Privacy Policy
Last updated: April 2026
Fly&Health ("we", "us", "our") is committed to safeguarding the privacy of our website visitors, patients, and registered healthcare providers. This Privacy Policy sets out how we collect, use, store, and protect your personal data when you use our website (flyandhealth.com), our patient application (app.flyandhealth.com), and our doctor portal (doctors.flyandhealth.com).
Fly&Health is operated by Fly&Health Limited, a company registered in England and Wales. Our processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Definitions
We use the term "personal data" to refer to any information that directly or indirectly identifies you, such as your name, email address, phone number, IP address, or medical information you provide in a treatment request.
"Healthcare provider" refers to any doctor, clinic, or hospital registered on the Fly&Health platform.
"Platform" refers collectively to our website, patient application, and doctor portal.
2. Lawful Grounds for Processing
Under UK GDPR, we must have a lawful basis for processing your personal data. The bases we rely on are:
| Data type | Lawful basis |
|---|---|
| Patient contact details | Explicit consent (collected at form submission) |
| Patient treatment request details | Consent and legitimate interest |
| Doctor/clinic profile data | Contract (required to use the service) |
| Payment and transaction data | Legal obligation (financial records) |
| Website usage data | Legitimate interest (improving our services) |
3. What Data Do We Collect?
3.1 For patients
- Contact information: first name, last name, email address, phone number, WhatsApp number
- Treatment request details: treatment category, procedure description, budget range, country of origin, urgency, treatment history, medical notes
- Photos uploaded as part of a treatment request
- Verification data: email and phone OTP verification status
- Account data (if registered): email, password (hashed), profile information
3.2 For healthcare providers
- Registration details: name, email, phone number
- Professional credentials: medical licence, diploma, specialist certifications
- Organization details: clinic/hospital name, address, type, logo
- Payment data: credit purchase history, transaction records (payment processing is handled by Stripe; we do not store card details)
3.3 For all visitors
- Technical data: IP address, browser type, device information, operating system
- Usage data: pages visited, referral source, length of visit, page interactions
- Cookie data (see Section 10 below)
4. How Do We Collect Your Data?
You directly provide us with most of the data we collect when you:
- Submit a treatment request on our patient application
- Register an account as a patient or healthcare provider
- Complete the doctor/clinic onboarding and verification process
- Purchase credits on the doctor portal
- Contact us by email
We also collect data automatically when you visit our website through cookies and similar technologies.
5. How Will We Use Your Data?
We use your personal data to:
- Process and display your treatment request to relevant healthcare providers
- Notify you when a healthcare provider expresses interest in your case
- Verify healthcare provider credentials and maintain platform quality
- Process credit purchases and maintain transaction records
- Send transactional emails (request confirmations, doctor interest notifications, account updates)
- Administer and improve the platform and website
- Analyse website usage to improve our services
- Comply with legal obligations
6. Sharing Your Data
6.1 Patient data shared with healthcare providers
When a verified healthcare provider expresses interest in your treatment request, the following data is shared with that provider:
- Your full name, email address, phone number, and WhatsApp number
- Your treatment request details and any uploaded photos
- Your preferred contact method
Your contact details are never shared publicly. They are only shared with specific healthcare providers who have expressed genuine interest in your case. You will be notified by email each time a healthcare provider receives your details.
6.2 Third-party service providers
We use the following third-party services to operate the platform:
- Supabase: database hosting and authentication (EU region)
- Stripe: payment processing. We securely share your email address with Stripe for payment and fraud detection purposes. Stripe's privacy policy is available at stripe.com/privacy. We do not store your card details.
- Brevo: transactional email delivery
- Vercel: website and application hosting
6.3 Other disclosures
We may also share personal data:
- To the extent required by law or regulation
- In connection with legal proceedings or prospective legal proceedings
- To establish, exercise, or defend our legal rights
- In response to lawful requests by public authorities
7. How Do We Store and Secure Your Data?
We take reasonable precautions to prevent the loss, misuse, or alteration of your personal data. Our infrastructure includes:
- All data transmitted via HTTPS (encrypted in transit)
- Database hosted on Supabase in the EU (eu-west region)
- Encryption at rest for all stored data
- Row-Level Security (RLS) on all database tables containing personal data
- Access restricted to authorised personnel only
You are responsible for keeping your account passwords confidential. We will never ask you for your password.
8. Retention of Data
| Data type | Retention period |
|---|---|
| Active treatment requests | Until expired or closed, plus 30 days |
| Patient contact details | Deleted when request is closed or expired |
| Healthcare provider profiles | Duration of account, plus 2 years after deletion |
| Credit transaction records | 7 years (UK financial record-keeping requirement) |
| Email logs | 90 days |
| Website analytics data | 26 months |
9. Your Data Protection Rights
Under UK GDPR, you have the following rights:
- Right of access: you can request a copy of your personal data held by us.
- Right to rectification: you can request correction of inaccurate or incomplete personal data.
- Right to erasure: you can request deletion of your personal data under certain circumstances, such as when you withdraw consent or when the data is no longer necessary.
- Right to restrict processing: you can request that we limit how we use your data in certain circumstances.
- Right to data portability: you can request your personal data in a structured, commonly used, machine-readable format.
- Right to object: you can object to processing based on legitimate interests.
- Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at privacy@flyandhealth.com. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been handled unlawfully.
10. Cookies and Similar Technologies
Our website uses cookies and similar technologies (such as browser local storage). These are small pieces of data stored on your device, and we use them to operate the website, analyse traffic, and measure the performance of our advertising. The categories of cookies we use are:
- Strictly necessary: required for the website to function, including authentication, security, and preserving your cookie consent choice. These cookies do not require consent and cannot be disabled.
- Analytics: help us understand how visitors use our website (Google Analytics 4). They collect data such as pages visited, time spent, device type, and referral source.
- Advertising: used to measure the effectiveness of our advertising campaigns and to deliver more relevant ads (Google Ads). They include identifiers such as gclid and conversion tracking cookies.
- Functionality and personalisation: remember choices you make to provide a more personalised experience.
When you first visit our website, a consent banner appears asking you to accept or reject non-essential cookies. We do not load analytics or advertising cookies until you accept. We implement Google Consent Mode v2, which means that until you provide consent, Google services run in cookieless mode and no advertising or analytics identifiers are stored on your device.
Your consent choice is stored on your device for up to 12 months. After that period, we will ask you again. You can change or withdraw your consent at any time by selecting Cookie Settings in the footer of any page. Most browsers also allow you to manage or block cookies through their own settings. For more information about cookies, visit allaboutcookies.org.
11. Third-Party Websites
Our website may contain links to other websites. We are not responsible for the privacy practices or content of third-party websites. We encourage you to read the privacy policy of any website you visit.
12. Changes to This Policy
We keep this privacy policy under regular review and will place any updates on this page. This policy was last updated in April 2026.
13. How to Contact Us
If you have any questions about this privacy policy, the data we hold on you, or you would like to exercise any of your data protection rights, please contact us:
- Email: privacy@flyandhealth.com
- Post: Fly&Health Limited, York House, 18 York Road, Maidenhead, United Kingdom SL6 1SF
If you wish to make a complaint or feel we have not addressed your concern satisfactorily, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.