Where consent is required, we will explain clearly what you are consenting to, and you can refuse or withdraw your consent at any time with no effect on the core services. We will also obtain parental consent for processing a child’s data (see Section 8).

Summary of Key Legal Bases: To put it in context, here is a quick reference of how different types of data are handled legally:

| Data Type | Purpose & Legal Basis | GDPR Basis |
| --- | --- | --- |
| Identification Data (e.g. name, contact info) | To register and manage your account; verify your identity; schedule appointments (Contractual necessity) | Art. 6(1)(b) – Contract |
| Health Data (medical information, consultation records) | To provide you with medical diagnosis and treatment via our platform (Healthcare services by professionals) | Art. 9(2)(h) – Health/Treatment |
| Payment Data (billing info, transactions) | To process payments and comply with financial laws (Legal obligation for record-keeping) | Art. 6(1)(c) – Legal Obligation |
| Technical & Usage Data (cookies, device info, logs) | To ensure platform security, prevent fraud, and improve our services (Legitimate interests, with minimal impact on privacy) | Art. 6(1)(f) – Legitimate Interest |
| Optional Data (e.g. marketing preferences) | Only used if you opt-in (Consent for specific purpose, like receiving a newsletter) | Art. 6(1)(a) – Consent |

If we ever need to process your data for a new purpose that isn’t covered by one of the above, we will inform you and, if required, seek your consent.

5. Purpose of Processing (How We Use Your Data)

We strictly use your personal data for the purposes for which it was collected, and no more. The main purposes for which Beet Online processes your data include:

  • Providing Telehealth Services: We use your information to deliver our core medical services to you—this includes scheduling and conducting your remote consultations, allowing our practitioners to review your medical history and symptoms, enabling them to provide medical advice or diagnosis, and documenting the consultation in your health record.

  • Managing Your Account: We maintain your user account with your registration details. This allows you to securely log in, book appointments, view your consultation history, and manage personal settings. We may also use your contact information to communicate with you about account-related issues (e.g. to verify your email or notify you of updates to our terms or policies).

  • Communication & Coordination: Your data is used to coordinate care and communications. For example, a doctor might use your health information to write a prescription or referral; we might send that prescription to your chosen pharmacy; or if you ask, we might send a summary of your visit to your regular GP. We also use your email or phone number to send appointment reminders, follow-up instructions, or to follow up on how you’re doing after a consultation (with your consent).

  • Payments & Administration: We use payment and contact data to process your consultation fees or subscription charges. This involves sending the necessary details to our payment processor and keeping records of transactions. If there are issues (like a failed payment), we’ll use your info to notify you and resolve it.

  • Service Functionality & Performance: Technical and usage data (like cookies or device info) help us ensure the website/app functions properly, loads quickly, and remembers your preferences (such as keeping you logged in if you chose “remember me”). We also measure usage of features to understand what’s working well or what might need improvement. This is generally done in an aggregated or anonymised way for analytics.

  • Safety and Security: We monitor usage and technical data to protect against fraud, abuse, or unauthorised access. For instance, we may detect multiple failed login attempts or unusual activity to prevent someone from breaking into accounts. We also keep logs of access to medical records to detect any improper access.

  • Legal and Regulatory Compliance: We may use your data as needed to comply with laws or regulations. Examples: maintaining medical records for the minimum periods required by Irish law; generating reports required for public health (very rarely, if a doctor must report a notifiable disease); or providing information in response to a lawful request by authorities (as required by court order, etc., see Section 19). We also use data to comply with medical standards (e.g., quality audits or clinical governance reviews, using anonymised data whenever possible).

  • Quality Assurance and Training: To maintain a high standard of care, we might review certain consultation records (by authorised personnel) as part of quality audits or clinician supervision, always under strict confidentiality. We also may use feedback or recordings (with consent) to train our staff or practitioners.

  • Service Improvement and Research: With appropriate safeguards, we might use de-identified data (data that cannot identify you personally) to analyse trends, outcomes, or for research and innovation to improve telemedicine services. If we ever want to use identifiable data for research beyond your direct care, we would seek your explicit consent or ethically approve it under Irish health research regulations.

  • Marketing (with consent): If you have opted in to marketing communications, we may use your contact info to send you newsletters, updates about new services, or promotions. We respect your choice – if you don’t opt in, we won’t send marketing emails, and even if you do, you can unsubscribe at any time. We do not use any sensitive health information for marketing purposes.

We do not use your personal data for any automated decision-making that produces legal or significant effects on you (see Section 9 – no profiling). And we absolutely do not sell your data to third-party advertisers or data brokers. All uses of data are tied to providing and improving our service and ensuring we meet our responsibilities to you.

6. Processing of Health Data and Confidentiality

Your health data is treated with the highest level of care and confidentiality. Only those who need to access your health information to provide services will be able to do so. Specifically:

  • Healthcare Provision: Health data (like the information you share in a consultation, your medical history, etc.) is accessed by practitioners who work for or on behalf of Beet Online Healthcare Limited as part of our medical practice. They use it to diagnose, advise, and treat you appropriately under professional secrecy obligations and Irish Medical Council rules (GDPR Article 9(2)(h)).

  • Clinical Documentation: Practitioners will record notes about each consultation (just as they would in a regular clinic). These notes become part of your medical record within our service. We maintain these records securely as part of providing care and to meet legal record-keeping obligations.

  • Prescriptions and Referrals: If a doctor issues a prescription or a referral letter for you, they will include necessary health details in those documents. We handle the transfer of these documents (for example, sending the prescription to your chosen pharmacy, or sending a referral letter to a specialist if you’ve requested that) in a secure manner.

  • Internal Healthcare Operations: Occasionally, authorised clinical staff (like a medical director or a quality supervisor) may review patient records to ensure that the care provided meets all standards, or to investigate a quality issue. Such reviews are done by personnel who are also bound to confidentiality (for example, a senior doctor checking that consultations are properly documented). We minimise these occurrences and, when possible, use anonymised data for quality checks.

  • Confidentiality Safeguards: All Beet Online staff and contractors who handle health data must sign confidentiality agreements and undergo training on patient privacy. We enforce role-based access controls – meaning, a staff member can only access the specific data necessary for their role. For example, our administrative staff can see your contact and appointment info to assist with scheduling, but they cannot view detailed health notes, which are restricted to medical professionals. We also log every access or action taken with health records, so there is an audit trail.

In short, your health information stays private between you and your care providers, with Beet Online facilitating that process under strict privacy controls. We recognise the sensitive nature of medical data and treat it with utmost care, in line with professional ethics and legal requirements (like the Medical Council’s guidelines and HIQA/HSE standards on health record handling).

7. Consent to Telehealth Treatment

By using Beet Online, you are consenting not only to data processing as described here, but also specifically to receiving medical treatment via telehealth. This is important because telemedicine has some differences from in-person care. When you register and each time you book a consultation, we will ask you to confirm your understanding and agreement to telehealth, including:

  • Nature of Telehealth: You understand that our services are provided remotely (via online video, audio, or messaging) and that no in-person physical examination will occur. You agree to receive care in this format.

  • Scope and Limitations: You acknowledge that telehealth has limitations. For example, the doctor is relying on the information and visuals you provide remotely. Certain conditions might not be identifiable without an in-person exam or tests. We will always do our best, but you accept that there is a small risk something might be missed due to the constraints of remote consultation. If the practitioner advises you to get in-person follow-up or emergency care, you will do so.

  • Consent to Treatment: Just as you would sign a consent form for a procedure in a clinic, by proceeding to use our service, you consent to allow our practitioners to provide medical advice and treatment recommendations to you via telehealth. You can ask questions at any time if you need clarification about a treatment or advice given.

  • Right to Withdraw: You have the right to discontinue use of telehealth services at any time. If you’re not comfortable with a telehealth assessment or advice, you can always choose to seek in-person care. Let us or your practitioner know if you wish to stop a consultation. (Note: this is about your medical consent; for data processing consent withdrawal, see your rights in Section 15).

We will typically reconfirm your consent at the start of each consultation (for example, the doctor might ask if you’re okay to proceed via video and if you’re in a private setting). This ensures you remain comfortable with telehealth at each visit. Our goal is to make sure you’re fully informed: telehealth is convenient, but it should be used appropriately and you should be aware of its scope. By continuing, you indicate that you understand and accept these terms of telehealth treatment.

8. Children’s Data and Parental Consent

Protecting children’s privacy is extremely important to us. Our policies for minors (under 18 years of age) are as follows:

  • Under 5: We do not provide telemedicine services to children below 5 years old. If you are under 5 (which would require an adult’s assistance regardless), please seek in-person paediatric care. This age cutoff is in place because very young children typically require hands-on clinical examination.

  • Ages 5–15: Children aged 5 to 15 can use Beet Online only with a parent or legal guardian’s involvement and consent. The parent/guardian must create the account in their own name, then add the child as a patient profile. We will require verification of the parent/guardian’s identity and perhaps documentation proving guardianship. The parent/guardian must consent to the collection and use of the child’s data and also consent to the telehealth treatment on the child’s behalf. We may request that the parent/guardian be present during consultations. We provide privacy information in a way that is understandable to the child where possible, but the guardian’s authorisation is paramount for processing the child’s data.

  • Ages 16–17: Teenagers who are 16 or 17 may use our services independently in accordance with Irish law (noting that 16 is the digital age of consent in Ireland for data processing). They can register themselves and consent to the processing of their data and telehealth treatment on their own. However, during registration we will still seek confirmation of age. We might notify a 16- or 17-year-old user that they have the option to involve a parent if they want, but it’s generally their choice at that point. If a minor (under 18) registers on their own, we may ask for additional confirmation at the consultation that they understand the process and perhaps ask if they have a trusted adult they wish to involve (especially if sensitive issues are discussed).

  • Parental Access: For accounts created by a guardian, that adult will generally have access to the child’s medical information on the platform. We treat communications as being on behalf of the child. Once a child under a guardian’s account reaches 16, we will notify them (and the guardian) that the child can assume control of their data/account if they wish. We can, at that point, transition the account to the teen’s own control, with the guardian’s access reduced or removed, to respect the emerging autonomy of the young person. We do this in line with best practices recommended by the DPC and healthcare guidelines, balancing child welfare with privacy rights.

  • Capacity and Understanding: We provide age-appropriate explanations about privacy to younger users. For example, a child might get a simplified notice explaining that we keep their information to help the doctor treat them, and that they can ask questions. We also recognise that as children mature, their ability to make certain decisions about their healthcare and data may increase. We take this into account, especially for older teens, in how we communicate and obtain consent.

  • Verification: When we say we verify guardian consent, this could involve requiring the guardian to provide a valid ID, and possibly the child’s birth certificate or other proof, especially if there’s any doubt. We do this to ensure that consent is valid and to prevent someone else from falsely claiming to be a guardian.

In summary, if you are a parent or guardian using Beet Online for a minor, we will work closely with you to protect your child’s data and ensure you are fully informed. And if you are a teenager using Beet Online, know that we are safeguarding your privacy while also making sure you have the support you might need from a parent or another adult as appropriate. We comply with all laws regarding minors’ data, including obtaining parental consent up to age 16, and ensuring high standards of protection for children’s health information.

9. Automated Decision-Making

We do not engage in any automated decision-making or profiling as defined under GDPR Article 22 that would have legal or similarly significant effects on you. In other words, there are no computer algorithms solely making important decisions about your eligibility for services, your health outcomes, or anything of that sort on our online medical practice. Every important decision (like a medical diagnosis or treatment plan) is made by qualified human practitioners, not by machines.

  • No AI Diagnoses: Our service doesn’t use artificial intelligence to diagnose or treat you without a doctor’s involvement. Any symptom check tools or resources are purely informational and do not replace a doctor’s judgment.

  • No Credit Scoring or Marketing Profiles: We also don’t profile you for things like creditworthiness or extensive marketing segmentation. We might analyse usage patterns to improve service (e.g., “X% of users use our service on mobile”), but this is not tied to individual identities in a way that would impact you personally.

  • If This Changes: If in the future we introduce any feature that involves automated processing of your data to make a decision, we will update this policy, notify you, and ensure all your rights are respected (including the right to have a human review any automated decision, the right to an explanation of the decision-making logic, and the right to object). For example, if we ever use some automated triage system to prioritise urgent cases, we would only do so with careful consideration and transparency.

Your trust is important to us, and part of that is being clear that you won’t be subject to “black box” decisions about your personal data or healthcare on our online medical practice. Everything is either user-driven (like you input information and can see what it’s used for) or overseen by a human professional.

10. Data Sharing and Disclosure

We do not share your personal data with third parties for their own independent use, except in the situations described here. When we do share data, we always ensure there is a specific purpose and that appropriate safeguards (like confidentiality and security measures) are in place. The parties we may share data with include:

  • Healthcare Providers (Practitioners): When you receive care from Beet Online, your relevant information is shared with our practitioners (doctors or other clinicians) who deliver care as part of Beet Online’s medical practice. Practitioners access only the information necessary to treat you and are bound by medical confidentiality and our internal clinical governance.

  • Pharmacies: If the practitioner issues a prescription for you, we will send the necessary details to your chosen pharmacy so you can get your medication. This typically includes your identification data (name, date of birth) and prescription details. Pharmacies are also bound by confidentiality and professional rules. We send prescriptions via secure encrypted email or pharmacy fax systems as per standard practice, or through any integrated e-prescribing system if available.

  • Your GP or Other Healthcare Providers (Optional): We will only share information with your regular GP (family doctor) or another healthcare provider outside our online medical practice if you explicitly ask us to or consent to it. For example, if you want us to forward a referral letter or a summary of your consultation to your GP or a specialist, we can do that with your permission. By default, we do not routinely send your Beet Online records to any other doctor or clinic without your request.

  • Service Providers (Processors): Beet Online uses reputable third-party companies to help us run our service. These include:

    • Clinical System & Hosting: We use Semble Health Ltd (Semble.io) as our electronic health record (EHR) and practice management system, including secure hosting of patient records. Semble acts as our data processor and only processes personal data on our documented instructions under a Data Processing Agreement. Data is stored in secure data centres in the EEA and/or the UK (which currently benefits from an EU adequacy decision); where relevant, appropriate safeguards (such as Standard Contractual Clauses) are in place.

    • Email and Communication Tools: We use services like Google Workspace (Gmail) for some communications (for instance, sending prescriptions or administrative emails). We ensure that any such provider has adequate data protection measures (Google, for example, is certified under the EU-U.S. Data Privacy Framework and we have SCCs in place). Your sensitive data is not sent via plain email to you unless you’ve asked us to (e.g., you want a copy of a document by email – in which case we’ll warn you of risks). Normally, we’ll just send you notifications to check your secure account for any sensitive messages.

    • Payment Processor: Payments are handled by Stripe (or a similar secure payment gateway). When you enter your payment details, that information goes directly to Stripe. Stripe is a processor for us in this context. They might be based outside the EEA, but again we have legal safeguards in place (Stripe uses SCCs and is a PCI-DSS compliant entity). We share only what’s needed for billing (like your name, email, amount to charge) with the processor.

    • Analytics and Performance: We may use analytics tools (such as Google Analytics or similar) to collect anonymous statistics about how users navigate our site (e.g., which pages are visited most). These tools might set cookies – see [Cookie Policy] for details – but they do not receive your identifying information. We configure such tools to respect privacy (for example, anonymising IP addresses where applicable). These analytics providers help us improve the service and are not allowed to use the data for other purposes or combine it with their own data to identify you.

  • All our service providers are bound by Data Processing Agreements (DPAs) under GDPR, which contractually require them to safeguard your data to EU standards. They can only act on our instructions and cannot use your data for any other purposes. We regularly review our vendors’ compliance. A list of key sub-processors can be provided on request.

  • Law Enforcement or Regulators: We do not share data with authorities unless we are legally compelled to. However, if we receive a valid legal order or there’s a legal requirement (for example, a court subpoena, or a statutory obligation to report certain injuries or diseases), we may have to provide the requested data. We will verify any such request carefully and only disclose the minimum necessary information. Where possible and lawful, we will inform you if such a request has been made (for instance, if a court order allows notification). Additionally, if the Health Service Executive (HSE) or another health regulator requires data for auditing or an investigation, we will comply but ensure the data is handled confidentially.

  • Insurance or Third-Party Payers (With Consent): If your consultation is being paid for by an insurance company, employer, or other entity, we would only share information with them if you have given explicit consent. For example, sometimes insurance plans cover telehealth – you might ask us to send confirmation of your consultation or a receipt with basic details to your insurer. We would do that only with your approval, or you might choose to share it yourself. We do not send your medical records to insurers or others without you initiating that.

  • In Case of Company Transactions: This is a bit theoretical, but if Beet Online were ever involved in a merger, acquisition, or sale of assets, your data might be transferred to the new owner as part of the business transfer. If that happened, we would ensure the new entity is bound by the same privacy commitments, and we would notify you of the change and your options (for example, you might choose to delete your data if you don’t want to continue under new management).

Importantly, we do not share, rent, or sell your personal data to advertisers or social media companies. We also do not share any identifiable health data with any third parties for marketing or advertising purposes. Any use of your data is strictly for serving you or fulfilling our obligations.

For transparency, here’s a summary table of key third-party recipients and why they might receive data (either as a processor or, in some cases, as independent controllers like other healthcare providers):

| Recipient | Purpose of Sharing | Basis |
| --- | --- | --- |
| Treating Doctors/Practitioners | To provide you with direct patient care (consultation, diagnosis, prescription) | Contract; Medical care (Art. 9(2)(h)) |
| Pharmacy of your choice | Prescription fulfillment (providing your Rx details so you can get medication) | Contract; Vital interests/consent |
| Semble Technology Limited (platform host) | Secure platform hosting and telehealth software management | Contract (Data Processor) |
| Stripe (Payment processor) | Processing payment transactions (charging your card for consultations) | Contract; Legal obligation (secure payments) |
| Google (Workspace/Gmail) | Secure email services for communication (e.g., sending prescription to pharmacy or sending you notifications) | Contract (Data Processor under SCCs) |
| Health Regulators (HSE, etc.) | Legal compliance (e.g., mandatory reporting or audits) | Legal obligation |
| Your GP or Specialist (with your consent) | Continuity of care (sharing records or referral for ongoing treatment) | Your Consent/Request |
| Insurance Company/Employer (with consent) | Processing claims or payment on your behalf (sharing receipt or necessary info) | Your Consent |
| IT Support or Auditors (bound by NDA/DPA) | Technical support, security audits, or quality audits on our systems (limited access as needed) | Legitimate interests; bound by confidentiality |

If you have questions about any particular sharing or want more details on whom we use for what, feel free to contact us. We maintain a full list of our data processors that we can provide upon request. Remember, any third party that receives your data will get only the minimum necessary information and will be obligated to protect it just as carefully as we do.

11. Data Breach Notification

If a data breach occurs that is likely to result in a risk to your rights and freedoms (such as identity theft or loss of confidentiality), we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of it. This aligns with Article 33 of the GDPR and our internal incident response protocols.

12. Communication & Email Practices

We use electronic communications to run our service efficiently, but we do so securely and thoughtfully. Here’s how we handle communications:

  • Service Emails and Texts: We will email or text you for things like appointment confirmations, reminders, and follow-ups. For example, you might get an email confirmation when you book a consultation, a reminder the day before your appointment, or a message after your consultation with any next steps. These communications are considered part of the service (service notifications). We try to include only the necessary information and avoid sensitive details in these messages. For instance, a reminder email might say “You have an appointment with Beet Online on [Date] at [Time]” without delving into medical specifics.

  • Sending Medical Information: There are times we may send medical information via email with your knowledge – for instance, sending a prescription or a referral letter. Typically, we prefer to send such information directly to the relevant party (like sending the prescription to the pharmacy). If we send something to you, we might send it as a secure link that requires login to retrieve, rather than as an open attachment, to add a layer of security. We do not send highly sensitive health details to your personal email unless you have specifically asked and consented (for example, you insist on getting a copy of a consult note by email – we’d caution you and then accommodate if you understand the risk).

  • Secure Email Infrastructure: We use secure email service providers. For example, our domain’s email (like hello@beetonline.ie or support@beetonline.ie) is backed by Google Workspace (Gmail) or a similarly robust provider. These services automatically use encryption in transit (TLS encryption), meaning when we send an email to your inbox, it’s encrypted while traveling through the internet. However, once it’s in your email inbox, the security also depends on your email provider. We recommend you use a reputable email provider and keep your account secure.

  • Pharmacy Communication: Prescriptions might be sent via secure email or fax to pharmacies. We include only what’s needed: your name, date of birth, and prescription details. Pharmacies are accustomed to receiving such info and have their own legal obligations to keep it confidential.

  • Internal Messaging: Within our service, if there’s a messaging feature (for example, you messaging the doctor or our support through the app), those communications are kept within our secure system. We may monitor support communications to improve service quality, but medical communications between you and a practitioner are treated as part of your confidential medical record.

  • No Unsolicited Marketing Without Consent: We respect your inbox. We will not send you newsletters or marketing emails unless you have opted in. On our registration or account settings, you might be given the choice to receive updates or health tips – if you do not actively choose this, we won’t send it. If you do opt in and later change your mind, every marketing email will have an “unsubscribe” link, or you can contact us to remove you from the list. Transactional or service-related emails (as described above) are separate and you’ll receive those as part of using the service.

  • Email Access Controls: Only authorised Beet Online staff have access to our email systems, and they will only access communications as needed (for example, a support agent checking a conversation to help resolve an issue). All staff with such access are under confidentiality agreements. We also implement measures like two-factor authentication to protect email accounts from unauthorised access.

  • Data Privacy Framework and SCCs: Providers like Google LLC, which we use for email, have measures in place for international compliance. Google, for example, has certified under the EU-U.S. Data Privacy Framework, and we also have in our agreements that European data (like our emails) is protected via Standard Contractual Clauses. This means even if an email is stored on a server in the U.S., it’s covered by agreements to uphold EU-level privacy protection.

  • Retention of Communications: We keep copies of important communications for record-keeping. For instance, if you correspond with us about a refund or a complaint, we’ll retain those emails as part of our records (in line with retention policies). Routine notifications may not be stored long on our end (if they’re just automated sends). If you message a practitioner through our platform, those messages might be stored as part of the medical record.

  • Appropriate Use: We ask that you use caution when communicating with us too. Please do not send sensitive medical information over regular email unless necessary – instead, use the platform’s secure messaging or discuss it during your consultation. If you do email us sensitive info (like a photo of a rash or a document), we will handle it as we would other medical data, but email is not the most secure channel for initial receipt of such data. We might transfer it into your medical record and then delete the email.

In summary, we use electronic communications to serve you better but always aim to do so securely and respectfully. If you have a preferred way to communicate or special request (like “Don’t email me, please call”), let us know and we’ll accommodate if possible. Our default is to use email/SMS for efficiency, but your privacy and preferences come first.

13. International Data Transfers

Beet Online is based in Ireland, and we strive to store and process data within the European Economic Area whenever possible. However, some of our service providers or technical infrastructure may be located outside the EEA. Whenever your personal data is transferred to a country that does not have an EU Commission adequacy decision (for example, the United States), we take steps to ensure your data remains protected to EU standards. Our measures include:

  • Standard Contractual Clauses (SCCs): For any service providers outside the EEA, we sign the European Commission’s approved Standard Contractual Clauses. These are legal contracts that bind the foreign recipient to protect your data and give you rights to legal recourse, just as if your data stayed in Europe. In practice, this means companies like Semble.io or Stripe (if they process data in the US or another country) have agreed to strict data protection commitments in line with EU law. You can request a copy of these clauses from us if you’re interested (some parts may be redacted for commercial confidentiality, but the essence will be available).

  • EU-U.S. Data Privacy Framework: Where applicable, we work with U.S. companies that participate in the Data Privacy Framework (the replacement for the old Privacy Shield). For example, Google and Stripe are participants. This framework was deemed adequate by the EU in 2023, meaning it’s recognised as providing sufficient protection for personal data transferred to those certified U.S. entities. We still use SCCs as an extra layer, but this certification gives added assurance.

  • Supplementary Safeguards: We implement additional technical protections on data that might be stored or accessed overseas. These include:

    • Encryption: All data is encrypted in transit (using strong TLS protocols) and at rest on our servers or cloud storage (using AES-256 encryption). This means that even if data is stored outside the EU, it’s in an unreadable form to unauthorised parties. For example, your health records in the database are encrypted, so a cloud admin in another country couldn’t just browse through them without keys.

    • Access Controls and Audits: We restrict who can access data even within our provider companies. For instance, if data is hosted on AWS in the U.S., only a very limited number of tech personnel (who may be EU-based or under EU instruction) can access the live environment, and any access is logged and monitored. We also use multi-factor authentication (MFA) for any remote access.

    • Data Minimisation: We try to minimise the personal data leaving the EU. For example, if possible, we might choose European data centres for our services. If some data must leave, we might pseudonymise it (replace identifying info with codes) if full functionality allows.

    • Periodic Reviews: We stay updated on any changes in international data transfer law. We will adjust our measures if needed (for example, if SCCs are updated or if legal rulings affect data transfers, we will act promptly). We also re-evaluate the risk environment periodically and may issue transparency reports if relevant.

By using our service, you acknowledge that your data may be transferred and stored outside your home country, including to countries like the United States. We assure you that any such transfer is done lawfully and with your data’s security in mind. We treat data protection as a global commitment, not just a local formality. If you have questions about where your data is stored or want more details on cross-border safeguards, contact us at hello@beetonline.ie.

(For the curious, here are some concrete examples: our clinical records are hosted in Semble (Semble.io). Stripe may process payment data, and Google may route emails through global servers. Where data is processed outside the EEA, we rely on an EU adequacy decision (e.g., the UK) or implement Standard Contractual Clauses and supplementary safeguards.)

14. Data Security

We employ robust security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. We understand that your medical and personal information is highly sensitive, and we treat it with the same security standards as a bank (if not higher). Our security program includes:

  • Encryption: All communication between your device and our platform is encrypted using TLS (Transport Layer Security) with strong ciphers (TLS 1.2 or higher). This means that when you log in, fill in forms, or have a video consultation, the data is scrambled in transit so that no eavesdropper can read it. Additionally, personal data stored on our servers or databases is encrypted at rest (we use industry-standard AES-256 encryption for data at rest). For example, even if someone somehow got a hold of a database file, they would not be able to decrypt your health records without the encryption keys, which are stored securely.

  • Access Controls: We operate on a principle of least privilege – staff and practitioners only have access to the minimum data necessary for their role. Our system is role-based: a doctor can see medical records for patients they treat; support staff can see your account info to assist you but not your private consult notes, etc. Administrative access to systems is tightly controlled – for instance, only two senior engineers might have the keys to access the entire database for maintenance purposes, and even that access is gated behind multi-factor authentication and VPNs. We regularly review user permissions to revoke any unnecessary access.

  • Authentication Security: Users (including you) are required to create strong passwords. We store passwords securely (hashed and salted, never in plain text). We also support (or will be introducing) two-factor authentication (2FA) for users, adding an extra step (like a code sent to your phone) when logging in from a new device. Internally, all our employees and doctors also use 2FA for accessing any sensitive system.

  • Network and Infrastructure Security: Our servers are protected by firewalls and monitored for intrusions. We keep our software and systems up-to-date with security patches. We conduct periodic vulnerability scans and penetration tests (we may hire independent security experts to try to find weaknesses so we can fix them before any bad actors exploit them). We also separate environments (e.g., testing vs. production data) to minimise risk.

  • Audit Logs: We maintain detailed logs of access to data. For example, there is a log entry every time a medical record is accessed or modified – noting who did it, when, and what was viewed or changed. We routinely review these logs for any unusual activity. If a particular account is accessed more often than expected or at odd hours, it triggers a review.

  • Breach Detection and Incident Response: We have a plan in place to deal with any security incidents. If we detect suspicious activity that could indicate a data breach, our incident response team springs into action to contain it, assess impact, and remediate. In the unlikely event of a data breach that poses a risk to you, we will notify the Data Protection Commission within 72 hours and also inform affected users without undue delay. Our notifications would include information on what happened, what data was involved, and any steps we recommend for you (for example, if passwords were affected, we’d prompt a reset).

  • Employee Training and Policies: All Beet Online team members undergo privacy and security training at least annually, and more frequently for those in sensitive roles. We educate our staff about phishing, proper handling of data, and the importance of following procedures. We also have strict internal policies – for instance, no one is allowed to download or copy personal data to unsecured devices, and we mandate the use of encrypted devices and secure channels when working.

  • Data Minimisation and Pseudonymisation: Where possible, we minimise the amount of personal data we collect and retain (see Section 14 on retention). For certain development or analytics tasks, we use anonymised or pseudonymised data (meaning direct identifiers are removed or replaced with codes) so that staff working on those tasks aren’t handling raw personal data.

  • Resilience and Backups: We keep regular backups of data in secure, encrypted form. This protects against data loss, and also ensures we can recover data in case of a ransomware attack. Our systems are designed with redundancy (if one server fails, another can take over) to avoid downtime that could impact your care.

  • Ongoing Monitoring: Security isn’t a one-time thing. We continually monitor our systems for intrusion attempts, suspicious logins, or any anomalies. We receive alerts in real time if something looks off. Additionally, we keep up with the latest security advisories in the healthcare and tech industry, adapting quickly if new threats emerge.

  • DPIAs: For any high-risk data processing activities, we conduct Data Protection Impact Assessments. For example, before introducing a new feature that uses patient data in a novel way, we’d carry out a DPIA to ensure we address any privacy risks in design.

In summary, we treat your data security as paramount. We invest in modern security technology and practices to safeguard your information as if it were our own. While no system can ever be 100% impenetrable, we are committed to doing everything in our power to protect your data. If you have specific security questions, feel free to contact us, but note that for security reasons we might not disclose certain sensitive details of our safeguards (since doing so could aid an attacker). Rest assured, however, that our approach is comprehensive and in line with healthcare industry best practices and legal requirements.

15. Data Retention

We retain your personal data for only as long as is necessary to fulfil the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements. Given the healthcare context, some of your data (especially medical records) need to be kept for minimum periods mandated by Irish law and medical guidelines. Our retention schedule is as follows:

  • Adult Medical Records: If you as an adult (18+) have used our services, we will retain your health records for at least 8 years from the date of your last consultation or treatment. This period aligns with Medical Council of Ireland and HSE recommendations for adult patient records (minimum eight years).

  • Children’s Medical Records: If the patient is a child or teenager, we retain their records until they reach age 25, or 26 if they were 17 at the end of treatment. This effectively means a minor’s records are kept for several years into adulthood (because a condition from their teens might be relevant later, and for legal purposes). If, God forbid, a child patient passes away before age 25, we would keep the record for 8 years after the date of death, as per guidelines.

  • Maternity Records: Records related to pregnancy and maternity (including antenatal, birth, and postnatal care) are kept for 25 years after the birth of the last child. This extended retention is due to the possibility of obstetric-related issues arising years later and to protect the mother and child’s interests.

  • Mental Health Records: Records of care for mental health conditions are kept for 20 years after the last contact or treatment, or at least 8 years after death, whichever is longer. Mental health care can have long-term relevance, hence the longer retention recommendation by the Mental Health Commission.

  • Deceased Patients: If an adult patient dies while we still have their records, we would retain their records for at least 8 years after death (unless other rules above require longer, e.g. if it’s a mental health record or a child’s record). This is both for any estate issues and in respect of potential post-mortem inquiries or medicolegal matters.

  • Account Data (if no treatment): If you registered an account but never actually received a consultation or any treatment through Beet Online, you can request deletion and, in that case, we will delete your personal details from our active systems (see Section 16). We might keep very minimal info (like email address) in a suppression list just to remember not to contact you or to prevent fraud (ensuring someone doesn’t create multiple accounts), but we will not keep any health info if no service was provided.

  • Transactional and Payment Records: Financial records (invoices, payment confirmations) are typically kept for 7 years to comply with revenue/taxation laws (the standard for bookkeeping records in Ireland). These records contain minimal personal data (usually just name, date, amount, and service).

  • Communications: Emails or communications with you are generally retained for a few years (up to 6 years if they could be relevant to a contract or legal matter). For example, if you had a dispute and we resolved it over email, we might keep that correspondence as evidence of the resolution. Routine inquiries might be deleted sooner if not needed.

  • Analytics Data: Any analytics data (which is usually anonymised) may be kept for as long as useful for trend analysis. But since it doesn’t identify individuals, retention periods are not as sensitive. However, any user-specific logs (like logs of login history) might be kept for a shorter period (maybe 1-2 years) unless needed for security analysis.

  • Archived Backups: We maintain encrypted backups. These backups are rotated and retained according to our backup policy (for example, daily backups might be kept for 30 days, monthly for a year, etc.). When data is deleted from our live systems, it will also be deleted from backups in the normal rotation. We won’t restore deleted data unless absolutely required for system integrity (and even then, we would endeavour not to restore personal data if it was properly requested to be deleted).

Extensions of Retention: In certain circumstances, we might keep data longer than the periods above:

  • If there is an ongoing dispute, investigation, or legal case involving your data or care, we will retain the relevant data until it is resolved (even if that extends beyond the normal period).

  • If a doctor or our service is aware of some reason to keep a record longer for patient safety (for example, a record has info that could be significant to a future treatment or to a complaint), we may extend retention with justification.

  • We also follow any updated guidance from regulatory bodies. If, say, the HIQA or Medical Council changes recommended retention times, we will adjust our policy accordingly and either retain longer or, if allowed, delete sooner.

Deletion and Anonymisation: After the applicable retention period ends, we will either securely delete your personal data or anonymise it. Secure deletion means we expunge the data from our databases and any identifiable backups. Anonymisation means we strip any identifying details so the data can no longer be linked to you – for instance, we might keep aggregate statistics (“we provided X consultations in 2025”) but not the personal details. Anonymised data is no longer considered personal data and may be retained indefinitely for statistical or research purposes without further notice.

Your Right to Deletion: You have the right to request erasure of your data in certain circumstances (see Section 15). We will do our best to honour such requests. However, if you have received medical services, we cannot delete your medical records immediately upon request due to the legal retention obligations described above. In such cases, we can deactivate your account (so it’s no longer accessible to you or in active use), but we must retain the records until the retention period expires. We will inform you if this is the case, and we will ensure the data is kept securely only for the required time and then destroyed. If you have not received any care, we can usually delete your data fully upon request.

We manage retention carefully to balance your privacy (not keeping data longer than necessary) with your safety and our legal duties (not disposing of records too soon). For example, you wouldn’t want a situation where you come back to us after 5 years and we have no history of your past treatment – that’s why we keep it 8 years or more as above. Rest assured, when data is no longer needed, we remove it from our systems in a secure manner (we follow industry standards for data destruction, like wiping storage and ensuring backups eventually purge the info too).

16. Your Data Protection Rights

Under GDPR and Irish data protection law, you have several important rights regarding your personal data. We are committed to honouring these rights. Below is a summary of those rights and how you can exercise them:

  • Right of Access (Article 15 GDPR): You have the right to ask us for a copy of the personal data we hold about you, and to obtain information about how we process it. This is commonly known as a “Subject Access Request.” For example, you can request a copy of your medical record or account details. We will provide this free of charge in most cases, in a concise, transparent, and easily accessible form. Usually, we respond electronically (since you signed up online, we assume email is acceptable), unless you request otherwise. We’ll also include additional information like the purposes of processing, categories of data, who we share it with, etc., which are basically what this Privacy Policy covers.

  • Right to Rectification (Article 16 GDPR): If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. For instance, if you notice your name is misspelled in our records or your contact number has changed, let us know. In the context of medical data: if you think something in your medical history we have is wrong, we will note your correction (though in healthcare, rather than erasing the original entry, often an amendment is added to ensure a clear history). We want to have accurate data – not just because it’s your right, but because it’s critical for proper care.

  • Right to Erasure (“Right to be Forgotten,” Article 17 GDPR): You have the right, in certain circumstances, to request that we delete your personal data. This right is not absolute, especially in healthcare. If you never used our service or if the data is no longer necessary, we will erase it on request. However, as noted in the retention section, medical records usually cannot be deleted immediately due to legal obligations. We will assess each request: if, for example, you withdraw consent for something that was consent-based, we’ll delete that data. If you close your account, we will remove what we can, and we will inform you about any data we must keep and for how long. Essentially, we won’t keep data longer than we have to, and we’ll certainly delete data that we have no lawful reason to retain.

  • Right to Restriction of Processing (Article 18 GDPR): This allows you to ask us to limit how we use your data, typically in scenarios like: you contest the accuracy of the data (we then restrict use until we verify/update it); or you need us to keep data (that we’d normally delete) for a legal claim; or you’ve objected to processing (see below) and we’re considering that objection. Restriction means we store the data but don’t actively use it. If you request this, we’ll confirm to you when the restriction is in place and when/if it’s lifted.

  • Right to Data Portability (Article 20 GDPR): You have the right to receive certain data in a structured, commonly used, machine-readable format, and to have that transmitted to another controller. In plain terms, for example, you could ask for an electronic copy of your medical record that you can then give to another healthcare provider or service. We’d provide this likely as a PDF or similar standard format (or possibly a structured format like JSON or CSV for non-clinical data). This right applies to data you provided to us and that we process by automated means on the basis of contract or consent. For medical records, we’d likely just give you a clear copy of your record (which might include doctor’s notes, etc., which you have the right to as well).

  • Right to Object (Article 21 GDPR): You have the right to object to certain types of processing of your data. The main scenarios: (1) Direct marketing – if we were sending you marketing, you can object (opt-out) at any time, and we will stop. (We already don’t do it without consent, but this is an extra guarantee.) (2) Legitimate interests – if we are processing data under the lawful basis of legitimate interests (see Section 4) and you feel this impacts your rights, you can object. For example, if we were using your usage data for some analytics and you don’t want that, you can say so. We will then stop that processing unless we have compelling legitimate grounds that override your rights (which we will explain if that’s the case) or if it’s needed for legal claims. Typically, in a medical context, legitimate interest processing is minimal and we’d be inclined to honour objections unless it hampers our service security or something crucial.

  • Right to Withdraw Consent (GDPR Article 7(3)): If we are processing any of your data based on your consent, you have the right to withdraw that consent at any time. For example, if you gave consent to receive our newsletter, you can later opt out; if you consented to share data with an insurer, you can change your mind (though if we already shared it once, we can’t undo that, but we’ll stop any further sharing). Withdrawing consent will not affect the lawfulness of processing already carried out while your consent was in force, and it won’t affect services we provide that don’t rely on consent. If withdrawal of a certain consent means we can no longer provide you a part of the service (for example, you withdraw consent to let us use your health data at all), we’ll inform you of implications. But note, for core treatment we rely on contract and legal bases, not consent, so you’re generally not in a position where you have to consent to treatment processing – it’s either you use the service under the policy or you don’t. Consent is mostly for optional things.

  • Rights related to Automated Decision-Making: As we noted, we don’t do automated decisions that have legal or significant effects. But if we ever did, you’d have rights to human review and to contest decisions.

How to Exercise Your Rights: The easiest way is to email our DPO at hello@beetonline.ie with your request. You can also write to our postal address (see Section 2) if you prefer. Please be as specific as possible about your request to help us respond efficiently (for example, “I’d like a copy of all my data from 2023 consultations” or “Please correct my phone number” etc.). We may need to verify your identity before fulfilling certain requests (we wouldn’t want to give your data to an impersonator). Typically, we’ll respond to requests within one month as required by GDPR. For complex requests or multiple requests, we might extend that by another two months, but if so we’ll inform you of the extension and the reason. In general, we don’t charge a fee for exercising your rights. If a request is manifestly unfounded or excessive (e.g., repetitive requests), the law allows us to charge a reasonable fee or refuse, but we rarely expect to invoke that. We will always explain our reasoning if we ever cannot comply with a request in full (for example, “We cannot delete X data because of Y legal requirement”).

Right to Lodge a Complaint: While we hope to resolve any concerns you have directly, we want to remind you that you also have the right to complain to the supervisory authority if you believe your data protection rights have been infringed. In Ireland, that is the Data Protection Commission (DPC).

  • Website: www.dataprotection.ie

  • Phone: +353 57 8684800 / +353 761 104 800

  • Email: info@dataprotection.ie

  • Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

If you’re located in another EU country, you can contact your local Data Protection Authority, but the DPC is our lead authority.

We encourage you to come to us first at hello@beetonline.ie so we can address your issue promptly – we’re committed to protecting your rights and want to ensure you’re satisfied. Your trust is crucial to us, and we’ll do everything we can to uphold your rights and remedy any issues.

17. Account Management & Deletion

We want you to have control over your account and personal information on Beet Online. Here’s how account deletion or deactivation works and what happens to your data in those scenarios:

  • Requesting Account Deletion: You may request deletion of your Beet Online account at any time. This can usually be done by contacting us (via email to support or privacy) or through an account settings option if provided. For security, we will verify that the request is coming from you (the account holder) – for example, by requiring you to send the request from your registered email or complete some verification steps.

  • If You Never Received Treatment: If your account is on file but you have not had any consultations or medical treatment through our platform (perhaps you signed up and never used it, or only did a test booking and cancelled), then deleting your account will generally mean we can delete all personal data. We will remove your profile information, login credentials, and any associated data from our live systems. It will be as if you never registered (with the exception of potential minimal records we keep to remember not to re-create your account or to honour opt-outs, etc.). You will receive confirmation once this is done.

  • If You Have Received Treatment: If you have had consultations or any medical services via Beet Online, your situation is different because we have to preserve medical records as described in Section 14 (Data Retention). In this case, when you request to delete your account, we will:

    • Deactivate Your Account: This means your account will be closed – you will no longer be able to log in or use the services, and it won’t be visible to you or active practitioners. Essentially, it freezes your account from further use.

    • Retention of Medical Records: Even though the account is deactivated, we must retain the medical records of the care you received for the legally required retention period (e.g., 8 years or more, as per Section 14). We will archive these records securely. They will no longer be readily accessible on the platform, but are stored in our secure archive database. Only authorised personnel would access them, and only if necessary (for example, if you later request a copy, or if there’s a legal need). We won’t use these records for any new purposes – they’re just kept on file until we are permitted to delete them.

    • We will make sure to disassociate your identity from the active user list. No marketing or service emails will be sent. Your profile won’t appear in any active user management interfaces. In effect, our team and systems treat it as a deleted account, with the exception that the records sit quietly in our secure storage until their deletion date.

  • Confirmation and Follow-up: After processing your account deletion request, we will confirm to you that your account has been deleted or deactivated (as appropriate) and outline what data remains stored (if any) and for what purpose (e.g., “Your medical records will be retained until [Date] to comply with legal requirements, after which they will be permanently deleted.”).

  • Reactivating Accounts: If you change your mind before the retention period is up and want to use our services again, you’d typically need to create a new account. In some cases, if you contact us, we might technically be able to reactivate the old account (since data still exists in archive), but we might just start fresh for security/privacy reasons. If you do start fresh, your archived medical records from the past could potentially be re-linked to your new account if needed for continuity of care (we would do so carefully and with your consent).

  • Data in Backups: When we delete or deactivate account data, we ensure it is removed from active databases. It might persist for a time in encrypted backups until those backups cycle out, but those are secure and eventually deleted as well. We will not restore deleted data from backups except if required for some disaster recovery, and even then we’d re-delete as appropriate.

  • Children’s Accounts: If a parent/guardian requests deletion of a minor’s account, we will handle it similarly. Keep in mind the minor’s records retention rules still apply. If a child who had an account through a guardian reaches adulthood and then requests deletion of their childhood records, we’ll handle it under the same retention obligations (but we can certainly deactivate and ensure no further use of the data beyond storage).

  • Account Inactivity: Separately from user requests, we might implement a policy to deactivate accounts that have been inactive for a long period (say, a few years with no logins or appointments). If we do, we would notify you in advance at your last known email. Inactive accounts might be deactivated for security. Even then, the same retention rules apply for any past medical records. If an inactive account is deleted, we’d keep medical data in archive and delete the rest.

In plain terms: You can leave Beet Online at any time. We won’t hold your personal data hostage. The only caveat is that, for the public good and legal compliance, medical records have to be kept around for a while even after you leave. But they’ll be sealed off and eventually purged once we’re allowed to. We want you to feel comfortable that you’re in control – and we never want to keep data about you longer than we should.

If you have any concerns about your data when closing your account, we’ll be happy to discuss them. We can even provide you a copy of your records before closing the account so you have them for your own files or to transfer to a new doctor.

18. Cookies and Tracking Technologies

When you use the Beet Online website or app, we may place small data files called cookies on your device, and use similar tracking technologies (like web beacons or local storage). We use these technologies to make our service function correctly, to improve your experience, and to analyse how our site is used. No health or sensitive personal data is stored in or transmitted via cookies. We value your privacy, so we keep cookie usage to a minimum and provide you control over non-essential cookies. For full details, please see our [Cookie Policy], but here’s a brief overview:

  • Types of Cookies: We use a few types of cookies:

    • Strictly Necessary Cookies: These are essential for the website to operate. For example, when you log in, we use a cookie to keep you logged in as you navigate between pages (session cookie). Without it, you’d have to re-login on every page. These cookies do not require consent under ePrivacy rules because they are needed for the service you requested.

    • Functional Cookies: These help to remember your preferences and enhance functionality. For instance, a cookie might remember your chosen language or that you’ve seen a particular notification so it doesn’t show again. While helpful, we treat these similarly to necessary cookies when they are purely first-party and low-impact.

    • Analytics Cookies: We use these to collect information about how users use our site (which pages are visited, how long is spent on pages, etc.). This helps us improve our services and fix user experience issues. We might use Google Analytics or similar, configured to anonymise data (like masking IP addresses). These cookies will only be set with your consent, as they are not strictly necessary. They typically collect aggregated stats, not personal user profiles.

    • Advertising/Marketing Cookies: As of now, we do not have third-party ads on our platform, but if we ever use marketing cookies (for example, for retargeting ads about our service on other platforms, or integrating with a Facebook pixel to reach our users on social media), those too would only be with your explicit consent. These cookies would track your visit to help show you relevant ads on other sites. We would not use health info for ad targeting – it might just be, for example, to remind you of our service generally. If we introduce these, it will be clearly explained in the Cookie Policy and consent management tool.

  • Cookie Consent: When you first visit our site, you will see a cookie banner or pop-up requesting your consent for non-essential cookies (like analytics or marketing). We do not set those cookies until you choose to “Accept” or otherwise give consent. You can also choose to “Reject” or customise your cookie settings (for instance, accept analytics but reject marketing). We strive to make this choice clear and easy – equal prominence to accepting or rejecting as per DPC guidance. If you ignore the banner, we will assume no consent for anything optional (only necessary cookies will run).

  • Opt-In/Opt-Out Rights: You have the right to opt out of cookies that are not necessary. Even after you’ve consented, you can change your mind anytime. We provide a Cookie Settings link (often in the footer of the site) where you can adjust your preferences or withdraw consent. Additionally, you can use your browser settings to delete or block cookies. Note that if you block all cookies, some parts of our site might not function (like you might not be able to log in because the session cookie would be blocked). Our Cookie Policy gives instructions on managing cookies via browser if you prefer that route.

  • No Tracking without Consent: We do not use any sneaky tracking techniques. We don’t use keyloggers, we don’t record videos of your screen, etc. We also honour “Do Not Track” signals to the extent possible (though many sites don’t, we try to ensure that if your browser sends DNT, we minimise tracking). However, because we don’t drop non-essential cookies without consent anyway, DNT is usually moot on first load (since we default to no tracking unless allowed).

  • Third-Party Services: Some third-party services we integrate might use their own cookies. For example, if we embed a YouTube video on a help page, YouTube might set cookies; or if we have a live chat support widget from a third party, it might use cookies. We will list these in the Cookie Policy. We ensure any third-party cookie is covered by our consent process as well.

  • Cookie Lifespan: The cookies we set have varying lifespans. Session cookies (like login session) expire when you log out or close the browser. Others like a preference cookie might last a few months. We adhere to guidance that consent cookies should ideally expire after no more than 6 months – meaning if you consent today, we might set a cookie that just remembers that you consented, and that cookie will be auto-removed in 6 months so that we ask you again. We will periodically refresh consent to make sure you’re still okay with our use (at least once a year or sooner if our cookie usage changes significantly).

Again, please refer to our detailed Cookie Policy for more information, including a list of cookies in use, their purposes, and how you can control them. We believe in transparency about tracking, and we want you to feel comfortable that we aren’t doing anything unexpected or invasive. If you have any concerns about cookies or tracking on our website or app, you can always reach out to hello@beetonline.ie.

(Fun fact: The reason we don’t store health info in cookies is both for your privacy and for security. Cookies can sometimes be seen or misused by other sites (if not properly secured) or by someone with access to your browser, so we keep them limited to technical identifiers. All your health data stays on our secure servers, not in your browser storage.)

19. Limitation of Liability (Use of Service)

While this section is more about our telemedicine service than about data, we include it here for clarity. Using Beet Online’s platform involves certain understandings and acknowledgments on your part regarding our liability:

  • Clinical Responsibility: Medical care is delivered by practitioners working for or on behalf of Beet Online Healthcare Limited as part of our medical practice. Clinical decisions are made by qualified clinicians in line with professional standards and clinical governance. Beet Online maintains appropriate oversight and requires practitioners to hold professional registration and indemnity.

  • No Warranty of Specific Results: We do not guarantee any particular clinical outcome. Healthcare involves inherent uncertainties and clinicians exercise professional judgment in your best interests. For example, we cannot promise that a certain medication will cure you, or that you will definitely get a prescription or a sick note – those decisions are made by the doctor based on their professional judgment. We operate an online medical practice and provide the clinical systems ‘as is’; clinical decisions are made by your doctor. Sometimes the doctor might advise in-person follow-up; sometimes they might not be able to resolve your issue via telehealth. We strive to deliver high-quality care, but the results will vary case by case and are not guaranteed.

  • Service Availability: We work hard to keep our platform running 24/7, but we do not guarantee absolute uptime or instantaneous availability of doctors. Technical issues or high demand might occasionally delay or prevent a consultation. We limit our liability for any such downtime or technical failures (though as noted in our Refund Policy, we will make things right with rescheduling or refunds when it happens – see the Refund Policy for details).

  • No Liability for Indirect Damages: To the extent permitted by law, Beet Online will not be liable for indirect losses or damages that you might claim arise from using our service. This means, for instance, we aren’t liable for lost profits, loss of opportunity, incidental or consequential damages like if you missed work and lost wages because a prescription wasn’t given, or if you experience pain and suffering from an illness – those kinds of damages are too indirect for us to assume. Our maximum liability in any case is generally limited to what you paid us for the service in question (if anything).

  • User Responsibilities: We need to make clear that you also have a responsibility in using our services. You must provide accurate and complete information about your medical history and current symptoms. If you withhold information or misrepresent facts, the advice given might be inappropriate and we cannot be responsible for outcomes stemming from misinformation. You acknowledge that your own role in providing truthful info is crucial for safe care. We also expect you to seek emergency care when needed – as our Terms state, Beet Online is not for emergencies. If you use it in a scenario that is actually an emergency and something goes wrong due to delay, we cannot accept liability for that because we explicitly instruct not to use it for emergencies.

  • Third-Party Services: If we link you to or integrate with any third-party services (like a pharmacy delivery service, or a lab test booking service), those are outside our control. We aren’t liable for the acts or omissions of those third parties. We do not endorse or assume responsibility for external websites or services even if you access them through our platform.

  • Legal Limitations: Nothing in this section is meant to limit liability that cannot be limited under law. For example, if Irish law does not allow exclusion of certain warranties or if we caused damage by wilful misconduct or gross negligence, this limitation might not fully apply. But as a general statement, using our service means you understand these limitations.

Essentially, Beet Online’s role is to provide a secure and convenient platform for you to consult with doctors. We stand behind the quality and security of the platform, but we cannot take on liability for the medical advice itself or outcomes beyond our platform’s control. We want you to be healthy and satisfied, and we will do our best to ensure a good experience, but there are boundaries to what we can promise or be held responsible for, as outlined above. For more details on liability and dispute resolution, please refer to our [Terms of Service], which is the controlling agreement for service use.

20. Legal Disclosures and Public Interest Exceptions

In rare circumstances, we might need to disclose your personal data without your consent, if required by law or necessary to protect vital interests. We take such actions very seriously and only do so in strict accordance with applicable laws and professional ethics. Examples of situations where this might occur include:

  • Compliance with Laws and Orders: If we receive a court order, subpoena, or other legally binding request that compels us to provide information, we will comply as required. For instance, a court might order release of medical records in the context of a legal case. We will verify any such order’s legitimacy and scope before disclosing anything. We will usually try to inform you as well, unless the order legally forbids notifying you. Additionally, certain laws might require reporting: for example, the Infectious Diseases Regulations might mandate that doctors report cases of certain communicable diseases to public health authorities. In such scenarios, the doctor (and by extension, Beet Online Healthcare) would disclose the necessary data (like patient name, disease, etc.) as required by public health law. Another example: if a law enforcement agency presents a lawful warrant related to a criminal investigation requiring user data, we would have to comply. We will always ensure any disclosure is narrowly tailored – only the information specifically demanded by the law will be disclosed, nothing more.

  • Child Protection Concerns: If a practitioner suspects that a child using our service (or a child associated with an adult patient) is at risk of abuse or neglect, they have a legal and ethical obligation to report this to child protection services (Tusla in Ireland) or the Gardaí. In doing so, they may need to provide personal data about the child or family. This is permitted under GDPR as a necessary disclosure for important reasons of public interest (protecting the child’s vital interests) and as a legal obligation (Children First Act). We would support the practitioner in making such a report as needed.

  • Preventing Harm: If we have reason to believe that not disclosing certain information would result in a serious risk of harm to someone’s health or safety, we may disclose data to appropriate authorities or persons. For example, if during a consultation a patient expressed intent to self-harm severely or harm someone else, the doctor might need to alert mental health services or law enforcement to prevent harm. Similarly, if a patient has a medical condition that poses a public health threat (like a highly contagious, deadly illness), there are mechanisms to inform public health authorities. These disclosures are allowed under GDPR (Article 9(2)(i) for public health, or as vital interest protection) and under the principle of “duty of care” and ethical necessity. We will always document any such disclosure and the reasons.

  • Legal Defence: If Beet Online is subject to a legal claim or proceeding (for example, if you were to sue us), we might need to use or disclose relevant personal data from our records as part of our defence. GDPR allows processing (including disclosure) of data when necessary for the establishment, exercise, or defence of legal claims (Article 9(2)(f) for special category data). We would still aim to handle data carefully (perhaps under protective orders, etc., in court).

  • Anonymised Public Interest Data: Sometimes health data is aggregated and reported for public interest purposes (like statistical reports on telehealth usage or illness trends). We may contribute to such efforts but only using anonymised data that doesn’t identify individuals. For instance, the HSE might want to know how many flu cases were handled via telehealth in a season. We could provide stats without names or anything identifying.

Whenever we disclose data under this section, we ensure:

  • It’s done by authorised personnel with review (usually involving our DPO or legal counsel).

  • We keep a record of what was disclosed, to whom, when, and under what authority.

  • We only disclose the minimum necessary information to achieve the purpose (data minimisation principle).

  • We ensure the recipient is aware that the information is confidential and should be handled accordingly (especially for sensitive health data).

Medical Ethics: Our practitioners follow the Medical Council’s guidelines which emphasise patient confidentiality. Disclosing patient info without consent is only allowed in limited situations such as those described (law requirements or immediate risk of serious harm). Any such disclosure, when needed, will be done “strictly in accordance with legal requirements and medical ethics” – meaning if the law says “you may disclose X if Y,” we will stick to that and nothing beyond. For example, if a court order says “provide record of Consultation on Jan 1”, we won’t also throw in other dates. Or if child protection needs a report, we report only what’s relevant to the concern.

We hope these situations never arise, and they are indeed uncommon. Our default mode is not to disclose anything to anyone without your consent. This section is just to be transparent about the exceptions where we might have to override confidentiality for greater legal or safety reasons. If you have questions about how we handle such scenarios, feel free to contact us.

21. Updates to This Policy

We may update or revise this Privacy Policy from time to time as our services evolve or as laws and regulations change. If we make significant changes, we will notify you in a prominent way. For example:

  • We might send you an email to the address associated with your account summarising the changes.

  • We might post an announcement or notification within the platform (especially if an email bounces back or if you are more likely to see it upon login).

  • We will always update the “Last Updated” date at the top so you know if a new version has come out.

Latest Version Availability: The most current version of the Privacy Policy will always be accessible on our website at www.beetonline.ie/privacy (or a similar URL). We encourage you to review it periodically. If you continue to use Beet Online after a new policy is in effect, that will indicate your acceptance of the updated terms (of course, subject to your rights under applicable law). If you do not agree with changes, you should stop using the service and can request account deletion as outlined.

Summary of Major Changes: If changes are material, we’ll summarise them in the notice. For instance, if we change how we use cookies, or start processing data for a new purpose, we’ll call that out. Minor changes (like clarifications or typographical fixes) might not be specifically called out, but they’ll still be in the updated policy online.

We will also keep prior versions of this Privacy Policy archived (and can provide them upon request) so there’s a record of how our privacy commitments have evolved.

Rest assured, we will not reduce your rights under this Privacy Policy without your consent. If anything, changes are generally to give you more transparency or to adapt to new legal requirements that enhance your protection.

22. Governing Law and Jurisdiction

This Privacy Policy and any disputes or claims arising out of or in connection with it are governed by the laws of Ireland. This means we operate under Irish law (which includes the GDPR as it applies in Ireland and Irish national laws) with respect to personal data.

If there is ever a dispute that goes to court about our privacy practices or your information (for example, an alleged violation of data protection law), such proceedings shall be subject to the exclusive jurisdiction of the courts of Ireland. By using our service, you agree that if you were to sue us or vice versa, it would happen in Ireland under Irish law.

We hope to never see a courtroom and to resolve any issues amicably or through the DPC if needed, but we include this section for completeness.

Contact Us

Your privacy is very important to us, and we’re here to answer any questions or address any concerns you have about how we handle your data.

If you need to reach out for any reason related to privacy or your personal data, please contact:

Beet Online Healthcare Limited – Privacy Team/DPO
Please note that this address is for administrative purposes only:
34 Scholars Way, Ballynagee, Wexford, Ireland, Y35RDW0
Email: hello@beetonline.ie

When contacting us, please provide as much detail as possible about your question or concern, and we will do our best to help you. For security and confidentiality, we may need to verify your identity before discussing specific personal data matters.

Thank you for taking the time to read our Privacy Policy. We know it’s lengthy, but we believe it’s important to be thorough and transparent. We appreciate your trust in Beet Online, and we are dedicated to protecting your personal information while providing you with convenient and quality telehealth services.