Privacy Policy

Last updated: 6 June 2026

This Privacy Policy explains how VirtualPatients Ltd (trading as “MedMock”, “we”, “us” or “our”) collects, uses, shares and protects your personal data when you visit medmock.com or use the MedMock platform (the “Platform”), whether you browse, register, take a free trial or pay for access. It also sets out our legal bases for processing under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, how long we keep your data, and the rights you have. Please read it alongside our Terms and Conditions, which govern your use of the Platform and set out important limits on our liability and your responsibility to independently verify all content.

1. Who we are

VirtualPatients Ltd is the “controller” responsible for your personal data.

  • Registered company: VirtualPatients Ltd (company number 16303492).
  • Registered office: 2 St. Mary's Road, Tonbridge, England, TN9 2LB.
  • ICO: We are registered with the UK Information Commissioner’s Office (ICO).
  • Contact for data protection enquiries: contact@medmock.com.

2. Important note about clinical scenarios

MedMock is an educational simulation tool. The patients, examiners, relatives and clinical cases you interact with are entirely fictional and AI-generated, and because the Platform is powered by artificial intelligence, which makes mistakes, the content, scores and feedback will at times be incorrect. You should never enter real patient data, real patient-identifiable information, or any other person’s confidential information into the Platform, and you should not enter your own sensitive health information. Any clinical content you type or speak is treated as part of an educational exercise, not as a medical record. The Platform must never be used for real clinical decisions or in the care of any real patient, and it is your responsibility to independently verify all content before relying on it — see our Terms and Conditions.

3. The personal data we collect

3.1 Account and profile data

Full name, email address, password (stored only as a secure hash by our authentication provider), the institution or workplace you provide, the exam or interview you are preparing for, your subscription tier, and any optional details you give us (such as a target hospital, specialty or medical school).

3.2 Conversation and session content

The text and voice content of your practice sessions, including your typed messages, the audio you record, the transcripts generated from that audio, the AI-generated patient/examiner responses, and the automated scores, feedback and coaching tips produced for each station. We also store session metadata such as the exam, station, duration and timestamps.

3.3 Payment data

When you subscribe or top up, payments are processed by Stripe. We receive limited billing information (for example your subscription status, plan, customer reference and the outcome of payments). We do not receive or store your full card number — that is handled directly by Stripe.

3.4 Usage, device and technical data

IP address, approximate location (country, region and city derived from your IP), browser type and user agent, device information, pages visited, features used, and interaction and performance metrics.

3.5 Marketing and acquisition data

How you found us (referrer, landing page and any campaign/UTM parameters), and your communications and feedback when you contact us.

4. How we use your data and our legal bases

Under the UK GDPR we must have a lawful basis for each use of your personal data. We rely on the following:

  • Performance of a contract — to create and manage your account, deliver practice sessions, generate scores and feedback, process payments and provide support.
  • Legitimate interests — to secure and operate the Platform, prevent fraud and abuse, understand how the service is used, and improve our features, prompts and models using de-identified and aggregated data (see section 7). We balance these interests against your rights and you can object at any time.
  • Consent — for non-essential cookies and analytics, and for any optional marketing emails. You can withdraw consent at any time.
  • Legal obligation — to comply with our legal, tax, accounting and regulatory duties.

5. Artificial intelligence and voice processing

The Platform uses third-party artificial intelligence services to power its simulations and feedback. When you take part in a session:

  • Your typed messages and session context are sent to Google’s Gemini generative AI service to generate patient/examiner responses, scenarios, mark schemes, feedback and coaching.
  • If you use voice, your recorded audio is sent to Google Cloud Speech-to-Text (and, for longer clips, Google’s Gemini) to convert your speech into text.

These providers process this content on our behalf to return a result to you. The scores and feedback are produced by automated systems for educational purposes only; they are not a definitive assessment of your competence and have no bearing on any official examination. They do not produce decisions that have legal or similarly significant effects on you, and you can contact us if you wish to discuss any feedback.

6. Who we share your data with

We do not sell your personal data. We share it only with the service providers (“processors”) needed to run the Platform, each under a contract that limits how they may use it:

  • Google Cloud Platform / Firebase — hosting, database (Firestore), authentication, file storage and analytics.
  • Google (Gemini & Cloud Speech-to-Text) — AI generation and speech transcription, as described in section 5.
  • Stripe — payment processing.
  • Resend — sending transactional and marketing emails (for example verification, password reset, support replies, and any marketing emails you have agreed to receive).
  • Cloudflare (Turnstile) — bot and abuse protection on our sign-up and contact forms.
  • Professional advisers and authorities — for example legal, accounting or regulatory bodies, where we are required to do so by law, court order, or to establish, exercise or defend legal claims.

If our business is restructured, sold or merged, personal data may be transferred to the relevant party, subject to this Policy.

7. Using data to improve the service

We may use de-identified and aggregated data — with personal identifiers removed — to monitor quality, debug issues, and improve our prompts, scoring and the Platform’s performance. We do not use your identifiable conversation content to train third-party foundation models. If you would prefer your content not to be used even in de-identified, aggregated form to improve the service, contact us at contact@medmock.com and we will honour that request.

8. International transfers

We aim to store your account and session data on Google infrastructure located in the European Union (London/Europe regions). Some of our providers (including Google, Stripe, Resend and Cloudflare) may process limited data outside the UK and EEA. Where data leaves the UK, we rely on an appropriate safeguard — such as an adequacy decision, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses — so that your data continues to be protected to UK standards.

9. How long we keep your data

We keep your personal data only for as long as necessary for the purposes set out in this Policy. In general, we keep your account and session data for the life of your account and for a reasonable period afterwards. If you close your account or ask us to delete it, we will delete or anonymise your personal data within a reasonable period, except where we are required to retain certain records (for example, transaction records for tax and accounting purposes, typically up to six years).

10. How we keep your data secure

We protect your data using encryption in transit, access controls, server-side enforcement of who can read each user’s data, and reputable infrastructure providers. No system is completely secure, but we take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, alteration or disclosure, and we will notify you and the ICO of a personal data breach where we are legally required to do so.

11. Your rights

Under the UK GDPR you have the right to:

  • be informed about how we use your data (this Policy);
  • access a copy of your personal data;
  • have inaccurate data corrected;
  • have your data erased in certain circumstances;
  • restrict or object to certain processing, including processing based on legitimate interests and any direct marketing;
  • data portability — receive your data in a structured, commonly used, machine-readable format; and
  • withdraw consent at any time, where we rely on consent.

To exercise any of these rights, email us at contact@medmock.com. We will respond within one month. There is normally no charge, and we may need to verify your identity first.

12. Cookies and analytics

We use essential cookies needed to keep you signed in and to operate the Platform. We also use Google Analytics to understand how the Platform is used. Non-essential analytics cookies are only set after you accept them via our consent banner, and you can change your choice at any time in your browser settings. Disabling cookies may limit some features. For more detail, see our cookie banner controls.

13. Marketing

We will only send you marketing emails where you have agreed to receive them or where we are otherwise permitted to do so. You can manage your email preferences at any time in your account settings, opt out using the unsubscribe link in any marketing email, or contact us. Transactional and service messages (such as verification, billing and security notices) are not marketing and may still be sent while you hold an account.

14. Children

The Platform is intended for users aged 18 or over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it.

15. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices or for legal, operational or regulatory reasons. If we make significant changes, we will notify you by email or by placing a prominent notice on the Platform before the change takes effect. The “Last updated” date above shows when this Policy was last revised.

16. Complaints

We hope to resolve any privacy concern you raise, so please contact us first at contact@medmock.com. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk, or with the data protection authority in your country of residence.

17. Contact us

If you have any questions about this Policy or how we handle your data, contact us at contact@medmock.com, or write to us at VirtualPatients Ltd, 2 St. Mary's Road, Tonbridge, England, TN9 2LB.