Privacy Policy

Data Controller: PsychiatristAI Ltd
Registered Office: [Address to be completed]
Company Number: [Number to be completed]
ICO Registration: [Number to be completed]
Contact: privacy@psychiatrist.ai

Where we process health data on behalf of NHS Trusts or other healthcare organizations, we act as a Data Processor. The NHS Trust or healthcare organization remains the Data Controller.

We process personal data under the following legal bases:

• •
  Article 6(1)(e) UK GDPR: Performance of a task carried out in the public interest (provision of healthcare services)
• •
  Article 9(2)(h) UK GDPR: Health or social care purposes, including the management of health or social care systems and services
• •
  Article 9(2)(j) UK GDPR: Archiving, research, and statistical purposes (where applicable, with appropriate safeguards)

All processing is conducted in accordance with NHS Information Governance standards, the Caldicott Principles, and the common law duty of confidentiality.

Direct Care Purposes:

• Recording and tracking patient observations
• Generating clinical summaries and reports (discharge, tribunal, CPA)
• Supporting clinical decision-making and risk assessment
• Facilitating multidisciplinary team communication
• Medication management and safety monitoring

Service Management:

• Clinical audit and quality improvement
• Compliance monitoring (CQC, observation schedules)
• Service planning and resource allocation
• Staff performance and training (aggregated, anonymized)

System Operations:

• Security monitoring and incident response
• System troubleshooting and performance optimization
• Audit trail maintenance for governance

We do not sell, rent, or share patient data with third parties for marketing purposes.

We may share data with:

• •
  Healthcare providers: GPs, community mental health teams, and other NHS services involved in patient care (with lawful basis)
• •
  NHS infrastructure providers: NHS Digital, NHS X (for integration with Spine, Summary Care Record, etc.)
• •
  Cloud service providers: AWS/Azure (UK-hosted, GDPR-compliant data processing agreements in place)
• •
  Regulators: CQC, ICO, NHS England (when legally required)

All third-party processors are bound by Data Processing Agreements (DPAs) and must comply with UK GDPR standards.

We implement robust technical and organizational measures to protect your data:

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Role-based access control (RBAC) with multi-factor authentication
• Regular penetration testing and vulnerability assessments
• ISO 27001 certified information security management
• Cyber Essentials Plus certification
• 24/7 security monitoring and incident response
• Regular staff security awareness training
• Secure backup and disaster recovery procedures

Data retention periods are determined in collaboration with the NHS Trust or healthcare organization:

• Clinical records: Retained per NHS Records Management Code of Practice (typically 8-20 years post-discharge)
• Audit logs: Minimum 6 years (longer if required for litigation)
• System performance logs: 90 days (unless required for incident investigation)
• Anonymized/pseudonymized research data: As per study protocol and ethical approval

Data is securely destroyed at the end of the retention period using certified data destruction methods.

Under UK GDPR, you have the following rights:

Important: Some rights may be limited where processing is necessary for direct care, public health, or legal compliance. Requests should be directed to your healthcare provider's Data Protection Officer in the first instance.

Our website and platform use cookies for the following purposes:

• Essential cookies: Required for login, session management, and security (cannot be disabled)
• Functional cookies: Remember preferences and settings (can be disabled)
• Analytics cookies: Understand how users interact with the platform (anonymized, can be disabled)

We do not use third-party advertising or tracking cookies. You can manage cookie preferences via your browser settings.

PsychiatristAI processes data for patients of all ages, including children and young people (under 18) and vulnerable adults. Additional safeguards are applied:

• Parental/guardian consent obtained where appropriate
• Enhanced safeguarding risk flags and monitoring
• Adherence to Gillick competence principles for consent
• Compliance with Children Act 1989 and Care Act 2014 information-sharing duties