Privacy Notice

Last updated: 2026-03-14

This notice describes how the current application build processes personal data in user accounts, patient profiles, appointments, sessions, medical records, uploaded files, DSAR workflows, archived patient folders, video sessions, and security operations.

Data Controller

The controller of personal data processed through this platform is the licensed professional using this account.

If you are a patient or data subject, use the contact details provided by the professional managing your record.

Categories of Data
  • Account and identity data: user name, email address, password hash, preferred language, account status, subscription metadata, verification tokens, and password-reset tokens.
  • Patient profile data: first name, last name, email, phone, address fields, and lawful-basis / consent metadata entered for compliance purposes.
  • Scheduling data: appointment dates, times, comments, attendance/session references, and related email notifications.
  • Clinical and session data: session timestamps, notes, transcripts, summaries, SOAP content, AI analyses, speaker labels, and related session metadata.
  • Medical record data: anamnesis, diagnoses, objectives, clinical notes, interventions, exported HTML, and uploaded document/image attachments.
  • Video-session data when used: room identifiers, access tokens, signalling data, participant display names, optional recordings, and recording files moved into session storage.
  • Technical and security data: login attempts, rate-limit and lockout data, IP address and user-agent information, session and CSRF state, audit/incident logs, and operational error logs.

Health-related information entered into patient profiles, notes, transcripts, recordings, or medical records may constitute special-category personal data.

Sources of Data

Data comes directly from the professional using the platform, from patients or other data subjects during scheduling or remote sessions, from uploaded files and recordings, and from system-generated outputs such as transcripts, summaries, analyses, logs, and access records.

Purposes and Legal Basis

Data is processed to provide account registration, login, scheduling, session documentation, remote consultation support, medical-record management, file handling, invoicing support, DSAR handling, security, and system administration.

Where AI or transcription features are used, data is processed to generate transcripts, speaker-role identification, summaries, SOAP notes, and session analysis requested by the controller.

The controller must determine a valid GDPR Article 6 legal basis and, where health or other special-category data is processed, an applicable Article 9 condition. The application can enforce lawful-basis and consent checks before AI summaries, AI analysis, and transcription are allowed.

AI Assistance and Automated Decisions

AI and speech-to-text outputs are assistive tools only. They can be inaccurate and must be reviewed by the professional before use in care, records, or communications.

The current codebase does not perform solely automated decision-making that produces legal effects or similarly significant effects for patients.

Data Processors and Recipients

Data is stored in application-controlled storage for the account owner and may be disclosed to service providers used for email delivery, transcription, or AI assistance when those features are enabled.

  • When email delivery is configured, Aruba SMTP is used for account verification, password-reset, and appointment emails (smtps.aruba.it / smtp.aruba.it).

Configured external AI/transcription processors for this deployment:

  • Soniox: Speech-to-text transcription (https://api.eu.soniox.com)
  • Mistral: Summaries, SOAP notes, role identification, and session analysis (https://api.mistral.ai/v1)

This deployment is currently configured so that every enabled AI/transcription processor listed above uses either an explicit EU endpoint or a provider endpoint that the provider officially describes as EU-hosted by default.

For speech-to-text, this deployment uses Soniox EU endpoints. The application also attempts to delete Soniox transcription jobs and uploaded files from the provider after processing completes or fails.

For AI summaries and analysis, this deployment uses the default Mistral API endpoint (`api.mistral.ai`). Mistral states that its default endpoint is hosted in the EU unless a US endpoint is explicitly used.

The application itself does not use AssemblyAI for transcription in this deployment.

Claims that processor data is never retained, never transferred outside the EU, or never used for model training cannot be guaranteed by application code alone. Those statements depend on the provider-specific terms, regional configuration, plan, and account settings verified by the controller for each enabled provider.

International Transfers and Processor Location

External processor location depends on the configured provider endpoints and account settings. This build can be configured for EU endpoints for some providers, but the controller remains responsible for verifying processor-region settings, subprocessors, contractual terms, and transfer safeguards before using a provider.

Cookies and Session Technologies

The current codebase uses server-side session cookies and CSRF tokens to authenticate users and protect requests. We did not identify advertising or analytics trackers in the current codebase.

Retention

Retention rules are configurable and enforced automatically for several operational stores. Unless a controller deletes data earlier, the current retention settings for this deployment are:

  • Application logs: 90 days
  • Async job files: 30 days
  • Async archived jobs: 30 days
  • Uploads: 14 days
  • Transcripts: 180 days
  • Session audio: 14 days
  • Session backups: 30 days
  • Full session folders: disabled

Medical record version history keeps the current record plus up to 10 prior JSON versions unless they are overwritten or deleted.

DSAR export ZIP/JSON files are generated on demand and remain in export storage until manually removed or deleted during a DSAR erasure workflow.

Archiving a patient moves data from the active patient store to the archive store. Archiving is an organisational status change, not deletion.

Video room metadata and access tokens are time-limited operational records. If recordings are saved into a session, they follow the session/audio retention settings.

Data Subject Rights

Data subjects may request access, a copy/export, rectification, restriction, objection, portability where applicable, and erasure, and may withdraw consent where consent is the basis.

How To Exercise Rights

Requests should be submitted to the professional/controller managing the patient record. The application provides DSAR export and DSAR erasure tooling, but the controller remains responsible for identity verification, legal assessment, and responding within GDPR deadlines.

If data has already been sent to an external processor, the controller may need to handle follow-up deletion or restriction requests with that processor separately.

Lawful Basis Controls

When lawful-basis enforcement is enabled, AI summaries, AI analysis, and transcription are blocked unless the patient record has a lawful basis set. If the lawful basis is consent, consent status must be granted before those features can run.
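The gate described above, written out as an added illustration rather than the application's own code: the record field names (`lawful_basis`, `consent_status`), the feature labels, the enforcement flag and the keyed-hash pseudonym used for the audit entry are all assumptions.

```python
"""Lawful-basis gate for AI summaries, AI analysis and transcription,
plus a pseudonymised audit entry for the decision.

Added example; not the application's own code. Field names, feature
labels and the hashing scheme are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# GDPR Article 6 bases a patient record may carry (labels are assumed).
ARTICLE_6_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}
# Features the notice says are blocked without a lawful basis.
GATED_FEATURES = {"ai_summary", "ai_analysis", "transcription"}


@dataclass
class PatientRecord:
    patient_id: str
    lawful_basis: Optional[str] = None    # None: no basis recorded yet
    consent_status: Optional[str] = None  # "granted", "withdrawn", "pending"


def check_feature_allowed(record: PatientRecord, feature: str,
                          enforcement_enabled: bool = True) -> tuple[bool, str]:
    """Return (allowed, reason). Blocks when no valid basis is set, or when
    the basis is consent but consent is not currently granted."""
    if feature not in GATED_FEATURES:
        return True, "feature not gated"
    if not enforcement_enabled:
        return True, "enforcement disabled"
    basis = record.lawful_basis
    if basis not in ARTICLE_6_BASES:
        return False, "no valid lawful basis recorded"
    if basis == "consent" and record.consent_status != "granted":
        return False, f"consent basis but status is {record.consent_status!r}"
    return True, f"lawful basis {basis}"


def audit_entry(record: PatientRecord, feature: str, allowed: bool,
                reason: str, log_key: bytes) -> dict:
    """Audit record keyed by an HMAC of the patient id, so the log line
    itself does not carry the identifier (pseudonymised logging)."""
    pseudonym = hmac.new(log_key, record.patient_id.encode(),
                         hashlib.sha256).hexdigest()[:16]
    return {"subject": pseudonym, "feature": feature,
            "decision": "allow" if allowed else "block", "reason": reason}
```

The same check is applied to all three gated features; a withdrawn or pending consent status blocks them just as a missing basis does.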

Security Measures

The platform uses account authentication, password hashing, session management, CSRF protection, rate limiting, account lockout controls, encrypted file storage for sensitive stores, MIME/type validation for uploads, pseudonymised logging where configured, and incident/event logging.

No internet-facing or local system can guarantee absolute security. Controllers should also apply organisational measures such as device security, access discipline, backups, and processor contracts.

Contact and Complaints

Data subjects may contact the controller using the contact details supplied by the professional and may lodge a complaint with their competent supervisory authority if they believe processing infringes GDPR.
