Last Updated 04/06/2026

1. Introduction and Scope

This data protection notice (this "Notice") describes how ID Medical Group Holdings Ltd and its Affiliates (as defined in this Notice), except the Aya Entities as defined in this Notice, (collectively, "IMD", "us", "we", or "our") collect, use, disclose and otherwise process personal data of data subjects who are both resident in the United Kingdom ("UK") and who use or interact with our mobile application(s) (the "Digital Properties"), collectively, a "Data Subject".

If you are not a Data Subject, this Notice does not apply to you.

If you are a data subject, we act as joint controller (along with the Aya Entities) of Data Subjects' personal data under the UK General Data Protection Regulation, the UK Data Protection Act 2018, and related data protection and e-privacy laws in the UK (collectively, the "UK GDPR") in relation to the processing activities covered by this Notice. While this Notice is provided on IDM's behalf, the Aya Entities will provide their own data protection notice to Data Subjects. Should you have any questions about our and the Aya Entities' respective responsibilities regarding your data protection rights under the UK GDPR, please see Section 9 (How to Contact Us).

Capitalised terms used but not defined in the main body of this Notice have been defined in Schedule 1 (Definitions). The words "including" or "such as" in this Notice are not limiting.

 

2. What Types of Personal Data Do We Process and How Do We Collect This Personal Data?

In this section we set out the types of personal data relating to Data Subjects we may collect and the potential sources of such information. We may also receive any or all the types of personal data referred to in this section from our Affiliates.

 

Automatically Generated Personal Data

We may receive the following personal data relating to Data Subjects which is automatically collected or logged from our information systems or third parties when Data Subjects access and use the Digital Properties:

  • Cookie and Technical Data
  • Usage Data
  • Location Data

 

Contingent Worker Provided Personal Data

We may receive the following personal data about you when you register as, or seek a role, as a Contingent Worker through our Digital Properties:

  • AML/KYC Data
  • Contact and Professional Data
  • Cookie and Technical Data
  • Financial Data
  • Government Issued Data
  • Marketing and Communications Data
  • Profile Data
  • Voluntarily Provided Data

 

Government Provided Personal Data

We may receive the following personal data relating to Data Subjects from Governmental Authorities (including from websites and registers):

  • AML/KYC Data
  • Contact and Professional Data

 

Publicly Available Personal Data

We may receive the following personal data relating to Data Subjects from publicly available sources (including the internet):

  • AML/KYC Data
  • Contact and Professional Data
  • Government Issued Data

We may combine Personal Data that you provide to us with Personal Data that we collect from you, or about you from other sources, in some circumstances. This will include Personal Data collected in an online or offline context.

 

Special Category Personal Data

We do not request any special categories of personal data from Data Subjects with respect to the data processing activities covered by this Notice. (This includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information concerning health, and genetic and biometric data). However, Data Subjects may provide these types of personal data to us as Voluntarily Provided Personal Data. We will rely on "conditions" (including explicit consent) provided for in the UK GDPR to process such special category data.

 

Criminal Convictions and Offences Personal Data

Personal data relating to criminal convictions and offences relating to Data Subjects with respect to the data processing activities covered by this Notice may be (1) revealed to us because of KYC, AML, or transaction related due diligence (including via due diligence questionnaires) which we conduct; or (2) provided to us as Voluntarily Provided Personal Data. We will rely on "conditions" provided for in the UK GDPR to process such criminal convictions and offences data.

 

Personal Data Relating to Children

Our Digital Properties and our services (including those relating to Contingent Workers) are not intended for children (as such term is understood under applicable law). We do not knowingly collect personal data from children. Parents or guardians of a child who believe such child has disclosed personal to us, should contact us using the contact details in Section 9 (How to Contact Us) below. A parent or guardian of a child may review and request the deletion of such child's personal data and prohibit its use.

 

3. How Do We Use Personal Data?

This section sets out how we may use the personal data that we obtain or receive and our lawful bases under the UK GDPR for doing so (as defined in Part B of Schedule 1).

Purpose of Data Processing

Type of Personal Data

Lawful Basis for Processing

To ensure the Digital Properties work as intended and remain secure (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
  • Cookie and Technical Data
  • Usage Data
  • Location Data
  • Legitimate Interests (i.e., in operating well-functioning and secure Digital Properties)
  • Consent (for cookies which are optional)
If you are a Contingent Worker, to administer and fulfill our services to help you be placed as a medical professional at a hospital or healthcare providers' facilities, including to assess your suitability for such a position(s), which may include the use of automated processes.
  • AML/KYC Data
  • Contact and Professional Data
  • Financial Data
  • Government Issued Data
  • Marketing and Communications Data
  • Profile Data
  • Voluntarily Provided Data
  • Location Data
  • Legitimate Interests (i.e., searching for a suitable contract of employment for you, prior to commencement)
  • Performance of a Contract

Condition for any special category personal data:

  • Article 9(2)(a) UK GDPR
  • Any conditions specified under applicable UK law

Condition for any criminal offences personal data:

  • Article 10 UK GDPR and applicable UK law
Operating, evaluating, developing, promoting, and growing our business. This may include evaluating, entering into, and performing corporate transactions (including those involving raising capital, whether equity or debt, mergers and acquisitions, joint ventures, the sale, transfer, or merger of all or parts of our business or our assets).
  • All types of data set out in Part A of Schedule 1 to the extent relevant to the activity
  • Legitimate Interests (i.e., promoting our services and growing our business)
  • Performance of a Contract

Condition for any special category personal data:

  • Article 9(2)(a) UK GDPR
  • Any conditions specified under applicable UK law

Condition for any criminal offences personal data:

  • Article 10 UK GDPR and applicable UK law
Complying with legal and regulatory obligations, including (relative to Contingent Workers):

  • conducting due diligence and onboarding checks
  • maintaining accurate books and records
  • facilitating internal and external audits
  • conducting internal investigations
  • conducting verification, "know your client", terrorist financing, sanctions, and anti-money laundering checks
  • preventing and detecting fraud
  • investigating and addressing any complaints, claims, proceedings, or disputes
  • responding to requests and directions from Governmental Authorities
  • seeking advice from Professional Advisors, including legal advice.
  • AML/KYC Data
  • Contact and Professional Data
  • Profile Data
  • Government Issued Data
  • Marketing and Communications Data
  • Voluntarily Provided Data
  • Legitimate Interests (i.e., complying with industry standards or best practices)
  • Compliance with a Legal Obligation

Condition for any special category personal data:

  • Article 9(2)(a) UK GDPR
  • Any conditions specified under applicable UK law

Condition for any criminal offences personal data:

  • Article 10 UK GDPR and applicable UK law
Preparing for and addressing investigations and disputes (including those involving Contingent Workers, Affiliates, Professional Advisors, Governmental Authorities)All types of data set out in Part A of Schedule 1 to the extent relevant to the investigation or dispute
  • Legitimate Interests (i.e., preparing for and addressing investigations and disputes)
  • Compliance with a Legal Obligation

Condition for any special category personal data:

  • Article 9(2)(a) UK GDPR
  • Any conditions specified under applicable UK law

Condition for any criminal offences personal data:

  • Article 10 UK GDPR and applicable UK law
Responding to Data Subjects who request such contact
  • Contact and Professional Data
  • Voluntarily Provided Data
  • Consent
Providing services to our Contingent Workers, including:

  • managing contractual relationships with Contingent Workers
  • communicating with Contingent Workers
  • analysing and managing commercial risks
  • Contact and Professional Data
  • Profile Data
  • AML/KYC Data
  • Voluntarily Provided Data
  • Government Issued Data
  • Legitimate Interests (i.e., providing our services to Contingent Workers)
  • Performance of a Contract
Managing and protecting our business, employees and staff from risks and threats, including identifying and preventing virtual threats such as cyber-attacks.
  • Cookie and Technical Data
  • Usage Data
  • Contact and Professional Data
  • Voluntarily Provided Data
  • Location Data
  • Legitimate Interests (i.e., protecting our business and employees and preventing fraud)

Condition for any criminal offences personal data:

  • Article 10 UK GDPR and applicable UK law

 

If a Data Subject has provided consent to processing and subsequently withdraws that consent, we may still process that Data Subject's personal data where we have another lawful basis for doing so, provided that the Data Subject has not expressly asked us to stop processing their personal data in accordance with Section 6 (Data Protection Rights).

Where we need to collect personal data by law or under the terms of a contract that we have with a Data Subject and the Data Subject fails to provide that personal data when requested, we may not be able to perform the contract we have with the Data Subject or with her/his relevant employer.

 

4. Sharing of Personal Data

We may share Data Subjects' information with the following third parties (as defined in Part C of Schedule 1):

  • Affiliates, including the IDM Entities
  • Business Partners
  • Governmental Authorities
  • Professional Advisors
  • Service Providers

Please see Section 5 (International Data Transfers) below for information on international transfers to such third parties. We require all our data processors and any other third party that we provide Data Subjects' personal data to respect the security of Data Subjects' personal data and to treat it in accordance with applicable law.

 

5. International Data Transfers

Your personal data may be transferred to, stored in, or accessed within the UK or transferred to, stored in or accessed from countries outside the UK (including to the United States) in connection with the purposes described in this Notice. For transfers to countries outside the UK, the data protection regime may be different than in the UK and may not provide the same level of data protection. Where required, we rely on UK international data transfer agreements when we transfer personal data out of the UK (collectively, the "UK SCCs").

To the extent that we undertake any onward transfers of personal data to any third parties, such transfers shall only be to the third parties listed in Section 4 (Sharing of Personal Data) above and for the purposes described in Section 3 (How Do We Use Your Personal Data?) above. UK SCCs (or an alternate approved mechanism) shall be relied upon to make any restricted onward transfers of personal data outside of the UK.

 

6. Data Protection Rights

If you are a Data Subject, you may relative to the personal data we process about you:

  • Request access to such personal data;
  • Request correction of such personal data;
  • Request erasure of such personal data;
  • Object to processing of such personal data;
  • Request restriction of processing of such personal data;
  • Request the transfer of such personal data to you or to a third party; or
  • Withdraw consent at any time where we are relying on consent to process such personal data; or
  • Obtain a copy of any UK SCCs we use to transfer such personal data outside of the UK.

To exercise any of the rights set out above, please contact us using the contact details provided in Section 9 (How to Contact Us) below. There are exceptions and exemptions that apply to some of the rights, which we will apply in accordance with the applicable data protection laws. Where you have any such rights under applicable laws, we will respond to any such rights that you want to exercise within one month of receiving the request, unless the request is complex, in which case it may take longer. In addition to the above rights, you have the right to lodge a complaint with the UK's Information Commissioner's Office.

We may need to request specific information from you to help us confirm your identity and your right to access your personal data (or to exercise any of the other rights).

 

7. Automated Processing and Decision Making

We do not make any decisions regarding Data Subjects solely using automated processes (including profiling) based on Data Subjects' personal data where such decision produces legal effects concerning the Data Subject or similarly affects the Data Subjects.

We may use automated processes to help offer Data Subjects located in the UK potential opportunities based on their qualifications, grades specialties, availability, and hours worked. Such processes will: (i) not involve special category personal data, or criminal convictions and offences personal data; and (ii) be subject to meaningful human involvement. Data Subjects may contact us as provided for in this Notice to learn more about such automated processes, including the applicable logic and safeguards.

 

8. Retention of Personal Data

We will only retain a Data Subject's personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, regulatory requirements, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal or regulatory requirements. Details of retention periods for personal data are available from us on request using the contact details at Section 9 (How to Contact Us).

 

9. How to Contact Us

Should you wish to exercise your data protection rights relating to the personal data processed under this Notice, we suggest that you contact us through the details provided. We will coordinate our response to your request with the Aya Entities (which, as noted above, act as joint controllers of your personal data along with us).

Our Data Protection Officer may be contacted using the following contact details:

Address: Attention — Data Protection Officer, ID Medical Group Holdings Ltd, 2 Mill Square, Featherstone Rd, Wolverton Mill, Wolverton, Milton Keynes MK12 5ZD, United Kingdom

Email: dpo@id-medical.com

You may also contact our UK GDPR Representative, European Data Protection Office (EDPO), by writing to Unit 33, Waterside, Schooner Court, 44-48 Wharf Road, London, N1 7UX, United Kingdom or using EDPO's UK

Online request form: https://edpo.com/uk-gdpr-data-request/

 

10. Cookie Notice

Cookies are small text files that are placed on your computer by websites or software applications that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the digital properties. We use certain cookies on our Digital Properties. We will deploy cookies (which are not "strictly necessary") on your device only with your consent. Please see our cookie banner on our Digital Properties and our Cookie Policy for more details.

 

11. Amendments to This Notice

This Notice may be revised from time to time, including where we add new features and services, as laws or regulations change, and as industry privacy and security best practices evolve. We display a "Last Updated" date in at the top of this Notice so it is clear when there has been a change. If we make any material change to this Notice regarding use or disclosure of personal data, we will notify you of such change.

 

Schedule 1 (Definitions)

A. Types of Personal Data That We May Process

Type of Personal DataDetails
Anti-Money Laundering and Know Your Customer Data ("AML/KYC Data")
  • Personal data contained in government issued identification documents
  • Financial and banking information (including investment history and source of funds)
  • Information relating to political exposure if revealed during AML, KYC, fraud checks
  • Criminal convictions and offences data if revealed during AML, KYC, fraud checks
Contact and Professional Data
  • First name and last name
  • Name of employer or the organisation represented
  • Title and position
  • E-mail address and physical address
  • Telephone numbers
  • Date and country of birth
  • Gender
  • Country of residence, nationality, and citizenship
Cookie and Technical Data
  • Our cookie banner sets out details of the cookie and related data which we collect and process (including "strictly necessary" and "optional" cookies).
  • Internet protocol (IP) address
  • Browser type and version
  • Time zone setting and location
  • Browser plug-in types and versions
  • Operating system and platform
  • Other technology on the devices used to access the Digital Properties
  • Location Data
Financial Data
  • Bank account details
Location Data
  • Country, region, state and city in which a Data Subject is located. High precision geolocation data will not be collected.
Government Issued Data
  • Social Security number
  • Driver's license number
  • Passport number
  • National identification number
  • Tax identification number
Marketing and Communications Data
  • Preferences in receiving marketing from us and third parties
  • Communication preferences
Profile Data
  • Username
  • Profession and current employment status
  • Professional experience
  • Grade, qualifications, degree(s)m and transcripts
  • Specialty
  • CV and resume
  • Professional certifications
  • Visas and immigration related information
  • Availability and hours worked
Usage Data
  • Information about how the Digital Properties is used
Voluntarily Provided Data
  • Any other personal data provided by the Data Subject, including "special category" personal data or criminal convictions or offences data.

 

B. UK GDPR Lawful Bases for Processing

Lawful BasisDescription
Compliance with a Legal ObligationWe may process personal data to the extent necessary for us to comply with applicable laws.
ConsentWe may process personal data where the Data Subject has provided consent for us to do so.
Legitimate InterestsWe may process personal data for our legitimate interests as a business or those of a third party where our processing does not prejudice the Data Subject's rights so as to override our legitimate interest. We have provided examples where applicable in Section 3 (How do we use personal data?).
Performance of a ContractWe may process personal data where it is necessary for us to do so to exercise our rights or satisfy our obligations under a contract we have with the Data Subject.

 

C. Third Party Data Sources and Recipients

Third PartyDescriptionStatus of Third Party
AffiliatesRefers to our affiliates, subsidiaries, or entities under common management or subject to common control as us.Joint controller with our other Affiliates.
Aya EntitiesAya Healthcare, Inc., Qualivis, LLC, Bespoke Workforce, LLC, Vaya Workforce Solutions, LLC and Symmetry Workforce LLC.Joint controller.
Business PartnersRefers to current or prospective business partners (i) involving investments from us; (ii) with which we undertake commercial, corporate, or other business transactions (involving mergers, acquisitions, equity, debt, or credit), includes transactional counterparties, banks, lenders, and financial institutions; and/or (iii) hospitals and healthcare providers, including NHS hospital trusts.Independent controller.
Governmental AuthoritiesRefers to governmental authorities in the UK, or other countries, including law enforcement agencies, tax authorities, supervisory authorities, and regulators.Independent controller.
Professional AdvisorsRefers to current or prospective professional advisors including lawyers, solicitors, attorneys, accountants, investment and merchant bankers, brokers, auditors, and insurers.Independent controller.
Service ProvidersRefers to current or prospective party providers of services such as IT services, hosting services, and other business process and marketing services.Typically, data processors. However, Service Providers who are independently regulated will be independent controllers.