Privacy Policy
LAST UPDATED: 27 JUNE 2026
1. Introduction
ClinicQuest ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered professional medical education, reference, portfolio, and drafting tools.
This policy applies to all users of ClinicQuest, including UK General Practitioners (GPs) and GP trainees. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller:
ClinicQuest, a service of Appocrates Ltd
Company No. 17014851 — registered in England and Wales
Registered office: 195 Turner Road, Colchester, CO4 5XW
support@clinicquest.uk
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address (required for authentication via Google OAuth or email + password)
- Name (required)
- Profile picture (optional, via Google OAuth)
- Google OAuth identifier (if signing in with Google)
- Email Preferences (marketing, updates, alerts)
2.2 Usage Data
We automatically collect:
- Chat threads and messages
- Task and board data inside Tasks
- Portfolio entries
- Training Calendar data — calendar settings and planning events you create, including training dates, LTFT percentage, leave assumptions, bank-holiday region, event dates/ranges, event type, half-day/full-day amount, and optional title/custom label. The calendar does not ask for sickness reasons, patient details, or clinical notes, and v1 does not make calendar data available to the AI assistant.
- AKT study records — your mock and revision sessions, individual question attempts (the option you selected, your stated confidence, and time spent), AKT Teacher chat threads, AI-generated remedial questions and your answers to them, and AKT-tagged flash cards. We also maintain per-user AKT knowledge-graph performance edges (short structured records of which clinical entities you have been confused by, are weak at, or have demonstrated strength in) to personalise remedial generation. These edges live in a separate UK-hosted graph database (see §6B) and are deleted with your account.
- Session information (Device type, browser, IP address)
- Credit usage metrics
- Analytics events — Page views, feature usage (e.g. chat sessions, tasks created, subscription changes), account-linked identifiers (user ID and email), and AI processing metrics (model used, response time, request volume, and credit/cost reporting) collected via PostHog (EU). Message content, portfolio text, and clinical data are never captured in analytics.
- Error diagnostics & performance traces — Unexpected application errors, application routes, error traces, diagnostic metadata, and sampled performance traces collected via Sentry (Germany / EU). Every Sentry event passes through a server-side beforeSend hook that redacts known sensitive keys before the payload leaves our infrastructure. The redaction list covers message content, notebook content, transcripts, SOAP notes, portfolio entries, audio URLs, request and response bodies, query strings, cookies, auth headers, tokens, and identifiers such as patient names, NHS numbers, and dates of birth. Console, fetch, and XHR breadcrumbs are disabled. Session replay and request data capture are disabled. We treat this scrubbing as defence-in-depth and continue to instruct users not to submit any patient-identifiable information to the Service.
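To show what a server-side redaction hook of the kind described above looks like in practice, here is an added example; it is not ClinicQuest's code. It is written in the shape of the Sentry SDK's beforeSend(event, hint) option: it walks the event payload, replaces the value under any sensitive key, drops request bodies, query strings and cookies outright, masks auth headers, and leaves opaque Stripe references (cus_…, sub_…) intact so support can still correlate incidents. The key list, the sample event shape and the "[Filtered]" placeholder are assumptions for illustration.

```javascript
// Added example (not ClinicQuest's own code): a Sentry-style beforeSend hook
// that redacts sensitive keys before an error event leaves the server.
// SENSITIVE_KEYS is a constructed list based on the categories the policy
// names; the real hook's list and event shape are assumptions.

const SENSITIVE_KEYS = new Set([
  'messages', 'message_content', 'content', 'notebook', 'notebook_content',
  'transcript', 'soap', 'soap_note', 'portfolio', 'portfolio_entry',
  'audio_url', 'body', 'request_body', 'response_body', 'query_string',
  'cookies', 'cookie', 'authorization', 'token', 'access_token',
  'refresh_token', 'patient_name', 'nhs_number', 'dob', 'date_of_birth',
]);

const REDACTED = '[Filtered]';
const MAX_DEPTH = 16; // stop descending into pathological payloads

function isSensitiveKey(key) {
  return SENSITIVE_KEYS.has(String(key).toLowerCase());
}

// Walk the payload and return a redacted copy (the original is not mutated).
// Values under sensitive keys are replaced whole; everything else is recursed.
// Objects seen twice (shared or self-referential) are replaced as well.
function redactDeep(value, depth = 0, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value;
  if (depth > MAX_DEPTH || seen.has(value)) return REDACTED;
  seen.add(value);
  if (Array.isArray(value)) {
    return value.map((v) => redactDeep(v, depth + 1, seen));
  }
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = isSensitiveKey(k) ? REDACTED : redactDeep(v, depth + 1, seen);
  }
  return out;
}

// Same signature as the Sentry SDK hook: return the event to forward it,
// or null to drop it entirely.
function beforeSend(event, _hint) {
  const scrubbed = redactDeep(event);
  if (scrubbed.request && typeof scrubbed.request === 'object') {
    // Request bodies, query strings and cookies are removed regardless of
    // key names, because they can carry user-submitted text verbatim.
    delete scrubbed.request.data;
    delete scrubbed.request.query_string;
    delete scrubbed.request.cookies;
    if (scrubbed.request.headers) {
      for (const h of Object.keys(scrubbed.request.headers)) {
        if (['authorization', 'cookie', 'x-api-key'].includes(h.toLowerCase())) {
          scrubbed.request.headers[h] = REDACTED;
        }
      }
    }
  }
  return scrubbed;
}

// Constructed sample event: a failed Stripe call during account deletion.
const SAMPLE_EVENT = {
  message: 'Stripe subscription cancel failed',
  extra: {
    stripe_customer_id: 'cus_test123',      // opaque billing reference, kept
    transcript: 'dictated text would be here', // redacted
    nested: [{ nhs_number: '943 476 5919' }],  // redacted at any depth
  },
  request: {
    url: 'https://example.invalid/api/account/delete',
    data: '{"content":"user text"}',
    query_string: 'thread=1',
    cookies: 'sb-access-token=abc',
    headers: { Authorization: 'Bearer secret', 'Content-Type': 'application/json' },
  },
};

console.log(JSON.stringify(beforeSend(SAMPLE_EVENT, {}), null, 2));
```

Key-based redaction is only as good as its key list, which is why the hook also drops whole request bodies and why the policy treats it as one layer rather than a substitute for not submitting patient data in the first place.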
2.3 Payment Information
If you subscribe to a paid plan, payment processing is handled by Stripe. We store your Stripe Customer ID and Subscription ID. We do not store credit card numbers, CVCs, or bank account details on our servers.
What we send to Stripe: your email address and the chosen plan or top-up price ID, plus your Supabase user ID as opaque metadata so subscription events can be reconciled. We do not send clinical content, portfolio entries, message history, or any patient-related metadata to Stripe. Stripe processes this data as a sub-processor under its Data Processing Addendum (see stripe.com/legal/dpa) with UK/EU Standard Contractual Clauses in place.
Stripe identifiers in error telemetry: when a Stripe API call fails (for example, a subscription cancellation during account deletion), our error logs and Sentry breadcrumbs may include the affected Stripe Customer ID (cus_…) or Subscription ID (sub_…) so support can correlate the incident in the Stripe dashboard. These identifiers are opaque references to your Stripe billing record only — they do not contain or reveal payment-card data, clinical content, or any patient-related information. Sentry events are still passed through the redaction hook described in §2.2 to strip raw Stripe response bodies and headers.
2.5 Referral Programme Data
If you participate in the ClinicQuest referral programme (as referrer or referee):
- Referral code: a unique 10-character identifier assigned to your account. Sharing this code creates a link between your account and any accounts registered using it. Your referral code is stored in your profile.
- Referee attribution: when someone signs up using your referral link, their account is permanently linked to yours internally. We record their canonical email address to enforce the one-bonus-per-email limit (see §4.3). You can view a masked version of their email address, their signup date, and whether they have upgraded to a paid plan in your Referrals dashboard.
- Masked email visibility: as the referrer, you see partially masked email addresses (e.g. s***h@test.local) for users who signed up via your code. This is visible only to you.
- Lifetime claim record: to prevent one email address from claiming the referral bonus multiple times, we store the canonical form of the referee's email in a separate, access-controlled table. This record may persist after account deletion for the same abuse-prevention period as other deletion-cooldown identifiers (see §4.3).
- Referee notice: if you sign up using someone's referral code, your account is permanently linked to that referrer. They can see a masked version of your email address, your signup date, and whether you have upgraded to a paid plan in their Referrals dashboard. We do this on the basis of our legitimate interest in operating the referral programme. Your referral-association data is kept for the lifetime of your account and removed when you delete your account, except for the referral lifetime-claim record described above (retained up to 2 years per §4.3).
Important: Patient Data Prohibition
ClinicQuest is a tool for professional medical education, reference review, drafting support, and portfolio reflection. It is not intended for clinical decision-making for real patients. You must NOT upload, input, or store any patient identifiable information into the chat, portfolio, or tasks. All clinical cases discussed must be fictional, simulated, or fully anonymised in accordance with GMC confidentiality guidance.
As a defence-in-depth layer, ClinicQuest applies a server-side input pre-scrubber to main chat / portfolio prompts, fact-check inputs, task labels, and ordinary dictation transcripts. Structured identifiers — NHS numbers (validated by Mod-11 checksum), full UK postcodes, UK phone numbers, email addresses, and dates that appear in a date-of-birth context — are stripped at ingress and replaced with redaction placeholders before the text is persisted, sent to the AI subprocessor, or surfaced in logs. AKT Teacher and Notebook Agent prompts, including AI dictation launched from those panels, are educational-study inputs and are not pre-scrubbed. See section 6B and the Terms section 4.1B for the full description. The scrubber is pattern-based and does not detect free-text patient names; it is non-substitutive and does not replace the prohibition above.
3. How We Use Your Information
We use your information to:
- Provide our services (AI queries, tasks, portfolio entries)
- Maintain your account
- Process payments via Stripe
- Improve our services using account-linked and aggregated analytics
- Communicate with you (transactional and marketing emails)
- Ensure security and prevent abuse
- Operate the referral programme: award one-time bonus credits to you and referred users when a referred user upgrades to a paid plan. Associate your account with users who signed up using your referral link.
Legal Basis for Processing (UK GDPR)
- Contract performance
- Legitimate interests
- Consent
- Legal obligation
4. Data Retention
4.1 Active Accounts
We retain your data for as long as your account is active and as needed to provide services. Some categories of account data have a fixed retention window, applied automatically by a daily background job (or, where noted, by our infrastructure provider on its own schedule):
- Completed tasks: deleted 365 days after they are marked complete. Active (uncompleted) tasks have no time-based expiry — they remain until you delete them or your account.
- Notebook conversion job history: when you convert a chat thread into a notebook page, we keep a small job-history row (status, timestamps, error message if any) for diagnostic purposes. These job-history rows are deleted 30 days after the conversion completes or fails. The resulting notebook page itself is not affected — it remains in your account until you delete it.
- Leaflet submission job history: when you submit a patient-leaflet URL to be added to the library, we keep a small job-history row (status, timestamps, error message if any) for diagnostic purposes. These rows are deleted 30 days after the submission completes or fails. The resulting leaflet entry and your pin are not affected — they remain until you unpin or your account is deleted.
- Leaflet search counters: a per-day numeric counter of how many in-chat patient-leaflet searches you ran is kept for 30 days so we can enforce a fair-use cap on third-party search costs. The counter contains no search query text or clinical content.
- AI hygiene metadata: when ClinicQuest's PII pre-scrubber redacts a structured identifier from your input (NHS number, UK postcode, UK phone number, email, date of birth in context), we record content-free metadata about the event — the surface (chat / dictation / fact-check), the count of redactions, and which categories matched. AKT Teacher and Notebook Agent prompts do not create AI hygiene metadata. No prompt text, transcript text, or clinical content is ever stored. Per-event rows are deleted 90 days after they are recorded. The daily rollup that powers the AI hygiene dashboard is kept for 365 days so trainees can see year-on-year hygiene-score trends across an RCGP training year.
- Operational alert events: when a backend operational failure occurs (for example, a payment-processor customer deletion that needs manual follow-up), we record an alert row that may contain pseudonymous identifiers — your Supabase user ID and, where relevant, a Stripe customer/subscription reference. These rows contain no clinical content and are automatically deleted 90 days after they are recorded.
- Cloudflare Workflow step storage: features that run as multi-step background jobs (chat-to-notebook conversion, document ingestion, fact-checking, AKT remedial-question generation, and leaflet submission) execute on Cloudflare Workflows, which durably stores the job's input payload and each step's output for approximately 30 days to support retries and crash recovery. Any clinical content in those steps is the same pre-scrubbed text used elsewhere in the Service; Cloudflare deletes it on its own ~30-day platform schedule, which we cannot shorten on our current plan. See §6B for the residency detail.
- Credit and billing transaction records: records of AI credit purchases, awards, reservations, and usage are retained for the lifetime of your active account and deleted with your account (foreign-key cascade on auth.users). Transaction records contain no clinical content — they record credit amounts, timestamp, and a feature-level reason string (e.g. "chat-turn", "notebook-conversion"). Stripe, our payment processor, retains its own copy of every payment under its Data Processing Addendum and applicable UK tax / financial-record obligations; that data lives with Stripe and is governed by their terms, not ours.
- Chat threads and messages: retained for the lifetime of your active account and deleted when your account is deleted. There is no time-based expiry on active chat content — you may delete individual threads at any time via the interface, and all threads are removed immediately and irrecoverably when you delete your account.
- Training Calendar settings and events: retained for the lifetime of your active account and deleted when your account is deleted. You may delete individual calendar events at any time. Calendar rows are account-owned and are not sent to AI providers by the Training Calendar feature.
Future categories with fixed retention windows will be listed here.
4.2 Deleted Accounts
When you delete your account via the Settings page:
- Immediately deleted: All personal data, chat threads, messages, tasks, portfolio entries, Training Calendar settings and events, sessions, credit transaction history, and any Stripe Customer ID / Subscription ID we hold against your profile (the local mapping rows are removed by foreign-key cascade).
- Retained for Abuse Prevention: Your email address and Google OAuth identifier (if applicable) are stored in a separate, secure "Deleted Accounts" table.
- Retained for legal record-keeping: the durable proof-of-consent record of your acceptance of the immediate-supply terms at checkout (your acceptance, the terms and privacy versions you agreed to, and the timestamp — no clinical content) is retained for up to 6 years from the date of acceptance to meet UK contract-record obligations (Limitation Act 1980), then automatically deleted. This record may outlive the rest of your account.
Stripe itself retains its own records of any payments you made under its Data Processing Addendum and applicable UK tax/financial-record obligations — that data sits with Stripe and is governed by their terms, not ours.
4.3 Why We Retain Deleted Account Identifiers
We retain these specific identifiers to:
- Prevent abuse: Stop users from repeatedly creating accounts to exploit free credit allocations or trial periods.
- Maintain service integrity: Ensure fair usage of our platform resources.
This data is stored separately from active user data, not used for marketing or profiling, not shared with third parties, and retained for a minimum of 30 days to enforce cooldown periods. Deleted account identifiers are automatically purged 30 days after the cooldown period expires (up to 60 days total from account deletion in the standard case). If you re-register within 30 days, you will not receive free monthly credits until the cooldown expires.
Referral lifetime claim records: in addition to the above, we retain the canonical form of your email address in a separate referral lifetime-claims table to prevent any one email address from receiving the referee referral bonus more than once. This record is automatically deleted after the referral period expires (up to 2 years from the date the bonus was awarded). It follows the same non-marketing, access-controlled retention principles. If you delete your account and re-register within that 2-year window, you will not receive the referee referral bonus again on the new account.
6. Data Security
We implement industry-standard security measures:
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access controls: Strict role-based access and secure session management.
- Secure Authentication: Sign-in via Google OAuth or email + password (minimum 8 characters, server-validated). Sessions are managed by Supabase Auth using HttpOnly, Secure, SameSite=Lax cookies with refresh-token rotation. Signup and password-reset forms are protected by Cloudflare Turnstile bot-challenge.
- Monitoring: Continuous security logging and anomaly detection.
6B. UK-Hosted Storage & Zero-Retention Processing
ClinicQuest separates data at rest from data in transit for AI inference. The two are governed by different mechanisms, and we describe both here in full so Information Governance teams and Caldicott Guardians can audit our chain of processing.
Storage — UK only
- Authoritative relational store: Account, educational, portfolio, and anonymised clinical-content data at rest — chat threads, portfolio entries, notebooks, tasks, audit logs, Training Calendar settings and events, user records, AKT mock and revision sessions, AKT question attempts, and the AKT remedial-question queue — is stored in our Supabase database in the Europe West (London) region.
- AKT knowledge graph + personal document index (UK-hosted): A self-hosted SurrealDB instance, deployed on a virtual machine in OVH Limited's London (UK) data centre via Dokploy, holds the AKT clinical knowledge graph (curriculum entities, drug/condition/guideline relationships, and your per-user performance edges marking which entities you have been confused by, are weak at, or have demonstrated strength in), and the per-user vector index used to retrieve passages from your personal document store. Performance edges are keyed to your account and are deleted with your account.
- Access control: Enforced with row-level security (RLS) plus role-based access controls in Supabase, and equivalent user-id scoping on every query against the SurrealDB instance. Each authenticated clinician can only read and write their own rows / their own graph edges.
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- No replication outside the UK: Neither the Supabase database nor the SurrealDB instance is replicated, backed up, or synced to any non-UK region.
- Cloudflare compute residency note (Durable Objects, KV, Workflows): ClinicQuest runs on Cloudflare Workers. Active chat and portfolio turn state held in Durable Objects, the Cloudflare KV namespace, and Cloudflare Workflow step-state are processed on Cloudflare's global network and are not contractually pinned to a specific region on our current Cloudflare plan. This state is ephemeral — Durable Object turn state is wiped at the end of each chat / portfolio turn lifecycle and is not a retention layer. Cloudflare Workflow step-state is different: Cloudflare durably stores the job payload and each step's output for approximately 30 days for retries and crash recovery (the multi-step background jobs are listed in §4.1), then deletes it on its platform schedule; we cannot shorten this window on our current plan. Strict UK/EU-only processing for this compute would require a Cloudflare Enterprise plan with the data-residency add-on, which we do not currently hold.
AI inference — transient, ZDR, never stored
- Zero Data Retention (ZDR): All anonymised clinical-content AI workloads (chat, fact-checking, document processing, AI drafting) are routed through the Vercel AI Gateway to model providers under a Zero Data Retention contract. Prompts and responses are processed in volatile memory at the model endpoint and discarded immediately. No prompt, response, or transcription is written to disk by the AI provider, retained beyond the request lifecycle, or used to train AI models.
- Transient cross-border transfer: Inference takes place on the model provider's infrastructure, which is global and primarily US-based. The data is in transit only — it is not stored outside the UK because it is not stored at all by the provider. Cross-border transfers for inference are covered by the UK Extension to the EU-US Data Privacy Framework (where the provider is certified) and Standard Contractual Clauses.
- Training prohibition: All AI providers engaged by ClinicQuest are contractually prohibited from using API-submitted data to train their AI models — this applies regardless of routing path or retention period.
Audio privacy
- No audio file retention: Source recordings are discarded after transcription completes.
- Per-tier providers: Free uses Cloudflare Workers AI Speech, Pro uses Groq, Max uses Deepgram. Cloudflare Workers AI operates under its Workers AI ZDR contract; Groq ZDR is enabled in Data Controls for STT; Deepgram receives mip_opt_out=true and retains opted-out request data only for processing duration. See our Subprocessors list for the precise wording, regions, transfer mechanisms, and the Cloudflare Workers AI residency note.
- Input pre-scrubbing on clinical chat, fact-check, task, and ordinary dictation inputs: Server-side regex guards strip structured identifiers (NHS numbers validated by Mod-11 checksum, full UK postcodes, UK phone numbers, email addresses, and dates that appear in a date-of-birth context) from main chat / portfolio prompts, fact-check inputs, task labels, and ordinary STT transcripts before the text is persisted, sent to the AI subprocessor, or surfaced in logs. The scrubbed text is the canonical version for those surfaces — what is stored in our database, what reaches the AI provider, and what you see in your message history all match. AKT Teacher and Notebook Agent prompts, including their AI dictation contexts, are not pre-scrubbed and must not contain patient-identifiable information. This control supplements (and does not replace) the user's anonymisation duty in Terms section 4.1.
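The input pre-scrubber described in the Patient Data Prohibition section and in the input pre-scrubbing bullet above can be illustrated with the following added example, which is not ClinicQuest's code. It strips the five structured identifier categories the policy names, validates candidate NHS numbers with the Mod-11 check digit so that a 10-digit string failing the checksum is left untouched, redacts a date only when it follows a date-of-birth cue (other dates stay), and returns the kind of content-free metadata (surface, redaction count, categories matched) that §4.1 describes as AI hygiene metadata. The regex patterns, placeholder tokens, surface names and sample input are all constructed for illustration and are not the Service's actual rules.

```javascript
// Added example (not ClinicQuest's own code): a server-side PII pre-scrubber
// for free text, returning scrubbed text plus content-free metadata.
// Patterns and placeholders below are assumptions for illustration.

const PLACEHOLDER = {
  email: '[EMAIL]',
  nhs: '[NHS-NUMBER]',
  phone: '[PHONE]',
  postcode: '[POSTCODE]',
  dob: '[DOB]',
};

// NHS number check: 10 digits; the first nine are weighted 10..2, summed,
// and the remainder mod 11 subtracted from 11 gives the check digit.
// A result of 11 means 0; a result of 10 means the number is invalid.
function isValidNhsNumber(digits) {
  if (!/^\d{10}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < 9; i++) sum += Number(digits[i]) * (10 - i);
  let check = 11 - (sum % 11);
  if (check === 11) check = 0;
  if (check === 10) return false;
  return check === Number(digits[9]);
}

// Each rule: category, regex, and an optional replacer. A replacer returning
// null means "this match is not really that category; leave it alone".
const RULES = [
  // E-mail first so its letters and digits are not consumed by later rules.
  { cat: 'email', re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi },
  // 3-3-4 digit groups with optional separators; only checksum-valid ones are redacted.
  {
    cat: 'nhs',
    re: /\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b/g,
    replacer: (m, a, b, c) => (isValidNhsNumber(a + b + c) ? PLACEHOLDER.nhs : null),
  },
  // UK phone: +44 or leading 0, then 3-4 / 3 / 3-4 digit groups.
  { cat: 'phone', re: /(?:\+44\s?\d{3,4}|\b0\d{3,4})[\s-]?\d{3}[\s-]?\d{3,4}\b/g },
  // Full UK postcode: outward code, optional space, inward code (digit + two letters).
  { cat: 'postcode', re: /\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b/gi },
  // Dates only when preceded by a date-of-birth cue; the cue itself is kept.
  {
    cat: 'dob',
    re: /\b(dob|date of birth|born(?: on)?)\s*[:\-]?\s*(\d{1,2}[\/.\-]\d{1,2}[\/.\-]\d{2,4})\b/gi,
    replacer: (m, cue) => `${cue}: ${PLACEHOLDER.dob}`,
  },
];

// Scrub one input for a given surface ('chat', 'dictation', 'fact-check', ...).
// Returns the canonical scrubbed text and metadata that holds no content.
function scrubInput(text, surface = 'chat') {
  const counts = {};
  let out = text;
  for (const { cat, re, replacer } of RULES) {
    out = out.replace(re, (...args) => {
      const replacement = replacer ? replacer(...args) : PLACEHOLDER[cat];
      if (replacement === null) return args[0]; // keep the original match
      counts[cat] = (counts[cat] || 0) + 1;
      return replacement;
    });
  }
  const redactions = Object.values(counts).reduce((a, b) => a + b, 0);
  return {
    text: out,
    metadata: { surface, redactions, categories: Object.keys(counts) },
  };
}

// Constructed sample: every identifier here is fictional. The last 10-digit
// number fails the Mod-11 check and the "Seen" date has no DOB cue, so both stay.
const SAMPLE_INPUT =
  'NHS no 943 476 5919, DOB: 12/03/1985, lives at CO4 5XW, call 07700 900123 ' +
  'or j.smith@example.invalid. Seen 14/03/2024. Ref 943 476 5918.';

console.log(scrubInput(SAMPLE_INPUT, 'chat'));
```

Because the rules are pattern-based they catch only structured identifiers; a free-text patient name passes straight through, which is exactly why the policy keeps the prohibition on entering patient data as the primary control and the scrubber as a backstop.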
Infrastructure and payment controls
- Edge security layer: WAF, DDoS protection, and request isolation are applied at Cloudflare's edge before any traffic reaches application logic.
- Payments: Stripe processes all card payments under PCI-DSS. Card details are never stored on ClinicQuest servers.
* The features that call Google Gemini directly with up to 30-day retention are: (1) the Notebook agent, (2) the AKT Teacher feature, (3) AKT remedial-question generation and AKT remedial study planning, (4) standalone medicine-information leaflet analysis, including arbitrary public HTTPS health-resource URLs you submit on the /leaflets universal-resource feature, and (5) the chat-mode search_leaflets tool's leaflet-metadata extraction step. Notebook Agent, AKT Teacher, AKT remedial generation, and AKT-tagged flash-card generation may retry once through OpenRouter ZDR after transient provider failures. These features process educational and public-content material only — they do not process patient-identifiable information. Cross-border transfers for direct-Gemini calls are covered by the UK Extension to the EU-US Data Privacy Framework and Standard Contractual Clauses; OpenRouter fallback calls use ZDR processing controls and SCCs.
6A. Data Protection Roles
For the purposes of UK GDPR:
- The individual clinician using ClinicQuest acts as the Data Controller in respect of any clinical information they choose to input into the service.
- ClinicQuest acts as a Data Processor, processing information solely on the clinician's documented instructions and in accordance with this Privacy Policy.
- The AI infrastructure provider, as the provider of the underlying model and transcription services, acts as a Sub-processor engaged by ClinicQuest to generate responses. The provider processes data under a contractual Data Processing Addendum and does not use API-submitted data to train its models.
- Clinicians are strictly required to ensure that no patient-identifiable information is entered into the service. Users remain responsible for complying with their professional, contractual, and statutory data protection obligations.
7. Your Rights (UK GDPR)
7.1 Access
Request a copy of your personal data.
7.2 Rectification
Request correction of inaccurate data.
7.3 Erasure ("Right to be Forgotten")
Request deletion of your data. Note: Deleted account identifiers are retained as described in Section 4.2 for fraud prevention.
When you delete your account, referral attribution data linking your account to referees (or to your referrer) is removed from your profile. The canonical email entry in our referral lifetime-claims table may be retained for the same period as other deletion-cooldown identifiers under §4.3, solely to prevent bonus re-claiming.
7.4 Restriction
Request restriction of processing in certain circumstances.
7.5 Data Portability
Request a copy of your account data in a structured, machine-readable format. Email support@clinicquest.uk with the subject line "Data export request" and we will provide a JSON export of the records you have authored or contributed (profile, tasks, chat threads, portfolio entries, portfolio training sessions, PDP workspace and goals, Training Calendar settings and events, notebooks, fact-checks, leaflet pins, referral history, and AKT records — your mock and revision sessions, individual question attempts, AKT Teacher chat threads, remedial-question queue items, AKT-tagged flash cards, and your performance edges in the AKT knowledge graph) within one calendar month, in line with UK GDPR Article 20. The export covers personal data we hold under contract with you; it does not include third-party content (for example, RCGP-licensed leaflet text or curriculum topic-guide source material), other users' data, or operational telemetry that is not personal data.
7.6 Object
Object to processing based on legitimate interests.
7.7 Withdraw Consent
Withdraw consent at any time (where processing is based on consent).
7.8 Complaint
Lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
To exercise your rights: support@clinicquest.uk
9. International Transfers
All data at rest — clinical, account, portfolio, and analytics — is stored in the UK or the EU. Cross-border transfers happen only for AI inference (which is transient) and for Stripe card processing. Safeguards by provider:
- AI providers (anonymised clinical-content paths): Inference takes place on global, primarily US-based model infrastructure. No prompt, response, or transcription is retained by the provider — Zero Data Retention is contractual. Transfers are covered by the UK Extension to the EU-US Data Privacy Framework (where the provider is certified) and Standard Contractual Clauses / International Data Transfer Addendum.
- AI providers (educational paths — direct Gemini, transient OpenRouter ZDR fallback): Notebook agent, AKT Teacher, AKT remedial-question generation, AKT remedial study planning, standalone leaflet analysis, and the chat-mode search_leaflets tool's leaflet-metadata extraction step normally send public/educational content to the Google Gemini API directly with up to 30-day retention. Notebook Agent, AKT Teacher, AKT remedial generation, and AKT-tagged flash-card generation may retry once through OpenRouter ZDR after transient provider failures. UK Extension to the EU-US Data Privacy Framework + SCCs apply for Google; OpenRouter fallback calls use ZDR processing controls and SCCs.
- Search and retrieval providers: Parallel.ai (US, UK Extension to EU-US DPF + SCCs) for the chat assistant's web_search tool; Perplexity (US, UK Extension to EU-US DPF + SCCs) for the fact-check feature; Tavily (US, SCCs) for patient-information leaflet search; Voyage AI (US, SCCs) and Jina AI (Germany / EU, UK GDPR adequacy) for AKT clinical-knowledge-graph query reranking using de-identified clinical taxonomy terms. Personal document retrieval uses cosine-only ranking. None retain query content for training.
- Speech-to-text: Cloudflare Workers AI Speech (Free — Cloudflare's global edge, typically UK/EU PoPs but not contractually pinned on the current plan), Groq (Pro, US, UK Extension to EU-US DPF + SCCs), Deepgram (Max, US, UK Extension to EU-US DPF + SCCs). Cloudflare and Groq are ZDR for STT; Deepgram uses mip_opt_out=true with processing-duration retention. See section 5 (Audio privacy) and the Subprocessors list for the residency note and per-provider wording.
- Cloudflare edge compute (Durable Objects, KV, Workflows): Active turn state and Workflow step-state run on Cloudflare's global network; the current plan does not contractually pin them to UK/EU. Durable Object turn state is ephemeral; Workflow step-state is durably retained by Cloudflare for ~30 days for job recovery — see section 6B's Cloudflare compute residency note and §4.1.
- PostHog: Analytics data is stored and processed in the European Union (EU region). No transfer outside the UK/EU occurs for analytics.
- Sentry: Error and performance telemetry is stored and processed in Germany / the European Union.
- Stripe (payments): US-based with global infrastructure. Transfers from the UK/EU are covered by UK/EU Standard Contractual Clauses under Stripe's Data Processing Addendum at stripe.com/legal/dpa. No clinical content is sent to Stripe.
- FourteenFish (UK): No cross-border transfer — FourteenFish is hosted in the UK.
- Email (Brevo, EU): Hosted in France. UK GDPR adequacy applies; no SCC required for UK→EU transfers.
10. Children's Privacy
ClinicQuest is a professional tool intended for users 18 years of age and older. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this policy. We will notify you of significant changes via email or in-app notification.
12. Contact Us
Privacy Enquiries
Email: support@clinicquest.uk