Cerebric Ltd - Privacy Notice

Written by

Cerebric Team

Introduction

Welcome to Cerebric Ltd's ("Cerebric", "we", "us", "our") privacy notice. Cerebric respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data, explain your privacy rights, and how the law protects you. We encourage you to read this notice carefully.

1. Purpose of This Privacy Notice

This privacy notice aims to give you information on how Cerebric Ltd collects and processes your personal data. It outlines why we are able to process your information, the purposes for which we process it, how long we store it, who we might share it with, and your rights regarding your personal data.

2. Who We Are

Cerebric Ltd is a limited company registered in the United Kingdom (Companies House No. 16033558). Our registered address is 128 City Road, London, UK, EC1V 2NX.

We are registered with the Information Commissioner's Office (ICO) under registration no. ZB801973.

Our Data Protection Officer (DPO) can be contacted at support@cerebric.io. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact our DPO.

3. The Data We Collect About You and Our Roles

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Cerebric processes personal data in two main capacities:

  • As a Data Controller: When we determine the purposes and means of processing personal data for our own business operations (e.g., our website visitors, direct business contacts, marketing, HR).
  • As a Data Processor: When we process personal data on behalf of our clients (e.g., mental health clinics) through services like our Cerebric EHR Platform. In these cases, our client is the Data Controller.

3.1. When Cerebric Acts as a Data Controller

When we act as a Data Controller, we may collect, use, store and transfer different kinds of personal data about you. This primarily includes Identity Data (e.g., name, username), Contact Data (e.g., email address, phone numbers), Technical Data (e.g., IP address, browser type), Usage Data (e.g., how you use our website and services), and Marketing and Communications Data (e.g., your preferences in receiving marketing). We do not typically collect Special Categories of Personal Data for our own business operations unless essential and legally permissible (e.g., for HR purposes).

We obtain information about you when:

  • You use our website.
  • You contact us about products and services.
  • You or your organisation conducts business with us.
  • You make an enquiry or complaint to us.
  • You wish to attend or have attended an event we have organised.
  • You apply for a job with us.
  • You work with or for us.

We may also receive personal information indirectly:

  • From your organisation if they provide your details to us.
  • If you've made your contact information publicly available (e.g., on your organisation's website or a social media platform).
  • From referees if you apply for a job with us.
  • If an employee gives your details as an emergency contact.

Where we indirectly receive personal data as a Data Controller, we will inform you, unless doing so would involve disproportionate effort or prejudice your rights.

How your personal data is collected:

We use different methods to collect data from and about you including through:

  • Direct interactions: You may give us your Identity and Contact Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you apply for our products or services, create an account on our website, subscribe to our service or publications, request marketing to be sent to you, or give us some feedback.
  • Automated technologies or interactions: As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see Section 10 (Visitors to Our Website & Use of Cookies) for further details.
  • Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources, such as your organisation if they provide your details to us, or if you've made your contact information publicly available (e.g., on your organisation's website or a social media platform). We may also receive data from referees if you apply for a job with us.

If you fail to provide personal data:

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

3.2. When Cerebric Acts as a Data Processor (Cerebric EHR Platform)

When providing the Cerebric EHR Platform and AI-powered assistant to mental health clinics, we process personal data, including special category health data, solely on behalf of and as instructed by our client clinics (the Data Controllers).

The types of patient data processed may include:

  • Patient clinical documentation
  • Clinician notes
  • Consultation notes
  • Informant reports
  • Patient identifiers (e.g., Name, NHS Number, Date of Birth, if provided by the clinic)
  • System metadata related to the use of the platform.

Details of this processing are governed by a Data Processing Agreement (DPA) with each client clinic. For the avoidance of doubt, no patient data processed on behalf of our clients is used to train, develop, or improve any of our AI models.

4. How We Use Your Personal Data (Lawful Basis)

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data where we need to perform the contract we are about to enter into or have entered into with you, where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests, or where we need to comply with a legal or regulatory obligation. Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct marketing communications to you via email or text message, where applicable. You have the right to withdraw consent to marketing at any time by contacting us.

4.1. When Cerebric Acts as a Data Controller:

Website Use & Cookies:

  • For essential cookies: Legitimate Interests (to ensure website functionality).

Enquiries & Business Communications:

  • Responding to enquiries: Legitimate Interests (to respond to your enquiry and provide information).
  • Conducting business and managing contracts: Performance of a Contract (UK GDPR Art. 6(1)(b)) and Legitimate Interests (to manage our business relationships).

Marketing: Consent (UK GDPR Art. 6(1)(a)).

HR & Recruitment:

  • Processing job applications: Legitimate Interests (to assess suitability).
  • Managing employee records: Performance of a Contract (UK GDPR Art. 6(1)(b)) and Legal Obligation (UK GDPR Art. 6(1)(c)).

Compliance with Legal Obligations: Legal Obligation (UK GDPR Art. 6(1)(c)) (e.g., responding to data subject rights requests).

When relying on legitimate interests, we conduct a balancing test to ensure our interests do not override your rights and freedoms.

4.2. When Cerebric Acts as a Data Processor (Cerebric EHR Platform):

Cerebric processes patient data based on the documented instructions of our client clinics (the Data Controllers) and in accordance with our Data Processing Agreement (DPA) with them. Our lawful basis as a Processor for this activity is the Performance of a Contract (UK GDPR Art. 6(1)(b)) with the clinic and our Legal Obligation to comply with Article 28 of the UK GDPR (Processor obligations).

Our client clinics (as Data Controllers) are responsible for establishing their lawful basis for processing patient data. This typically includes:

  • UK GDPR Article 6(1)(e): 'processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.'
  • UK GDPR Article 9(2)(h): 'processing is necessary for the purposes of preventive or occupational medicine... medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...'
  • Data Protection Act 2018, Schedule 1, Part 1, Paragraph 2: 'Health or social care purposes.'

4.3. Common Law Duty of Confidentiality (CLDC):

For patient data processed for direct care purposes via the Cerebric EHR Platform, our client clinics (as Data Controllers) typically rely on implied consent under the Common Law Duty of Confidentiality. Cerebric processes this confidential patient information strictly in accordance with the clinic's instructions and within the scope of this established confidentiality.

5. Automated Decision-Making or Profiling

Cerebric does not undertake automated decision-making or profiling that produces legal effects concerning individuals or similarly significantly affects them. Our AI-powered assistant is used to generate draft clinical reports, which are subsequently reviewed and approved by authorised clinicians at our client clinics. The AI does not make automated decisions about individuals that would have a legal or similarly significant effect without human oversight by the Data Controller (the clinic). Furthermore, no patient data is used to train, develop, or improve these AI assistance models.

6. Data Retention

6.1. Data Controlled by Cerebric:

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We retain personal data only for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • Client communications & contracts: 6 years post-contract end.
  • Internal HR/finance records: 6 years.
  • System logs & metadata (for our own systems): 12 months, unless required for audit or legal purposes.
  • Job applicant data: 6 months for unsuccessful applicants, or for the duration of employment + 6 years for successful applicants.

Further details are available in our internal Records Management Policy.

6.2. Data Processed by Cerebric for Clients (EHR Platform):

Patient-related data processed on behalf of our client clinics is retained strictly in accordance with the instructions of the clinic (the Data Controller) and as detailed in our Data Processing Agreement with them. This is typically aligned with the NHS Records Management Code of Practice. Upon instruction from the Data Controller, data is securely deleted or returned in accordance with our DPA.

7. Your Data Protection Rights

Under data protection law, you have rights including:

  • Your right of access: To ask for copies of your personal information.
  • Your right to rectification: To ask us to rectify inaccurate personal information or complete information you think is incomplete.
  • Your right to erasure: To ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing: To ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing: To object to the processing of your personal information in certain circumstances (e.g., for direct marketing).
  • Your right to data portability: To ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

To exercise these rights, please contact our Data Protection Officer (DPO) via email at support@cerebric.io.

No fee usually required:

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you:

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond:

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Important Note for Patients of Clinics using Cerebric EHR: If your request pertains to personal data processed by Cerebric on behalf of one of our client clinics (e.g., your patient data within the Cerebric EHR Platform), you should direct your request to the relevant clinic, as they are the Data Controller for your data. We will assist the clinic in responding to your request as required by data protection law and our contractual agreements.

8. Disclosures of Your Personal Data

We will not share your information with any third parties for their direct marketing purposes.

8.3. Legal Obligations:

In some circumstances, we are legally obliged to share information, for example, to comply with a court order or for law enforcement purposes. We will always ensure we have a lawful basis for such sharing.

9. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

9. International Transfers

Personal data processed by Cerebric as a Data Controller is stored in the UK. Patient data processed via the Cerebric EHR Platform is stored within the UK.

Where we transfer personal data to processors/sub-processors outside the UK to a country not deemed adequate by the UK government (i.e., without an adequacy decision), we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: we will use specific contracts approved by the UK authorities which give personal data the same protection it has in the UK, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), along with any necessary supplementary measures.

10. Visitors to Our Website & Use of Cookies

Our website, www.app.cerebric.io, uses cookies. Cookies are small pieces of information sent by a website to your device and stored to enable key functionalities. We use cookies that are strictly necessary for the operation of our website and services. These include cookies essential for user authentication (e.g., to keep you logged in) and to ensure core website functionality.

These essential cookies do not require explicit consent under data protection laws like GDPR, as they are indispensable for providing the services you request, such as accessing secure areas of the website. By signing up for an account and using our services, you acknowledge and agree to the use of these essential cookies.

While you can typically configure your browser to refuse cookies or alert you when cookies are being sent, please be aware that disabling these essential cookies will likely affect the functionality of our website and may prevent you from using certain parts of our service. We do not use cookies for tracking user behavior for advertising or non-essential analytics purposes.

11. Links to Other Websites

Our website may contain links to other websites run by other organisations. This privacy notice applies only to our website. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy statements on other websites you visit.

12. Information Specific to the Cerebric EHR Platform

This section provides additional details for when Cerebric acts as a Data Processor for our client clinics.

Purpose of Processing: Cerebric processes patient data via its EHR platform solely on behalf of and as instructed by our client mental health clinics (the Data Controllers). The primary purpose is to accelerate administrative workflows, specifically for clinical report generation, through our AI-powered assistant. No patient data is used to train, develop, or improve our AI models; its use is strictly limited to assisting with the generation of content under the direct supervision of clinicians for specific patient cases.

Data Controller and Data Processor: In this context, the clinic is the Data Controller, and Cerebric Ltd is the Data Processor.

Data Processed: As detailed in section 3.2, this includes patient clinical documentation, clinician notes, consultation notes, informant reports, and potentially patient identifiers if provided by the clinic.

Data Security: We implement robust technical and organisational measures to protect patient data, as detailed in our Data Processing Agreement with clinics. These measures align with industry best practices and include:

  • Comprehensive staff training on data protection and security protocols.
  • Encryption of data at rest and in transit.
  • Strict Identity and Access Management (IAM) controls and role-based access.
  • Multi-Factor Authentication (MFA) for access to systems.
  • Regular, encrypted backups.
  • Audit logging.
  • Implementation of de-identification techniques for data when required for specific processing purposes as agreed with the Data Controller (the clinic) and detailed in the DPA, ensuring patient privacy is maintained.
  • Use of ISO27001-certified infrastructure.

Data Subject Rights (Patients): Patients wishing to exercise their data protection rights concerning data held within the Cerebric EHR Platform should contact their mental health clinic (the Data Controller) directly. Cerebric will provide full assistance to the clinic in responding to such requests.

Data Retention (Patient Data): Patient data is retained and disposed of strictly according to the instructions of the client clinic (Data Controller), typically in line with the NHS Records Management Code of Practice and as detailed in the DPA.

13. How to Make a Complaint

We strive to meet the highest standards when collecting and using personal information. If you have any concerns or complaints about our use of your personal information, please contact our Data Protection Officer in the first instance:

Email: support@cerebric.io

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

ICO website: www.ico.org.uk

ICO helpline: 0303 123 1113

14. Changes to This Privacy Notice

We keep this privacy notice under regular review and may update it from time to time. This version was last updated on the date shown at the beginning of this notice. Historic versions can be obtained by contacting us. Any changes will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

15. Glossary

Lawful Basis

  • Legitimate Interest: Means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
  • Performance of Contract: Means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
  • Comply with a legal or regulatory obligation: Means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

Other Terms

  • Controller: Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor: Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Personal Data: Means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.