1. Who we are and who controls your data

This notice covers two data controllers whose activities are connected through the Patient Thread platform. Depending on how you interact with us, one or both entities may hold data about you.

Data Controller

Patient Thread Ltd

Registered in England and Wales. Company number 17167409. Registered office: Aston Park Farm, Stringers Lane, Aston, Hertfordshire, SG2 7EF. Controls data relating to clinician accounts, subscriptions, and communications with Patient Thread.

Data Controller

Lawrence Medical Limited

Registered in England and Wales. Company number 08316952. Controls all clinical patient data processed within Patient Thread when used by Dr Christopher Lawrence and his practice, Herts Kidney Care.

Both companies are registered with the Information Commissioner's Office (ICO). Lawrence Medical Limited's ICO registration number is ZA053166.

To contact us about your data: chris@patientthread.com

2. What data we collect and why

A. Clinician and practice data

Patient Thread Ltd is the data controller for this category.

When a clinician or practice subscribes to Patient Thread, we collect:

We use this data to provide and administer your subscription, issue invoices, communicate service updates, and comply with our legal obligations.

B. Patient data

Lawrence Medical Limited is the data controller for this category.

When Patient Thread is used to manage patient care, the following categories of personal data are processed:

C. AI scribe and video transcription

Where the AI clinical scribe feature is used during your consultation, the audio is transmitted to a third-party transcription service (Deepgram) and converted to text. Before that text is passed to an AI system (Anthropic Claude) for draft note generation, all known patient identifiers — including name, NHS number, and dates of birth — are automatically replaced with anonymised placeholders. Claude therefore receives pseudonymised clinical content only, not identifiable data. The raw audio is deleted as soon as the transcript is written. The transcript itself is not stored. The AI-generated draft note is reviewed and edited by your clinician before forming any part of your permanent record.

3. How long we keep your data

4. Who we share your data with

We do not sell personal data. We share data only with sub-processors engaged to deliver the Patient Thread service. All sub-processors are bound by data processing agreements requiring them to process data only on our written instructions and to maintain appropriate security standards.

Sub-processor | Role | Location
Supabase Inc | Database hosting and file storage | United States (data stored on EU servers, Frankfurt)
Netlify Inc | Web application hosting | United States (EU infrastructure)
Anthropic Inc | AI processing for clinical scribe draft generation | United States
Deepgram Inc | Audio transcription for AI scribe and video consultations | United States
Daily.co Inc | Video consultation infrastructure | United States
Stripe Inc | Payment processing for clinician subscriptions | United States
Healthcode Ltd | Private medical insurance billing | United Kingdom
Apple Inc | iOS app distribution via the App Store | United States

We may also disclose personal data where required to do so by law, by court order, or where necessary to protect the vital interests of a patient.

5. International data transfers

Several of our sub-processors are headquartered in the United States. The United Kingdom has not adopted a general adequacy decision covering US organisations. Where we transfer personal data to US-based processors, we rely on the UK International Data Transfer Agreement (UK IDTA) or the equivalent approved transfer mechanism incorporated into each sub-processor's data processing agreement.

Clinical audio and consultation content transmitted to Anthropic (Claude) and Deepgram is processed solely for the purpose of generating a draft clinical note. Neither processor retains data beyond the duration of the immediate processing request, in accordance with their respective data processing agreements and usage policies.

All primary patient record data is stored on European infrastructure (Frankfurt, Germany) and does not leave the European Economic Area for storage purposes.

6. Security

We implement the following technical and organisational measures to protect personal data:

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and affected individuals without undue delay where the risk is high.

7. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

Right of access

Request a copy of the personal data we hold about you (a Subject Access Request).

Right to rectification

Ask us to correct inaccurate or incomplete personal data.

Right to erasure

Ask us to delete your data. Note: we are legally required to retain clinical records for minimum periods and cannot always comply with erasure requests for health records.

Right to restriction

Ask us to restrict processing of your data in certain circumstances.

Right to portability

Receive data you have provided to us in a structured, machine-readable format.

Right to object

Object to processing based on legitimate interests.

To exercise any of these rights, contact us at chris@patientthread.com. We will respond within one calendar month. There is no charge for making a request.

8. Complaints

If you are unhappy with how we have handled your personal data, please contact us first at chris@patientthread.com. We take all complaints seriously and will respond within 14 days.

You also have the right to lodge a complaint directly with the Information Commissioner's Office:

Information Commissioner's Office (ICO)

ico.org.uk

Telephone: 0303 123 1113

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

9. Cookies

The Patient Thread web application uses only technically necessary session cookies required for authentication. We do not use advertising, analytics, or tracking cookies. No cookie consent banner is required.

The patientthread.com marketing website does not set any cookies.

10. Changes to this notice

We will notify registered clinicians by email of any material changes to this privacy notice. The version date at the top of this page will always reflect the most recent update. Previous versions are available on request.