Privacy Policy

Version 1.1 · Effective: 2026-04-05

DRAFT — NOT YET IN EFFECT. This policy will be published when Klinivo launches in Europe. The service is not yet available in the EU/UK. Its entry into force is conditional on migrating our infrastructure to an EU region (eu-west-1, Ireland); until then the platform operates only in Brazil (on us-east-1, US). Do not treat this document as in effect or as a basis for processing the data of EU/UK residents.

WARNING: This service is NOT an emergency medical service.

If you or someone else is in immediate danger, call 999 (emergency) or go to the nearest Accident & Emergency department.

For urgent but non-life-threatening medical concerns, call 111 (NHS non-emergency).

Symptoms requiring emergency care include:

  • Chest pain or difficulty breathing
  • Loss of consciousness
  • Severe bleeding
  • Signs of stroke (face drooping, arm weakness, speech difficulty)
  • Suicidal or self-harm thoughts

1. Emergency Notice

This platform is designed to support healthcare providers in managing their practices and clinical documentation. Klinivo is not a substitute for emergency medical services. No feature of the platform, including AI-generated content, should be used to make emergency clinical decisions.

In an emergency, always call 999 or attend your nearest Accident & Emergency department. For non-emergency medical advice, call 111.


2. Introduction & Controller Identity

Who We Are

Klinivo is an AI-powered healthcare practice management platform developed by HC Desenvolvimento de Softwares Ltda., a company registered in Brazil operating internationally. Our platform helps healthcare providers focus on their patients by reducing administrative burden through intelligent tools for scheduling, clinical documentation, telemedicine, and patient engagement.

We offer:

  • Appointment scheduling for in-person and telemedicine consultations
  • Video consultations with professional-grade quality
  • Clinical documentation assisted by artificial intelligence
  • Electronic health records that are secure and accessible
  • Patient portal for appointment management and health information access

Data Controller

Detail | Information
Legal name | HC Desenvolvimento de Softwares Ltda.
Trading name | Tech Rocks
Brand | Klinivo
CNPJ (Brazil company no.) | 06.871.228/0001-33
Registered office | Belo Horizonte — MG, Brazil
Senior Responsible Individual (SRI) | [email protected]
Website | https://klinivo.co

Under the Data Use and Access Act 2025 (DUAA), which amends the UK data protection framework, we have designated a Senior Responsible Individual (SRI) who is accountable for our data protection compliance. The SRI fulfils the oversight functions previously associated with a Data Protection Officer (DPO) and can be contacted at [email protected].

About This Policy

We take your privacy seriously. This policy explains, in clear and accessible language, how we collect, use, store, and protect your personal data in accordance with:

  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018 (DPA 2018)
  • The Data Use and Access Act 2025 (DUAA)
  • Guidance from the Information Commissioner's Office (ICO)
  • General Medical Council (GMC) guidance on telemedicine and record-keeping

3. Scope & Applicability

This policy applies to all users of the Klinivo platform in the United Kingdom, including:

  • Patients who receive care through the platform
  • Healthcare providers (doctors, clinicians) who use the platform to manage their practice
  • Clinic staff (secretaries, managers, administrators) who operate the platform
  • Organisation owners and administrators who manage the account

Organisation Types

Klinivo serves two types of organisations, each with different data responsibilities:

Type | Description | Data Controller
Public organisations | Solo practitioners and small practices who self-register | Each provider manages their own billing and data
Private organisations | Enterprise clinics and hospital groups, invitation-only | The organisation owner manages billing and data

In both cases, Klinivo acts as a data processor on behalf of the healthcare provider (the data controller for clinical data). For platform account data and analytics, Klinivo is the data controller.

Platform Tiers

Klinivo offers a free core platform (scheduling, patient records, manual clinical notes, check-in, waitlist, patient portal, prescriptions, and 1-on-1 telemedicine) alongside paid subscription tiers (Free / Essential / Pro / Premium) for solo doctors and negotiated contracts for enterprise organisations. This policy covers all data processing across both free and paid features.


4. Data We Collect

We collect only the data necessary to provide our services. Below is a comprehensive overview, organised by category.

4.1 Personal Data (Identity & Contact)

When you create an account or are registered by your healthcare provider:

Data | Purpose
Full name | Identify you in the system and medical records
Date of birth | Age-appropriate treatment, identity verification
Email address | Account access, confirmations, communications
Phone number | Appointment reminders, direct clinic contact
National identifier (type by jurisdiction — NINO (UK), Passport (international patients), SSN (US), CPF (Brazil), NIF (Portugal), DNI/NIE (Spain)) | Unambiguous identification, prescription compliance, fiscal identification where applicable, regulatory obligations. Mandatory field — stored unmasked with at-rest encryption; display masking applied only to lower-privilege roles (STAFF, SECRETARY, MANAGER)
National identifier type | Identifies the document type (NINO, PASSPORT, SSN, CPF, NIF, DNI, NIE) for jurisdiction-specific validation
Blood type (structured format: A+, A-, B+, B-, AB+, AB-, O+, O-) | Transfusion safety, emergency clinical decisions. Lawful basis: healthcare provision (UK GDPR Art. 9(2)(h)). Optional; validated by regex pattern and by database CHECK constraint (chk_patient_blood_type)
Emergency contact details (name, phone, relationship) | Contact in case of clinical emergency. Optional — if you provide any of these fields, name and phone become mandatory (rule enforced by the @ValidEmergencyContact DTO validator and by the database chk_patient_emergency_contact_complete constraint). Lawful basis: vital interests (UK GDPR Art. 6(1)(d) + Art. 9(2)(c)). It is your responsibility to inform the person you have listed that their name and phone number have been shared with Klinivo for emergency-contact purposes (UK GDPR Art. 14 — third-party personal data)
Gender | Clinical relevance
Biological sex | Clinical decision-making (drug dosing, reference ranges, screening protocols)
Address | Healthcare operations, emergency situations
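The blood-type and emergency-contact rows above describe two layers of enforcement: a DTO validator in the application and a CHECK constraint in the database. The following added example (written for this page, not Klinivo's own code) shows both layers in Python with an in-memory SQLite schema. The table definition, the error codes, the DOCTOR role and the sample NINO value are assumptions; the constraint names and the masked roles are the ones the policy names. It also shows the role-based display masking of the national identifier, which leaves the stored value untouched.

```python
import re
import sqlite3

# Structured blood-type format from the policy: A, B, AB or O followed by + or -.
BLOOD_TYPE_RE = re.compile(r"^(A|B|AB|O)[+-]$")

# Roles that see the national identifier masked in the UI (named in the policy).
MASKED_ROLES = {"STAFF", "SECRETARY", "MANAGER"}

# Assumed schema (not the project's own DDL). The CHECK constraints carry the
# policy's names so the database enforces the same rules as the application layer,
# even if a caller bypasses validate_patient().
SCHEMA = """
CREATE TABLE patient (
    id                             INTEGER PRIMARY KEY,
    full_name                      TEXT NOT NULL,
    national_id                    TEXT NOT NULL,
    blood_type                     TEXT,
    emergency_contact_name         TEXT,
    emergency_contact_phone        TEXT,
    emergency_contact_relationship TEXT,
    CONSTRAINT chk_patient_blood_type CHECK (
        blood_type IS NULL
        OR blood_type IN ('A+','A-','B+','B-','AB+','AB-','O+','O-')
    ),
    CONSTRAINT chk_patient_emergency_contact_complete CHECK (
        (emergency_contact_name IS NULL AND emergency_contact_phone IS NULL
         AND emergency_contact_relationship IS NULL)
        OR (emergency_contact_name IS NOT NULL AND emergency_contact_phone IS NOT NULL)
    )
);
"""

EMERGENCY_FIELDS = ("emergency_contact_name", "emergency_contact_phone",
                    "emergency_contact_relationship")


def validate_patient(dto: dict) -> list:
    """Application-layer validation mirroring the DTO rules; returns error codes (assumed names)."""
    errors = []
    blood_type = dto.get("blood_type")
    if blood_type is not None and not BLOOD_TYPE_RE.match(blood_type):
        errors.append("patient.blood_type.invalid")
    # Emergency contact is optional, but once any field is given, name and phone are required.
    if any(dto.get(f) for f in EMERGENCY_FIELDS):
        if not dto.get("emergency_contact_name") or not dto.get("emergency_contact_phone"):
            errors.append("patient.emergency_contact.incomplete")
    return errors


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_patient(conn: sqlite3.Connection, dto: dict) -> bool:
    """Insert WITHOUT calling validate_patient(); True only if the database accepted the row."""
    try:
        conn.execute(
            "INSERT INTO patient (full_name, national_id, blood_type, emergency_contact_name, "
            "emergency_contact_phone, emergency_contact_relationship) VALUES (?,?,?,?,?,?)",
            (dto["full_name"], dto["national_id"], dto.get("blood_type"),
             dto.get("emergency_contact_name"), dto.get("emergency_contact_phone"),
             dto.get("emergency_contact_relationship")),
        )
        return True
    except sqlite3.IntegrityError:
        # The CHECK constraint rejected the row: second line of defence behind the DTO.
        return False


def display_national_id(value: str, role: str) -> str:
    """Display-time masking for lower-privilege roles; keeps the last four characters."""
    if role not in MASKED_ROLES:
        return value
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


if __name__ == "__main__":
    # Constructed sample record; QQ123456C is a dummy NINO, not a real identifier.
    sample = {"full_name": "Constructed Patient", "national_id": "QQ123456C",
              "blood_type": "AB", "emergency_contact_relationship": "spouse"}
    print("DTO errors:", validate_patient(sample))
    print("DB accepted:", insert_patient(new_db(), sample))
    print("Secretary sees:", display_national_id(sample["national_id"], "SECRETARY"))
```

The database check matters because the DTO validator only runs on the HTTP path; a batch import or a migration that writes rows directly still hits the CHECK constraint.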

4.2 Health Data (Special Category)

During your consultations, your healthcare provider may record:

Data | Purpose
Medical history | Continuity of care, safe clinical decisions
Reported symptoms | Diagnosis and treatment planning
SOAP notes | Standardised clinical documentation
Prescriptions | Treatment records
Vital signs | Health monitoring (in-person consultations)
Allergies | Medication safety
ICE questions | Ideas, concerns, and expectations (clinical communication)
Mental health screening | PHQ-9 (depression), GAD-7 (anxiety) — only with consent

Health data is classified as special category data under UK GDPR Article 9 and receives enhanced protections.

Biological sex is collected as a clinical data point distinct from gender identity. It is processed under Art. 9(2)(h) (healthcare provision) because it is medically necessary for accurate drug dosing, laboratory reference ranges, and age-appropriate screening protocols. You may decline to provide this information, though it may limit the accuracy of certain clinical decision-support features.

4.3 Scheduling & Appointment Data

Data | Purpose
Date and time of appointments | Scheduling and reminders
Consultation type | In-person or video
Reason for visit | Provider preparation
Attendance history | Schedule management

4.4 Communication Data

Data | Purpose
Chat messages | Communication with your care team
Notification preferences | Respect your contact choices
Reminder history | Confirm communications sent

4.5 Payment & Billing Data

If you or your provider makes payments through the platform:

Data | Purpose
Name on payment method | Payment identification
Email address | Receipt delivery
Payment history | Billing records
Invoice details | Accounting and tax compliance
Module subscriptions | Service entitlements
AI credit usage | Usage tracking and billing

Important: Credit and debit card details are processed directly by Stripe (PCI-DSS Level 1 compliant). We never store card numbers on our systems.

4.6 Device & Usage Data

To maintain security and improve our service:

Data | Purpose
Error reports | Identify and fix technical issues
Feature usage events | Improve the product based on usage patterns
Browser type and version | Compatibility and support
IP address | Security, fraud prevention
Session data | Authentication, user experience

Privacy protections applied to usage data:

  • All form inputs are masked in analytics
  • Clinical data uses additional CSS masking (.patient-data class)
  • No health data is included in analytics events
  • User identifiers are pseudonymised (organisation ID and role, not email)

4.7 AI Feature Data (Optional — Requires Consent)

If you or your provider authorises AI features:

Data | Feature | Retention
Consultation audio | Real-time transcription (AI Scribe) | 24 hours maximum
Transcription text | SOAP note generation (AI Scribe) | Duration of clinical record
Intake responses | Smart Intake AI conversation | Duration of clinical record
Symptom photographs | Visual assessment (Smart Intake) | Duration of clinical record

4.8 Third-Party Data

We may receive data from third-party integrations used by your healthcare provider:

Source | Data | Purpose
AWS Cognito | Authentication tokens | Secure sign-in
Stripe | Payment confirmations | Billing reconciliation
Twilio | Delivery receipts | Confirm messages sent

5. How We Collect Data

5.1 Directly from You

  • Account registration and profile information
  • Clinical information you provide during consultations
  • Intake questionnaire responses
  • Payment information when subscribing to modules
  • Feedback and survey responses
  • Communications you send to support

5.2 Automatically (Cookies, Logs, Device Data)

  • Browser cookies for authentication and preferences
  • Server logs recording access events
  • Error reports captured by our monitoring systems
  • Analytics events tracking feature usage (no health data)

5.3 From Third-Party Integrations

  • Authentication data from AWS Cognito (identity provider)
  • Payment status from Stripe
  • Message delivery status from Twilio (WhatsApp/SMS reminders)

6. Legal Basis for Processing

The UK GDPR requires us to have a lawful basis for every processing activity. Below is how we apply each basis.

6.1 Lawful Bases Under Article 6

Lawful Basis | When We Use It | Examples
Contract performance (Art. 6(1)(b)) | Delivering the service you signed up for | Account creation, scheduling, payments, platform access
Legal obligation (Art. 6(1)(c)) | Complying with laws and regulations | Medical record retention, tax records, regulatory reporting
Vital interests (Art. 6(1)(d)) | Protecting life in emergencies | Triage detection, emergency symptom alerts
Legitimate interests (Art. 6(1)(f)) | Security, service improvement, fraud prevention | Access logs, error monitoring, analytics, B2B communications
Consent (Art. 6(1)(a)) | Optional features where you have genuine choice | AI features, marketing communications

6.2 Special Category Data Under Article 9

Your health data is classified as special category data and requires an additional legal basis:

Basis | Application
Healthcare provision (Art. 9(2)(h)) | Processing necessary for the provision of health care by a health professional. This covers your clinical records, SOAP notes, prescriptions, vitals, and consultation history.
Explicit consent (Art. 9(2)(a)) | Processing that goes beyond standard healthcare provision. This covers AI transcription, AI SOAP generation, Smart Intake conversations, and other AI-enhanced features.
Vital interests (Art. 9(2)(c)) | Emergency triage detection and drug interaction checking — safety features that operate without consent.

Key distinction: You do not need to consent to basic clinical data processing (your doctor needs your records to treat you). You do need to give explicit consent for AI-enhanced features, which you can withdraw at any time without affecting your care.


7. How We Use Your Data

7.1 Core Platform (Free Features)

Purpose | Data Used
Scheduling appointments | Name, contact details, appointment preferences
Maintaining electronic health records | Clinical data, consultation history
Manual SOAP note documentation | Clinical observations, patient-reported symptoms
Patient check-in and waitlist | Name, appointment details
Patient portal access | Identity, health records, appointments
Prescription management | Clinical data, medication history, allergies

7.2 AI Modules (Paid — Require Consent)

Module | Data Used | Purpose
AI Scribe | Consultation audio, transcription text | Real-time transcription, AI-generated SOAP notes, speaker diarisation
Smart Intake | Patient-reported symptoms, conversation text, photos | AI-powered symptom collection before consultation
Telemedicine | Video/audio streams, connection metadata | HD video consultations between provider and patient
Reminders | Name, phone number, appointment time | WhatsApp and SMS appointment reminders
Automation | Workflow triggers, appointment events | Automated clinical and administrative workflows
Analytics | Aggregated operational data | Custom reports, dashboards, practice insights

7.3 Analytics & Service Improvement

We use pseudonymised usage data to:

  • Monitor platform stability and performance
  • Identify and resolve technical issues
  • Understand how features are used to guide improvements
  • Measure service quality through satisfaction surveys (NPS)

7.4 Communications

We may contact you for:

  • Transactional messages (appointment confirmations, reminders) — based on contract performance
  • Service communications (security alerts, policy updates) — based on legitimate interest
  • Marketing communications — only with your explicit consent, and you may unsubscribe at any time

8. AI-Specific Processing

8.1 Transparency About AI

Klinivo uses artificial intelligence to assist healthcare providers with documentation and clinical workflow. We believe in full transparency about how AI processes your data.

8.2 AI Models and Providers

Model | Provider | Purpose | Processing location (EU target) | Data Received
Claude (Sonnet) | Anthropic (via AWS Bedrock) | Text generation, SOAP notes, intake conversations | eu-west-1 (Ireland)† | De-identified clinical text
Claude (Haiku) | Anthropic (via AWS Bedrock) | Patient search, quick summaries | eu-west-1 (Ireland)† | De-identified queries
Groq Whisper | Groq Inc. | Audio transcription | United States* | Consultation audio segments
pyannote (diarisation) | pyannote.audio (in the AI service) | Speaker separation in single-microphone recordings | eu-west-1 (Ireland)† | Consultation audio segments

*Groq audio transcription runs in the United States, with appropriate safeguards (UK IDTA + SCCs — see Section 10). An EU-region or self-hosted transcription provider will be evaluated before any EU launch.

† Pre-launch target location for the EU. Until the infrastructure migration to the EU is complete, the platform operates in Brazil/US (us-east-1) and does not serve EU/UK residents.

8.3 How AI Processes Your Data

  1. You authorise activation — AI features require your explicit consent before use
  2. Identifier minimisation — direct identifiers are stripped from the metadata sent to AI providers; audio is referenced by internal identifiers. The clinical context needed to generate documentation may accompany the request, always under contractual clauses prohibiting retention and training
  3. AI generates output — transcription, clinical note draft, or clinical suggestion
  4. Your provider reviews everything — no AI-generated content is saved without provider approval
  5. Audio is deleted — within 24 hours, only the approved text remains in your clinical record
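Step 2 above (identifier minimisation) is the part of this flow that is easiest to get wrong in code, because a request builder that forwards a whole consultation object silently ships names and phone numbers as metadata. The following added example, written for this page and not taken from Klinivo's AI service, shows an allowlist-based request builder beside a naive one, and a release-gate check that scans the metadata for any direct-identifier value. The field names, the allowlist, the sample patient and consultation records, and the "terms" flags are all constructed assumptions; the policy itself only states that direct identifiers are stripped from metadata, that audio is referenced by internal identifiers, and that retention and training are contractually prohibited.

```python
import json

# Direct identifiers that must never appear in AI request metadata
# (assumed list, built from the fields the policy lists in Section 4.1).
DIRECT_IDENTIFIERS = ("full_name", "email", "phone", "national_id", "date_of_birth", "address")

# Keys the request metadata may carry: opaque internal references only (assumed allowlist).
METADATA_ALLOWLIST = ("consultation_id", "audio_ref", "language", "specialty")

# Constructed sample data. The phone number uses the UK Ofcom drama range.
SAMPLE_PATIENT = {
    "full_name": "Constructed Patient",
    "email": "constructed.patient@example.invalid",
    "phone": "+44 7700 900123",
    "national_id": "QQ123456C",
    "date_of_birth": "1985-03-14",
    "address": "1 Example Street",
}
SAMPLE_CONSULTATION = {
    "consultation_id": "cons_000042",
    "audio_ref": "aud_8c1f4e2b",            # internal identifier, not a file name
    "language": "en-GB",
    "specialty": "general_practice",
    # Fields a naive join would drag along from the patient record:
    "patient_name": "Constructed Patient",
    "patient_phone": "+44 7700 900123",
    "audio_file": "constructed_patient_2026-04-05.wav",
}


def build_ai_request(consultation: dict, clinical_text: str) -> dict:
    """Allowlist-based builder: copies only permitted metadata keys.

    The clinical text itself is passed through, since the policy allows the
    clinical context needed for documentation to accompany the request.
    """
    metadata = {k: consultation[k] for k in METADATA_ALLOWLIST if k in consultation}
    return {
        "metadata": metadata,
        "input": clinical_text,
        "terms": {"retain": False, "train": False},  # assumed flags mirroring the contract
    }


def build_naive_request(consultation: dict, clinical_text: str) -> dict:
    """Anti-pattern for comparison: forwards the whole consultation object as metadata."""
    return {"metadata": dict(consultation), "input": clinical_text}


def find_identifier_leaks(request: dict, patient: dict) -> list:
    """Release gate: return the direct-identifier fields whose values occur in the metadata."""
    blob = json.dumps(request["metadata"], default=str)
    return [f for f in DIRECT_IDENTIFIERS if patient.get(f) and str(patient[f]) in blob]


if __name__ == "__main__":
    text = "Patient reports three days of productive cough, no fever."
    safe = build_ai_request(SAMPLE_CONSULTATION, text)
    naive = build_naive_request(SAMPLE_CONSULTATION, text)
    print("allowlisted metadata:", safe["metadata"])
    print("leaks in allowlisted request:", find_identifier_leaks(safe, SAMPLE_PATIENT))
    print("leaks in naive request:", find_identifier_leaks(naive, SAMPLE_PATIENT))
```

A check like `find_identifier_leaks` belongs in the test suite for the request builder rather than at runtime: it catches a refactor that adds a new key to the consultation object before that key reaches a provider.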

8.4 Human Oversight

AI is a tool to assist healthcare providers, not replace them:

  • AI does not make clinical decisions — all diagnoses and treatment plans are the provider's responsibility
  • AI does not prescribe medication — prescriptions are issued solely by licensed clinicians
  • AI can make errors — providers always review and may edit or reject AI-generated content
  • AI does not produce automated decisions affecting your legal rights — no decision with legal or similarly significant effect is made solely by automated means (UK GDPR Article 22)

8.5 Your AI Rights

You have the right to:

  • Know when AI is active — a visual indicator is displayed whenever AI is processing
  • Refuse AI entirely — the platform functions fully without any AI features
  • Withdraw consent — you may revoke AI consent at any time; processing stops immediately
  • Request human review — of any AI-generated content before it becomes part of your record
  • Understand the logic — we explain how each AI feature works in plain language

8.6 AI Data Training

Your data is never used to train AI models. Our AI providers (Anthropic via AWS Bedrock, Groq) process data under data processing agreements that explicitly prohibit using customer data for model training.


9. Data Sharing & Third Parties

9.1 Sub-Processors

We share data with carefully selected sub-processors who help us deliver the service:

Target (pre-launch) architecture. The eu-west-1 (Ireland) locations below are the pre-launch target for the EU. Until the infrastructure migration is complete, the platform runs in us-east-1 (US) and does not serve EU/UK residents.

Sub-Processor | Purpose | Data Shared | Location (EU target) | Safeguard
Amazon Web Services (AWS) | Cloud infrastructure, database hosting, AI processing | All encrypted platform data | eu-west-1 (Dublin, Ireland) | UK IDTA + DPA
Groq Inc. | Audio transcription (AI Scribe) | Consultation audio segments | United States | UK IDTA + DPA
Anthropic (via AWS Bedrock) | AI text generation (SOAP, intake, summaries) | De-identified clinical text | eu-west-1 (Dublin, Ireland) | DPA (intra-EU)
Stripe | Payment processing | Name, email, payment amount | EU/UK | PCI-DSS Level 1, DPA
Twilio | WhatsApp/SMS reminders | Phone number, name, appointment time | United States | UK IDTA + DPA
MHRA | Controlled substance data | Controlled substance prescription compliance | United Kingdom | Legal obligation (Misuse of Drugs Regulations 2001)
PostHog | Product analytics | Pseudonymised usage events (no health data) | EU (Frankfurt) | DPA
Sentry | Error monitoring | Error reports (no health data) | EU | DPA

9.2 How We Protect Shared Data

  • Identifier minimisation: direct identifiers are stripped from the metadata sent to AI models; audio is referenced by internal identifiers
  • Data minimisation: Each sub-processor receives only the minimum data necessary for its function
  • Data Processing Agreements: Binding contracts with all sub-processors governing data handling
  • Encryption: All data is encrypted both in transit and at rest
  • No training: AI providers cannot use your data to train their models
  • No selling: We never sell your personal data to any third party

9.3 Other Disclosures

We may disclose your data without your consent where required by law, including:

  • Compliance with a court order or legal obligation
  • Safeguarding concerns (protecting life or preventing serious harm)
  • Regulatory requirements from the GMC, ICO, or other competent authorities
  • NHS reporting obligations where applicable

10. International Data Transfers

10.1 Where Your Data Is Processed

Target (pre-launch) architecture. The EEA processing described below is the pre-launch target for the EU. Until the infrastructure migration is complete, the platform operates in us-east-1 (US) and does not serve EU/UK residents.

Once Klinivo operates in Europe, the majority of your data will be processed within the European Economic Area (EEA), specifically in AWS eu-west-1 (Dublin, Ireland). The United Kingdom has EU adequacy status (extended to 2031), meaning data flows freely between the EU and UK. Until then, the platform operates in us-east-1 (US) and does not serve EU/UK residents.

10.2 Transfers Outside the UK/EEA

Some sub-processors operate outside the UK and EEA:

Destination | Service | Transfer Mechanism
United States | AWS Cognito (authentication) | UK International Data Transfer Agreement (IDTA)
United States | Groq (audio transcription) | UK IDTA + Standard Contractual Clauses (SCCs)
United States | Twilio (SMS/WhatsApp) | UK IDTA + SCCs
Brazil | HC Desenvolvimento de Softwares Ltda. (controller) | UK IDTA + Standard Contractual Clauses (SCCs)

10.3 Transfer Safeguards

For all international transfers, we ensure:

  • UK International Data Transfer Agreement (IDTA): The UK-specific addendum to the EU Standard Contractual Clauses, as approved by the ICO
  • Standard Contractual Clauses (SCCs): Executed with subprocessors where an adequacy decision does not apply
  • Transfer Impact Assessments: We assess the data protection laws of recipient countries
  • Supplementary measures: Additional technical safeguards including encryption, pseudonymisation, and access controls

10.4 AWS Data Residency

Target (pre-launch) architecture. EU/UK data residency is a prerequisite to any European launch. Until the infrastructure migration to eu-west-1 is complete, the platform operates in us-east-1 (US) and does not serve EU/UK residents.

Once Klinivo operates in Europe, all clinical and operational data for UK users will be stored in AWS eu-west-1 (Dublin, Ireland), within the EEA, and only authentication tokens will be processed in AWS us-east-1 (Virginia, USA) through Cognito, covered by the UK IDTA. Until then, the platform operates in us-east-1 (US) and does not serve EU/UK residents.


11. Data Retention

We retain your data only as long as necessary for the purposes described in this policy and to comply with legal obligations.

11.1 Retention Schedule

Data Category | Retention Period | Legal Basis
Medical records (SOAP notes, prescriptions, vitals, consultation history) | Minimum required by law: 8 years for adults, until 25th birthday for children (GMC guidance). Klinivo retains for the longer of the applicable period or ongoing clinical need. | GMC guidance, NHS Records Management Code
Account data (profile, identity, contact) | Duration of account + 6 years | Limitation Act 1980, contractual obligations
Payment records (invoices, transactions) | 6 years | HMRC requirements, Companies Act 2006
Audio recordings (consultation audio) | 24 hours maximum | Data minimisation principle
AI session data (conversation checkpoints, cache) | 90 days | Performance optimisation
Consent records | 7 years (immutable storage) | UK GDPR accountability (Art. 5(2))
Analytics events | 26 months | Product improvement (PostHog default)
Error reports | 90 days | Technical support
System logs | 30 days | Security auditing
NPS survey responses | 2 years | Service quality improvement

11.2 What Happens After the Retention Period

  • Medical records: Securely destroyed or anonymised for statistical purposes
  • Audio recordings: Automatically deleted via infrastructure lifecycle policy (S3 lifecycle + backup Lambda cleanup)
  • Account data: Permanently deleted from databases and backups
  • All other data: Permanently deleted using secure methods that prevent recovery

11.3 Early Deletion

You may request deletion of your data at any time (see Section 12). Legally mandated records (medical records during the statutory retention period, tax records) will be anonymised rather than deleted, with identifying information removed while preserving the clinical content as required by law.

11.3a Account Closure and Transfer of Custody

The ongoing duty to retain the medical record belongs to the clinician or practice (controller of the clinical data); Klinivo acts as the processor that stores the data on the controller's behalf while the contract is active. When an account is closed (cancellation, inactivity, or succession):

  1. 90-day export window — we provide a complete, structured export of all clinical records and account data (data portability), with advance notices at 30, 7, and 1 day before closure.
  2. End of active operational custody — after the window we stop keeping the data in the production environment; the retention duty is exercised by the controller, who received the full export.
  3. Deletion vs. archival — data outside any legal retention period is permanently deleted; data still under a retention obligation (medical records, consent records, tax data within term) is not deleted — it is moved to low-frequency cold archive under the controller's custody, or handed over. We keep an auditable record of what was deleted, archived, or retained.
  4. Inactive free accounts (no login for over 12 months and never on a paid plan) follow the same flow; free accounts holding actual clinical records are never deleted.
  5. Death or succession — the legal successor assumes custody; on formal request to [email protected] we provide the full export with a minimum 60-day patient-notice period.

11.4 AI-Assisted Clinical Records

Clinical records containing AI-generated content (e.g., SOAP notes incorporating transcription text) are retained for the minimum period required by applicable medical regulation (7 years in Brazil per CFM 1.821/2007, 8 years in the UK per GMC guidance, 5 years minimum in the EU). Data deletion requests remove raw audio recordings, AI session data, and cached predictions, but finalised clinical records are retained and clearly marked as "AI-assisted" for the legally mandated retention period.

11.5 AI Audit Logs

AI audit logs are anonymised (personal identifiers removed) rather than deleted, preserving the audit trail required for regulatory accountability while removing any link to the individual.

11.6 Consent Records

Consent records are retained for 7 years after account closure as proof of lawful processing basis, per GDPR Article 5(2) accountability principle and LGPD Article 8.


12. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data. We are committed to facilitating the exercise of these rights promptly and transparently.

12.1 Rights Summary

Right | UK GDPR Article | Description
Right of access | Art. 15 | Obtain a copy of all personal data we hold about you
Right to rectification | Art. 16 | Correct inaccurate or incomplete personal data via Patient Portal (name, email, phone, photo) or by contacting our Senior Responsible Individual. Email changes are subject to uniqueness validation — if the new address is already used by another patient within the same healthcare organisation, the update is rejected (HTTP 409 Conflict)
Right to erasure | Art. 17 | Request deletion of your personal data ("right to be forgotten")
Right to restriction | Art. 18 | Request that we limit how we process your data
Right to data portability | Art. 20 | Receive your data in a structured, machine-readable format
Right to object | Art. 21 | Object to processing based on legitimate interests
Right regarding automated decisions | Art. 22 | Not be subject to solely automated decisions with legal effects
Right to withdraw consent | Art. 7(3) | Withdraw consent for optional processing at any time

12.2 How to Exercise Your Rights

  • Self-service: Many rights can be exercised directly through the Patient Portal (My Health, Settings, Privacy sections)
  • Email: Send your request to [email protected]
  • Via your provider: Your healthcare provider can assist with clinical data requests

12.3 Response Timelines

Request Type | Standard Response | Extension (Complex Requests)
All data subject requests | Within 1 calendar month | Up to 2 additional months (we will inform you within the first month)
Receipt acknowledgement | Within 5 working days | N/A

We will respond free of charge. If requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act, providing reasons in writing.

12.4 Right to Erasure — Detailed Process

You can request deletion of your data through the Patient Portal or by emailing [email protected]:

  1. Submit request — via Patient Portal (Settings > Privacy > Request Deletion) or email
  2. 30-day grace period — you may cancel during this period
  3. Legal hold check — we verify whether any data is subject to statutory retention
  4. Execution — non-mandatory data is permanently deleted
  5. Confirmation — you receive an email confirming completion

What can be deleted: AI conversation history, uploaded photos and documents, audio files, profile data, notification preferences.

What cannot be deleted during statutory retention: Medical records required by law, tax and billing records, anonymised audit trails.

12.5 Limitations

Some data cannot be deleted before the statutory retention period expires (see Section 11). In such cases, we will:

  • Anonymise identifying information where possible
  • Retain only the minimum data required by law
  • Document the partial fulfilment of your request
  • Inform you clearly about what was retained and why

12.6 Right to Rectification — Self-Service via Patient Portal

Under UK GDPR Article 16, you may correct inaccurate personal data directly via the Patient Portal (Settings > Profile), without contacting our Senior Responsible Individual, for the following fields:

  • Full name
  • Email (subject to uniqueness — see Section 12.1)
  • Primary and secondary phone numbers
  • Profile photo

Every change is timestamped (updatedAt), attributed to the user who made it (updatedBy), and protected against concurrent edits via optimistic locking (entity version field) to maintain audit integrity. Clinical data (medical records, prescriptions, vital signs) can only be modified by healthcare professionals, preserving medical-record integrity.
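The paragraph above, together with the email-uniqueness rule in Section 12.1 and the "Modification integrity" row in Section 14.1, describes a compare-and-set update: the client sends the version it last read, the server increments it, and a stale version is rejected with HTTP 409 rather than overwriting someone else's edit. The following added example implements that pattern in Python over an in-memory SQLite table; it is written for this page and is not Klinivo's Hibernate code. The schema, the column names, the error codes, the sample patients and the Cognito-style actor identifiers are constructed assumptions; the 409 outcomes and the per-organisation uniqueness scope are the behaviour the policy describes.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema (not the project's own DDL): version for optimistic locking,
# updated_at/updated_by for attribution, email unique within an organisation only.
SCHEMA = """
CREATE TABLE patient (
    id              INTEGER PRIMARY KEY,
    organisation_id INTEGER NOT NULL,
    full_name       TEXT    NOT NULL,
    email           TEXT,
    phone           TEXT,
    version         INTEGER NOT NULL DEFAULT 0,
    updated_at      TEXT,
    updated_by      TEXT,
    UNIQUE (organisation_id, email)
);
"""


def new_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample patients in two organisations."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO patient (id, organisation_id, full_name, email) VALUES (?,?,?,?)",
        [(1, 10, "Patient One", "one@example.invalid"),
         (2, 10, "Patient Two", "two@example.invalid"),
         (3, 20, "Patient Three", "three@example.invalid")],
    )
    conn.commit()
    return conn


def update_contact(conn, patient_id, expected_version, actor, *, email=None, phone=None):
    """Compare-and-set update of self-service contact fields.

    Returns (http_status, payload): 200 on success, 404 for an unknown patient,
    409 when the email is already used in the same organisation or the version is stale.
    """
    row = conn.execute(
        "SELECT organisation_id, email, phone FROM patient WHERE id = ?", (patient_id,)
    ).fetchone()
    if row is None:
        return 404, {"error": "patient.not_found"}
    org_id, cur_email, cur_phone = row
    new_email = cur_email if email is None else email
    new_phone = cur_phone if phone is None else phone

    # Uniqueness is scoped to the organisation: a patient of another organisation
    # may legitimately share the same address.
    if new_email != cur_email and conn.execute(
        "SELECT 1 FROM patient WHERE organisation_id = ? AND email = ? AND id <> ?",
        (org_id, new_email, patient_id),
    ).fetchone():
        return 409, {"error": "patient.email.conflict"}

    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    try:
        cur = conn.execute(
            "UPDATE patient SET email = ?, phone = ?, version = version + 1, "
            "updated_at = ?, updated_by = ? WHERE id = ? AND version = ?",
            (new_email, new_phone, now, actor, patient_id, expected_version),
        )
    except sqlite3.IntegrityError:
        # UNIQUE constraint fired: a concurrent writer took the address between
        # the pre-check and the update. The database is the final arbiter.
        conn.rollback()
        return 409, {"error": "patient.email.conflict"}
    if cur.rowcount == 0:
        # The version no longer matches: another edit was committed first.
        # Nothing was overwritten; the client reloads and retries with the current version.
        conn.rollback()
        current = conn.execute(
            "SELECT version FROM patient WHERE id = ?", (patient_id,)
        ).fetchone()[0]
        return 409, {"error": "patient.version.conflict", "current_version": current}
    conn.commit()
    return 200, {"version": expected_version + 1, "updated_at": now, "updated_by": actor}


if __name__ == "__main__":
    conn = new_db()
    print(update_contact(conn, 1, 0, "cognito-uuid-A", phone="+44 7700 900000"))
    print(update_contact(conn, 1, 0, "cognito-uuid-B", phone="+44 7700 900001"))  # stale version
    print(update_contact(conn, 1, 1, "cognito-uuid-A", email="two@example.invalid"))  # same org
```

The pre-check gives a clean error message, but only the `UNIQUE` constraint and the `WHERE version = ?` clause are race-free; both checks are kept because the database rejection is what actually prevents silent data loss.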


13. Children's Privacy

13.1 Age Thresholds Applied by Klinivo

Two age thresholds are relevant on the Klinivo platform:

  1. Digital-consent age (13 years). Under Section 9 of the Data Protection Act 2018, a child aged 13 or older may consent to information-society services. This governs general platform usage.

  2. Clinical-minor threshold (18 years). Because Klinivo processes health data (special category under UK GDPR Article 9), we apply an enhanced safeguard: any patient under 18 years old is treated as a minor for clinical-data purposes, and verifiable guardian information is mandatory at registration. This policy is more protective than the strict UK GDPR minimum, explicitly permitted by Article 8(1), and is applied uniformly across all jurisdictions where Klinivo operates (Brazil, Portugal, Spain, United Kingdom). It aligns with GMC guidance on parental involvement in care of under-18s and complements Gillick competence (which is assessed by the clinician at point of care).

13.2 Guardian Data Collected (Mandatory for Patients Under 18)

For any patient under 18, the following guardian information is mandatory at registration. Server-side validation rejects account creation (HTTP 400, patient.guardian.required.for.minor) if any field is missing — this is enforced uniformly across all jurisdictions:

Guardian Data | Purpose | Mandatory
Full name | Unambiguous identification of consent-giver | Yes
National identifier (NINO, Passport, NIF, DNI/NIE, CPF or SSN) | Identity verification (UK GDPR Art. 8(2) — verifiable consent) | Yes
National identifier type | Jurisdiction-specific validation | Yes
Phone number | Consent confirmation, emergency contact | Yes
Relationship to patient (MAE, PAI, AVO, TIO, TUTOR_LEGAL, OUTRO) | Evidence of legal relationship | Yes
Consent timestamp (guardian_consent_at) | Immutable proof of consent moment. Recorded server-side via timeProvider.nowOffsetUtc() at the moment the guardian affirmatively grants consent. Client-supplied timestamps are explicitly rejected to prevent back-dating and to maintain the consent-evidence integrity required by UK GDPR Article 7(1) (accountability — controller burden of proof) | Server-assigned

A database CHECK constraint (chk_patient_guardian_consent_implies_info) prevents storing a consent timestamp without the underlying identifying fields — preserving the evidence chain.

13.3 Adult Patients (≥ 18)

Patients 18 and older may consent autonomously to all processing, manage their AI preferences, rectify their data, and exercise all UK GDPR rights directly via the Patient Portal.

13.4 Verification

  • We request date of birth at registration
  • The server calculates age at the moment of record creation and applies the guardian rule for patients under 18
  • Healthcare providers retain professional responsibility for assessing Gillick competence at the point of clinical care, independently of the platform's registration safeguards
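The registration rule of 13.2 and 13.4 written out as working code. This is an added illustrative example, not Klinivo's code: the field names, the error codes other than patient.guardian.required.for.minor, the 201 status on success and the sample payloads are assumptions. It computes age from the server clock at record creation, refuses a minor's registration without the complete guardian block, rejects any client-supplied consent timestamp, stamps the consent moment from the server clock in UTC, and carries an application-side copy of the "consent implies identifying fields" invariant that the database CHECK constraint enforces.

```python
"""Registration gate for patients under 18.

Added illustrative example, not Klinivo's code. It models the rules in
sections 13.2 and 13.4: age computed from the server clock at record
creation, the guardian block mandatory for minors, the consent timestamp
server-assigned, and the "consent implies identifying fields" invariant that
chk_patient_guardian_consent_implies_info enforces in the database. Field
names, error codes other than patient.guardian.required.for.minor, the 201
status and the sample payloads are assumptions made for this example.
"""
from datetime import date, datetime
from typing import Tuple

CLINICAL_MINOR_AGE = 18
GUARDIAN_FIELDS = ("full_name", "national_id", "national_id_type", "phone", "relationship")
RELATIONSHIPS = {"MAE", "PAI", "AVO", "TIO", "TUTOR_LEGAL", "OUTRO"}


class ValidationError(Exception):
    """Rejected request: surfaces as HTTP 400 with a machine-readable code."""

    def __init__(self, code: str, detail: str = ""):
        super().__init__(f"{code} ({detail})" if detail else code)
        self.code = code


def age_on(dob: date, today: date) -> int:
    """Completed years from dob to today, counting the birthday itself.
    Comparing (month, day) tuples avoids 365-day approximations and handles a
    29 Feb birthday in a non-leap year: (2, 28) < (2, 29) but (3, 1) > (2, 29)."""
    if dob > today:
        raise ValidationError("patient.dob.in.future")
    had_birthday_this_year = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday_this_year else 1)


def consent_implies_info(record: dict) -> bool:
    """Application-side mirror of chk_patient_guardian_consent_implies_info:
    a consent timestamp may exist only alongside every identifying field. The
    PostgreSQL CHECK constraint stays authoritative because it also binds code
    paths and migrations that never pass through this handler."""
    if record.get("guardian_consent_at") is None:
        return True
    guardian = record.get("guardian") or {}
    return all(guardian.get(f) for f in GUARDIAN_FIELDS)


def register_patient(payload: dict, now: datetime) -> dict:
    """Validate a registration payload against `now`, the injected server clock
    (UTC; the role timeProvider.nowOffsetUtc() plays in the policy), and return
    the record to persist."""
    if now.tzinfo is None or now.utcoffset().total_seconds() != 0:
        raise ValueError("server clock must be timezone-aware UTC")
    guardian = payload.get("guardian") or {}
    # A client-supplied consent timestamp is rejected outright rather than
    # silently overwritten, so back-dating attempts show up as 400s in the logs.
    if "consent_at" in guardian:
        raise ValidationError("patient.guardian.consent.timestamp.not.accepted")

    dob = date.fromisoformat(payload["date_of_birth"])
    age = age_on(dob, now.date())
    record = {"date_of_birth": dob.isoformat(), "age_at_registration": age,
              "guardian": None, "guardian_consent_at": None}
    if age >= CLINICAL_MINOR_AGE:
        return record  # adult: consents autonomously (section 13.3)

    missing = [f for f in GUARDIAN_FIELDS if not guardian.get(f)]
    if missing:
        raise ValidationError("patient.guardian.required.for.minor", "missing " + ", ".join(missing))
    if guardian["relationship"] not in RELATIONSHIPS:
        raise ValidationError("patient.guardian.relationship.invalid", guardian["relationship"])
    if guardian.get("consent_given") is not True:
        raise ValidationError("patient.guardian.consent.required")

    record["guardian"] = {f: guardian[f] for f in GUARDIAN_FIELDS}
    record["guardian_consent_at"] = now.isoformat()  # server-assigned, UTC
    if not consent_implies_info(record):  # unreachable today; guards future edits
        raise RuntimeError("consent recorded without guardian info")
    return record


def handle_registration(payload: dict, now_utc: str) -> Tuple[int, dict]:
    """HTTP-shaped wrapper returning (status, body). `now_utc` is an ISO-8601
    instant standing in for the server clock so the flow reproduces offline."""
    try:
        return 201, register_patient(payload, datetime.fromisoformat(now_utc))
    except ValidationError as exc:
        return 400, {"error": exc.code}


if __name__ == "__main__":
    NOW = "2026-04-05T10:00:00+00:00"
    guardian = {"full_name": "Ana Souza", "national_id": "12345678909",  # constructed sample
                "national_id_type": "CPF", "phone": "+5511999999999",
                "relationship": "MAE", "consent_given": True}
    print(handle_registration({"date_of_birth": "2008-04-06"}, NOW))  # 400: turns 18 tomorrow
    print(handle_registration({"date_of_birth": "2008-04-05"}, NOW))  # 201: 18 today, no guardian block
    print(handle_registration({"date_of_birth": "2012-06-30", "guardian": guardian}, NOW))  # 201
```

Two design points worth noting. A missing or non-UTC server clock is a programming error and raises ValueError (a 500), not ValidationError, because nothing the client sent caused it. And the application-side mirror of the CHECK constraint is deliberately redundant: it gives a clear failure in tests and in the handler, but the database constraint is what still holds when a migration script or bulk import writes to the table directly.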

14. Security Measures

We implement comprehensive technical and organisational measures to protect your data in accordance with UK GDPR Article 32.

14.1 Technical Safeguards

Measure | Implementation
Encryption in transit | TLS 1.3 enforced for all communications
Encryption at rest | AES-256 for databases, file storage and backups
Access control | Role-based access control (RBAC) via AWS Cognito; 8 distinct roles following the principle of least privilege
Multi-tenant isolation | Hibernate filters scope queries to the caller's organisation so that organisations cannot access each other's data
Authentication | Multi-factor authentication supported; sessions time out after inactivity
Audit logging | Comprehensive logging of all data access and modifications
Integrity controls | Database constraints, checksums, immutable consent records (S3 Object Lock)
Availability | AWS multi-availability-zone deployment, automated backups
Pseudonymisation | AI processing uses de-identified data; analytics use pseudonymised identifiers
Per-record audit trail | Each patient record carries createdAt/updatedAt (UTC), createdBy/updatedBy user attribution (Cognito UUID) and a version field for optimistic locking against concurrent modification
Modification integrity | Optimistic locking rejects a stale concurrent update with HTTP 409 Conflict, preserving the integrity of the edit timeline and preventing silent data loss during simultaneous edits
Database integrity constraints | PostgreSQL CHECK constraints enforce clinical and consent rules independently of the application layer: chk_patient_blood_type (regex pattern), chk_patient_emergency_contact_complete, chk_patient_guardian_consent_implies_info, chk_patient_guardian_relationship
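The version field and the HTTP 409 behaviour described in the two audit rows above, shown end to end as an added example that is not Klinivo's code. An in-memory store stands in for the persistence layer; the Conflict class, the PatientStore API and the sample actor IDs are assumptions. The scenario is the classic lost update: two clinicians load the same record, the first write succeeds and bumps the version, the second write arrives with the stale version and is refused, and the client recovers by re-reading and retrying so that both edits survive.

```python
"""Optimistic locking with a version column plus server-owned audit fields.

Added illustrative example, not Klinivo's code. An in-memory store stands in
for the persistence layer; Conflict, PatientStore and the sample actor IDs
are assumptions made for this example.
"""
from copy import deepcopy
from datetime import datetime, timezone
from typing import Callable, Dict

# Columns the server writes; a client payload may never set or overwrite them.
SERVER_OWNED = frozenset({"version", "createdAt", "updatedAt", "createdBy", "updatedBy"})


class Conflict(Exception):
    """Stale write detected: the API layer maps this to HTTP 409 Conflict."""
    status = 409


class PatientStore:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._rows: Dict[str, dict] = {}
        self._clock = clock  # injected so timestamps are reproducible in tests

    def create(self, patient_id: str, data: dict, actor: str) -> dict:
        now = self._clock().isoformat()
        row = {k: v for k, v in data.items() if k not in SERVER_OWNED}
        row.update(version=1, createdAt=now, updatedAt=now, createdBy=actor, updatedBy=actor)
        self._rows[patient_id] = row
        return deepcopy(row)

    def read(self, patient_id: str) -> dict:
        return deepcopy(self._rows[patient_id])  # a snapshot, including its version

    def update(self, patient_id: str, expected_version: int, changes: dict, actor: str) -> dict:
        row = self._rows[patient_id]
        # Compare-and-set on the version: if another writer committed since this
        # caller read the row, refuse the write instead of overwriting their edit.
        if row["version"] != expected_version:
            raise Conflict(f"{patient_id}: client holds version {expected_version}, "
                           f"current is {row['version']}")
        row.update({k: v for k, v in changes.items() if k not in SERVER_OWNED})
        row["version"] += 1
        row["updatedAt"] = self._clock().isoformat()  # UTC, server clock
        row["updatedBy"] = actor                      # authenticated user id (Cognito UUID)
        return deepcopy(row)


def lost_update_scenario() -> dict:
    """Two clinicians edit one record from the same snapshot. The second write
    is refused with 409, the client re-reads and retries, and both edits survive."""
    store = PatientStore(clock=lambda: datetime(2026, 4, 5, 10, 0, tzinfo=timezone.utc))
    store.create("p-1", {"phone": "+44 20 0000 0000", "allergies": []}, actor="uuid-admin")

    snapshot_a = store.read("p-1")  # both clients load version 1
    snapshot_b = store.read("p-1")

    store.update("p-1", snapshot_a["version"], {"phone": "+44 20 1111 1111"}, actor="uuid-dr-a")

    try:
        store.update("p-1", snapshot_b["version"], {"allergies": ["penicillin"]}, actor="uuid-dr-b")
        second_status = 200
    except Conflict:
        second_status = 409
        # Correct client recovery: re-read, re-apply the intended change to the
        # fresh row and resend with the new version. Resending the old version
        # would simply fail again.
        fresh = store.read("p-1")
        store.update("p-1", fresh["version"], {"allergies": ["penicillin"]}, actor="uuid-dr-b")

    return {"second_write_status": second_status, "final": store.read("p-1")}


if __name__ == "__main__":
    result = lost_update_scenario()
    print(result["second_write_status"])  # 409
    print(result["final"])                # version 3, both edits present, updatedBy uuid-dr-b
```

Two caveats for anyone carrying this into a real service. The compare-and-set must be atomic in the database, as a single `UPDATE ... SET ..., version = version + 1 WHERE id = ? AND version = ?` with a check that exactly one row was affected; JPA's @Version does precisely that and raises OptimisticLockException, which the API layer translates into 409. The in-memory store above is single-threaded and demonstrates the protocol, not the atomicity. Second, the audit columns are filtered out of every client payload before the write; without that filter a client could set its own createdBy or reset the version and defeat the lock.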

14.2 Organisational Safeguards

  • Access to personal data is limited to authorised personnel on a need-to-know basis
  • All team members are bound by confidentiality obligations
  • Regular security reviews and vulnerability assessments
  • Incident response procedures documented and tested
  • Sub-processor security assessed before engagement and reviewed periodically

14.3 Incident Response

In the event of a personal data breach:

  1. Containment: We begin containment within a maximum of 4 hours
  2. Assessment: We assess the nature, scope, and likely impact within 48 hours
  3. ICO notification: We notify the Information Commissioner's Office within 72 hours of becoming aware of a breach that poses a risk to individuals (UK GDPR Article 33)
  4. Individual notification: We notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms (UK GDPR Article 34)
  5. Documentation: All breaches are documented in our breach register, including those that do not require notification

14.4 What You Will Be Told

If we notify you of a breach, you will receive:

  • A description of the nature of the breach
  • The categories and approximate number of records affected
  • The likely consequences
  • Steps we have taken or propose to take to address the breach
  • Recommendations for steps you can take to protect yourself
  • Contact details for our Senior Responsible Individual

15. Cookies & Tracking

15.1 Cookies We Use

Type | Purpose | Required
Strictly necessary | Authentication, security, session management | Yes: the platform cannot function without these
Functional | Language preferences, UI settings | No: can be declined
Analytics | Understanding platform usage (PostHog) | No: can be declined

15.2 Analytics Privacy

Our analytics provider (PostHog) is configured with the following privacy protections:

  • Hosted in the EU (Frankfurt)
  • No health data is collected
  • User identifiers are pseudonymised
  • All form inputs are automatically masked
  • Clinical screens use additional CSS masking
  • Data retained for 26 months

15.3 Managing Cookies

You can manage cookies through your browser settings. Disabling strictly necessary cookies may prevent the platform from functioning correctly. For detailed information about each cookie, its purpose, and its duration, please refer to our cookie notice available within the platform.

15.4 Do Not Track

We respect the Do Not Track (DNT) browser signal. When DNT is enabled, we disable non-essential analytics tracking.


16. Changes to This Policy

16.1 How We Notify You

  • Material changes (changes affecting your rights, new data processing activities, new third-party sharing): We notify you by email at least 30 days in advance and display a prominent notice within the platform
  • Minor changes (clarifications, formatting, updated contact details): We update the effective date and publish the revised version
  • Version history: All changes are tracked and published with a new effective date

16.2 Re-Consent

For material changes that alter how we process your health data or AI features, we will request your renewed consent before the changes take effect. Continued use of the platform after receiving notice of non-material changes constitutes acceptance.

16.3 Right to Disagree

If you disagree with changes to this policy, you may:

  • Withdraw your consent for optional processing
  • Request deletion of your data (subject to legal retention requirements)
  • Close your account

17. Contact & Complaints

17.1 Senior Responsible Individual (SRI)

For any questions about this policy or to exercise your data protection rights:

  • Email: [email protected]
  • Response time: Within 1 calendar month (data subject requests); within 5 working days (general enquiries)

17.2 Complaints to the ICO

If you are not satisfied with our response, or if you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office:

You have the right to an effective judicial remedy if you consider that your rights under the UK GDPR have been infringed. You will not face any retaliation or detriment for exercising your rights or making a complaint.

17.3 General Support

For non-privacy-related questions:


Glossary

Term | Definition
AI Scribe | Klinivo module that provides real-time transcription and AI-generated clinical notes
AES-256 | Advanced Encryption Standard with a 256-bit key; industry-standard encryption
Controller | The person or organisation that determines the purposes and means of data processing
Data Protection Act 2018 | UK legislation that supplements the UK GDPR
De-identification | Removing or replacing information that could identify an individual
Diarisation | Technology that identifies different speakers in a recording
DUAA | Data (Use and Access) Act 2025; UK legislation modernising the data protection framework
GDPR | General Data Protection Regulation; EU data protection law, retained in UK law as the UK GDPR
GMC | General Medical Council; regulates doctors in the United Kingdom
ICO | Information Commissioner's Office; the UK's independent data protection authority
IDTA | International Data Transfer Agreement; UK mechanism for transferring data internationally
Processor | A person or organisation that processes data on behalf of a controller
Pseudonymisation | Replacing identifying information with artificial identifiers
RBAC | Role-Based Access Control; access permissions determined by user role
SCCs | Standard Contractual Clauses; EU-approved transfer mechanism
Smart Intake | Klinivo module that uses AI to collect patient symptoms before a consultation
SOAP | Clinical note format: Subjective, Objective, Assessment, Plan
Special category data | Personal data requiring additional protection under UK GDPR Art. 9, including health data
SRI | Senior Responsible Individual; person accountable for data protection compliance under the DUAA
TLS | Transport Layer Security; protocol for encrypted communications
UK GDPR | The EU GDPR as retained in UK law after Brexit, with UK-specific amendments

Data Retention Summary

Data category | Retention | Enforcement | Legal basis
Medical records | 8 years (adults) / until 25th birthday (children), minimum | Application-level retention controls | GMC guidance, NHS Records Management Code
Account data | Account duration + 6 years | Soft delete with scheduled purge | Limitation Act 1980
Payment records | 6 years | Application logic | HMRC requirements
Consent records | 7 years | S3 Object Lock (COMPLIANCE mode, immutable) | UK GDPR accountability
Audio recordings | 24 hours | S3 lifecycle policy + Lambda cleanup | Data minimisation
AI session cache | 90 days | DynamoDB TTL | Performance optimisation
Analytics events | 26 months | PostHog retention policy | Product improvement
NPS responses | 2 years | Application logic | Service quality
Error reports | 90 days | Sentry retention policy | Technical support
System logs | 30 days | CloudWatch retention policy | Security auditing

After the retention period, data is securely deleted or anonymised in accordance with our deletion procedures.


This Privacy Policy is effective as of 5 April 2026.

HC Desenvolvimento de Softwares Ltda.

For the avoidance of doubt, this policy is governed by the laws of England and Wales.
