ClinicalAssist

Privacy & Data Handling

Last updated: 8 March 2026

At a glance

  • Your account profile is stored in Firebase Authentication and Firestore.
  • Your in-progress assessment workspace is cached locally in your browser.
  • If you run AI analysis, ask follow-up questions, or generate exports, the relevant assessment content is transmitted to ClinicalAssist server routes to fulfil that request.
  • AI requests are routed through Vercel AI Gateway to OpenAI and Anthropic. Those providers say API/customer data is not used for model training by default.
  • ClinicalAssist is not a patient record system and does not store assessment drafts in Firestore.

Looking for the enterprise-facing summary? See the Enterprise Data Protection Policy (EDP).

1. Who we are

ClinicalAssist provides an AI-powered clinical decision support tool for UK healthcare professionals. For privacy or data protection queries, contact hello@clinicalassist.io.

2. Data we collect

Account and onboarding data: when you register, we collect your email address and display name. During onboarding we also collect your clinical role, country, work setting, and organisation so the app can tailor outputs to your context.

Browser-stored workspace data: the app saves your in-progress assessment, analysis output, follow-up chat, selected medications and management actions, custom templates, role/country/location cache, and certain interface preferences in browser storage on your device.

Clinical content you choose to process: if you use AI analysis, follow-up questions, or document export, the relevant assessment content is sent to our backend endpoints so we can generate the requested output.

Usage analytics: we use Vercel Analytics and Vercel Speed Insights to understand traffic and performance.

3. Where data is stored

Firebase Authentication: manages sign-in, password resets, and Google sign-in.

Firestore: stores your user profile record. Firestore rules in this application restrict profile access to the signed-in user who owns that document.

Browser storage: stores the working assessment session and templates locally on your device so the workflow can resume if you navigate away and return.

No server-side assessment database: this codebase does not store assessment drafts in Firestore or another ClinicalAssist database. Assessment content is processed when you invoke AI or export features, but it is not persisted as a patient record in the application database.

4. How AI requests are handled

When you ask ClinicalAssist to analyse an assessment, answer a follow-up question, or generate a response that depends on model output, the relevant request content is sent to our `/api/chat` endpoint and then routed through Vercel AI Gateway.

ClinicalAssist currently uses OpenAI and Anthropic models via the Vercel AI Gateway. Based on the providers' published documentation as of 8 March 2026:

  • OpenAI says customer data sent via the API is not used to train OpenAI models by default. OpenAI also says API data may be retained for abuse and misuse monitoring for up to 30 days unless a separate agreement applies.
  • Anthropic says it does not train on customer data from the Anthropic API by default and says prompts and outputs are deleted from its backend within 30 days unless a longer period is required for security, legal, or contractual reasons.
  • Vercel documents AI Gateway as using zero data retention by default, meaning prompts and responses are deleted after the request completes. Downstream model providers may still apply their own retention policies.

Because AI requests leave your device when you use these features, you should avoid entering direct patient identifiers unless your organisation's governance process explicitly allows it.

5. Export generation

If you generate a PDF, DOC, or TXT export, the data required for that document is sent to our export endpoint so the file can be produced and returned to you. In this codebase the export route performs transient processing only; it does not write export data into a dedicated database.

6. How we use your data

  • To authenticate you and maintain your ClinicalAssist account.
  • To tailor role, country, and location-aware decision support.
  • To preserve your in-progress session locally in your browser.
  • To generate AI analysis, follow-up answers, and export documents when you request them.
  • To monitor performance and improve the service using analytics and operational telemetry.
  • To respond to support, legal, and security issues.

7. Processors and service providers

  • Google Firebase / Google Cloud: authentication and Firestore profile storage.
  • Vercel: application hosting, analytics, speed insights, and AI Gateway routing.
  • OpenAI: model processing for part of the AI workflow.
  • Anthropic: model processing for structured analysis in part of the AI workflow.

8. Retention

User profile data: retained while your account remains active, subject to support, legal, and operational requirements.

Browser-stored workspace data: remains on your device until you clear browser storage, overwrite it with a new session, or remove saved templates and preferences.

AI request and provider retention: follows the provider policies described above.

Deletion requests: there is not currently a self-serve account deletion tool in the app. If you need your account/profile data deleted, contact us at hello@clinicalassist.io.

9. Legal basis

  • Contract: to provide the service you have signed up to use.
  • Legitimate interests: to secure, monitor, and improve the service.
  • Consent or local policy controls: where a separate consent basis is required by your organisation or applicable law.

10. Security

We use HTTPS in transit, Firebase Authentication for sign-in, and Firestore rules that limit user-profile access to the authenticated owner. No system is risk-free, so you should use ClinicalAssist in line with local governance, minimise identifiers, and apply professional judgement to all outputs.

11. Your rights

Under UK GDPR, you may have rights to:

  • access the personal data we hold about you
  • correct inaccurate information
  • request deletion or restriction of processing
  • object to certain processing
  • request portability where applicable
  • complain to the Information Commissioner's Office

12. Changes to this policy

We may update this page as the product, infrastructure, or processor relationships change. Material updates will be reflected in the date at the top of this page.

ClinicalAssist is a decision support tool only and does not replace clinical judgement. Read full disclaimer