Privacy written for clinical teams, not for filler.

WhiteFieldHealth Ltd (“WhiteFieldHealth”, “we”, “us”) is a company registered in England and Wales and the provider of the WhiteFieldHealth AI medical scribe platform (the “Service”).

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, WhiteFieldHealth Ltd is the data controller for account data. For patient and clinical data, your organisation is the data controller and WhiteFieldHealth acts as a data processor under a Data Processing Agreement (DPA).

We are registered with the Information Commissioner’s Office (ICO) under registration number ZB123456. Our privacy team can be contacted at [email protected].

Clinical notes, transcripts, and audio recordings may contain health data, which is classified as special category data under Article 9 of the UK GDPR. This data is processed under Article 9(2)(h) — processing necessary for preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems and services.

A Data Processing Agreement is in place with each customer organisation governing the processing of patient data. Your organisation, as data controller, is responsible for ensuring a lawful basis exists for recording and processing patient consultations.

For US healthcare use cases, WhiteFieldHealth supports HIPAA-aligned safeguards and can provide a Business Associate Agreement (BAA) where required by contract and deployment scope.

We use personal data for the following purposes:

• Providing the AI transcription and clinical note generation service.
• Authenticating users and managing account access within your organisation.
• Maintaining audit logs for compliance, security, and clinical governance.
• Improving service reliability and performance through anonymised analytics.
• Communicating service updates, security alerts, and, where consented, marketing.
• Responding to support requests and data subject access requests.

All patient data and clinical content is processed and stored within data centres located in the United Kingdom. We do not transfer personal data outside the UK unless required by a specific customer arrangement, in which case we rely on UK adequacy decisions or Standard Contractual Clauses (SCCs) as approved by the ICO under Article 46 of the UK GDPR.

Under the UK GDPR, you have the following rights in relation to your personal data:

• Right of access (Art. 15) — request a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — request correction of inaccurate data.
• Right to erasure (Art. 17) — request deletion where there is no compelling reason for continued processing.
• Right to restrict processing (Art. 18) — request that we limit how we use your data.
• Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21) — object to processing based on legitimate interest.
• Rights related to automated decision-making (Art. 22) — request human review of decisions made solely by automated processing.

To exercise any of these rights, contact our support team at [email protected]. We will respond within 30 calendar days.

We implement layered technical and organisational measures to protect personal data and clinical content across account, API, and infrastructure boundaries.

Controls include AES-256 encryption at rest, TLS 1.3 encryption in transit, role-based access controls, multi-factor authentication support, regular penetration testing, and immutable audit logging.

For fuller detail on our security posture, see our Security & Compliance page.

We may update this Privacy Policy from time to time. Material changes will be communicated via email to account holders and posted on this page at least 30 days before taking effect. The “Last updated” date at the top of this page indicates the most recent revision.