Privacy Policy

1. Introduction

Welcome to Ask Your Surgeon. We are committed to protecting your privacy and personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our service.

Ask Your Surgeon is an educational chatbot designed to provide evidence-based urology information to patients after diagnosis. We are not a diagnostic tool or a replacement for professional medical advice.

2. Information We Collect

2.1 Personal Information

• Name and email address (provided during registration)
• Medical condition information (voluntarily provided in your profile)
• Reading level and language preferences
• Authentication data (encrypted password)

2.2 Usage Information

• Questions you ask the chatbot
• Chatbot responses and conversation history
• Session timestamps
• IP address (hashed for security logging only, not stored in raw form)

3. How We Use Your Information

We use your information to:

• Provide personalised educational information relevant to your condition
• Improve the accuracy and relevance of chatbot responses
• Enable clinicians to view conversations with their linked patients (with your consent)
• Monitor service quality and usage patterns
• Comply with legal and regulatory requirements

4. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: All data is encrypted in transit (HTTPS/TLS) and at rest
• Access Control: Application-level access controls and parameterised queries ensure you can only access your own data
• Authentication: Secure email/password authentication (bcrypt hashed)
• Database Security: Azure SQL Database hosted in UK South with Transparent Data Encryption (TDE)
• Limited Access: Only authorized personnel can access backend systems

5. Data Sharing

We do not sell or share your personal data with third parties, except:

• Your Clinician: If you link your account to a clinician, they can view your conversation history
• Service Providers: We use Microsoft Azure (UK South) for database hosting and OpenAI for chatbot responses (no patient identifiers sent to OpenAI)
• Legal Requirements: We may disclose data if required by law or to protect user safety

6. Your Rights

You have the right to:

• Access: View all personal data we hold about you
• Correction: Update or correct your profile information
• Deletion: Request deletion of your account and all associated data
• Data Portability: Download a copy of all your data via your profile
• Withdraw Consent: Unlink from your clinician at any time

To exercise these rights, contact us at askyoursurgeonteam@gmail.com.

7. Data Retention

• Chat History: Retained for 24 months from your last interaction, then automatically deleted
• Patient Profiles: Retained while your account is active, plus 30 days after account deletion
• Consent Forms: Retained for 8 years from signing or retraction, in line with NHS Records Management Code of Practice
• Audit Logs: Retained for 7 years for regulatory compliance
• Inactive Accounts: You will be notified after 18 months of inactivity. Accounts are deleted after 24 months of inactivity
• Deleted Accounts: All data permanently deleted upon account deletion (except consent forms and audit logs, which are retained per the periods above)

8. Cookies and Tracking

We use essential cookies for:

• Session management (keeping you logged in)
• Security (CSRF protection)
• User preferences (text size, language, audio settings)

We do not use advertising or analytics cookies.

9. Third-Party Services (Sub-Processors)

• Microsoft Azure: Database hosting (Azure SQL, UK South region) and application hosting (Azure App Service, UK South). Microsoft Data Protection Agreement applies.
• OpenAI: Powers the chatbot responses. Only your question text and retrieved clinical context are sent — no patient identifiers (name, email, NHS number, DOB) are included. OpenAI Data Processing Agreement applies.
• Azure Speech Services: Text-to-speech accessibility feature. Only response text is sent — no patient identifiers. Hosted in UK South.

10. Children's Privacy

Our service is designed for adults (18+) or children using the service under parental/guardian supervision. We do not knowingly collect data from children under 13 without parental consent.

11. International Data Transfers

Your data is stored on Azure SQL Database servers in the UK South (London) region. When you ask a question, the question text and retrieved clinical context passages are sent to OpenAI's API for response generation, which may involve processing outside the UK. No patient identifiers are included in these requests. Appropriate safeguards including standard contractual clauses and data processing agreements are in place.

12. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this privacy policy or how we handle your data, please contact:

Email: askyoursurgeonteam@gmail.com

14. Legal Basis for Processing

We process your data under the following legal bases:

• Health data: Explicit consent under UK GDPR Article 9(2)(a). You provide this consent when setting up your clinical profile.
• Account management: Legitimate interest under UK GDPR Article 6(1)(f), necessary for service delivery and security.
• Clinician access: Your explicit consent when you link your account to a specific clinician. You can unlink at any time.

15. Regulatory Compliance

• UK GDPR: We comply with the UK General Data Protection Regulation
• UK Data Protection Act 2018: We comply with UK data protection laws
• NHS Data Security Standards: We follow NHS guidelines for patient data protection

16. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Helpline: 0303 123 1113

Home