NHS DTAC 2.0 Compliant

Privacy Notice

Version 1.0 — Effective 6 April 2026 — Last reviewed 4 April 2026

1. Data Controller

Clarifia Ltd (“we”, “us”, “our”) is the Data Controller for all personal data processed through this service. We are registered with the Information Commissioner’s Office (ICO) under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Protection Officer: governance@clarifia.ai
ICO Registration Number: [Pending registration]

2. Sovereign Data Guarantee

Your data never leaves the United Kingdom.

All personal and clinical data processed by Clarifia is stored exclusively in AWS London (eu-west-2), a UK-domiciled data centre operated by Amazon Web Services EMEA SARL (UK Branch). No data is replicated, transferred, or accessible from any region outside the United Kingdom.

Storage region: AWS eu-west-2 (London, United Kingdom) — sole and exclusive
Encryption at rest: AES-256-GCM
Encryption in transit: TLS 1.3 (minimum)
Database: Supabase (London region instance)
Edge compute: Vercel lhr1 (London) — region lock enforced at infrastructure and middleware layers
No third-party analytics: No Google Analytics, Google Fonts, or any US-domiciled CDN is loaded by this service

This guarantee is technically enforced, not merely contractual. Region binding is applied at the deployment configuration layer (Vercel regions: ["lhr1"]) and at the application middleware layer, both independently rejecting requests served from outside London.

3. Data We Collect

Clarifia processes the following categories of data to provide SDEC decision support:

Category	Examples	Legal Basis (UK GDPR)
Clinician identity	Name, NMC/GMC number, trust email	Art. 6(1)(b) — Contract
Clinical decision data	SDEC pathway selections, triage outputs	Art. 9(2)(h) — Healthcare
Audit trail	Timestamps, user ID, action taken	Art. 6(1)(c) — Legal obligation (DCB0129)
Technical data	Session tokens (AES-256 encrypted, zero-PII logs)	Art. 6(1)(f) — Legitimate interests

4. How We Protect Your Data

Clarifia employs defence-in-depth security controls aligned with NHS Cyber Essentials Plus and the DSPT (Data Security and Protection Toolkit):

Encryption at rest: AES-256-GCM (AWS KMS, customer-managed keys stored in eu-west-2)
Encryption in transit: TLS 1.3 enforced via HSTS (max-age 63,072,000 seconds; preload)
Access control: Role-based access, MFA mandatory for all clinical users
Zero-PII logging: Application logs contain no patient-identifiable information
Content Security Policy: Strict CSP blocks all external scripts, fonts, and third-party connections
Penetration testing: Annual CREST-accredited assessment

5. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of access — Request a copy of your data (Art. 15)
Right to rectification — Correct inaccurate data (Art. 16)
Right to erasure — Request deletion where no legal obligation requires retention (Art. 17)
Right to restriction — Limit processing in certain circumstances (Art. 18)
Right to portability — Receive data in a structured, machine-readable format (Art. 20)
Right to object — Object to processing based on legitimate interests (Art. 21)

To exercise any of these rights, contact: governance@clarifia.ai. We will respond within 30 days. You have the right to lodge a complaint with the ICO at ico.org.uk.

6. Data Retention

Clinical audit data is retained for 8 years from the date of the clinical episode, in line with NHS Records Management Code of Practice 2021. Clinician account data is deleted within 30 days of account closure. All deletion is cryptographic (AES-256 key destruction).

7. Contact & Policy Updates

This notice was last updated on 4 April 2026. We will notify registered users of material changes by email at least 30 days before they take effect.

Postal address: Clarifia Ltd, [Registered Address], United Kingdom
Email: governance@clarifia.ai