Skip to content
Data ProtectionAligned

EU & UK General Data Protection Regulation

Desha.ai processes personal and health data in line with the EU GDPR (2016/679) and the UK GDPR / Data Protection Act 2018. Processing is consent-governed and purpose-limited, data subjects can exercise their rights at any time, and we operate as a processor under Article 28 terms for our healthcare customers.

Request documentation Last reviewed June 2026
DESHA.AI Trust Center

GDPR

EU & UK General Data Protection Regulation
Status: Aligned
Jurisdiction: United Kingdom & European Union
Reviewed: June 2026

At a glance

Regulation
EU 2016/679, UK GDPR / DPA 2018
Our role
Processor (and controller for our own account data)
Lawful bases
Consent, Contract, Legitimate interests
Data residency
UK / EU regions
DPIA
Completed and maintained
DPA
Available with SCCs for transfers

Scope

This statement covers all personal data Desha.ai processes through MedNote, DocNote, the Health Responsibility Score and the HeartBeat platform, including identity data, contact details, prescription and medication data, adherence events, and conversation content captured with consent.

Lawful basis & consent

Every processing activity is mapped to a lawful basis. Patient-facing health processing relies on explicit, granular, plain-language consent captured at onboarding; clinician and operational processing relies on contract and legitimate interests assessed via an LIA.

  • Consent is granular (per channel and per purpose), logged, and revocable at any time without affecting care.
  • Special-category (health) data is processed under Article 9 conditions with explicit consent and, where relevant, the provision-of-healthcare condition.
  • No selling of personal data; no use of identifiable patient data to train third-party foundation models.

Data subject rights

We support all GDPR data subject rights end-to-end, with a target response well inside the statutory one-month window.

RightHow it is served
AccessSelf-service export plus DSAR handling via the customer / DPO
RectificationIn-app editing and correction workflows
ErasureAccount and data deletion with downstream propagation
PortabilityStructured, machine-readable export (incl. FHIR R4)
Restriction & objectionConsent withdrawal and processing holds

Governance

  • Records of Processing Activities (Article 30) maintained.
  • Data Protection Impact Assessment (DPIA) completed for high-risk processing and kept current.
  • A named data protection contact / DPO function and an incident response process with a 72-hour breach-notification path.
  • Article 28 processor terms (DPA), including sub-processor flow-down and Standard Contractual Clauses for any international transfer.

International transfers

Primary processing and storage use UK / EU regions. Where a transfer outside the UK/EEA is unavoidable, it is covered by the UK IDTA or EU Standard Contractual Clauses together with a transfer risk assessment.

Documentation available on request

  • Data Processing Agreement (DPA) with SCCs / IDTA
  • DPIA summary
  • Records of Processing Activities (ROPA) summary
  • Sub-processor list

Provided to qualified reviewers under a mutual NDA via contactus@desha.ai.

This page summarises Desha.ai’s posture for due-diligence review and does not disclose internal systems or security-sensitive detail. It is informational and not a warranty or legal advice. For contractual terms request our DPA / BAA at contactus@desha.ai.