Chronicle Health

How Your Data Is Protected

This page describes the technical and organisational measures Chronicle Health uses to protect your health data during processing.

Single-Operator Model

Your data is handled by one person. There are no contractors or third parties with access to your health records. This eliminates the most common source of data breaches: unnecessary access.

What We Don’t Do with Your Data - Guaranteed

  • Sell it to anyone
  • Share your data with anyone other than the sub-processors listed on the privacy page
  • Use AI providers that retain or train on your data
  • Store health data on unencrypted devices or services
  • Commit it into source control (e.g. GitHub)
  • Process data outside the UK and EU
  • Retain your data beyond the agreed retention period
  • Use cookies, advertising, or third-party trackers on this website (we use only Cloudflare Web Analytics: cookieless, aggregate, no personal data)

Pseudonymisation Before AI Processing

Before any data is sent to an AI model, direct identifiers are removed:

  • Full name, date of birth, addresses, postcodes
  • Phone numbers, email addresses
  • NHS numbers, hospital/patient IDs

What remains is the clinical content: appointment dates, diagnoses, test results, medications, and clinical correspondence. This is pseudonymised data - it retains medical utility while removing the information that directly identifies you.

The removal process runs in two independent stages as a defence-in-depth measure. Medical details and event dates are retained because they are essential for producing a useful health record.

Pseudonymised data is not the same as anonymised data. Your medical history is inherently unique to you, and a sufficiently motivated person could theoretically re-identify you from clinical details alone. The pseudonymisation reduces risk; it does not eliminate it entirely.
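As an illustration of the two-stage removal described above (an added example, not Chronicle Health's own code): a shape-based first pass, an independent second pass keyed on identifiers collected at intake, and a release gate that refuses to forward text if anything survives either pass. The sample record, the patterns, the label names and the `KNOWN` intake dictionary are all constructed for this example.

```python
import re

# Constructed sample of the kind of text that reaches an AI transcription step.
# Fictional person and values, not a real record.
SAMPLE = (
    "Patient: Jane Example, DOB 14/03/1971, NHS No 943 476 5919\n"
    "Address: 1 Example Road, Anytown, AB1 2CD. Tel 07700 900123, jane@example.org\n"
    "12/05/2024 Outpatient review: HbA1c 58 mmol/mol. Continue metformin 500mg bd.\n"
)
# Identifiers collected from the client at intake (constructed); stage 2 keys off these.
KNOWN = {"NAME": "Jane Example", "ADDRESS": "1 Example Road, Anytown",
         "DOB": "14/03/1971", "NHS_NUMBER": "943 476 5919"}

# Stage 1: shape-based removal of identifiers that follow a recognisable format.
# The DOB pattern is anchored on a "DOB" label so that clinical event dates survive.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "PHONE": re.compile(r"(?:\+44\s?|\b0)\d{2,4}[\s-]?\d{3}[\s-]?\d{3,4}\b"),
    "NHS_NUMBER": re.compile(r"\b\d{3}[\s-]?\d{3}[\s-]?\d{4}\b"),
    "POSTCODE": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
    "DOB": re.compile(r"\bDOB[:\s]+\d{2}/\d{2}/\d{4}"),
}


def stage1_patterns(text: str) -> str:
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text


def stage2_known(text: str, known: dict) -> str:
    # Independent pass: catches free-form identifiers (names, street addresses)
    # that have no shape a regex can rely on, and anything stage 1 missed.
    for label, value in known.items():
        text = re.sub(re.escape(value), f"[{label}]", text, flags=re.IGNORECASE)
    return text


def is_clean(text: str, known: dict) -> bool:
    # Release gate: nothing goes to the model if any known value or pattern survives.
    if any(v.lower() in text.lower() for v in known.values()):
        return False
    return not any(p.search(text) for p in PATTERNS.values())


def pseudonymise(text: str, known: dict) -> str:
    out = stage2_known(stage1_patterns(text), known)
    if not is_clean(out, known):
        raise ValueError("direct identifiers still present; refusing to send")
    return out


if __name__ == "__main__":
    print(pseudonymise(SAMPLE, KNOWN))
```

Note that the event date `12/05/2024` and the clinical content survive while the labelled date of birth does not, which is the distinction the section draws.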

AI Processing Involves Zero Retention of Your Data by Any Third Party

AI-assisted processing (primarily transcription of handwritten clinical notes) uses AWS in the London region.

  • Zero data retention: Prompts and responses are not stored, logged, or used for model training by AWS or the underlying model provider
  • EU-only processing: Our technical policies enforce that all AI requests are routed to EU regions only. Non-EU requests are rejected at the AWS API level. This is enforced at two independent layers as a defence-in-depth measure
  • No international transfers: Your data does not leave the UK and EU during AI processing

Evidence for zero data retention and EU-only enforcement is available on request.

Note that if you choose to use consumer versions of AI services once you receive your data, then these guarantees will not apply. That’s within your control, not ours.

Storage During Processing

During an engagement, your identifiable health data is stored on a single dedicated processing device, plus Proton Drive (Proton AG, Switzerland). Proton uses end-to-end encryption with a zero-access architecture, so your data is encrypted and Proton holds no decryption keys. The UK-Switzerland data adequacy decision means no additional transfer safeguards are required.

No health data is stored on third-party servers, cloud platforms, or SaaS tools other than Proton and AWS (which retains nothing).

Device Security

  • Full-disk encryption (AES-256) protects the processing device when powered off or closed
  • Biometric authentication and automatic screen lock
  • Multi-factor authentication on all systems that access client data
  • Separate user accounts for daily work and system administration

Data Deletion

All identifiable data, including any identity documents provided for SARs, is deleted at the first scheduled fortnightly deletion sweep falling on or after 14 days from delivery of your personal health record (so at most 28 days after delivery), or immediately on request. See the Privacy Notice for the full retention policy.

Delivering Your Finished Record

Your finished health record is delivered as a single file (a ‘zip’ file). Before delivery you make two choices, recorded on your contract:

  • Encryption. By default your pack is encrypted with AES-256 and protected by a password, so that not even your email provider can read the contents. The password is sent to you separately over WhatsApp, never in the same message as the file. You can opt out if you would prefer an unencrypted file.
  • Delivery method. By default we send the pack as an email attachment. You can instead choose a secure, time-limited download link, so that no copy of your records sits in your mailbox at all.

We default both choices to the more protective option. We also believe security should never lock you out of your own record: if an encrypted pack is ever difficult to open on your device, tell us and we will send an unencrypted copy.

Communication Channels

Email (ProtonMail) and WhatsApp are used for client communication. WhatsApp is used for administrative conversation only: scheduling, questions, updates. No health data, identity documents, or files containing personal data are sent or received via WhatsApp. The one exception is the password for an encrypted pack, which is itself not health data; how the pack is delivered is described under “Delivering Your Finished Record” above.

Encryption Summary

  • In transit: All data transfers use TLS encryption
  • At rest (local): Full-disk encryption (AES-256) on the processing device
  • At rest (cloud): Proton Drive end-to-end encryption with zero-access architecture - Proton cannot read your files, and neither can anyone who compromises their servers
  • Email: ProtonMail end-to-end encryption for any communication containing your data

What We Don’t Control

The measures above cover everything within Chronicle Health’s security boundary. However, we cannot control how data controllers (such as GP practices and hospital trusts) transmit your records to us in response to a Subject Access Request. Some practices send records via secure portals or secure download links with passworded files; others use email. If you have concerns about how your practice handles data in transit, you are welcome to raise this with them directly, or contact us.

Further Information

  • Privacy Notice - how we handle your data as controller and processor
  • Compliance and Regulatory Status - our regulatory position
  • Terms of Service - your contractual rights

A Data Protection Impact Assessment (DPIA) has been completed for the processing described on this page and a copy is available on request. If you have questions about any of these measures, get in touch.

© 2026 Chronicle Health. All rights reserved.

Personal health data organisation service. Not a medical device.

Registered in England & Wales. Company No. 16934023 | ICO Registration No. ZC084723

71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ