Data & compliance

GDPR, UK data residency & the DPA

Last updated: 1 May 2026.

This page is a technical companion to our Privacy Policy. It documents where data lives, who processes it, and how we comply with UK GDPR / Data Protection Act 2018 in operational detail. For your statutory privacy notice, start at the Privacy Policy.

Where your patient data lives

All clinicpilot databases are hosted on Neon Postgres, region lhr1 (London, United Kingdom). At rest, patient records, treatment history, conversation transcripts and outreach jobs are stored only in UK data centres.

Application code runs on Vercel (Edge Network), which terminates each inbound request at the healthy edge location closest to the requester. For patient-data write paths (CSV imports, conversation persistence) the request is then forwarded to the function region closest to lhr1 (London), so the processing of personal data stays in or near the UK and cross-border movement is limited to the TLS-protected hop from the edge.

Sub-processors

The complete list of third parties who process patient data on our behalf:

  • Neon (database hosting, region lhr1) — clinic and patient records.
  • Vercel (application hosting + edge) — request routing, function execution.
  • Anthropic (Claude API, EU/US) — message drafting. Patient first names, treatment type, and clinic-defined voice tone are sent in prompt context; full names, phone numbers, emails and addresses are never sent. Anthropic's API data-retention terms apply, and API inputs and outputs are not used to train models.
  • Twilio (SMS + WhatsApp Business API delivery) — outbound and inbound messaging.

We will give clinics 30 days' notice before adding a new sub-processor. Existing pilots may terminate without penalty if they object to a new sub-processor.

What we send to Anthropic vs what we keep

Sent to Anthropic for message generation: patient first name, the treatment type (e.g. "anti-wrinkle"), the number of weeks since last treatment, the flow and step intent, the clinic name and voice tone.

Never sent to Anthropic: full names, phone numbers, email addresses, full treatment history, revenue figures, free-text notes from CSV imports, conversation transcripts.

For approved templates, no LLM call happens at all: the exact text the clinic authored is sent directly to Twilio. This is the recommended mode for the WhatsApp Business API, where Meta already requires pre-approved message templates for business-initiated messages (those sent outside the 24-hour customer-service window that a patient's own message opens).

Patient consent & PECR

The UK Privacy and Electronic Communications Regulations (PECR) require prior consent before unsolicited marketing messages are sent to an individual by SMS or similar electronic means; transactional messages are outside that rule. clinicpilot enforces this at the engine level: only patients whose consent_marketing column in your CSV import is set are eligible for marketing flows, and a STOP reply opts a patient out instantly across all future flows.

Quiet hours are respected on every send: by default, messages go out only between 09:00 and 20:00 in the clinic's timezone (default Europe/London), and each clinic's own timezone is applied when computing that window.

Data retention & deletion

Patient records persist for the lifetime of the clinic's clinicpilot account. On account closure or request, we delete the clinic and cascade delete all associated records (patients, treatments, conversations, messages, outreach jobs) within 30 days.

Patients exercise their UK GDPR erasure right with the clinic, which is the controller of their data. The clinic owner then deletes the patient row in clinicpilot, which cascades to all related records (treatments, conversations, messages, outreach jobs).

Data Processing Agreement (DPA)

We provide a standard UK GDPR Data Processing Agreement on request. It follows the ICO's controller-to-processor template and references the sub-processor list above. The DPA is signed before any pilot patient data lands on the platform.

Email dpa@clinicpilot.co.uk to request the DPA.

Security

  • All connections use TLS 1.2+.
  • Database connections from app to Postgres use TLS with certificate verification.
  • Twilio webhooks are validated on every inbound message by recomputing the X-Twilio-Signature (HMAC-SHA1 over the request URL and POST parameters, keyed with the account auth token) and rejecting any request whose header does not match.
  • Sessions use HTTP-only, Secure, SameSite=Lax cookies signed with a per-deployment AUTH_SECRET.
  • Database credentials and API keys are stored as Vercel environment variables; never committed to the repo.
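The X-Twilio-Signature check from the list above, as an added example rather than clinicpilot's handler. Twilio's documented scheme is HMAC-SHA1, keyed with the account auth token, over the full request URL (including any query string) followed by the POST parameters sorted by key and concatenated as key+value with no separators, base64-encoded. The webhook URL, the sample request and the placeholder auth token are constructed assumptions; the comparison is constant-time and the URL is taken from configuration rather than rebuilt from the incoming Host header, which the sender controls.

```typescript
// Added example (not clinicpilot's code). URL, token and request below are constructed.
import { createHmac, timingSafeEqual } from "node:crypto";

type Params = Record<string, string>;

/** Parse an application/x-www-form-urlencoded body into a flat key/value map. */
function paramsFromForm(rawBody: string): Params {
  const out: Params = {};
  for (const [k, v] of new URLSearchParams(rawBody)) out[k] = v;
  return out;
}

/** Twilio's signature: HMAC-SHA1(authToken, url + sorted(key+value)...), base64. */
function twilioSignature(authToken: string, url: string, params: Params): string {
  const data = url + Object.keys(params).sort().map((k) => k + params[k]).join("");
  return createHmac("sha1", authToken).update(data, "utf8").digest("base64");
}

/**
 * Validate an inbound webhook. `publicUrl` must be the exact URL Twilio was configured
 * to call (scheme, host, path, query), taken from our own config, not from request headers.
 */
function validateTwilioRequest(
  authToken: string,
  publicUrl: string,
  params: Params,
  signatureHeader: string | undefined,
): boolean {
  if (!signatureHeader) return false;
  const expected = Buffer.from(twilioSignature(authToken, publicUrl, params), "utf8");
  const given = Buffer.from(signatureHeader, "utf8");
  // timingSafeEqual requires equal lengths; a length mismatch is simply invalid.
  return expected.length === given.length && timingSafeEqual(expected, given);
}

// Constructed sample: an inbound STOP reply as Twilio would post it (hypothetical values).
const SAMPLE_AUTH_TOKEN = "0123456789abcdef0123456789abcdef";            // placeholder, not real
const SAMPLE_WEBHOOK_URL = "https://app.clinicpilot.co.uk/api/twilio/inbound"; // assumed route
const SAMPLE_RAW_BODY =
  "MessageSid=SM00000000000000000000000000000000&From=%2B447700900123&To=%2B447700900456&Body=STOP";
const SAMPLE_PARAMS = paramsFromForm(SAMPLE_RAW_BODY);

/** Demonstration: sign the sample as Twilio would, then validate it and a tampered copy. */
function demo(): { genuine: boolean; tampered: boolean } {
  const header = twilioSignature(SAMPLE_AUTH_TOKEN, SAMPLE_WEBHOOK_URL, SAMPLE_PARAMS);
  const genuine = validateTwilioRequest(SAMPLE_AUTH_TOKEN, SAMPLE_WEBHOOK_URL, SAMPLE_PARAMS, header);
  const tampered = validateTwilioRequest(
    SAMPLE_AUTH_TOKEN, SAMPLE_WEBHOOK_URL, { ...SAMPLE_PARAMS, Body: "YES" }, header,
  );
  return { genuine, tampered };
}
```

Two things bite in practice. First, the signed URL is whatever Twilio actually requested: if the platform rewrites the path or strips the query string before the handler runs, recompute against the configured public URL, not the rewritten one. Second, the body must be parsed from the raw form payload before any framework middleware re-encodes it, because `+` versus `%20` in a phone number changes the signature.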

Contact

For data-protection questions, sub-processor objections, or DPA requests, email dpa@clinicpilot.co.uk.

For the public landing, return to the home page.