Privacy Policy

Effective Date: May 2026

Last Updated: May 2026

Introduction

Clinic Companion Ltd ("Clinic Companion", "we", "our", or "us") is committed to protecting and respecting the privacy and security of personal data.

This Privacy Policy explains how we collect, use, process, store and protect personal information when individuals use the Clinic Companion platform and associated services.

Clinic Companion is a clinician-facing platform designed to support healthcare professionals with clinical documentation workflows, including ambient consultation capture, speech recognition, AI-assisted clinical note generation and related healthcare administrative processes.

This policy applies to:

  • healthcare professionals using the platform
  • healthcare organisations using the platform
  • visitors to our website
  • individuals communicating with us
  • prospective employees and contractors

We process personal data in accordance with:

  • UK GDPR
  • Data Protection Act 2018
  • NHS information governance requirements
  • applicable healthcare confidentiality obligations

Contact Details

If you have questions regarding this Privacy Policy or how your information is handled, you may contact us using the details below.

Clinic Companion Ltd
Company Number: 16172125
General enquiries: info@cliniccompanion.com
Information Governance / Data Protection enquiries: info@cliniccompanion.com

You may contact us to:

  • request access to your information
  • request correction of inaccurate information
  • request deletion where applicable
  • exercise your data protection rights
  • raise concerns regarding privacy or security
  • ask questions regarding this policy

About Clinic Companion

Clinic Companion provides a cloud-based clinician support platform intended primarily for use within GP and primary care environments.

The platform supports authorised healthcare professionals with:

  • consultation documentation
  • speech recognition and transcription
  • structured clinical note generation
  • referral and correspondence drafting
  • workflow and administrative support

The platform is designed to support clinicians in delivering healthcare services while reducing administrative burden.

Final clinical responsibility always remains with the healthcare professional reviewing and approving generated content.

Roles and Responsibilities Under Data Protection Law

For patient data processed through the platform:

  • the relevant NHS organisation, GP practice, Primary Care Network, NHS Trust or other healthcare provider acts as the Data Controller
  • Clinic Companion Ltd acts as the Data Processor providing the hosted platform and associated support services on behalf of those organisations

Clinic Companion may also act as a Data Controller for limited business administration activities relating to:

  • user account management
  • supplier management
  • billing and finance
  • recruitment
  • legal and regulatory obligations
  • service security and operational monitoring

Information We Collect

We may collect and process the following categories of personal data.

Clinician and User Information

This may include:

  • name
  • NHS email address
  • contact details
  • role or job title
  • organisation details
  • NHS organisation identifiers (such as ODS codes)
  • authentication identifiers
  • user account information
  • audit and access logs
  • IP address and session information

NHS CIS2 Authentication Information

Where NHS CIS2 Authentication is used, Clinic Companion receives limited identity and authentication information from NHS England identity services in order to authenticate authorised healthcare professionals and manage secure access to the platform.

This information may include:

  • NHS CIS2 subject identifiers
  • clinician name
  • NHS email address
  • organisation information
  • role information
  • authentication metadata

This information is processed solely for:

  • authentication
  • access control
  • audit logging
  • security monitoring
  • operational support

Patient and Clinical Information

Patient and clinical data processed through the platform may include:

  • consultation audio
  • dictated content
  • patient demographics
  • symptoms and clinical history
  • examination findings
  • diagnoses
  • treatment plans
  • referral information
  • generated clinical documentation outputs

Patient data is processed only for the minimum period necessary to support requested clinical documentation workflows, clinician review and associated operational requirements.

Where appropriate, patient information is pseudonymised — direct identifiers are removed or replaced before content is used for any secondary purposes such as service improvement or quality assurance. Pseudonymised data is held under strict access controls and is never used to train public or shared AI models.

Technical and Device Information

We may collect:

  • browser type
  • operating system
  • device identifiers
  • IP addresses
  • connection metadata
  • usage logs
  • security monitoring information

Recruitment Information

Where individuals apply for employment or contractor roles, we may process:

  • CVs and application materials
  • employment history
  • references
  • qualifications
  • interview notes

How We Collect Information

We collect information through:

  • user registration and onboarding
  • use of the platform
  • direct communications with us
  • healthcare organisations using the platform
  • NHS identity services
  • support interactions
  • website usage
  • cookies and analytics technologies
  • recruitment processes

How We Use Information

We process personal data for the following purposes.

Service Provision

To:

  • provide access to the platform
  • authenticate users
  • support healthcare documentation workflows
  • generate clinical documentation outputs
  • maintain system functionality

Security and Access Control

To:

  • authenticate authorised healthcare professionals
  • maintain audit logs
  • detect unauthorised access
  • investigate incidents
  • monitor platform security

Service Improvement

To:

  • improve platform performance
  • improve usability and reliability
  • identify operational issues
  • analyse system behaviour using de-identified or aggregated information where appropriate

Patient data is not used to train public or shared AI models.

Communications

To:

  • send operational notifications
  • provide support
  • communicate important service updates
  • respond to enquiries

Legal and Regulatory Obligations

To:

  • comply with applicable laws
  • support healthcare regulatory obligations
  • cooperate with regulators and law enforcement where legally required

Data Storage and Hosting

Personal data and special category health data associated with the service is hosted and managed within UK-based infrastructure environments.

Core application hosting, database infrastructure, storage and operational logging are maintained within UK regions.

Data is encrypted:

  • in transit using TLS 1.2+
  • at rest using industry-standard encryption controls

Patient and clinician data is retained only for the minimum period necessary in accordance with:

  • applicable legal obligations
  • controller instructions
  • retention schedules
  • operational and security requirements

AI and Transcription Sub-Processors

Clinic Companion uses carefully selected transcription and AI processing providers to support:

  • speech recognition
  • transcription
  • AI-assisted clinical documentation functionality

Appropriate contractual, security and data protection controls are maintained with these providers.

Where applicable:

  • zero data retention configurations are implemented
  • data minimisation controls are applied
  • contractual data protection obligations are maintained

Patient data is never used to train, develop or improve any public, shared or third-party AI models. Where transcription or AI providers are used, they are contractually prohibited from retaining or training on customer data.

No special category data is intentionally retained outside the United Kingdom.

A qualified healthcare professional always reviews, edits and approves any AI-generated clinical documentation before it is used or saved into a clinical system. Clinic Companion does not make solely automated clinical decisions, and the platform is not used as a substitute for clinical judgement.

Relevant processing arrangements are documented within our DPIA, supplier agreements and associated information governance documentation.

Sharing of Information

We may share personal data where necessary with:

  • healthcare organisations using the platform
  • authorised clinicians
  • hosting and infrastructure providers
  • carefully selected service providers and sub-processors
  • professional advisers
  • auditors and regulators
  • law enforcement or public authorities where legally required

We only share information necessary for the relevant purpose and subject to appropriate contractual and security controls.

We do not sell personal data.

International Transfers

Clinic Companion seeks to minimise international transfers of personal data.

Where third-party providers are used, we implement appropriate safeguards and contractual protections in accordance with UK GDPR requirements.

No special category data is intentionally retained outside the United Kingdom.

Cookies and Analytics

We use cookies and similar technologies to:

  • maintain secure sessions
  • improve website functionality
  • understand website usage
  • improve platform performance

Users may manage cookie settings through their browser.

Blocking cookies may affect functionality.

Analytics technologies are configured to avoid unnecessary processing of patient-identifiable clinical information.

Information Security

Clinic Companion maintains formal information security and governance controls including:

  • access controls
  • encryption
  • audit logging
  • security monitoring
  • staff confidentiality obligations
  • secure software development practices
  • vulnerability management
  • penetration testing
  • incident management procedures
  • data minimisation practices

Security measures are regularly reviewed and updated.

Retention and Deletion

We retain personal data only for as long as necessary for:

  • service provision
  • legal and regulatory obligations
  • security and audit requirements
  • controller instructions

Where information is no longer required, it is securely deleted or anonymised.

Your Rights

Individuals may have rights under UK GDPR including:

  • access to personal data
  • rectification of inaccurate data
  • erasure in certain circumstances
  • restriction of processing
  • objection to processing
  • data portability
  • complaint to the Information Commissioner's Office (ICO)

Requests may be submitted to: info@cliniccompanion.com

We aim to respond to all data subject requests within one calendar month of receipt, in line with UK GDPR. In limited circumstances — for example where a request is particularly complex — we may extend this period by up to a further two months and will let you know if that applies.

We may require identity verification before responding.

Complaints

If you are dissatisfied with how we handle personal data, please contact us first so we can attempt to resolve the issue.

You also have the right to complain to the UK Information Commissioner's Office (ICO).

Website: https://ico.org.uk

Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

  • changes in law
  • changes to our services
  • changes to technology or processing activities
  • security or governance improvements

The latest version will always be published on our website.