Citrus Ai
UK GDPR COMPLIANCE POLICY
Citrus AI is committed to protecting the privacy and confidentiality of patient and healthcare provider data. As an AI-powered medical scribing solution, we adhere to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the secure and lawful processing of personal and sensitive data.
This policy outlines how Citrus AI collects, processes, and protects personal data in compliance with UK GDPR.
Citrus AI operates as a data processor when handling patient data on behalf of healthcare providers and as a data controller when managing user accounts and service-related data.
1. Legal Basis for Processing Personal Data
Under UK GDPR, Citrus AI processes personal data based on the following lawful grounds:
Lawful Basis | Application to Citrus AI |
Legitimate Interest | AI-assisted transcription and health record analysis for healthcare providers to streamline documentation. |
Performance of a Contract | Providing our AI-powered services as per user agreements. |
Legal Obligation | Compliance with medical, regulatory, and data protection laws. |
Consent | When users opt-in for additional features, marketing, or research initiatives. |
Citrus AI does not use patient data for advertising or non-healthcare purposes.
2. Data We Process
Citrus AI processes the following types of data:
2.1 Personal Data
Healthcare provider information (e.g., name, email, role, clinic details).
User account data (e.g., login credentials, subscription details).
2.2 Special Category Data (Sensitive Health Data)
Patient consultation transcripts (AI-generated notes from clinical encounters).
Medical history and diagnoses (as dictated/uploaded by healthcare providers).
We never process genetic, biometric, or non-essential health data.
3. How We Protect Your Data
Citrus AI employs robust security measures to safeguard personal data, including:
● Encryption – Data is encrypted in transit and at rest.
● Access Controls – Access is restricted according to user role.
● Audit Logs & Monitoring – Access is logged and continuously monitored to detect unauthorized activity.
● Data Breach Response Plan – A defined incident response process is followed in the event of a security incident.
For detailed security measures, visit our [Security & Compliance Page].
4. Data Sharing & Third-Party Processing
Citrus AI does not sell or share patient data with unauthorized third parties.
We only share data with:
● Cloud storage providers (for encrypted data storage).
● Healthcare IT integrations (with user consent).
● Regulatory authorities (if legally required).
All third-party processors undergo rigorous security audits and sign Data Processing Agreements (DPAs).
5. Data Retention Policy
Citrus AI retains personal and special category data only as long as necessary:
● User account data: Retained for the duration of the subscription + 12 months for auditing.
● Patient data: Retained for 15 days, then automatically deleted.
● Legal & compliance records: Retained per regulatory requirements.
Users can request early deletion of their data by contacting admin@getcitrus.ai.
6. Your Rights Under UK GDPR
Under UK GDPR, users and patients have the following rights regarding their personal data:
Right | Description |
Right to Access | Request a copy of personal data processed by Citrus AI. |
Right to Rectification | Correct inaccurate or incomplete data. |
Right to Erasure (Right to Be Forgotten) | Request deletion of data if no longer necessary. |
Right to Restrict Processing | Limit how data is processed under certain conditions. |
Right to Data Portability | Receive a copy of data in a structured, commonly used format. |
Right to Object | Object to processing based on legitimate interest. |
Rights Related to Automated Decision-Making | Request human intervention in AI-driven processing. |
To exercise your rights, email admin@getcitrus.ai.
7. International Data Transfers
Citrus AI stores and processes data within the UK & EEA to ensure compliance with UK GDPR.
For data transfers outside the UK/EEA, we ensure:
● UK adequacy regulations or, where none apply, appropriate safeguards such as the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs).
● Encryption & access controls for secure transfers.
We never store patient data in regions with inadequate data protection laws.
8. Data Breach Reporting
Citrus AI has a strict incident response plan:
If a data breach occurs, we will:
1. Investigate, contain, and assess the risk to affected individuals.
2. Notify affected healthcare providers (the data controllers) without undue delay, and, where Citrus AI acts as controller, report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals, as UK GDPR requires.
3. Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
4. Mitigate damage and strengthen security controls.
For reporting a data breach, contact admin@getcitrus.ai.
9. Compliance Audits & Certifications
To maintain regulatory compliance, Citrus AI undergoes:
● Regular UK GDPR & Data Protection Act audits.
● Independent security assessments.
● Penetration testing to identify vulnerabilities.
For compliance documentation, request a report at admin@getcitrus.ai.