Privacy Policy

Last updated: 21 June 2026

This Privacy Policy explains how MedicalStudents.org.uk ("we", "us", "our") collects, uses, and protects your personal information when you use our website and services. We are committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

MedicalStudents.org.uk is an educational platform for UK medical students. For data protection purposes, we are the data controller for personal information collected through this website.

2. Information We Collect

When you register:

  • First and last name
  • Personal email address
  • University email address
  • Medical school and year of study
  • Password (stored as a one-way hash β€” we cannot read your password)

When you use the platform:

  • Profile information you choose to add (biography, research, publications, conferences, societies, electives)
  • Email alias requests
  • Contact form submissions
  • Newsletter subscription (email address only)

Automatically collected:

  • IP address (for security purposes)
  • Session data (to keep you logged in)
  • Browser type and basic device information (via standard web server logs)

3. How We Use Your Information

  • Account management β€” creating and managing your account, verifying your email, enabling login
  • Email aliases β€” processing and managing your @medicalstudents.org.uk forwarding address
  • Public profiles β€” displaying your profile at /u/[username] (only information you choose to make public)
  • Communications β€” sending you transactional emails (email verification, password reset, alias updates)
  • Newsletter β€” sending updates if you have subscribed (you can unsubscribe at any time)
  • Contact responses β€” responding to messages submitted via the contact form
  • Security β€” detecting and preventing fraudulent or abusive use

4. Legal Basis for Processing

  • Contract performance β€” processing necessary to provide the services you have registered for
  • Legitimate interests β€” security, fraud prevention, platform improvement
  • Consent β€” newsletter subscription; you may withdraw consent at any time

5. Data Sharing

We do not sell your personal data. We do not share your data with third parties except:

  • Hosting provider β€” Hostinger, who host the website and store data on their servers (data may be processed in the EU/EEA)
  • Email service β€” email sending via PHP mail or SMTP (for transactional emails only)
  • Cloudflare β€” for DNS, email routing, and security (your alias email is forwarded via Cloudflare Email Routing)
  • Legal requirements β€” if required to do so by law or in response to a valid legal request

6. Data Retention

  • Account data is retained for as long as your account is active
  • If you delete your account, your data will be removed within 30 days
  • Contact form messages are retained for up to 12 months
  • Server logs are retained for up to 30 days

7. Your Rights

Under UK GDPR, you have the right to:

  • Access β€” request a copy of the personal data we hold about you
  • Rectification β€” correct inaccurate or incomplete data
  • Erasure β€” request deletion of your data ("right to be forgotten")
  • Restriction β€” request we restrict processing of your data
  • Portability β€” receive your data in a structured, machine-readable format
  • Object β€” object to processing based on legitimate interests
  • Withdraw consent β€” for newsletter subscription at any time

To exercise any of these rights, contact us via the contact form.

8. Cookies

We use only essential cookies required for the website to function (session management, cookie consent preference). We do not use advertising or tracking cookies. See our Cookie Policy for full details.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including password hashing, session security, and HTTPS encryption. No system is completely secure, and we cannot guarantee absolute security.

10. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Continued use of the website after changes constitutes acceptance of the updated policy.

12. Contact

For data protection enquiries, contact us via our contact page.