Privacy Policy

Last updated: January 2025

🔒 Your Privacy at a Glance

  • Your data is encrypted in transit (HTTPS/TLS) and at rest (AES-256)
  • We only collect data necessary to provide our services
  • You can request deletion of your data at any time
  • You can request a copy of all your data (GDPR right to portability)

1. Introduction

Lola Dispatch ("we", "our", "us", operating at loladispatch.com) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our phlebotomist marketplace and job matching platform.

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

Lola Dispatch is the data controller for personal data processed through our platform.

Contact: support@loladispatch.com
Data Protection Enquiries: privacy@loladispatch.com
Website: https://loladispatch.com

3. Information We Collect

For Phlebotomists

  • Full name, date of birth, and gender
  • Contact details (email, phone number, address)
  • Postcode and coverage areas for job matching
  • Enhanced DBS certificate details and reference number
  • Phlebotomy qualifications and certifications
  • Professional indemnity insurance details
  • Work history and professional references
  • Bank details for payments (processed securely via Stripe)
  • Profile photo for identification

For Healthcare Clients

  • Company name and registration details
  • Contact person details
  • Billing information (processed securely via Stripe)
  • Job posting history

For Patients (via client integrations)

  • Name and contact details (as provided by healthcare clients)
  • Appointment address and scheduling preferences
  • Special instructions for appointments

Technical Data

  • IP address and browser information
  • Device type and operating system
  • Location data (only when actively on a job, with consent)
  • Usage patterns and analytics (anonymized where possible)

4. How We Use Your Data

We use your personal data to:

  • Verify identity and professional qualifications
  • Match phlebotomists with suitable job opportunities
  • Process payments for completed services
  • Communicate about jobs, platform updates, and support
  • Comply with legal and regulatory requirements (NHS, CQC, ICO)
  • Improve our services and user experience
  • Prevent fraud and ensure platform security

5. Legal Basis for Processing

We process your data based on:

  • Contract: To provide our marketplace services to you
  • Legal obligation: To comply with healthcare regulations and employment law
  • Legitimate interests: To operate, improve, and secure our platform
  • Consent: For marketing communications and optional features

6. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data transmitted uses TLS 1.3 encryption (HTTPS)
  • Encryption at Rest: Sensitive data (tokens, credentials) encrypted with AES-256-GCM
  • Access Controls: Role-based access with audit logging
  • Secure Authentication: Password hashing with bcrypt, optional 2FA
  • Regular Security Audits: Vulnerability assessments and penetration testing
  • PCI DSS Compliance: Payment processing handled by Stripe (PCI Level 1)

7. Data Sharing

We may share your data with:

  • Healthcare clients: Limited information (name, photo, arrival time) for booked appointments
  • Payment processors: Stripe for payment processing
  • Cloud providers: AWS/Hetzner for secure data storage
  • Background check providers: For DBS verification
  • Regulatory authorities: When required by law (CQC, NHS, ICO)

We never sell your personal data to third parties.

8. International Transfers

Your data is primarily stored in the UK/EU. Where transfers outside this region are necessary (e.g., for certain cloud services), we ensure appropriate safeguards are in place such as Standard Contractual Clauses or adequacy decisions.

9. Data Retention

We retain your data for:

  • Active accounts: Duration of account activity plus 7 years
  • DBS certificates: Duration of engagement plus legally required period
  • Financial records: 7 years (HMRC requirements)
  • Job records: 7 years (healthcare compliance)
  • Audit logs: 3 years

10. Your Rights (GDPR)

Under UK GDPR, you have the right to:

Right to Access

Request a copy of all personal data we hold about you

Right to Rectification

Correct inaccurate or incomplete data

Right to Erasure

Request deletion of your data ("right to be forgotten")

Right to Restrict Processing

Limit how we use your data

Right to Data Portability

Receive your data in a machine-readable format

Right to Object

Object to processing based on legitimate interests

11. How to Exercise Your Rights

📧 Contact Us

To exercise any of your rights, please email us at:

support@loladispatch.com

Please include "GDPR Request" in the subject line and provide:

  • Your full name and email address registered with us
  • The specific right you wish to exercise
  • Any relevant details to help us locate your data

We will respond to your request within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you.

12. Opt-Out Procedures

Marketing Communications

You can opt out of marketing emails at any time by:

  • Clicking the "Unsubscribe" link in any marketing email
  • Updating your preferences in your account settings
  • Emailing support@loladispatch.com with "Unsubscribe" in the subject

Location Tracking

Location tracking is only active during jobs and can be disabled in your device settings.

Account Deletion

To delete your account and all associated data:

  • Email support@loladispatch.com with "Delete My Account" in the subject
  • We will process your request within 30 days
  • Some data may be retained for legal/regulatory compliance (see Data Retention)

13. Cookies

We use essential cookies for authentication and security. Optional analytics cookies are only set with your consent. You can manage cookie preferences in your browser settings.

14. Third-Party Integrations

When you use third-party integrations (e.g., our REST API for order import), we:

  • Only access data necessary for the integration (e.g., order details for job creation)
  • Encrypt access tokens at rest
  • Allow you to disconnect at any time, which deletes stored integration data
  • Respond to data deletion requests from the third party within 48 hours

15. Complaints

If you're not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

16. Changes to This Policy

We may update this policy from time to time. Significant changes will be notified via email or a prominent notice on our platform. The "Last updated" date at the top indicates when this policy was last revised.

17. Contact Us

For any privacy-related questions or to exercise your rights: