Indra Clinic

Privacy Policy (GDPR)

Introduction


Indra Clinic (RPH Medica LTD, Company No. 1613066, “we”, “us”) is committed to protecting your personal data and complying with the UK GDPR and Data Protection Act 2018. This Privacy Policy explains how we collect, use, share, and safeguard your data.

Data controller


Data Controller


The data controller responsible for your personal data is:

RPH Medica Ltd

Company No: 16130663

Trading as Indra Clinic


RPH Medica Ltd determines the purposes and means of processing your personal data in connection with the healthcare services provided by Indra Clinic.


For any questions regarding data protection or this Privacy Policy, you may contact us at:

Email: privacy@indra.clinic

Website: https://indra.clinic


Data Processors


Certain services used by the clinic are operated by trusted technology partners acting as data processors on behalf of Indra Clinic.

These include JRH Pharma Ltd (trading as JRH ICSP), which develops and operates certain clinical workflow systems used by the clinic (including Indra Scribe™, Summari™, Scriptie™, and Q-Be™). These systems operate under strict contractual data processing agreements and comply with UK GDPR requirements.


We utilise secure AI-assisted systems to support clinical documentation, patient monitoring, and structured analysis of clinical information.


Use of Artificial Intelligence


Indra Clinic uses AI-assisted tools to support certain administrative and clinical documentation processes. These systems may assist with:


• clinical transcription and note structuring

• extraction of information from medical documents

• analysis of questionnaire responses

• identification of clinical risk indicators.


AI systems used by the clinic operate under strict human clinical oversight and do not independently diagnose conditions or determine treatment. All outputs are reviewed by qualified clinicians before being relied upon for clinical decision-making.


Information we collect


  • Personal details: name, address, date of birth, contact details.

  • Medical data: health records, consultation notes, prescriptions.

  • Payment information: billing details, transactions.

  • Technical data: IP address, device type, browser type, cookies.

  • Audio Data: Temporary live audio recordings captured during consultations strictly for the purpose of generating clinical transcripts (recordings are not retained).

  • AI-Generated Clinical Data: Structured summaries, extracted clinical information, questionnaire responses, and longitudinal progress metrics generated via our Clinical Intake AI systems (Summari and Q-Be™).

  • Communications: emails, calls, messages.


How we use your data


  • To deliver safe and effective medical care.

  • To manage appointments, prescriptions, and treatment.

  • To process payments and invoices.

  • To comply with legal and regulatory obligations.

  • To improve our website and services.

  • To generate structured clinical summaries from uploaded medical documents via our Clinical Intake AI (Summari).

  • To collect and analyse patient-reported outcomes and validated screening tools via Q-Be™, enabling longitudinal monitoring of symptom trends and treatment response.

  • To identify urgent clinical risks (for example, positive responses to suicidality screening questions) and trigger appropriate clinical review.

  • To send marketing communications (only with your consent).


Processing via Indra Scribe (AI Transcription & Summarisation)


Indra Scribe is a proprietary AI-assisted clinical transcription and documentation tool developed by JRH Pharma Ltd (trading as JRH ICSP) for exclusive use at Indra Clinic.


Purpose: Indra Scribe securely captures live audio during your consultation to generate verbatim transcripts, speaker-diarised dialogue, and structured clinical summaries for your patient record.


Audio Processing & Data Minimisation: Audio recordings are processed in secure, encrypted segments. The raw audio files are strictly temporary; they are permanently deleted from the processing servers immediately after the text transcript is successfully generated.

Security: The system operates via secure, enterprise-grade Microsoft Azure infrastructure. Your consultation audio and resulting transcripts are strictly confidential and are never used to train public or third-party AI models.


Human Oversight: Indra Scribe is an assistive tool that does not replace clinical judgement. All AI-generated transcripts and clinical summaries must be rigorously reviewed, edited, and manually verified for accuracy by your attending clinician before being permanently saved to your electronic health record.


Processing via Scriptie (Script-to-Invoice Engine)


When a prescription is issued, we share limited personal and clinical data (such as your name, email, and prescribed items) with our administrative partner, JRH Pharma Ltd (trading as JRH ICSP), to operate our Scriptie invoicing engine.


Purpose: This processing is strictly for the administrative purpose of generating accurate billing and facilitating payment for your medication.


Fulfilment: Data extracted by Scriptie is used to notify the Pharmacy of your paid order to allow for dispensing and delivery.


Data Protection: This data is processed in accordance with UK-GDPR and is hosted on secure UK-based servers.


Processing via Summari (Clinical Intake AI)


Summari is an AI-assisted clinical document intake engine developed and operated by JRH Pharma Ltd (trading as JRH ICSP) for exclusive deployment at Indra Clinic.


Purpose: Summari processes uploaded medical PDFs to extract structured clinical information and generate formatted summaries for inclusion in patient records (e.g., Semble).


Data Minimisation: Only information necessary for clinical documentation and patient record management is processed.


Security: Summari operates via secure Azure infrastructure hosted in the United Kingdom. No patient data is stored on public-facing servers.


Human Oversight: All AI-generated outputs are subject to clinician review before being relied upon for clinical decision-making.


Processing via Q-Be™ (Questionnaire & Outcome Engine)


Q-Be™ is a modular clinical questionnaire and patient-reported outcome (PRO) system developed by JRH Pharma Ltd (trading as JRH ICSP) for exclusive use at Indra Clinic.


Purpose: Q-Be™ collects structured questionnaire data (including validated tools such as PHQ-9 and GAD-7) to support clinical monitoring, treatment evaluation, and patient safety.


Automated Risk Flags: Certain responses (for example, positive suicidality indicators on PHQ-9) may trigger automated alerts to clinical staff to ensure timely review.


Data Storage: Questionnaire data is processed and stored within secure UK-based Microsoft Azure infrastructure.


Pseudonymised Analytics: Where data is used for service improvement or anonymised research purposes, identifying information is removed or pseudonymised in accordance with UK GDPR Article 89.


Clinical Audit, Service Improvement and Research


We may use anonymised or pseudonymised clinical data derived from patient records, questionnaires, and treatment outcomes for the purposes of:


• clinical audit

• service evaluation

• quality improvement

• epidemiological or medical research.


Wherever reasonably possible, identifying information is removed prior to such use. Aggregated or anonymised findings may be used for academic publications, presentations, or educational purposes intended to improve patient care.

This secondary use of data does not affect the care you receive.


Legal basis for processing

We process personal data under the following lawful bases under UK GDPR Article 6:

Consent – where you explicitly consent to specific processing activities (such as marketing communications).
Contract – where processing is necessary to provide healthcare services requested by you.
Legal obligation – where processing is necessary to comply with regulatory obligations (for example, CQC or safeguarding requirements).
Legitimate interests – where processing is necessary to operate, improve, and secure our services.

Because medical information constitutes special category personal data, we process this data under Article 9(2)(h) of UK GDPR: processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or treatment.


This processing is carried out by or under the responsibility of healthcare professionals subject to duties of confidentiality.


Sharing your data

We may share data with:

  • Healthcare professionals involved in your care.

  • Pharmacies dispensing your medication.

  • Regulators (CQC, GMC, MHRA, ICO) where legally required.

  • Trusted service providers (including cloud hosting providers, AI processing infrastructure, IT support services, secure email providers, and payment systems).

  • We do not sell personal data.


International transfers

We primarily store and process personal data within the United Kingdom.


In limited circumstances, certain service providers may process data outside the UK or European Economic Area. Where this occurs, we ensure appropriate safeguards are in place, including:


• adequacy regulations recognised by the UK government
• Standard Contractual Clauses approved by the UK Information Commissioner
• equivalent contractual safeguards ensuring an appropriate level of data protection.


Your rights

You can:

  • Access your data.

  • Request corrections.

  • Request erasure (where legally possible).

  • Restrict or object to processing.

  • Request data portability.

  • Withdraw consent.

To exercise these rights, contact privacy@indra.clinic.


Complaints

If you are dissatisfied, you can complain to the Information Commissioner’s Office (ICO): www.ico.org.uk


Updates

We may update this Privacy Policy occasionally. The latest version will always be published on our website.