This Privacy Policy explains how PatientsCann UK CIC (“we”, “us”, or “our”) collects, uses, and protects information when you use our Know Your Journey web application at app.patientscann.org.uk.
PatientsCann UK CIC is the Data Controller for any personal data processed through this application, registered with the ICO (No. ZB345466). We comply fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The app is built with a Privacy by Design approach. The vast majority of data you enter never leaves your device. This policy explains precisely what does and does not.
The app has three distinct data processing activities.
The following is stored exclusively in your browser’s local storage and is never transmitted to PatientsCann or any third party:
When you use the e-learning parts of the app — Patient Mode, Professional Mode, quizzes, the chapter hub, the science library, the travel guide, and other educational features — we collect anonymised usage data to understand how the content is being used and improve it.
| Data item | What it is | Purpose |
|---|---|---|
| Session ID | A random UUID created when the app loads. It is never stored — it exists only for that session and is discarded when you close or refresh. | Groups events from a single session without identifying you across sessions. |
| Section visited | Which part of the app was opened (e.g. “Chapter Hub”, “Science Library”, “My Treatment”, “Travel Guide”). | Understanding which content is most used, to prioritise improvements. |
| Mode | Whether you are in Patient Mode or Professional Mode. | Distinguishing which user group each section serves. |
| Quiz performance | Whether a question was answered correctly or incorrectly, and approximately how long it took. No question text or personal responses — only chapter index and a correct/incorrect flag. | Identifying difficult questions so content can be improved. |
If you use the My Treatment section and choose to opt in, we collect a small amount of anonymised data to understand how UK patients use medical cannabis at a population level. This is entirely optional — all features work without it.
| Data item | What it is | Purpose |
|---|---|---|
| Device identifier (UUID) | A random code generated on your device and stored in your browser. Not linked to your name, email, clinic, or any identifying information. | Prevents duplicate records. Allows deletion of your specific record if you withdraw consent. |
| Product category | The broad type of product prescribed (e.g. “flower”, “oil”, “cartridge”). Not the specific product name or brand. | Population-level insight into which product types UK patients use, to inform content and advocacy work. |
| Quantity bracket | A broad banding of your prescribed quantity (e.g. “10–20g”). Not the exact amount. | Understanding typical prescription volumes at population level. |
We do not collect your name, email, clinic name, specific product names, diary entries, dosing notes, appointment details, or any other personal information through this feature.
| Activity | Lawful basis |
|---|---|
| Data stored only on your device | Not applicable — never reaches our systems |
| E-learning analytics (session ID, page views, quiz results) | Legitimate Interests — UK GDPR Art. 6(1)(f). No personal data involved. You can opt out at any time. |
| My Treatment anonymised data (UUID, product category, quantity bracket) | Consent — UK GDPR Art. 6(1)(a). Explicit opt-in required. Withdrawable at any time. |
| Incident reports (submitted voluntarily) | Consent — UK GDPR Art. 6(1)(a), and Art. 9(2)(a) for any health-related content voluntarily included. |
When you first open the app, a consent banner explains both types of data collection. You can accept or decline each. Consent is:
If you decline My Treatment data sharing, you will be prompted again after 7 days in case you change your mind. If you opt in, you will not be prompted again.
| Data type | Retention |
|---|---|
| Data stored only on your device | Until you delete it or clear your browser. We cannot access or recover it. |
| E-learning analytics events | Up to 12 months, after which older events are automatically purged. |
| My Treatment anonymised data (UUID, category, quantity bracket) | Retained as anonymous aggregates for service improvement. Deleted immediately on withdrawal of consent, either via the in-app button or by emailing our DPO. |
| Incident reports | Retained for as long as required to act on the report, or as stated at submission. |
Request a copy of any personal data we hold about you.
Ask us to correct inaccurate personal data.
For My Treatment data, use the in-app Withdraw consent button in Settings. This also triggers deletion of your server-side record.
Ask us to pause processing while a dispute is resolved.
Receive your data in a machine-readable format where applicable.
Withdraw at any time via the toolbar privacy icon or My Treatment → Settings, without affecting the lawfulness of prior processing.
Object to Legitimate Interests processing (e-learning analytics) via the privacy icon in the toolbar.
To exercise any right: dpo@patientscann.org.uk. We will respond within one calendar month.
We do not sell personal data. We do not share personal data with third parties for marketing. Data may be shared only with trusted infrastructure providers under a Data Processing Agreement, or where required by law. Anonymised aggregate statistics may be referenced in published reports or shared with partner organisations for research and advocacy.
If you remain unsatisfied, you have the right to complain to the ICO:
We may update this policy to reflect changes in the app or legal requirements. The “Last updated” date at the top will always reflect the most recent version. Material changes affecting personal data processing will be communicated via the app before taking effect, and will require fresh consent where consent is the lawful basis.