Clinibee Privacy Policy 

Effective as of 18/08/2025

Purpose and Scope of this Policy

The purpose of this Privacy Policy is to provide you, as our data subject, with a statement regarding the Data Protection and Privacy practices and obligations of Clinibee and an explanation of your rights as a data subject.

This Privacy Policy applies dually where Clinibee acts as a data controller, including initial user registration and account management on our website. For activities where Clinibee provides services on behalf of healthcare organisations, Clinibee acts as a data processor under the instructions of those organisations, who are responsible for determining the purpose and means of data processing.

This Data Protection and Privacy Policy and Notice applies to our business practices, and our website, which is accessible from https://www.clinibee.com/.

As the Organisation is established in the United Kingdom, this document is written in the vein of UK and EU Data Protection Law, and Clinibee falls under the jurisdiction of the Information Commissioner’s Office UK. This Privacy Policy sets out what Personal Data we collect and process about you in connection with the services and functions of the Organisation. We are not responsible for the content or the privacy notices for any websites to which we may provide external links.

Who we are

“Data controllers” are the people or organisations that determine the purposes for which, and the manner in which, any Personal Data is processed, and make independent decisions in relation to the Personal Data and/or who/which otherwise control that Personal Data.

For the purposes of the UK and EU GDPR (the “GDPR”), UBQO Limited (UBQO) (“Clinibee”) primarily acts as a data processor on behalf of healthcare organisations who act as data controllers. However, Clinibee may also act as a data controller in limited instances, particularly when individuals interact directly with Clinibee’s website or services prior to engaging with specific healthcare organisations’ libraries.

Clinibee has outsourced the function of the Data Protection Officer to XpertDPO Ltd.

Our Data Protection Officer can be contacted as follows:

Telephone: +353 1 678 8997

Email: privacy@clinibee.com
Post: 20 Harcourt St, Saint Kevin's, Dublin, D02 H364, Ireland

Laws that apply to us

- UK General Data Protection Regulation (EU Regulation 679/2016)
- Regulations flowing from Data Protection Act 2018
- Data (Use and Access) Act 2025
- Privacy & Electronic Communications Regulation (PECR) 2003 implementing EU Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD)

Why and how do we ensure compliance?

Data protection and privacy laws provide rights to individuals with regard to the use of their Personal Data by organisations, including our organisation. UK and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of Personal Data.

We must comply with data protection and privacy laws because the law requires us to, but we also would like you to have confidence in dealing with us, and compliance with data protection law helps us to maintain a positive reputation in relation to how we handle Personal Data.

We are required to demonstrate accountability for our data protection obligations. This means that we must be able to show how we comply with the applicable data protection and privacy laws, and that we have in fact complied with the laws.

We do this, among other ways, by our written policies and procedures, by building data protection and privacy compliance into our systems and business rules, by internally monitoring our data protection and privacy compliance and keeping it under review, and by acting if our representatives, including employees or contractors, fail to follow the rules.

We also have certain obligations in relation to keeping records about our data processing.

Who must comply?

All our representatives, which include employees and contractors, are required to comply with our Data Protection Policies and Procedures which inform this Privacy Policy when they process Personal Data on our behalf.

What are the data protection principles and rules?

We aim to comply with the following principles found in Data Protection Law:

- Lawfulness, fairness and transparency – Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose Limitation – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation – Personal Data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
- Accuracy – Personal data must be accurate and, where necessary, kept up to date. Inaccurate Personal Data should be corrected or deleted.
- Retention – Personal data should be kept in an identifiable format for no longer than is necessary.
- Integrity and confidentiality – Personal data should be kept secure.
- Accountability – Under the GDPR, we must not only comply with the above six general principles, but we must be able to demonstrate that we comply by documenting and keeping records of all decisions.

What is personal data?

Personal data is any data that identifies you, or could be used to identify you, which is submitted and/or collected by Clinibee. It does not include anonymised data where your identity has been removed. 

Any personal data that you share with us is treated with the highest standards of security and confidentiality, strictly in accordance with the Data Protection Act 2018 and the UK and EU General Data Protection Regulation (GDPR).

What personal data do we process?

We may collect the following categories of personal data: 

  • Name, Title
  • Email Address 
  • Address/es
  • Phone Number/s
  • Date of birth
  • Commercial/business and/or professional data (e.g., company/university name, address, and email address)
  • Employment Data (e.g., organisation name, job title, and contact details)
  • Education Data (e.g., educational institution)
  • Clinical / General Practitioner details 
  • Social media data e.g., Facebook name, profile ID, Instagram handle, comments made on posts, messages you may send to us via social media and your activity on our pages via insight tools.
  • Marketing and Communications preferences
  • Technical data such as operating system (OS), internet protocol (IP) address, browser type/version, time zone and location, browser plug-in types and versions
  • Usage data (e.g., how you use our website via Cookies, Log Files and other similar technologies)
  • Any data sent via email, text, or other electronic communications

Special Category Data

We may collect sensitive data – or ‘Special Category Data’ – about you in order to assist you and to provide our service/s.  

- Data regarding your medical history (including but not limited to) disease conditions, diet, health, family history including hereditary diseases
- Data concerning a natural person’s sex life or sexual orientation (e.g., gender)
- Personal data revealing racial or ethnic origin (e.g., your nationality)

This is not an exhaustive list but rather a generalisation of the special category data collected. Special category data may vary with regard to the requirements of each Library. In this regard Clinibee acts as a processor of such data.

Clinibee does not collect special category data unless it is at the direction of a healthcare organisation, in which case Clinibee acts strictly as a data processor. Any special category data captured through the system is done so under the legal basis and control of the healthcare organisation acting as the data controller.

Criminal Convictions / Offence Data

Clinibee does not collect any information about criminal convictions and offences.

Aggregated Data

As with most websites, we gather statistical data and other analytical information (for example, demographic information, usage data etc.) collected on an aggregated basis of all visitors to our website. This data is not considered personal data in law as it does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Policy. 

How and why we use your data

- To contact and communicate with you
- To process and deliver our services to you, including providing you with information about our services
- To receive feedback
- To understand the use of our website and Clinibee platform
- To administer and protect our website, Clinibee platform and business (including troubleshooting, data analysis, testing, maintenance, support, reporting and hosting of data)
- For compliance with legislation relevant to Clinibee
- For marketing and promotional purposes in connection with the services
- To meet specific legal obligations to maintain audit documentation in the case of statutory audits
- For the management and administration of Clinibee (now and in the future).

Legal Bases for using your data

We use your personal data for the purposes outlined above. In doing so we rely on a number of separate and overlapping legal bases to lawfully process your personal data. These may include:
- Where necessary to perform our contract with you
- Where you have consented to the processing
- Where necessary for statutory obligations
- Where necessary for us to comply with a legal obligation, or to establish, exercise or defend legal claims
- For the purposes of our legitimate interests, provided that those interests are not overridden by your interests or fundamental rights and freedoms

How long do we keep your data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Where Clinibee acts as a data processor on behalf of a data controller (such as a healthcare organisation), the retention period is determined by the respective controller. In these instances, Clinibee inherits the controller’s retention obligations and will retain personal data only for the duration specified by the controller in accordance with its own policies and legal obligations. Clinibee implements technical and organisational measures to ensure compliance with controller-defined retention periods and ensures secure deletion or return of data at the end of the retention period or upon instruction.

We have a Retention Policy and Retention Schedule in place, and we ensure data is destroyed confidentially when it is required to do so.

In some circumstances you can ask us to delete your data: see below for further information. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. In some cases, by law, we have to keep basic information about our customers (including Contact, Identity, and Transaction Data) for six years after they cease being customers for tax purposes.

If you have any queries about our retention periods you can contact us on privacy@clinibee.com

Third Parties and Disclosures of your Personal Data

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

When you consent to providing us with your personal data, we will also ask you for your consent to share your personal data with the third parties set out below.

Clinibee has contracts in place and carries out due diligence with regard to our suppliers and relevant third parties.

Third Parties we may disclose your data to

- Service providers acting as processors based in the UK, Ireland and Europe who provide development, IT, and system administration services.
- Technical providers who are other entities that interact with us in connection with the services we provide.
- Professional advisers acting as processors, controllers or joint controllers including lawyers, bankers, auditors and insurers based in the UK and EU who provide consultancy, banking, legal, insurance and accounting services.
- Regulators and other authorities as processors, controllers or joint controllers based in the UK and EU who require reporting of processing activities in certain circumstances.

Clinibee does not collect special category data unless it is at the instruction of a healthcare organisation. In such cases, Clinibee acts strictly as a processor, and the clinical team or organisation acts as the controller responsible for the lawful basis and purpose of that processing. Clinibee does not determine the purposes for which special category data is used and does not share this data across libraries. Each library operates under its own privacy notice and terms, which are separate and additional to this policy.

Clinical Libraries and User Profiles

User profiles created on Clinibee are centrally maintained and include only general information such as name, date of birth, and email address. This information may be accessed by teams at healthcare organisations across libraries. However, any sensitive data collected within a specific library (such as medical information) is managed independently by that library’s team and is not accessible to other libraries or shared across platforms.

Each library accessible via Clinibee maintains its own Privacy Notice and Terms and Conditions. These govern how data is handled within that specific environment. Before accessing any library, individuals are required to review and agree to the relevant privacy and legal documentation. Clinibee’s role in such cases is limited to providing the infrastructure, and we do not determine or control how data within libraries is processed.

Security features/data location

If Clinibee has received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.

Clinibee utilises encryption, access controls and other features to ensure the security of your data.

Clinibee data is stored in the UK and EU. Should Clinibee engage a data processor or controller outside of the UK or EU (subject to adequacy findings), standard contractual clauses and a transfer impact assessment would be carried out.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.

Clinibee limits access to your personal data to those employees, contractors and other third parties on a need-to-know basis and under contract. We will only process your personal data for the purposes for which it was collected, and third parties are only permitted to process your data on our instructions.

Information on Consent

By consenting, where this is the appropriate and identified lawful basis for processing, to our processing your Personal Data in line with this Data Protection and Privacy Policy and Notice you are giving us permission to process your Personal Data specifically for the purposes identified.

You may withdraw consent at any time by providing an unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify withdrawal of consent to the processing of Personal Data relating to you. If you have any queries relating to withdrawing your consent, please contact our Data Protection Officer using the contact details set out below.

Withdrawal of consent shall be without effect to the lawfulness of processing based on consent before its withdrawal.

Your Rights

Under certain circumstances, and dependent on the legal basis under which your personal data is processed, by law you have the right to:

- Request information about whether we hold Personal Data about you, and, if so, what that Personal Data is and why we are holding/using it.
- Request access to your Personal Data (commonly known as a “Data Subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
- Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
- Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes.
- Object to automated decision-making, including profiling; that is, not to be subject to any automated decision-making by us using your Personal Data or profiling of you.
- Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request transfer of your Personal Data in an electronic and structured form to you or to another party (commonly known as a right to “data portability”). This enables you to take your data from us in an electronically useable format and to be able to transfer your data to another party in an electronically useable format.

How do you exercise your rights?

We have appointed a Data Protection Officer to monitor compliance with our data protection obligations and with this policy and our related policies. If you have any questions about this policy or about our data protection compliance, please contact the Data Protection Officer.

If you wish to exercise your rights please contact our Data Protection Officer who will respond to the request within one calendar month.

Where your personal data is processed by Clinibee on behalf of a healthcare organisation, requests for data deletion (also known as the ‘right to be forgotten’) will be reviewed and managed in conjunction with the relevant data controller. Clinicians and library teams may assess each deletion request on a case-by-case basis, taking into account clinical, legal, or regulatory requirements.

This may mean that some data cannot be immediately deleted if it is required for patient care, regulatory obligations, or public interest purposes.

Our Data Protection Officer can be contacted as follows:

XpertDPO
Telephone: +353 1 678 8997
Email: privacy@clinibee.com
Post: 20 Harcourt St, Saint Kevin's, Dublin, D02 H364, Ireland

Your Right to Lodge a Complaint

You as the Data Subject have the right to complain at any time to a supervisory authority in relation to any issues related to our processing of your Personal Data. We would like to hear from you first if you have a complaint about how we use your data so that we may rectify the issue.

As our organisation is located in the United Kingdom, and since we conduct our data processing here, we are regulated for data protection purposes by the Information Commissioner’s Office.

You can contact the Information Commissioner’s Office:
Website: http://www.ico.org.uk/
Phone: (+44) 0303 123 1113
Address: Head Office - Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK

Updates

Our practices as described in this Privacy Policy may be changed, but any changes will be posted, and changes will only apply to activities and information on a going-forward, not retroactive, basis.

You are encouraged to review this Privacy Policy periodically to make sure that you understand how any personal information you provide will be used.

We may also email you in certain circumstances to let you know if and when we update this Privacy Policy to ensure you are informed.

Any changes to this Privacy Policy will be posted on this website so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any time we decide to use Personal Data in a manner significantly different from that stated in this Privacy Policy, or otherwise disclosed to you at the time it was collected, we will notify you by email, and you will have a choice as to whether or not we use your Personal Data in the new manner. We may use your personal information for reasons not described in this Privacy Policy where permitted by law and the reason is compatible with the purpose for which we collected it. If we need to use your personal information for an unrelated purpose, we will notify you and explain the applicable legal basis.

Appendix 1

Use of API and Data Transfers Between Systems 

Clinibee provides access to certain data through a secure Application Programming Interface (API), which allows authorised downstream systems to extract data for further processing. This functionality is used by specific healthcare organisations who operate as independent data controllers.

Access to the Clinibee API is strictly controlled and only granted where:

- The organisation has a lawful basis for the intended processing;
- The data subject has provided explicit and informed consent, where required under applicable data protection laws; and
- Specific, limited approval is obtained from Clinibee for each use case of data extraction or transmission.

In certain scenarios, data may be exported from the Clinibee platform to external systems under the responsibility of the receiving data controller. Clinibee will ensure that any such data transfers are logged, governed by contract, and subject to technical safeguards such as encryption, access control, and audit trails.

Individuals will be notified where their personal data is to be transferred or processed outside the Clinibee platform. Where data is moved between systems, it will only occur where such data has already been lawfully obtained and appropriate notice has been provided.

The Clinibee API is not universally accessible. It is designed with privacy-by-design principles and may only be accessed by authenticated and authorised systems operating under clearly defined data processing agreements. Each API access event is logged, and Clinibee reviews all requests for conformance with the intended purpose, legal basis, and scope of data usage.

No personal data — especially special category data — is transferred via the API without prior consent and without adherence to strict contractual and technical controls. Where special category data is involved, such transfers are additionally subject to appropriate safeguards in accordance with Article 9 of the GDPR.