Indra Clinic

Privacy Policy (GDPR)

Introduction


Indra Clinic (RPH Medica LTD, Company No. 1613066, “we”, “us”) is committed to protecting your personal data and complying with the UK GDPR and Data Protection Act 2018. This Privacy Policy explains how we collect, use, share, and safeguard your data.

Data controller


The data controller is RPH Medica LTD (Company No. 1613066), trading as Indra Clinic.


We utilise secure AI-assisted systems to support clinical documentation and patient monitoring. These systems operate under clinician oversight and in compliance with UK GDPR.


Information we collect


  • Personal details: name, address, date of birth, contact details.

  • Medical data: health records, consultation notes, prescriptions.

  • Payment information: billing details, transactions.

  • Technical data: IP address, device type, browser type, cookies.

  • AI-Generated Clinical Data: Structured summaries, extracted clinical information, questionnaire responses, and longitudinal progress metrics generated via our Clinical Intake AI systems (Summari and Q-Be™).

  • Communications: emails, calls, messages.


How we use your data


  • To deliver safe and effective medical care.

  • To manage appointments, prescriptions, and treatment.

  • To process payments and invoices.

  • To comply with legal and regulatory obligations.

  • To improve our website and services.

  • To generate structured clinical summaries from uploaded medical documents via our Clinical Intake AI (Summari).

  • To collect and analyse patient-reported outcomes and validated screening tools via Q-Be™, enabling longitudinal monitoring of symptom trends and treatment response.

  • To identify urgent clinical risks (for example, positive responses to suicidality screening questions) and trigger appropriate clinical review.

  • To send marketing communications (only with your consent).


Processing via Scriptie (Script-to-Invoice Engine)


When a prescription is issued, we share limited personal and clinical data (such as your name, email, and prescribed items) with our administrative partner, JRH Pharma Ltd (trading as JRH ICSP), to operate our Scriptie invoicing engine.


Purpose: This processing is strictly for the administrative purpose of generating accurate billing and facilitating payment for your medication.


Fulfilment: Data extracted by Scriptie is used to notify the Pharmacy of your paid order to allow for dispensing and delivery.


Data Protection: This data is processed in accordance with UK-GDPR and is hosted on secure UK-based servers.


Processing via Summari (Clinical Intake AI)


Summari is an AI-assisted clinical document intake engine developed and operated by JRH Pharma Ltd (trading as JRH ICSP) for exclusive deployment at Indra Clinic.


Purpose: Summari processes uploaded medical PDFs to extract structured clinical information and generate formatted summaries for inclusion in patient records (e.g., Semble).


Data Minimisation: Only information necessary for clinical documentation and patient record management is processed.


Security: Summari operates via secure Azure infrastructure hosted in the United Kingdom. No patient data is stored on public-facing servers.


Human Oversight: All AI-generated outputs are subject to clinician review before being relied upon for clinical decision-making.


Processing via Q-Be™ (Questionnaire & Outcome Engine)


Q-Be™ is a modular clinical questionnaire and patient-reported outcome (PRO) system developed by JRH Pharma Ltd (trading as JRH ICSP) for exclusive use at Indra Clinic.


Purpose: Q-Be™ collects structured questionnaire data (including validated tools such as PHQ-9 and GAD-7) to support clinical monitoring, treatment evaluation, and patient safety.


Automated Risk Flags: Certain responses (for example, positive suicidality indicators on PHQ-9) may trigger automated alerts to clinical staff to ensure timely review.


Data Storage: Questionnaire data is processed and stored within secure UK-based Microsoft Azure infrastructure.


Pseudonymised Analytics: Where data is used for service improvement or anonymised research purposes, identifying information is removed or pseudonymised in accordance with UK GDPR Article 89.


Legal basis for processing

We process data on the basis of:

  • Consent – when you give it explicitly.

  • Contract – to provide medical services.

  • Legal obligation – to comply with UK law and regulators.

  • Legitimate interests – improving and operating our services.

  • Automated Processing – Certain data may be processed using AI-assisted tools (Summari and Q-Be™) to structure clinical documentation and identify risk indicators. These systems support, but do not replace, clinical judgement.


Sharing your data

We may share data with:

  • Healthcare professionals involved in your care.

  • Pharmacies dispensing your medication.

  • Regulators (CQC, GMC, MHRA, ICO) where legally required.

  • Trusted service providers (including cloud hosting providers, AI processing infrastructure, IT support services, secure email providers, and payment systems).

  • We do not sell personal data.


International transfers

If data is transferred outside the UK/EEA, safeguards such as adequacy regulations or contractual clauses are used.


Data retention

  • Medical records: kept for at least 8 years (per NHS/GMC requirements).

  • Other data: retained only as long as necessary.


Data security

  • Encrypted storage and secure servers.

  • Strict access controls.

  • Regular audits and monitoring.


Your rights

You can:

  • Access your data.

  • Request corrections.

  • Request erasure (where legally possible).

  • Restrict or object to processing.

  • Request data portability.

  • Withdraw consent.

To exercise these rights, contact privacy@indra.clinic.


Complaints

If you are dissatisfied, you can complain to the Information Commissioner’s Office (ICO): www.ico.org.uk


Updates

We may update this Privacy Policy occasionally. The latest version will always be published on our website.