Privacy Policy

1) We're here to help. Get in touch.

If you have questions about how we handle your information—or you want to exercise your rights—please contact us:

• Email (general/privacy): privacy@docyment.com
• Support: support@docyment.com
• Postal address: Docyment Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UK

You can contact us to:

• ask questions
• update your information
• update or delete your Docyment Platform account
• change your preferences (e.g., marketing)
• register a concern or complaint
• opt out of marketing
• exercise your data protection rights (see Section 11)

If you're not satisfied with our response, you have the right to contact the Information Commissioner's Office (ICO) at ico.org.uk.

2) About us

• "Docyment", "we", "our", or "us" means Docyment Ltd (Company No. 16697940) of 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UK.
• Our services means the provision of the Docyment Platform and related services to qualified medical practitioners and healthcare organisations (together, "Practitioners").
• The "Platform" is our web and/or mobile application(s) made available to Practitioners for clinical documentation support.
• "You" means the reader of this policy (e.g., a Practitioner user, website visitor, job applicant, or other individual interacting with us).
• "Your information" means personal data about you.
• "Privacy laws" means UK GDPR, the Data Protection Act 2018, and other applicable data protection and health information laws.

Data controller vs data processor

Depending on the context, Docyment may act as:

• Data Controller: for personal data we collect about Practitioners, website visitors, billing contacts, and for our own analytics/operations.
• Data Processor: for patient data that Practitioners input to, or generate via, the Platform. In this case, the Practitioner (or their clinic/organisation) is the Data Controller, and Docyment processes data on their instructions, under a Data Processing Agreement (DPA).

If you're a patient and your clinician uses Docyment, please contact your clinician (the controller) first regarding your personal data. We will support them in responding.

3) What information do we collect?

We collect and hold the following categories of information, including personal information, health information, payment information, device information, and general information to help us improve our services.

When you access and use our website, Platform, or other services, we collect and hold the following main categories of information as detailed in the table below. The collection of extensive data sets, including device information, is crucial for enhancing user experience, optimising service functionality, and ensuring robust security measures. We process such information based on legitimate interests—improving our services and maintaining security—and where applicable, through explicit consent, which is transparently obtained at the point of data collection. If you choose not to provide the requested information, it may impact our ability to deliver these services to you fully.

If you choose not to provide certain data, we may be unable to deliver parts of the Platform or support you fully.

4) How do we collect your information?

• Directly from you: when you register, sign in, contact support, complete forms, or interact with the Platform and website.
• Automatically: via cookies, SDKs, logs, and similar technologies when you browse or use the Platform (see Section 9).
• From third parties:
  • identity/credential verification services (for Practitioner status checks)
  • payment processors (for billing status)
  • your employer/clinic (for enterprise onboarding)
  • recruitment agencies and referees (for applicants)

5) How do we use your information?

We adhere to privacy by design principles by integrating data protection from the outset of designing our systems and business practices. Our measures include robust encryption, stringent access controls, and continuous threat monitoring. Privacy impact assessments are conducted regularly to ensure potential risks are identified and mitigated, ensuring data protection is a foundational aspect of our operations.

We implement rigorous de-identification techniques to ensure personal and health data are pseudonymised, stripping identifiable markers to prevent re-identification by malicious actors. These processes are reinforced by stringent security protocols, including multi-layered encryption and access controls, to safeguard the integrity and confidentiality of the de-identified data.

Main purposes and legal bases

AI model training: For the avoidance of doubt, we do not use any patient data to train, develop, or improve our AI models. Where we use synthetic data or de-identified datasets for improvement, we ensure there is no reasonable likelihood of re-identification.

If we intend to use data in a way not described here, we will update this notice and, where required, seek your consent.

6) Marketing and how to opt out

We may send you direct marketing communications and information about our services or products. This may take the form of emails or other forms of communication. We'll always conduct our marketing practices in accordance with privacy laws and other applicable laws.

If we do send you marketing messages using your information, you'll be able to opt out at any time. We may also market our services to you generally – including via social media, advertising through our website and other digital or non-digital platforms. We'll always do this in accordance with our legal requirements. You can opt out at any time by:

• clicking Unsubscribe in our emails; or
• emailing privacy@docyment.com.

Without your consent, we will not:

• use any of your health information to send you marketing communications; or
• disclose any of your information to a third party in order for them to market to you.

7) Do we store or share information outside of your country?

Your personal information is stored in the UK

We recognise the importance of data security and privacy and are committed to protecting your information. For customers located in the United Kingdom, all data is stored within the UK, and all processing takes place within the UK or the European Economic Area (EEA). We do not transfer personal data outside of these jurisdictions.

Some functionalities of our Platform rely on third-party service providers; however, we ensure that any such processing occurs within the UK or EEA and is governed by data processing agreements that enforce strict compliance with UK GDPR and the Data Protection Act 2018. These agreements ensure that your personal data remains secure, confidential, and protected against unauthorised access or disclosure, while enabling us to provide essential functionalities through trusted service providers.

Enterprise customers can request our Data Processing Addendum and Sub-processor List: DPA | Sub-processors

8) Who do we share your information with?

We may share your personal information with our other partners and for other reasons we tell you about in this policy, on our website, on our Platform or where we otherwise communicate this to you.

We may share your personal information with:

• our employees and related companies;
• third party suppliers and service providers (including providers for the operation of our Platform, websites and/or our business) - see our sub-processor list;
• professional advisers, dealers and agents;
• payment systems operators (e.g., merchants receiving card payments);
• anyone to whom our assets or businesses (or any part of them) are transferred;
• specific third parties authorised by you to receive information held by us, and other parties involved in the delivery of healthcare services; and/or
• other persons, including government agencies, regulatory bodies and law enforcement agencies, or as required, authorised or permitted by law.

We require recipients to handle personal data securely and lawfully in accordance with applicable data protection laws.

9) Cookies and similar technologies

Our website and Platform use cookies and similar technologies to operate, secure, and improve the service.

Cookie categories

• Strictly necessary (authentication, security, load-balancing)
• Functional (remembering preferences)
• Performance/analytics (aggregate usage—no PHI)
• Marketing (only with consent; never using PHI)

You can configure your internet browser to accept all cookies, reject all cookies or notify you when a cookie is sent. If you refuse the use of cookies in this way you may not be able to access the full functionality of our website. Please refer to your internet browser's instructions or help screens to learn more about these functions.

We may also use third-party analytics tools to help us gather and analyse information about your use of our website and Platform. These tools assist us in understanding usage patterns, improving user experience, and optimising the performance of our services. For the avoidance of doubt, no Protected Health Information (PHI) or sensitive health information is shared with or transmitted to third-party analytics tools for these purposes. Any information collected through these tools is limited to non-sensitive data and does not include any details that could identify patients or relate to their health conditions, treatment, or care.

Cookie details & lifetimes: see Cookie Policy.

10) How do we protect your information?

We employ administrative, technical and physical safeguards appropriate to the sensitivity of the data.

Further details: Security Whitepaper / Trust Center.

11) Your rights

Subject to conditions and exemptions under UK GDPR, you have rights to:

• Access your personal data
• Rectify inaccurate or incomplete data
• Erase your data (right to be forgotten)
• Restrict processing
• Object to processing (including where based on legitimate interests or direct marketing)
• Data portability
• Withdraw consent (where processing is based on consent)

How to exercise your rights: When you contact us regarding a request for access, correction, erasure, or to make a complaint, or if you wish to object to processing, withdraw consent, or request data portability, please include your name and contact details (such as email address and phone number) and clearly describe your request. We are committed to addressing your enquiries promptly and will acknowledge receipt of your correspondence swiftly. We aim to formally respond to all requests within 30 days. If we are unable to fulfil your request due to legal or other reasons, we will explain why. Verification of your identity may be required to protect your information and ensure it is not disclosed improperly.

Contact us: Email privacy@docyment.com with your requests or questions.

• Patients: please contact your clinician (data controller) first; we will support them in fulfilling your request.
• Complaints: If you are not satisfied with how we handle your query or manage your information, including our response to your requests, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk. We would appreciate the chance to address your concerns first.

12) How long do we keep your information?

We retain personal data only as long as necessary for the purposes set out in this policy, in accordance with UK GDPR principles of data minimisation and storage limitation.

We review our retention practices regularly and will securely delete or anonymise personal data when it is no longer needed. You may request earlier deletion by contacting privacy@docyment.com, subject to our legal and contractual obligations.

13) Children

The Platform is intended for use by Practitioners and healthcare organisations, not by children directly. We do not knowingly collect personal data from children as end-users of the Platform. Patient data may include information about children processed under the Controller's instructions for the provision of care.

14) Employees & applicants

If you are a current/former employee or an applicant, we may process:

• General personal data: name, contact details, image, identifiers
• Educational & professional information: qualifications, references, memberships
• Sensitive information (where lawful): health information, certain criminal background data (where role-appropriate)
• Financial information: bank details, tax status
• Work-related information: performance, training, compliance records

Contact people@docyment.com or privacy@docyment.com for our Employee Privacy Notice.

15) Key service providers

Docyment Ltd is a standalone company. We work with trusted third-party service providers to deliver our Platform:

• Data Controller: Docyment Ltd (Company No. 16697940), 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UK.
• Hosting & Infrastructure: Vercel (for website and application hosting)
• Database Services: Supabase (for secure data storage and management)
• Additional sub-processors: See our complete sub-processor list

These service providers process personal data on our behalf under strict contractual agreements that require them to protect your data and use it only as instructed by us. We regularly review and assess our service providers to ensure they maintain appropriate security standards.

16) Third-party services & integrations

If you choose to connect Docyment with third-party services (e.g., EHRs, cloud storage, identity providers), their collection and use of your data is governed by their privacy policies. You are responsible for reviewing and managing those integrations.

• Current sub-processors: See our comprehensive sub-processor list for full details including locations, purposes, and data protection safeguards

We do not transmit PHI/sensitive health data to third-party analytics tools for marketing or product analytics.

17) Automated decision-making

Docyment may use automated processing to suggest structure or phrasing in clinical documents. These features do not make clinical decisions: they are assistive and remain under the control and professional judgement of the Practitioner. We do not engage in automated decision-making producing legal or similarly significant effects about individuals.

18) Data Protection Officer (DPO) / Privacy contact

• DPO (Data Protection Officer): dpo@docyment.com
• Privacy contact: privacy@docyment.com

19) Changes to this policy

If we need to change this policy in a way that affects the way we handle your information, if you use our Platform, you'll receive an alert from us. We will also publish the changes to it on our website. We encourage you to check our website periodically to ensure that you are aware of our current Privacy Policy. The latest version will always be available at: docyment.com/legal/privacy-policy.

20) Key commitments (at a glance)

• No model training on patient data.
• UK/EEA hosting by default for UK customers; transfers only with appropriate safeguards.
• Strong security: encryption in transit/at rest, access controls, monitoring, incident response.
• Clear roles: Controller (our own data) vs Processor (patient data for Practitioners).
• Your rights respected under UK GDPR.

Helpful links

• Data Processing Addendum (DPA): /legal/data-processing-agreement
• Sub-processor List: /legal/subprocessors
• Security & Compliance (Trust Center): /legal/trust
• Cookie Policy: /legal/cookies
• Privacy contact: privacy@docyment.com