Privacy
Policy.

Sync Dynamics Ltd is a healthcare technology company registered in England and Wales (Company No. 15767790). We develop and operate DataForge, a Software as a Service pharmacy management platform, and provide web design and development services, white-label software licences and consulting services to businesses operating in the healthcare sector.

For the purposes of UK GDPR and the Data Protection Act 2018, Sync Dynamics Ltd is the Data Controller in respect of personal data collected directly from individuals who visit our website, engage our services or apply to work with us. Where we process personal data on behalf of our clients, we act as a Data Processor and our clients act as Data Controllers. This distinction is explained further in Section 7.

We are registered with the Information Commissioner's Office (ICO) under registration number ZB966384. Queries relating to our data protection practices should be directed to office@syncdynamics.co.uk.

This Policy does not apply to personal data processed by Sync Dynamics Ltd on behalf of its clients as a Data Processor. Such processing is governed by the relevant client agreement and the applicable Data Processing obligations set out in our Terms and Conditions. Clients who are Data Controllers in respect of patient data or end-user data processed through the DataForge platform are solely responsible for their own privacy notices and compliance obligations.

This Policy does not cover third-party websites or services linked to from our website. We are not responsible for the privacy practices of third parties and encourage you to read their privacy notices.

We do not intentionally collect special category personal data (including health data, biometric data, data relating to criminal convictions or racial or ethnic origin) from individuals who visit our website or contact us directly. If you voluntarily disclose such information in a communication with us, we will handle it with appropriate care.

Where Sync Dynamics Ltd processes special category data, including health data relating to patients, on behalf of clients through the DataForge platform, such processing occurs in our capacity as a Data Processor acting on the documented instructions of the client as Data Controller. See Section 7.

Where we process special category personal data in our capacity as Data Controller (which we do not do in the ordinary course of business), we will identify and document an additional condition under Article 9 UK GDPR.

We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects on individuals.

Where we have obtained your consent or where we have a legitimate interest to do so under applicable law, we may send you marketing communications about our products and services. Where we rely on consent, you may withdraw it at any time by emailing privacy@syncdynamics.co.uk or using the unsubscribe mechanism in any marketing email.

We do not sell personal data to third parties for marketing purposes. We do not share personal data with third parties for their own marketing purposes.

When clients use the DataForge platform to process personal data relating to their own staff, patients or end users, Sync Dynamics Ltd acts as a Data Processor on behalf of those clients. In this capacity, we process personal data strictly in accordance with the client's documented instructions and the data protection obligations set out in our Terms and Conditions.

This Privacy Policy does not govern the processing of personal data carried out in our capacity as a Data Processor. Individuals whose data is processed by a client through the DataForge platform should refer to the relevant client's own privacy notice for information about how their data is used.

Where special category data, including health data and patient records, is processed through the DataForge platform on behalf of clients, we implement enhanced technical and organisational measures including encryption at rest and in transit, role-based access controls, immutable audit logging and strict data isolation between client environments.

All personal data processed through the DataForge platform on behalf of clients is stored on infrastructure located within the United Kingdom. We do not transfer such data outside the United Kingdom without the prior written consent of the relevant client, unless required to do so by applicable law.

We may share personal data with our solicitors, accountants, auditors and other professional advisers where necessary for the provision of their services to us. Such advisers are bound by professional duties of confidentiality.

We may disclose personal data to regulatory authorities, law enforcement bodies, courts or other public bodies where required or permitted to do so by applicable law, including in response to a court order, legal process or lawful request from a Regulatory Authority.

In the event of a merger, acquisition, restructuring, sale or other transfer of all or substantially all of Our business or assets, personal data held by us may be transferred to the acquiring entity as part of that transaction. We will notify affected individuals in advance of any such transfer and ensure that the acquiring entity is bound by appropriate data protection obligations.

We are a UK-based company. All personal data we collect and process in our capacity as Data Controller is stored on infrastructure located within the United Kingdom. We do not routinely transfer personal data to countries outside the United Kingdom.

Where any transfer of personal data outside the United Kingdom is necessary, for example in connection with a sub-processor that operates outside the UK, we will ensure that an appropriate safeguard is in place before the transfer occurs. Appropriate safeguards include: an adequacy decision by the UK Secretary of State; standard data protection clauses approved by the UK Information Commissioner; or another mechanism recognised under UK GDPR.

You may request further information about the safeguards applicable to any international transfer by contacting us at privacy@syncdynamics.co.uk.

Where data is retained for longer periods to comply with a specific legal or regulatory obligation, we will document the basis for such retention. When personal data is no longer needed, we will securely delete or anonymise it.

Platform data processed on behalf of clients in our capacity as Data Processor is retained and deleted in accordance with the relevant client agreement. Our default retention period for client data following termination of a Subscription is thirty (30) days, after which data may be permanently deleted unless the client has requested an export.

You have the right to request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month of receipt of a valid request. We will not charge a fee for a reasonable request but reserve the right to charge a reasonable fee or refuse a request that is manifestly unfounded or excessive.

You have the right to request that we correct any personal data about you that is inaccurate or incomplete. We will respond within one calendar month.

You have the right to request that we delete your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent (and there is no other lawful basis for processing), or where you object to processing based on legitimate interests and there are no overriding legitimate grounds.

We may be unable to comply with a request for erasure where we are required to retain data to comply with a legal obligation, to pursue or defend legal claims, or for other permitted grounds under UK GDPR. We will explain the basis for any refusal.

You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful, or while an objection to processing is being assessed.

Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to request that we transmit that data to another controller where technically feasible.

You have the right to object to processing of your personal data where we rely on legitimate interests as our lawful basis. We will cease processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

You have an absolute right to object to processing for direct marketing purposes. Where you object to direct marketing, we will stop that processing immediately.

We do not carry out automated decision-making, including profiling, that produces legal or similarly significant effects on individuals. If this changes, we will update this Policy and take appropriate steps to protect your rights.

To exercise any of your rights, please contact us at privacy@syncdynamics.co.uk. We may need to verify your identity before processing your request. We will respond within one calendar month of receipt of a valid request. In complex or high-volume cases, we may extend this period by a further two months, in which case we will notify you within the initial one-month period.

If you are a patient or end user whose data is processed through the DataForge platform by one of our clients, your rights request should be directed to the relevant client as Data Controller. We will assist our clients in responding to such requests as required by law.

We use cookies and similar tracking technologies on our website and within the DataForge platform. Cookies are small text files placed on your device that allow us to recognise your browser and capture certain information about your visit.

We do not use advertising or targeting cookies on our website. We do not share cookie data with third parties for advertising purposes.

Where cookies require your consent under the Privacy and Electronic Communications Regulations (PECR), we will request your consent via a cookie banner before placing non-essential cookies on your device. You may withdraw or amend your cookie preferences at any time by adjusting your browser settings or contacting us at privacy@syncdynamics.co.uk. Please note that disabling certain cookies may affect the functionality of our website.

We take the security of personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, destruction, alteration or disclosure. Our security measures include:

Where we engage sub-processors to process personal data on our behalf, we require them to implement security measures that are at least equivalent to our own. All sub-processors are subject to written data processing agreements.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO without undue delay and in any event within 72 hours of becoming aware of the breach, where required by UK GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify the affected individuals directly without undue delay.

Notwithstanding our security measures, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of personal data and your transmission of personal data to us is at your own risk. If you become aware of any actual or suspected security incident or breach involving your account or data, please contact us immediately at privacy@syncdynamics.co.uk.

Our website and Services are directed at businesses and professionals operating in the healthcare sector. They are not intended for use by children under the age of 18. We do not knowingly collect personal data from children under the age of 18 through our website or Services.

If you believe that a child under the age of 18 has provided personal data to us without appropriate parental or guardian consent, please contact us at privacy@syncdynamics.co.uk and we will take steps to delete that data.

Where the DataForge platform is used by clients to process data relating to patients who may be minors, such processing is carried out in our capacity as Data Processor on the client's instructions. The client as Data Controller is responsible for ensuring that all applicable legal protections for children are observed.

Our website and the DataForge platform may contain links to third-party websites, services or resources that are not operated or controlled by Sync Dynamics Ltd. This Privacy Policy does not apply to such third-party websites and services.

We are not responsible for the content, privacy practices or data processing activities of any third-party website or service. We encourage you to read the privacy notice of any third-party website or service you access through a link on our website or platform.

The inclusion of a link to a third-party website does not constitute an endorsement of that website, its content or its data practices by Sync Dynamics Ltd.

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law or regulatory guidance. We will indicate at the top of this Policy the date on which it was last updated.

Where we make material changes to this Policy that affect your rights or the way in which we process your personal data, we will take appropriate steps to notify you. Depending on the nature of the change, this may include notifying you by email, displaying a prominent notice on our website or seeking your renewed consent where required.

We encourage you to review this Policy periodically. The most current version will always be available at www.syncdynamics.co.uk/privacy. Your continued use of our website or Services after any update to this Policy constitutes your acceptance of the revised Policy, subject to your rights under UK GDPR.

If you have any questions about this Privacy Policy, wish to exercise your rights under UK GDPR, or have a concern about how we handle your personal data, please contact us at:

If you are unhappy with how we have handled your personal data or responded to a rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.

The ICO can be contacted at:

We would always prefer the opportunity to address your concerns directly before you escalate to the ICO. If you raise a complaint with us, we will acknowledge it within three (3) business days and aim to resolve it within one (1) calendar month.