Privacy Policy
Effective Date: December 15, 2024
1. Introduction
Welcome to Clindoc, operated by Insight Dev Ltd (“we”, “our”, or “us”). We are committed to protecting the privacy and security of your personal data and protected health information (PHI). This policy explains how we collect, use, share, and protect your information in compliance with UK data protection legislation, including the Data Protection Act 2018, the General Data Protection Regulation (GDPR), and healthcare privacy standards including HIPAA where applicable.
2. Information We Collect
Personal Data from Healthcare Practitioners:
- Name, email address, phone number, and practice details
- Professional registration numbers and credentials
- Billing and payment information
- Preferences and configurations for the AI documentation system
- Cliniko API credentials (encrypted and securely stored)
Protected Health Information (PHI) from Patients:
- Audio recordings of clinical sessions
- Transcripts of patient-practitioner interactions
- Patient names and appointment details (via Cliniko integration)
- Clinical notes and documentation generated from sessions
- Medical terminology and treatment information discussed during sessions
Technical Information:
- IP address, browser type, operating system
- Usage and interaction data from our platform
- Session recordings and processing metadata
3. How We Use Your Data
We process data for the following lawful purposes:
- Service Delivery: To provide, operate, and enhance the Clindoc platform, facilitating AI-based transcription, clinical note generation, and Cliniko integration.
- Clinical Documentation: To transcribe patient sessions and generate structured clinical notes, referral letters, and other healthcare documentation.
- Quality Assurance: To monitor transcription accuracy and improve our medical-grade AI models.
- Communication: To interact with healthcare practitioners and respond to queries or support requests.
- Billing and Administration: To manage accounts, billing, and related administrative tasks.
- Compliance: To comply with healthcare regulations, legal obligations, and professional standards.
4. Legal Basis for Processing
Our legal basis for processing personal data and PHI includes:
- Contractual obligations with healthcare practitioners
- Consent obtained from patients for recording and processing their health information
- Legitimate interests to enhance healthcare documentation and service delivery
- Compliance with healthcare regulations and legal obligations
- Vital interests where patient care may be involved
5. Data Storage and Retention
Zero Data Storage Policy: We implement a zero data storage policy for patient information. Audio recordings and transcripts are processed in real time and immediately saved to your Cliniko practice management system. We do not retain patient data on our servers beyond the time necessary for processing.
Practitioner account information is retained for the duration of the service agreement and for up to 7 years after termination for legal and accounting purposes.
6. Sharing Your Data
We do not sell personal data or PHI. However, we may share your data with:
- Your Cliniko practice management system (as directed by you)
- Third-party service providers including secure cloud hosting, AI processing, and communications providers, under strict data protection agreements
- Healthcare regulatory bodies if required by law
- Law enforcement or government agencies when legally obligated
7. Data Security and Compliance
We maintain robust technical and organisational measures to safeguard your data:
- Encryption: End-to-end encryption for all data in transit and at rest
- Access Controls: Role-based access with multi-factor authentication
- Compliance Certifications: SOC 2 Type II, ISO 27001, GDPR, and HIPAA standards
- Regular Audits: Independent security assessments and penetration testing
- Staff Training: Comprehensive privacy and security training for all personnel
- Incident Response: 24/7 monitoring and immediate breach notification procedures
8. Your Rights
Under GDPR and healthcare privacy regulations, you have the right to:
- Request access to your personal data and PHI
- Request correction or deletion of your data
- Object to processing of your data
- Request data portability
- Withdraw consent at any time (where processing is based on consent)
- Request restrictions on data processing
- File complaints with supervisory authorities
To exercise these rights, please contact us at support@clindoc.ai. Patient rights regarding their PHI should be addressed through their healthcare practitioner.
9. International Transfers
If we transfer data outside the UK or EEA, we ensure appropriate safeguards such as Standard Contractual Clauses or adequacy decisions are implemented to protect your data. All international transfers comply with healthcare data protection requirements.
10. Cookies and Tracking
We use essential cookies for platform functionality and security. We do not use non-essential tracking cookies without your explicit consent. You can manage cookie preferences through your browser settings.
11. Changes to this Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated effective date. Significant changes will be communicated via email.
12. Contact Us
For any questions or requests regarding this policy or your personal data, contact:
Insight Dev Ltd
Email: support@clindoc.ai
Data Protection Officer: support@clindoc.ai
13. Regulatory Complaints
You may lodge complaints regarding our data handling practices with:
- UK: Information Commissioner's Office (ICO) at www.ico.org.uk
- Healthcare-specific concerns: Relevant professional regulatory bodies
This Privacy Policy demonstrates our commitment to protecting your privacy and maintaining the highest standards of data security in healthcare technology.