CliniVoiceAI
© 2026 clinivoice.com

NHS Compatible · GDPR Compliant · ICO Registration In Progress · support@clinivoice.com


Privacy Policy

Last updated: 21 March 2026 · Effective date: March 2026

Table of Contents

  1. Data Controller
  2. What Data We Collect
  3. Lawful Basis for Processing
  4. How We Use Your Data
  5. Special Category & Clinical Data
  6. Processing of Patient Health Data
  7. Your API Keys (BYOK)
  8. Third Parties & Sub-processors
  9. International Data Transfers
  10. Data Retention
  11. Your Rights
  12. Subject Access Requests (Patient SARs)
  13. Cookies
  14. Children’s Data
  15. Security Measures
  16. ICO Registration
  17. Data Processing Agreement
  18. Data Protection Contact
  19. Complaints
  20. Changes to This Policy

CliniVoice AI Ltd (“we”, “us”, “our”) is committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use CliniVoice AI.

1. Data Controller

For your account data and service usage data, CliniVoice AI Ltd is the data controller. We are registered in England and Wales.

For clinical/patient data processed through the Service, your employing healthcare Organisation is typically the data controller and CliniVoice AI acts as a data processor under a Data Processing Agreement.

2. What Data We Collect

Account Data

  • Full name and professional title
  • Email address
  • Organisation/employer name
  • Professional registration number (e.g. GMC, NMC, HCPC)
  • Password (stored as a salted hash, never in plaintext)

Clinical Content (Processed on Your Behalf)

  • Audio recordings of clinical dictation
  • Transcribed text from recordings
  • AI-generated clinical letters and summaries
  • Patient identifiers you include (name, DOB, hospital number, NHS number)

Browser Extension Data

  • Authentication session token (stored in chrome.storage.session — cleared when browser closes, never written to disk)
  • EPR auto-fill data temporarily held in session storage for the duration of a single browser session and not persisted after the tab closes
  • No patient identifiers are ever stored persistently by the browser extension

Usage Data

  • Feature usage and interaction patterns (anonymised)
  • Session duration and frequency
  • Device type, browser, and operating system
  • IP address (truncated for analytics)
  • Error logs and performance data

Payment Data

  • Billing name and address
  • Payment card details are processed directly by our payment processor (Stripe) and are never stored on our servers

3. Lawful Basis for Processing

Under UK GDPR, we process your data on the following legal bases:

  • Account data: Contract (Art. 6(1)(b)) — necessary to provide the Service
  • Clinical content: Contract (Art. 6(1)(b)) + Art. 9(2)(h) (healthcare provision)
  • Usage analytics: Legitimate interests (Art. 6(1)(f)) — service improvement
  • Payment data: Contract (Art. 6(1)(b)) — billing
  • Marketing emails: Consent (Art. 6(1)(a)) — opt-in only

4. How We Use Your Data

  • To provide, maintain, and improve the Service
  • To transcribe audio and generate clinical letters using AI
  • To authenticate your identity and manage your Account
  • To process payments and manage Subscriptions
  • To send transactional emails (account confirmations, security alerts)
  • To send marketing communications (only with your opt-in consent)
  • To detect, prevent, and address security incidents and fraud
  • To comply with legal obligations
  • To provide customer support

We do NOT use your Clinical Content to train AI models unless you provide explicit, informed opt-in consent.

5. Special Category & Clinical Data

Clinical Content may contain special category data (health data) as defined under Article 9 of UK GDPR. We process this data under Article 9(2)(h) — processing necessary for the provision of health or social care, subject to appropriate safeguards.

We implement enhanced protections for clinical data including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Strict access controls with role-based permissions
  • Audit logging of all data access
  • Automatic data deletion in accordance with retention schedules
  • Data processing limited to the minimum necessary for service delivery

6. Processing of Patient Health Data

Role: When a clinician uses CliniVoice AI to process patient information, CliniVoice AI acts as a data processor under UK GDPR Article 28 on behalf of the clinician or their employing organisation (the data controller). This relationship is governed by our Data Processing Agreement.

Special Category Data

Patient health data is Special Category Data under Article 9 of UK GDPR. We process it only on instructions from the data controller (the clinician or their organisation) and only for the purpose of providing the Service.

Lawful basis: Article 9(2)(h) — processing necessary for the provision of health or social care by a health professional.

Data Processed

  • Patient identifiers: full name, date of birth, NHS number, hospital/MRN number
  • Clinical history, diagnoses, and presenting complaints (as dictated by the clinician)
  • Current medications and prescribed treatments
  • Referral information and clinical correspondence content

All of the above is provided by the clinician in the course of their dictation. CliniVoice does not independently collect patient data from any other source.

Batch Transcription

The Service includes a Batch Transcription feature that processes multiple audio or video files in a single session. Each file is transcribed individually and patient data is extracted to generate a clinical letter. Batch-processed audio files are subject to the same deletion schedule as single-file transcriptions. Batch results are stored against your account in the same manner as single-session letters.

AI Processing

Patient data included in clinical dictation is sent to Google Cloud Vertex AI (europe-west2, London) for AI-assisted letter generation — all processing occurs within the UK under Google Cloud’s signed Data Processing Agreement. Transcription is handled by Groq (Whisper Large v3 Turbo) under Groq’s Data Processing Addendum. We do not permit any provider to use patient data to train their models.

NHS Number Handling

Where NHS numbers are included in transcripts or letters, they are stored in our database as a one-way cryptographic hash. The plaintext NHS number is never retained after processing. This ensures we cannot reconstruct or expose NHS numbers in the event of a data breach.

Retention of Patient-Linked Data

Patient-linked clinical letters and transcripts are retained for the period set by the clinician in their account settings (default: 24 months of account activity). All patient-linked data is deleted immediately upon account deletion or upon the clinician’s explicit request.

7. Your API Keys (BYOK — Bring Your Own Key)

CliniVoice allows you to optionally provide your own third-party API keys (for example, a Groq, Google Gemini, or OpenAI API key) to use for transcription and letter generation.

If you choose to provide API keys:

  • Your keys are encrypted using AES-256-GCM before being stored in our database. We do not store keys in plaintext.
  • Keys are used solely to make API requests on your behalf when you use the Service.
  • Keys are never logged, shared, or used for any other purpose.
  • Your keys are deleted immediately when you remove them from your account settings, or when your account is closed.

You are responsible for managing the security of your API keys and for compliance with the terms of service of the respective third-party providers.

8. Third Parties & Sub-processors

We share your data with the following categories of third parties, strictly for the purposes described:

  • Google Cloud (Gemini API / Vertex AI). Purpose: AI letter generation, routed via Vertex AI europe-west2 (London) when available. Location: UK (London, europe-west2). DPA status: signed.
  • Groq, Inc. Purpose: speech-to-text transcription (primary). Audio is processed transiently and deleted immediately after transcription. Groq does not use audio to train models. Governed by Groq’s Privacy Policy and Data Processing Addendum. Location: USA (UK IDTA and EU SCCs with UK Addendum in place). DPA status: pending.
  • OpenAI (Whisper API). Purpose: speech-to-text transcription (fallback, opt-in BYOK only). Location: USA (UK IDTA and EU SCCs with UK Addendum in place). DPA status: pending.
  • Vercel. Purpose: application hosting; serverless functions pinned to lhr1 (London). Location: UK (London, lhr1). DPA status: signed.
  • Supabase. Purpose: database and authentication. Location: UK (London, eu-west-2). DPA status: signed.
  • Stripe. Purpose: payment processing. Location: USA (EU SCCs in place). DPA status: signed.
  • Resend / email provider. Purpose: transactional email delivery. Location: USA (EU SCCs in place). DPA status: pending.

We do not sell, rent, or trade your personal data to any third party.

9. International Data Transfers

Where data is transferred outside the UK, we ensure adequate protection through one or more of the following safeguards:

  • UK adequacy regulations (for transfers to countries with adequate data protection)
  • UK International Data Transfer Agreement (UK IDTA) or EU Standard Contractual Clauses (SCCs) with UK Addendum
  • Data processing restricted to providers with binding corporate rules

Groq (primary transcription provider)

Audio transcription is performed by Groq, Inc. (United States). This constitutes a restricted transfer of special category data (health data) from the UK to a third country. We rely on the UK International Data Transfer Agreement (UK IDTA) and EU Standard Contractual Clauses with UK Addendum (ICO approved, February 2022) as the lawful transfer mechanism under UK GDPR Article 46. Key safeguards in place:

  • Transient processing only — audio is transmitted over TLS, processed, and deleted by Groq immediately after transcription. No audio is retained
  • No model training — Groq contractually prohibits use of customer data for model training
  • Data Processing Addendum — a DPA with Groq governs the processing and establishes UK IDTA obligations
  • BYOK option — clinicians at organisations with heightened data sovereignty requirements may use their own Groq API keys, maintaining their own direct DPA relationship with Groq

10. Data Retention

Data type and retention period:

  • Account data: duration of account + 12 months after deletion
  • Audio recordings: deleted automatically after 30 days, or immediately on user request
  • Transcriptions & letters: duration of account + 30 days after deletion
  • Usage analytics: aggregated after 90 days; raw data deleted after 12 months
  • Payment records: 7 years (UK tax/accounting requirements)
  • Security/audit logs: 12 months
  • CPD portfolio data: 5 years (NHS revalidation requirement)
  • Learning Space chat history: 90 days (patient context anonymised before storage)
  • Letter quality feedback: 2 years; personal identifiers anonymised after 90 days

CPD portfolio data: CPD portfolio entries (reflections, activity logs, competency evidence) are retained for 5 years from the date of creation, in line with NHS revalidation and professional development record-keeping requirements. You may request deletion of individual CPD entries at any time via your account settings.

Learning Space: Learning Space chat sessions may contain patient context provided by you. All Learning Space conversations are automatically anonymised before storage — patient names, NHS numbers, and dates of birth are redacted. Chat history is retained for 90 days.

Letter quality feedback: Letter quality feedback is retained for 2 years to improve AI letter generation. Personal identifiers (user account links) are automatically anonymised after 90 days; the qualitative feedback text is retained in anonymised form.

11. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access (Art. 15) — Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — Request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to restrict processing (Art. 18) — Request that we limit the processing of your data in certain circumstances.
  • Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — Object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.
  • Rights related to automated decision-making (Art. 22) — We do not make solely automated decisions with legal or significant effects on you.

To exercise any of these rights, contact us at privacy@clinivoice.com. We will respond within one calendar month.

12. Subject Access Requests (Patient SARs)

Patients whose data has been processed through CliniVoice AI may submit a Subject Access Request (SAR). Because CliniVoice acts as a data processor (not the data controller), patient SARs should be directed to the clinician or their employing organisation (the data controller).

Where a clinician or their organisation submits a SAR on behalf of a patient, CliniVoice AI will cooperate fully and provide all relevant data within 30 calendar days.

To submit a clinician-initiated SAR on behalf of a patient, contact us at privacy@clinivoice.com. Please include your organisation name, the patient’s hospital number or NHS number, and the date range of processing.

13. Cookies

We use cookies and similar technologies as described in our Cookie Policy. You can manage cookie preferences through your browser settings or our cookie consent banner.

14. Children’s Data

The Service is designed for use by adult healthcare professionals. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected data from a child, we will delete it promptly.

15. Security Measures

We implement appropriate technical and organisational security measures including:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest
  • Multi-factor authentication for administrative access
  • Regular penetration testing and vulnerability scanning
  • Role-based access controls (principle of least privilege)
  • Comprehensive audit logging
  • Incident response procedures with 72-hour breach notification
  • Session anomaly detection: To prevent credential sharing and account abuse, each authenticated API request generates a non-reversible hash (device fingerprint) derived from non-personal browser characteristics (user-agent, screen resolution, timezone, language, hardware concurrency). This hash is processed in memory only, is not stored persistently, and cannot be reversed to identify you. It is used solely to detect multiple concurrent sessions indicative of password sharing. Lawful basis: Legitimate interests (UK GDPR Article 6(1)(f)) — protecting the integrity of the Service and ensuring fair use.

16. ICO Registration

CliniVoice AI Ltd is in the process of registering with the Information Commissioner’s Office (ICO) as a data controller and data processor. Our registration is currently pending. Once confirmed, our ICO registration number will be published here.

In the meantime, you may raise data protection concerns directly with us at privacy@clinivoice.com.

17. Data Processing Agreement

For clinicians and organisations using CliniVoice AI to process patient data, a Data Processing Agreement (DPA) is presented and must be accepted on first use of the Service. This satisfies the requirements of UK GDPR Article 28, which requires a written contract between data controller and data processor.

The DPA sets out:

  • The subject matter, duration, nature, and purpose of processing
  • The type of personal data and categories of data subjects
  • Our obligations and rights as data processor
  • Sub-processor arrangements and appropriate safeguards

You can review the full DPA at /legal/dpa.

18. Data Protection Contact

For all data protection enquiries, please contact:

  • Email: privacy@clinivoice.com
  • Post: Data Protection, CliniVoice AI Ltd, England, United Kingdom

19. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK’s supervisory authority:

  • Information Commissioner’s Office (ICO)
  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We encourage you to contact us first so we can try to resolve your concern directly.

20. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before the changes take effect. The “Last updated” date at the top of this page indicates when this policy was most recently revised.

Questions? Contact legal@clinivoice.com