GDPR & Data Processing Agreement
Controller/processor responsibilities, lawful bases, data categories, subject rights, retention schedule, and Art. 32 technical measures.
What a clinic signs with Hi Human Ltd when it starts using the platform.
Controller and processor
- Controller - The clinic (NHS trust or private practice). They decide the purposes and means of processing patient data.
- Processor - Hi Human Ltd. We process patient data strictly on the clinic's documented instructions under the DPA signed at onboarding.
Lawful bases
| Processing activity | Art. 6 basis | Art. 9 basis (special category) |
|---|---|---|
| Appointment booking, scheduling, reminders | 6(1)(b) contract | - |
| Clinical consultations, diagnosis, treatment planning | 6(1)(b) + 6(1)(c) | 9(2)(h) healthcare provision |
| Prescribing | 6(1)(b) + 6(1)(c) | 9(2)(h) |
| Billing and payments | 6(1)(b) contract + 6(1)(c) tax obligation | - |
| SMS / email / WhatsApp communications | 6(1)(f) legitimate interest | - |
| Voice call recording + AI assistance | 6(1)(b) + explicit consent for recording | 9(2)(h) |
| Audit logging | 6(1)(c) legal obligation (NHS DSPT) | - |
Data categories
Patient personal data
Name, DOB, email, phone, address. NHS number. Next of kin contact.
Special category (health)
Clinical notes, diagnoses, treatment plans. Prescriptions, allergies, medications. Voice call transcripts.
Financial
Invoice amounts, payment status. Card tokens (via Stripe — we never see the PAN).
Staff & system
Staff emails, hashed passwords, TOTP secrets. Audit logs (who did what, when, from which IP). Application telemetry.
Data subject rights
| Right | How it is served | Endpoint / process |
|---|---|---|
| Access (Art. 15) | Clinic staff export on behalf of the patient | GET /api/v2/gdpr/subject-access-request |
| Rectification (Art. 16) | Clinic staff with patient:write permission | PUT /api/v2/patients/{id} |
| Erasure (Art. 17) | Patient request to clinic, clinic submits | POST /api/v2/gdpr/erasure-request (clinical records are exempt under Art. 17(3)(c), read with Art. 9(2)(h), and are retained per the schedule below) |
| Portability (Art. 20) | JSON + CSV export | GET /api/v2/exports |
| Restriction (Art. 18) | Patient deactivation flag | Clinic-side UI |
| Objection (Art. 21) | Per-channel opt-out | Unsubscribe link in every email / SMS |
Retention schedule
| Data type | Retention | Basis |
|---|---|---|
| Patient clinical records | 10 years after last visit | NHS Records Management Code of Practice |
| Audit logs | 7 years | NHS DSPT |
| Voice call recordings | 7 years (immutable blob policy) | PECR + NHS guidance |
| Financial records | 6 years | HMRC requirements |
| Authentication logs | 2 years | Security best practice |
| AI conversation context (Redis) | 24 hours of inactivity | Operational |
Technical and organisational measures (Art. 32)
See Security controls for the full list. Summary:
- AES-256-GCM encryption at rest for all PII fields
- TLS 1.2+ for all data in transit
- RBAC + row-level security + automatic tenant context
- PII scrubbing on all outbound LLM / webhook traffic
- Audit trail on every data access and modification
- Private endpoints for all data stores (no public internet exposure)
- Passwords stored only as salted bcrypt hashes (cost factor 12); the plaintext is never persisted
- MFA enforcement for admin roles
- 35-day point-in-time recovery with geo-redundant backups
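The PII scrubbing control listed above, as an added illustrative example rather than Hi Human's own code: a scrubber run over a constructed outbound LLM payload. The identifier set (NHS number, UK mobile, email, date of birth), the regexes and the placeholder tokens are assumptions about what such a filter covers. The NHS number modulus-11 check digit is the publicly documented algorithm and is used here so that a ten-digit invoice reference that fails the checksum is left untouched. Names and free-text clinical detail need a separate NER or allow-list pass that this example does not attempt.

```python
"""Outbound PII scrubber (added example; not Hi Human's code).

Assumed scope: redact NHS numbers, UK mobile numbers, email addresses
and dd/mm/yyyy dates of birth from text before it leaves the tenant
boundary (LLM prompt, webhook body). Names are deliberately out of
scope: regexes cannot find them reliably.
"""
import re
from typing import Callable, Dict, Tuple

# UK mobile in 07xxx xxx xxx or +44 7xxx xxx xxx form, tolerant of spacing.
_UK_PHONE = re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|\(?07\d{3}\)?)\s?\d{3}\s?\d{3}(?!\d)")
# Ten digits, optionally grouped 3-3-4; only a checksum-valid hit is redacted.
_NHS_CANDIDATE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
_DOB = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")


def nhs_number_is_valid(digits: str) -> bool:
    """Modulus-11 check digit as published in the NHS Data Dictionary.

    Weights 10..2 over the first nine digits; check = 11 - (sum mod 11),
    with 11 mapped to 0 and 10 meaning no valid number exists.
    """
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


def scrub(text: str) -> Tuple[str, Dict[str, int]]:
    """Return the redacted text and a per-category count of redactions.

    Phones are scrubbed first so an 11-digit mobile can never be
    mistaken for a 10-digit NHS number candidate.
    """
    counts: Dict[str, int] = {"phone": 0, "nhs_number": 0, "email": 0, "dob": 0}

    def replacer(kind: str, token: str,
                 accept: Callable[[re.Match], bool] = lambda m: True):
        def _sub(m: re.Match) -> str:
            if not accept(m):
                return m.group(0)          # leave false positives untouched
            counts[kind] += 1
            return token
        return _sub

    text = _UK_PHONE.sub(replacer("phone", "[PHONE]"), text)
    text = _NHS_CANDIDATE.sub(
        replacer("nhs_number", "[NHS_NUMBER]",
                 accept=lambda m: nhs_number_is_valid("".join(m.groups()))),
        text)
    text = _EMAIL.sub(replacer("email", "[EMAIL]"), text)
    text = _DOB.sub(replacer("dob", "[DOB]"), text)
    return text, counts


# Constructed sample payload. 943 476 5919 is the NHS Data Dictionary's
# example number; 07700 900123 is in Ofcom's reserved drama range;
# 1234567890 fails the checksum and must survive.
SAMPLE = ("Patient Jane Doe, NHS number 943 476 5919, DOB 12/05/1984, "
          "mobile 07700 900123, email jane.doe@example.com. "
          "Invoice ref 1234567890 should be left alone.")

if __name__ == "__main__":
    redacted, stats = scrub(SAMPLE)
    print(redacted)
    print(stats)
```

Run the scrubber on the prompt or webhook body immediately before the outbound call, and log only the counts, never the matched values, so the audit trail itself does not become a second copy of the PII.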
Incident notification
- Hi Human Ltd notifies the clinic (controller) within 24 hours of becoming aware of a personal data breach. This is a contractual commitment; Art. 33(2) itself only requires a processor to notify "without undue delay".
- The clinic, as controller, must notify the ICO without undue delay and within 72 hours of becoming aware of the breach (Art. 33(1)), unless the breach is unlikely to result in a risk to individuals.
- Hi Human Ltd provides all technical detail needed for the clinic's ICO notification.
DPO contact
Data Protection Officer: dpo@hihumanai.com