At Citrus AI, we prioritize data protection, security, and regulatory compliance in all aspects of our AI-powered medical scribing and Intelligent Medical Records search platform. We are fully committed to adhering to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring that patient and clinician data is handled with transparency, security, and integrity.
This page outlines how Citrus AI aligns with GDPR principles and maintains high standards of data protection for our users.
1. Lawful, Fair & Transparent Data Processing
Citrus AI processes personal and health-related data only when legally justified. Our lawful basis for processing data includes:
● Consent – When users provide explicit consent to use our AI-powered Assistant.
● Contractual Necessity – When processing is required to deliver our services as agreed with healthcare organizations or individual users.
● Legitimate Interest – When processing data is necessary for platform improvement, provided that users’ rights and freedoms are not compromised.
We ensure full transparency by clearly explaining:
● What data we collect
● Why we collect it
● How it is used
● Who it is shared with
This information is communicated via our Privacy Policy and Terms of Service.
2. Data Minimization & Purpose Limitation
Citrus AI follows the principle of data minimization, meaning we only collect and process the data necessary to provide our clinic workflow assistant services effectively.
● We DO NOT collect unnecessary patient information beyond what is needed for clinic workflow assistance.
● Data is ONLY used for its intended purpose and not repurposed for marketing or unrelated activities.
● If de-identified or anonymized data is used for AI model improvement, it is handled under strict compliance controls.
3. Data Security & Protection Measures
We implement robust security measures to protect personal and medical data from unauthorized access, loss, or misuse. These include:
● Encryption in Transit and at Rest – All data is encrypted while in transit and while stored, using industry-standard security protocols.
● Access Controls – Only authorized personnel can access sensitive data.
● Data Breach Response Plan – In the event of a breach, we have a rapid incident response process in place to notify affected users and regulatory authorities as required, including the ICO within the 72-hour window that UK GDPR sets for reportable breaches.
4. Individual Rights Under GDPR
Citrus AI fully supports individuals’ rights under UK GDPR, ensuring users have control over their data.
Users can request to:
● Access – Obtain a copy of their personal data processed by Citrus AI.
● Rectify – Request corrections to any inaccurate or incomplete data.
● Erase ("Right to be Forgotten") – Request deletion of personal data when legally applicable.
● Restrict Processing – Limit the way we use their data in certain circumstances.
● Data Portability – Request their data in a structured, machine-readable format for transfer to another provider.
● Object – Opt out of data processing activities where applicable.
To exercise these rights, users can contact our Data Protection Officer (DPO) at admin@getcitrus.ai.
5. Data Storage & Retention Policies
Citrus AI only stores data for as long as necessary to fulfill our contractual and legal obligations. Our retention policy ensures:
● Clinical records are only stored as required by relevant healthcare regulations.
● When data is no longer needed, it is automatically and securely deleted within 15 days.
● Users can request early deletion of their data, subject to compliance with medical record-keeping laws.
6. Third-Party Data Sharing & International Transfers
Citrus AI does not sell or share personal data with third-party advertisers.
● Trusted Service Providers: We may share data with approved third-party vendors (e.g., cloud hosting providers) who must meet our strict GDPR-compliant security standards.
● NHS & Healthcare Organizations: When integrated with NHS services or private healthcare providers, data is shared only under contractual agreements that comply with GDPR.
● International Data Transfers: If any data is processed outside the UK, we ensure adequate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or transfer only to countries covered by UK adequacy regulations.
7. Compliance with UK Data Regulators
Citrus AI is fully registered with the UK Information Commissioner’s Office (ICO) and adheres to all regulatory guidance on health data processing.
If you have any concerns regarding your data rights, you may contact the ICO or our Data Protection Officer (DPO) at admin@getcitrus.ai.
8. Ongoing Compliance & Updates
We continuously review and update our GDPR compliance policies in line with evolving UK data protection laws and industry best practices. Any major updates will be communicated transparently to our users.
Citrus AI: AI-Powered Clinic Assistant with Full GDPR Compliance
We are committed to responsible AI, patient data security, and full transparency in how we handle medical records. Our GDPR-compliant approach ensures that both clinicians and patients can trust our platform with sensitive healthcare data.