GDPR
At a glance
- Regulation
- EU 2016/679, UK GDPR / DPA 2018
- Our role
- Processor (and controller for our own account data)
- Lawful bases
- Consent, Contract, Legitimate interests
- Data residency
- UK / EU regions
- DPIA
- Completed and maintained
- DPA
- Available with SCCs for transfers
Scope
This statement covers all personal data Desha.ai processes through MedNote, DocNote, the Health Responsibility Score and the HeartBeat platform, including identity data, contact details, prescription and medication data, adherence events, and conversation content captured with consent.
Lawful basis & consent
Every processing activity is mapped to a lawful basis. Patient-facing health processing relies on explicit, granular, plain-language consent captured at onboarding; clinician and operational processing relies on contract and legitimate interests assessed via an LIA.
- Consent is granular (per channel and per purpose), logged, and revocable at any time without affecting care.
- Special-category (health) data is processed under Article 9 conditions with explicit consent and, where relevant, the provision-of-healthcare condition.
- No selling of personal data; no use of identifiable patient data to train third-party foundation models.
Data subject rights
We support all GDPR data subject rights end-to-end, with a target response well inside the statutory one-month window.
| Right | How it is served |
|---|---|
| Access | Self-service export plus DSAR handling via the customer / DPO |
| Rectification | In-app editing and correction workflows |
| Erasure | Account and data deletion with downstream propagation |
| Portability | Structured, machine-readable export (incl. FHIR R4) |
| Restriction & objection | Consent withdrawal and processing holds |
Governance
- Records of Processing Activities (Article 30) maintained.
- Data Protection Impact Assessment (DPIA) completed for high-risk processing and kept current.
- A named data protection contact / DPO function and an incident response process with a 72-hour breach-notification path.
- Article 28 processor terms (DPA), including sub-processor flow-down and Standard Contractual Clauses for any international transfer.
International transfers
Primary processing and storage use UK / EU regions. Where a transfer outside the UK/EEA is unavoidable, it is covered by the UK IDTA or EU Standard Contractual Clauses together with a transfer risk assessment.
Documentation available on request
- Data Processing Agreement (DPA) with SCCs / IDTA
- DPIA summary
- Records of Processing Activities (ROPA) summary
- Sub-processor list
Provided to qualified reviewers under a mutual NDA via contactus@desha.ai.
