Privacy Policy
1. Who we are
MCH Software Solutions Ltd (“MCH”, “we”, “us”, “our”) provides cloud-based software solutions to healthcare and related organisations, including:
- workforce and theatre rostering platforms;
- staffing and scheduling systems;
- and patient communication platforms (together, the “Services”).
Our registered office is:
MCH Software Solutions Ltd
24 City Business Centre, Hyde Street
Winchester, Hampshire
SO23 7TA
United Kingdom
Email: dataprotection@mchss.co.uk
MCH is registered in the United Kingdom.
2. Our role under UK GDPR
MCH operates in two distinct legal roles:
a) When providing our Services to healthcare organisations
MCH acts as a Data Processor on behalf of its customer (for example a hospital, clinic, healthcare group or service provider), who is the Data Controller.
In this role, we process personal data only:
- on documented instructions of the customer; and
- in accordance with our contractual arrangements and applicable data protection law.
b) When operating our own business
MCH acts as a Data Controller for personal data relating to:
- website visitors;
- prospective customers;
- business contacts;
- customer account administrators;
- suppliers and partners.
This Privacy Policy explains both types of processing.
3. Who this policy applies to
This policy applies to:
- healthcare staff and workers using the Services;
- patients whose information is processed through the Services;
- hospital and healthcare administrators and managers;
- visitors to our websites and portals;
- business and commercial contacts.
4. The types of personal data we process
Depending on the Services being used, we may process the following categories of personal data.
4.1 Workforce and administrative data
- name
- job title and role
- work location
- contact details (email, telephone)
- shift patterns and availability
- employment identifiers
- system user accounts and access permissions
4.2 Patient communication data
- patient name and identifiers
- contact details (email, phone number)
- appointment information
- communication content and delivery status
- reference numbers linked to clinical systems
4.3 Special category data
Where required by our customers, the Services may process health data relating to patients or staff.
This is treated as special category data under UK GDPR.
MCH processes such data only on behalf of the relevant healthcare organisation and under an appropriate legal basis determined by that organisation.
4.4 Technical and usage data
- IP address
- device and browser information
- log files
- authentication and access logs
- audit and activity records
- error and diagnostic data
4.5 Business and commercial data
- names and contact details of customer and supplier contacts
- billing and contractual information
- communications with MCH
5. Our lawful basis for processing
5.1 When acting as a Data Processor
When processing personal data on behalf of our healthcare customers, the lawful basis for processing is determined by our customer as Data Controller.
MCH processes personal data:
- in order to perform its contractual obligations to the customer; and
- in accordance with Article 28 UK GDPR.
5.2 When acting as a Data Controller
When MCH acts as a Data Controller, we rely on the following lawful bases under Article 6 UK GDPR:
- performance of a contract – to provide and administer the Services;
- legal obligation – to meet regulatory, tax and legal requirements;
- legitimate interests – to operate, secure and improve our business and services;
- consent, where specifically required.
5.3 Special category data
Where special category data is processed (for example health information within the Services), processing is carried out on the basis of:
- Article 9(2)(h) UK GDPR – management of health or social care systems and services; and/or
- other applicable conditions determined by the customer as Data Controller.
6. Our right to process personal data
MCH is contractually authorised by its healthcare customers to process personal data strictly for the purpose of:
- delivering, operating and supporting the Services;
- maintaining platform security and integrity;
- providing technical support;
- complying with legal and regulatory obligations.
This includes the right to:
- host, store, transmit, analyse and back up data;
- provide customer support and incident resolution;
- carry out monitoring, auditing and logging for security and operational purposes.
7. How we use personal data
We use personal data to:
- deliver and operate the Services;
- manage user accounts and access control;
- provide technical support and customer assistance;
- maintain system security and performance;
- conduct system monitoring and diagnostics;
- communicate service updates and operational notices;
- administer billing and contractual relationships;
- improve and develop our platforms.
We do not use patient data for marketing.
8. Automated decision-making
The Services may include automated workflows (for example scheduling, notifications or prioritisation rules).
MCH does not carry out automated decision-making that produces legal or similarly significant effects on individuals on its own behalf.
Any such processing is controlled by the healthcare customer.
9. Sharing of personal data
We may share personal data with carefully selected third parties who act as our sub-processors or service providers, including:
- cloud hosting and infrastructure providers;
- security and monitoring providers;
- payment processors;
- customer support platforms.
These providers are contractually required to:
- process data only on our instructions;
- apply appropriate technical and organisational security measures; and
- comply with UK GDPR requirements.
We may also disclose personal data where required to do so by law, regulation or court order.
10. International transfers
Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including:
- the UK International Data Transfer Agreement (IDTA); or
- the UK Addendum to the EU Standard Contractual Clauses; or
- adequacy regulations where applicable.
11. Data security
We implement appropriate technical and organisational measures designed to protect personal data, including:
- access controls and authentication mechanisms;
- encryption in transit and at rest where appropriate;
- network and infrastructure security controls;
- logging and monitoring;
- regular security reviews.
Access to personal data is limited to authorised personnel who require access to perform their duties.
12. Data retention
When acting as a Data Processor, MCH retains personal data in accordance with the instructions and contractual requirements of the relevant healthcare customer.
When acting as a Data Controller, we retain personal data only for as long as necessary to:
- fulfil the purposes described in this policy; and
- meet legal, regulatory and contractual obligations.
Data is securely deleted or anonymised when no longer required.
13. Your data protection rights
Under UK GDPR, individuals have the following rights:
- Right of access – to obtain confirmation that your data is being processed and access to your personal data.
- Right to rectification – to have inaccurate or incomplete personal data corrected.
- Right to erasure – to request deletion of your personal data in certain circumstances.
- Right to restriction of processing – to request that processing is limited in certain situations.
- Right to data portability – to receive your personal data in a structured, commonly used and machine-readable format.
- Right to object – to object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent – where processing is based on consent.
- Right not to be subject to certain automated decisions.
Important note for patients and staff using healthcare systems
If your personal data is processed by MCH on behalf of a healthcare organisation, you should normally direct your request to the relevant healthcare provider, as they are the Data Controller.
We will support our customers in responding to rights requests where required.
14. How to exercise your rights
Requests can be submitted to:
We may need to verify your identity before responding.
15. Complaints
If you believe that your data protection rights have been infringed, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner’s Office (ICO)
www.ico.org.uk
16. Third-party services and integrations
The Services may integrate with third-party platforms including:
- Google Cloud Platform
- ElevenLabs
- Amazon Web Services
- Stripe
- Xero
- Dropbox
- Webflow
- Brevo
- HubSpot CRM
Each provider acts under its own privacy policy.
Where they act as sub-processors for MCH, appropriate contractual safeguards are in place.
17. External links
Our websites and platforms may contain links to third-party websites.
We are not responsible for the privacy practices or content of those websites.
18. Children’s data
The Services are not intended to be used directly by children.
Where patient data relating to children is processed, this is done solely on the instructions of the relevant healthcare provider.
19. Changes to this policy
We may update this Privacy Policy from time to time.
The most current version will always be available on our website.
20. Contact details
For any data protection enquiries, please contact:
MCH Software Solutions Ltd
24 City Business Centre, Hyde Street
Winchester, Hampshire
SO23 7TA
Email: dataprotection@mchss.co.uk
Effective date: 10th February 2026

