Rhazes Clinician — Privacy Policy

Effective date: 22 September 2025

Applies to: Rhazes Clinician at clinician.rhazes.ai (the “Service”).

Controller: Rhazes AI Ltd (“Rhazes”, “we”, “us”, “our”), company registered in England, Company number 14955420. Contact: contact@rhazes.ai

1. Our role

Controller. We act as controller for your account/profile data, device and usage/telemetry data, billing/support data, and our marketing/operations.

Processor. For clinical content you capture or upload via the Service (e.g., consultation recordings, transcripts, notes, uploads, prompts and model outputs) about patients (“Customer Content”), we act as a processor and you act as the controller. You are responsible for having a lawful basis and providing any required notices/consents for recording and processing patient data.

2. Data we collect (illustrative; may evolve)

Account & profile (controller): name, email, password hashes, specialty, professional details you provide (e.g., licence numbers), country/region, preferences, communication settings.

Payments (controller): processed by third‑party payment processors. They collect payment details directly; we receive limited metadata (e.g., last‑four digits, status, amount).

Service & usage (controller): IP address, device and browser information, app version, language/time zone, session identifiers, crash/performance logs, feature‑usage events, authentication events, support interactions.

Customer Content (processor): audio/video recordings you initiate, transcripts, clinical notes, uploads, prompts and outputs generated for you, plus derived metadata (e.g., timestamps, speaker labels) required to provide the Service.

Marketing & communications (controller): newsletter sign‑ups, campaign/referral information, event registrations, survey/feedback.

Third‑party sources (controller): limited information from identity verification/anti‑fraud services or other services you authorise.

Inferences and derived data: we may create internal metrics, diagnostics, quality signals and other derived data from the above for the purposes described below.

3. How we use data (and legal bases)

We use data to:

• Provide and operate the Service (including recording/transcription, drafting documents and clinical decision support): contract necessity for your data; processor role for Customer Content.
• Secure, monitor and prevent abuse: legitimate interests and/or legal obligations.
• Improve and develop the Service (analytics, quality assurance, measurement, debugging): legitimate interests (with minimisation and, where required, controls for non‑essential analytics).
• Communicate with you about the Service and send updates: contract necessity/legitimate interests; consent for marketing where required (you can unsubscribe at any time).
• Comply with law (tax, accounting, lawful requests) and manage risk.
• Research, validation and insights: create analytics and insights, often in aggregated and/or anonymised form. Where personal data is involved beyond what the law otherwise permits, we rely on legitimate interests with safeguards or obtain consent where required.

Special‑category data. Patient/clinical data in Customer Content are health data. We process them only on your documented instructions. If we ever process such data as controller, we will rely on an appropriate GDPR Article 9 condition (typically explicit consent) and apply heightened safeguards.

Automated decision‑making. The Service provides decision support; we do not make solely automated decisions about you that produce legal or similarly significant effects.

4. Recordings, deletion & retention

Your controls. You can delete Customer Content (including recordings and transcripts) at any time.

No soft delete; 7‑day backup hold. When you delete Customer Content, it is removed from active systems without a recoverable “trash”. A restricted copy may persist in disaster‑recovery backups for 7 days solely for integrity and incident‑response purposes, after which it is irreversibly deleted. We cannot restore deleted items.

General retention. Controller‑side account, billing and support records are kept as long as necessary for the purposes above and to meet legal obligations. Technical logs and analytics are retained for operationally appropriate periods and may be kept longer where required by law or to establish, exercise or defend legal claims.

5. Sharing & disclosures

We share data as permitted by law and, for Customer Content, only under your instructions or where legally required. Typical recipients include:

• Vendors/sub‑processors: hosting/compute, storage, AI infrastructure, logging/monitoring, analytics/telemetry, communications, customer support, payment processing, security/anti‑fraud. Providers are bound by confidentiality, security, and (where applicable) data‑processing terms. We may update or replace providers over time.
• Affiliates and professional advisers: for internal operations, compliance and corporate administration.
• Corporate transactions: in a merger, acquisition or asset sale, subject to appropriate protections.
• Legal/safety: to comply with applicable law or valid legal process, or to protect rights, safety and security.

Model training. We do not use your Customer Content to train new models for our own purposes unless you instruct us to do so or you explicitly opt in via a clear, just‑in‑time notice. We may use de‑identified or aggregated information for evaluation and improvement.

6. Data commercialisation (sale/licensing)

To support research, market insights and industry analytics, we may commercialise datasets and insights, including by licensing or selling them to trusted partners under appropriate safeguards:

6.1 Clinician data (controller data)

We may license/sell datasets containing clinicians’ personal data for partners’ independent purposes (e.g., healthcare analytics, research, validation, market insights). These datasets may include professional profile data (e.g., specialty, role, country/region), cohort‑level or event‑level usage metrics, and survey/feedback data. We typically minimise or pseudonymise these datasets and avoid sharing direct identifiers unless necessary for the stated purpose.

Lawful basis: legitimate interests with data minimisation, security safeguards and transparency.

Your choices: You may object at any time to our use or sharing of your clinician personal data for partners’ independent purposes (including sale/licensing) by emailing contact@rhazes.ai; we will honour your objection going forward. Where available, in‑product controls may also be provided.

Measurement/matching: We may share hashed or otherwise encoded identifiers for measurement or audience matching; you can object as above.

6.2 Patient data (derived from Customer Content)

We may create and commercialise anonymised and/or aggregated datasets derived from Customer Content (e.g., statistical patterns, performance metrics, de‑identified clinical trends) and license or sell them to partners. We apply robust anonymisation techniques designed to prevent re‑identification and contractually prohibit re‑identification or targeting of individuals.

We do not sell or share identifiable patient data for partners’ independent purposes.

Where a jurisdiction defines “sale” of personal data, we follow that definition and will provide any required opt‑out/opt‑in mechanisms.

7. International transfers

Data may be transferred internationally (including outside the UK/EEA). We rely on appropriate safeguards such as standard contractual clauses, equivalent transfer tools, adequacy decisions where available, and supplementary measures where needed.

8. Cookies & similar technologies

We use strictly necessary cookies for core functionality (e.g., authentication, security). With consent where required, we may also use analytics/measurement technologies. You can manage preferences in your browser and, where available, within the Service.

9. Your responsibilities as a clinician

You are responsible for: (i) ensuring a lawful basis and required notices/consents for recording consultations and processing patient data; (ii) configuring retention and access controls to meet your obligations; and (iii) complying with applicable professional and local laws (including any rules on audio/video recording).

10. Your rights

When we act as controller for your personal data (e.g., account, usage, marketing), you may have rights to access, rectify, erase, restrict or object, obtain portability, and withdraw consent. We may need to verify your identity and will respond within applicable timeframes. You also have the right to complain to your local supervisory authority. To exercise rights—or to object to clinician‑data sale/licensing—email contact@rhazes.ai.

When we act as processor (for Customer Content), we will assist you in fulfilling data‑subject requests.

11. Security

We implement appropriate technical and organisational measures, including encryption in transit and at rest, access controls, least‑privilege, audit logging, vulnerability management and incident response. We will notify, where required by law, of qualifying personal data breaches.

12. Children

The Service is for licensed clinicians and is not directed to children.

13. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated in‑product or by email. The “Effective date” above shows the latest version.

Contact: contact@rhazes.ai