Data & GDPR

Built for UK private practice — data residency first

Every other AI notes tool was built for the US market and leaves you to do the compliance homework. We eliminate it. Here is exactly how your patients’ data is handled.

✓Your patient data never leaves the UK

All processing and storage happens on UK-hosted infrastructure (UK South / London region). We do not transfer personal data to the United States or rely on the EU–US Data Privacy Framework.

✓ICO registered data controller

AlliedScribe is registered with the UK Information Commissioner's Office. Your patients' data is processed under UK GDPR and the Data Protection Act 2018.

✓You stay the controller; we are your processor

You remain the data controller for your patient records. We act as your data processor under a written Data Processing Agreement, available to every paying customer.

✓No training on your notes

Session content is used only to generate your note. It is never used to train AI models, and is not shared with any third party for marketing or analytics.

✓Consent without the gymnastics

Because nothing is sent overseas and notes aren't recorded as audio by default, you avoid the consent headaches that come with US tools. Standard clinical record-keeping consent is enough.

✓Right to erasure, built in

Delete a note and it's gone. Request full account deletion and we remove all associated personal data within 30 days.

Implementation note (for the build team, remove before launch): The single GDPR pinch-point is the AI model call (see src/lib/llm.ts). It defaults to Azure OpenAI in UK South, so once you supply your UK South resource details the model call stays in the UK under your DPA. Until those are configured, the app runs in fully on-device demo mode, where no session data leaves the browser at all.

This page is a plain-English summary for practitioners. Your formal privacy policy, DPA and ICO registration number should be linked here before public launch.