Legal · updated April 25, 2026

Privacy Policy

At AI Bot we understand that medical data is among the most sensitive. This document briefly and honestly describes what data we collect, why, and how you can manage it.

Contents
  1. General provisions
  2. What data we collect
  3. Purpose of processing
  4. Patient medical data
  5. Legal basis
  6. Storage and security
  7. Sharing with third parties
  8. Your rights
  9. Deletion of Meta data (Facebook and Instagram)
  10. Cookies and analytics
  11. Contacts
01

General provisions

AI Bot is software for healthcare organizations to communicate with patients. We act as a data processor on behalf of the clinic, which is the controller of its own patient data. This document covers the website, the application and the API.

02

What data we collect

  • Clinic account data: name, work email, organization name, role, SSO identifier.
  • Operational data: settings, event logs, usage statistics.
  • Patient correspondence: message text and attachments delivered through connected channels.
  • Technical data: IP, device type, browser language — the minimum required.
03

Purpose of processing

We process data only to:

  • provide the AI assistant and hand off conversations to operators;
  • maintain the integration with Clinica Web and other EMRs;
  • ensure security, audit logging and regulatory compliance;
  • improve the product in an anonymized form.
04

Patient medical data

AI Bot does not diagnose and does not prescribe treatment. The service handles informational requests. If sensitive medical data appears in correspondence, we process it solely on behalf of the clinic, encrypted and with role-based restricted access. We do not use this information to train external models.

05

Legal basis

We process data on the basis of the contract with the clinic, your consent (where applicable) and to pursue legitimate interests — such as security and abuse prevention. Processing complies with GDPR and the Law of Ukraine "On Personal Data Protection".

06

Storage and security

  • Data is stored in data centers within the EU.
  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Access is granted only to authorized personnel under the principle of least privilege.
  • Backups, audit logging, regular independent pentests.
  • Retention period — for the duration of the contract plus the period required by law.
07

Sharing with third parties

We do not sell data. Sharing is only possible with trusted sub-processors (hosting, monitoring, AI model providers) under DPA agreements, and only to the extent necessary to provide the service. The list of sub-processors is available on request.

08

Your rights

You have the right to:

  • obtain a copy of your data;
  • request correction or deletion;
  • restrict processing or object to it;
  • transfer data to another operator;
  • withdraw consent at any time.

Requests can be submitted via [email protected] — we respond within 30 days.

08.1

Deletion of Meta data (Facebook and Instagram)

If you have interacted with the clinic via Facebook Messenger or Instagram, you can initiate data deletion via the Meta Apps and Websites settings, the Meta data deletion instructions page, or by writing to us at [email protected].

After receiving a technical request from Meta, we delete or anonymize direct Meta identifiers, usernames, service payload data and links to patient authentication. Anonymized correspondence records may be retained only where required for handling the inquiry, security, quality audit and the clinic's legal obligations.

The Meta callback returns a confirmation code and a link to the request status.

09

Cookies and analytics

We use technical cookies for authentication and saving settings, as well as anonymized product analytics. There are no advertising cookies or trackers from third-party ad networks. Cookies can be managed in the browser settings.

10

Contacts

Data Protection Officer: [email protected]
General support: [email protected]

If you believe your rights have been violated, you have the right to contact the Ukrainian Parliament Commissioner for Human Rights or the regulator in your country of residence.

Questions about data processing?

Write to our data protection officer — we respond on the same business day.

[email protected]