Privacy Policy

How we collect, use, and protect your personal data.

Last updated: 4 April 2026

1. Who We Are

UK Medical Electives ("UKME", "we", "us", "our") operates the website ukmedicalelectives.org and provides clinical elective and observership placement services for international medical students at NHS hospitals in London.

We are the data controller for the personal data described in this policy. For any data protection queries, contact us at contact@ukmedicalelectives.org.

2. What Data We Collect

We collect different types of personal data depending on how you interact with us:

Account & Application Data

  • Full name, email address, phone number
  • University name and year of study
  • Country of residence and nationality
  • Preferred placement specialty and dates
  • CV or resume

Placement & Compliance Documents

  • Passport copy (for identity verification and visa support)
  • Medical records, immunisation history, and TB screening results
  • DBS (criminal background) check documentation
  • Professional indemnity insurance details
  • Occupational health clearance

Payment Data

  • Billing name and address. Payment card details are processed directly by our payment provider and are never stored on our servers.

Communications

  • Messages sent via our contact form or email
  • WhatsApp messages (processed through Meta's WhatsApp Business platform)

Technical Data

  • IP address, browser type, device information
  • Pages visited, time on site, referral source
  • This data is collected via cookies and analytics tools (see Section 8)

3. Why We Collect Your Data & Legal Basis

Under the UK GDPR, we must have a lawful basis for processing your personal data. Here is how each purpose maps to a legal basis:

Purpose | Legal Basis
Processing your application and arranging your placement | Performance of a contract
Verifying your identity and eligibility (passport, medical records, DBS) | Performance of a contract; legal obligation
Processing payments | Performance of a contract
Responding to your enquiries (contact form, email, WhatsApp) | Legitimate interest
Sharing your details with the host hospital for placement purposes | Performance of a contract
Sending service-related updates (placement confirmation, document reminders) | Performance of a contract; legitimate interest
Sending marketing communications (programme updates, newsletters) | Consent
Website analytics and performance improvement | Consent (via cookie banner)

4. Who We Share Your Data With

We only share your data with third parties who are necessary for delivering our services. We do not sell your personal data to anyone.

  • Supabase (database & authentication) — stores your account data, application details, and uploaded documents. Supabase processes data in the EU and is SOC 2 Type II compliant.
  • Stripe (payment processing) — processes your payment securely via Stripe Checkout. We never store your card details. Stripe is PCI DSS Level 1 certified. See Stripe's Privacy Policy.
  • Resend (transactional email) — sends you application confirmations, document reminders, and placement updates.
  • WhatsApp / Meta (messaging) — if you contact us via WhatsApp, your messages and phone number are processed through Meta's servers. Meta's privacy policy applies to data within WhatsApp.
  • Vercel (website hosting & analytics) — hosts our website and provides basic analytics on site usage.
  • NHS hospitals where you are placed — we share relevant application and compliance documents with the hospital arranging your placement. This is necessary to arrange and administer your clinical placement.

5. International Data Transfers

Some of our data processors operate outside the UK and European Economic Area (EEA). When your data is transferred internationally, we ensure appropriate safeguards are in place:

  • Transfers to countries with an adequacy decision from the UK government or European Commission
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Processor certifications such as SOC 2 and PCI DSS

You can request details of the specific safeguards applied to your data by contacting us at contact@ukmedicalelectives.org.

6. How Long We Keep Your Data

We retain your data only as long as necessary for the purpose it was collected:

  • Application & placement records: 6 years after your placement ends (in line with UK limitation periods and NHS record-keeping requirements)
  • Compliance documents (passport, medical, DBS): Deleted within 6 months after your placement ends, unless a longer retention is required by law
  • Payment records: 6 years (UK tax and accounting obligations)
  • Contact form messages: 2 years
  • Website analytics data: 26 months (anonymised)
  • Accounts with no application: Deleted after 2 years of inactivity

You can request earlier deletion of your data at any time (see Section 7).

7. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights over your personal data:

  • Right of access — request a copy of all personal data we hold about you
  • Right to rectification — ask us to correct inaccurate or incomplete data
  • Right to erasure — request deletion of your data where there is no compelling reason for continued processing
  • Right to restrict processing — ask us to temporarily stop processing your data in certain circumstances
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interest or for direct marketing purposes
  • Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, email us at contact@ukmedicalelectives.org. We will respond within 30 days.

If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local data protection authority.

8. Cookies

Cookies are small text files stored on your device when you visit our website. We use the following types:

Strictly Necessary Cookies

Required for the website to function. These include authentication session cookies and cookie consent preferences. These cannot be disabled.

Analytics Cookies

We use Vercel Analytics to understand how visitors use our site (pages visited, time on site, referral source). This data is anonymised and aggregated. These cookies are only set with your consent.

You can manage your cookie preferences at any time using the cookie settings banner or by adjusting your browser settings. Note that disabling strictly necessary cookies may prevent parts of the site from functioning correctly.

9. Data Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Role-based access controls limiting who can view sensitive data
  • Row-level security on our database
  • Secure file storage for uploaded documents
  • Regular security reviews and dependency auditing

No system is completely secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by the GDPR.

10. Children's Privacy

Our services are intended for medical students and graduates aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes, we will notify you by email or by displaying a prominent notice on our website. The "last updated" date at the top of this page reflects the most recent revision.

12. Contact Us

For any questions about this privacy policy, to exercise your data rights, or to raise a concern about how we handle your data:

UK Medical Electives (UKME)

Data Protection Enquiries

Email: contact@ukmedicalelectives.org

We aim to respond to all data protection requests within 30 days.