Privacy policy

Our terms and conditions at WriteUpp, we decided
they need to be simple and precise for everyone.

Pathway Software (UK) Limited (the Company) is committed to protecting and respecting the privacy of all our customers, partners and the end users of our Services and Software.

This policy together with:

  • our Terms of Service applicable to your use of the Services where you are our Customer (our Terms of Service);
  • our Acceptable Use Policy applicable to your use of the Software (our Acceptable Use Policy)
    • and any other documents referred to in the Terms of Service and/or the Acceptable Use Policy sets out the basis on which any Personal Data the Company collects from you, or that you provide to the Company, will be processed by us. Please read the following carefully to understand our views and practices regarding your Personal Data and how we will treat it. By using our Services and WriteUpp you are accepting and consenting to our practices as described in this policy.

This policy has been prepared in close co-operation with the Company's legal advisers to take account of the forthcoming changes under GDPR. We may change this policy from time to time to take account of:

  • changes to Data Protection Laws and other laws which may affect this policy;
  • guidance issued by the ICO and others;
  • issues raised by our Customers, partners and end users

Accordingly, and we suggest that you regularly check this page to ensure that you continue to be comfortable with the measures that we are taking to protect your privacy. This policy is effective from 11th April 2018.


In this policy the following words have the following meanings:

Act means the Data Protection Act 1988.

Customer includes the following (a) customers who have entered into a contract with us for the supply of the Services and WriteUpp (b) customers who have subscribed for a trial of our Services and WriteUpp, in both cases in accordance with our Terms of Service.

Data Protection Laws means the Act, GDPR, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the ICO or any other supervisory authority, and the equivalent of any of the foregoing in any relevant jurisdiction.

Data Controller, Data Processor, Data Subject and Personal Data all have the meaning given to them in the Act and GDPR.

Patients means the Customer's patients.

Patients Data means Personal Data of Patients, including clinical notes and assessments.

GDPR means EU General Data Protection Regulations.

ICO means the Information Commissioner's Office and any successor to it as data protection authority.

Us, Our, We or Company means Pathway Software (UK) Limited and our Staff.

You, Your, or Customer means your organisation and its Staff

WriteUpp means the software and service provided and developed by the Company

Staff means your and our employees, workers, agents and sub-contractors

Site means the Company's website at

The Company – as Data Controller

Where you are a Customer of the Company, we will be the Data Controller in respect of certain Personal Data which you and your Staff may supply to us or which we collect from you which relates to you and your Staff (Customer Data).

For the purpose of the Act and, upon its coming into force on 25th May 2018, GDPR, Pathway Software (UK) Limited of 6 Nicholas Street, Chester, England, CH1 2NX (registered in England and Wales with company number 06844098) will be the Data Controller in respect of Customer Data. Should we ask you to provide certain information by which you can be identified when using our Site, our Services or WriteUpp or by other contact methods, then you can be assured that it will only be used in accordance with this privacy policy.

As Data Controller, we determine the purposes for which and the manner in which Customer Data is, or is to be, processed. In this policy we describe the types of processing we may undertake with respect to Customer Data.

The Customer– as Data Controller, the Company as Data Processor

Where you or your Staff are responsible for the input of Patient Data which may be collected, stored and processed as a result of your use of the Services and WriteUpp, you will be the Data Controller. The Company will be a Data Processor only.

In cases where you are collecting, storing and processing Patient Data you will determine the purposes for which and the manner in which that Personal Data is, or is to be processed. You will also be responsible for:

  • informing your Staff and Patients of your privacy policy and practices, including, the lawful grounds upon which you are processing any Personal Data;
  • compliance with Data Protection Laws including all data protection and privacy laws relevant to the territory in which you operate and/or which are applicable to your Patients;
  • drawing the Patient's attention to this privacy policy;
  • informing us if any Patient objects to either your or our processing.

Patient Data is to be distinguished from Customer Data which the Company has collected from you (our Customer). For example, you may have agreed to our collection, use, transfer and storage of Customer Data (including data of your Staff) for the Company's own business purposes including credit checks, administration of contractual arrangements, sales and marketing.

Conditions for Processing

The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Patient Data to the Company for the duration and purposes of the Services. The Customer acknowledges that for the purposes of the Data Protection Laws, the Customer will be the Data Controller and that the Company is the Data Processor. The Company shall, in relation to any Patient Data processed in connection with the performance by the Company of the Services:

  • process that Patient Data only on your written instructions unless the Company is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Company to process Personal Data (Applicable Laws).;
  • ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Patient Data and against accidental loss or destruction of, or damage to, Patient Data, as are appropriate ;
  • ensure that all the Company's Staff who have access to and/or process Patient Data are obliged to keep the Patient Data confidential; and
  • not transfer any Patient Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
    • the Customer or the Company has provided appropriate safeguards in relation to the transfer;
    • the data subject has enforceable rights and effective legal remedies;
    • the Company complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred; and
    • the Company complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Patient Data;
  • assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
  • notify the Customer without undue delay on becoming aware of a Personal Data breach;
  • within 45 days of the date of termination or cancellation of your Contract delete Patient's Data and copies thereof unless required by Applicable Law to store the Personal Data; and
  • maintain complete and accurate records and information to demonstrate its compliance with these obligations.

You acknowledge that the Company uses various third-party suppliers to provide functionality within WriteUpp for the Customer's optional use to deliver and send text and email messages. The Customer accepts that such use will be in accordance with the third-party suppliers' terms and conditions and their respective privacy policies. The Customer will ensure that it has Patients consent or other authority to share Patients Data via these communications.

The Company confirms that it will notify you if it proposes to enter into any agreements with third-party processor. In such cases, a written agreement with the third party processor will incorporate terms which are substantially similar to those set out in this Privacy Policy for processing..

At any time on not less than 30 days' notice, the Company may revise this part of the privacy policy by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when this policy is updated).

The Company is not liable in respect of any Patient Data which is controlled by the Customer in breach of Data Protection Laws or outside the scope of the permissions granted to you by the Patient.

The Kind of Information we hold

The Company will collect and process the following personal information:

  • Information you provide to us;
  • Information we collect about you; and
  • Information supplied to us by third parties.

Information you provide to us.

We may process the following types of Personal Data:

Customer Data:

This is information you give us about you and your Staff and may include:

  • Name;
  • Address;
  • Email address: and
  • other information necessary for the operation of the Services or WriteUpp.

This data may be supplied by you when you:

  • Visit our Site
  • Use our Services;
  • Use WriteUpp;
  • Correspond with us by phone, e-mail or otherwise;
  • Participate in any discussion boards or other social media functions on our Site; and
  • Report a problem with our Site or Services

Patient Data:

This is information you enter into WriteUpp about your Patients when using WriteUpp and our Services which may include, but is not limited to:

  • Name;
  • Address;
  • Email address;
  • Landline & Mobile Number
  • Insurer details
  • GP details
  • Medical records
  • Treatment plans
  • Letters & documentation
  • Communications with other healthcare professionals: and
  • Other information necessary for the operation of the Services and/or WriteUpp.

This Patient Data may be supplied by you when you:

  • Use our Services in the course of your business;
  • Use WriteUpp in the course of your business;and
  • when you report a problem with our Site.

This Patient Data may be processed by us for the purposes of:

  • storing Patient Data on WriteUpp;
  • storing Patient Data on our servers;
  • supplying you with our products and Services;
    • enabling and assisting us to comply with all legal, regulatory and compliance obligations to which we are subject; and
    • ensuring the security of our Services, maintaining back-ups of our databases and sending communications to you.

Enquiry Data:

This is information you give to us and may include:

  • your name;
  • address;
  • email address; and
  • any other information you may supply or volunteer.

This data may be supplied by you when you:

  • submit an enquiry to us regarding our products and/or Services whether by telephone, email, via our website or other channel;
  • register a profile, complete surveys, or tell us about any problems with our Site;
  • submit material for publication on our website (whether in discussion boards, chat rooms or other social media platforms our website; or
  • subscribe for any newsletter or publication we may supply.

This data may be processed by us for the purposes of:

  • responding to your enquiry;
  • marketing, offering and selling our products and Services to you; or
  • sending you publications you have requested;
  • enabling and monitoring your use of our Site, products and Services.

Information we collect

Whenever you access the Site we will automatically collect the following information:

Usage Data:

This may include

  • technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, and your login information;
  • information about your visit, via our cookie policy; and
  • Information collected by Raygun – error and performance monitoring for WriteUpp

How we will use information

Lawful Grounds for the Company's processing activities

When the Company processes Personal Data, whether as Data Controller or as Data Processor, we will rely on the following lawful grounds for processing of each of the categories of data identified above.

Customer Data – the legal basis for this processing is:

  • because this is necessary in order for us to supply the Services to you and perform our contract with you and/or taking steps at your request to enter such a contract;
  • because this is necessary for the purposes of our legitimate interests (or those of a third party).

Patient Data – the legal basis for this processing is:

  • consent from the Patient/data subject;
  • because this is necessary for your use of of WriteUpp and the supply of our Services to you in accordance with our contract; and/or
  • your legitimate interests, namely the supply of your services to your Patients.

The Company will use personal information in the following ways:

Customer Data:

May be processed for the purposes of:

  • for internal record keeping
  • in the performance and administration of the Services and WriteUpp
  • to operate our business and the Site efficiently
  • to provide you with information to improve our Services and WriteUpp
  • to notify you about new features, products, special offers or other information which we think you may find interesting
  • to notify you about changes to the Company's service, the Site. this privacy policy, the Terms of Service and the Acceptable Use Policy;
  • maintaining back-ups of our databases.

Patient Data:

May be processed for the purposes of:

  • storing Patient Data on WriteUpp;
  • storing Patient Data on our servers;
  • supplying you with our products and Services;
  • enabling and assisting us to comply with all legal, regulatory and compliance obligations to which we are subject; and
  • ensuring the security of our Services, maintaining back-ups of our databases.

Usage Data:

May be processed:

  • to administer the Site for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • to improve the Site to ensure that content is presented in the most effective manner for you and for your computer;
  • to allow you to participate in interactive features of the Site, when you choose to do so;
  • as part of our efforts to keep the Site safe and secure;
  • to measure or understand the effectiveness of advertising which may be served via the Site;
  • to make suggestions and recommendations to you and other users of our Site about goods or services that may interest you or them.

If you fail to provide personal information

If you, the Customer, fail to provide certain information when requested, the Company may not be able to perform the Services and any contract we have entered into with you or we may be prevented from complying with our legal obligations.

Change of purpose

Where we are Data Controller (in respect of Customer Data and Usage Data only): the Company will only use personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Where we are Data Processor: the Company will only process Patient Data in accordance with the conditions for processing set out in this policy. We shall only process Patient Data relevant to a particular Customer's Patients, while our contract with the Customer is continuing and shall cease such processing (a) when requested by the Customer (b) on termination of the contract (c) on cancellation of the contract; or (d) at the request of the data subject.

Disclosure of your information

You agree that the Company has the right to share Customer Data and Usage Data (but not Patient Data) with:

  • Any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
  • Selected third parties including:
    • business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you (including third party IT providers, hosting and back-up service providers); and
    • third party service providers who assist us with our activities, such as hosting providers, and other IT or payment service providers, may also have access to personal information held by us and may use this information on our behalf

The Company will disclose Customer Data and Usage Data to the above third parties:

  • if the Company or substantially all of its assets are acquired by a third party, in which case personal data held by the Company and other registered users of the Site, the Services and WriteUpp will be one of the transferred assets.

Other third parties:

  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply the Terms of Service or the Acceptable Use Policy and other agreements; or
  • to protect the rights, property, or safety of the Company, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction;
  • to assist us in improving our products and Services. We monitor aggregated data that is collected by our Service and may share this with third parties collectively and in an anonymous way. This data will not reveal personal information..

We will not sell, rent or share Customer Data, Usage Data or Patient Data with third parties in other ways without your consent unless we are entitled by law to do so;

Where the Company will store personal data

We may hold personal information in electronic databases, such as our customer relationship management system. We take all reasonable steps to keep any personal information we hold about you (and your Patients) secure.

We restrict access to personal information to our Staff who require that information in order to operate and develop the Services and/or WriteUpp.

All information which is provided to, or collected by, the Company is:

  • stored on the Company's secure servers within the European Union (EU).
  • Hosted on secure data centre managed by our hosting partner with 24/7 manned security, CCTV, biometric access to the facility and restrictive access to the internals of the building based on authorisation levels.

Third Party Processors (where the Company is Data Controller)

Customer and Usage Data may be processed (by third party processors engaged by the Company) outside of the EEA.

Passwords and Security

Where the Company has given you (or where you have chosen) a password which enables you to access your account, you are responsible for keeping this password confidential. The Company asks you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although the Company will do its best to protect your personal data, the Company cannot guarantee the security of your data transmitted via the site; any transmission is at your own risk. Once the Company has received your information, the Company will use strict procedures and security features to try to prevent unauthorised access.

How long the Company will store personal data

The Company will retain Customer Data for:

  • such time as this is required in connection with the Services we are supplying to you;
  • following completion of the Services for a period of not less than 6 years from the date the Services end.

We may retain Customer Data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

The Company will retain Patient Data for:

  • such time as this is required in connection with the Services we are supplying to you;
  • following completion of the Services for a maximum period of 45 days from the date the Services end.

The Company will retain Enquiry Data for:

  • such time as this is required in connection with the enquiry you have raised;
  • a period of not less than 6 years from the date of your Enquiry.

The Company will retain Usage Data for:

  • a period of not less than 6 years from the date of collection.

Your rights as a data subject (where the Company is the Data Controller)

If you are an individual in respect of whom the Company processes Personal Data, you have the following rights. Please note that this is a summary of your rights. If you wish to understand your rights in detail you should read the relevant laws, guidance and regulations for a fuller explanation).

Right of access to your Personal Data

You can ask us to confirm whether or not we process your Personal Data, and where we do, request a copy from us. If your request is sent to the Company electronically the Company will supply this in a commonly used electronic form, unless you specifically request this in a different format.

We will supply the data free of charge but we reserve the right to charge a reasonable fee (or refuse to act on the request) if you request additional copies of the information, if access requests are unfounded or excessive.

There are circumstances where we may withhold the supply of your Personal Data – for instance where the rights and freedoms of others may be affected or where we are permitted by law.

Right to request the rectification of your Personal Data

In the event that you think we hold any inaccurate or incomplete Personal Data, you can ask us to correct any inaccurate data or to complete any incomplete data we hold.

Right to request the erasure of your Personal Data (the "right to be forgotten")

The Company will not hold any Personal Data for longer than is necessary for the purposes for which it was collected. However, in some circumstances, you may request the erasure of any Personal Data held by the Company.

Right to request the restriction on processing of your Personal Data

In some circumstances, you may request the Company to restrict processing of your Personal Data.

Right to object to the Company's processing of your Personal Data

You may object to the Company's processing of your Personal Data where:

  • processing is based on public interests or legitimate interests pursued by is or by a third party; or
  • processing is for direct marketing.

If you object the Company will stop processing the Personal Data unless the Company:

  • has a compelling legitimate ground for processing the Personal Data ; or
  • needs to process the Personal Data to establish, exercise, or defend legal claims.

Processing for direct marketing will cease immediately.

Right to data portability in respect of your Personal Data.

In limited circumstances, you may have the right to request the Company to:

  • supply your Personal Data in a format so that you may store it for further personal use on a private device;
  • transmit the Personal Data to another data controller;
  • transmit your Personal Data directly to another data controller to another where technically possible.

Right to complain to ICO/supervisory authority

If you believe our processing infringes Data Protection Laws, you have the right to lodge a complaint with a supervisory authority responsible for data protection.

You may complain in the EU member state of your residence, place of work or the place of the alleged infringement.

Right to notification of any breach

In the unlikely event of a Personal Data breach which is likely to result in a high risk to your rights, the Company will notify you of the breach without undue delay.

However, if your Personal Data is encrypted or otherwise unintelligible the Company will not be required to notify you of a breach.

Withdrawal of consent

In all cases where the legal basis for our processing of your Personal Data is consent, you have the right to withdraw that consent at any time. Such withdrawal will not affect the lawfulness of any processing before you withdraw consent.


Like most applications, WriteUpp uses cookies to help provide you with the best experience we can. Cookies are small text files that are placed on your computer or mobile phone when you browse websites

Our cookies help us:

  • Make WriteUpp work as you'd expect
  • Enables WriteUpp to remember your details so you don't have to enter them each time you log in (if you so choose)
  • Remember your settings in WriteUpp
  • Improve the speed/security of WriteUpp

We do not use cookies to:

  • Collect any personally identifiable information (without your express permission)
  • Pass data to advertising networks
  • Pass personally identifiable data to third parties

You can learn more about all the cookies we use below.

Granting us permission to use cookies

If the settings on your software that you are using to view this website (your browser) are adjusted to accept cookies we take this, and your continued use of our website, to mean that you are fine with this. Should you wish to remove or not use cookies from our site you can learn how to do this below, however doing so will prevent the service from working.

Website Function Cookies

Our own cookies

We use cookies to make our website work, including:

  • Determining if you are logged in or not
  • Remembering your search settings
  • Showing which patients you have recently viewed
  • Tailoring content to your needs
  • Remembering your preferences

There is no way to prevent these cookies being set other than to not use our site.

Third party functions

Our site, like most websites, includes functionality provided by third parties. Disabling these cookies will likely break the functions offered by these third parties.

Turning cookies off

WriteUpp will not function if cookies are turned off or disabled.


The Site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that the Company does not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Changes to our privacy policy

Any changes the Company makes to this privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.


Questions, comments and requests regarding this privacy policy are welcomed and should be directed here.

Questions or complaints

You can contact us here.

If you have any questions or have a complaint about this Privacy Policy please let us know us immediately.

Company Information

Pathway Software
6 Nicholas Street

Company Number: 06844098
VAT Number: 948 3831 85