
Privacy Policy

Effective Date: 14 September 2025
Jurisdiction: England and Wales
Controller: Serenica AI (“Serenica AI”, “we”, “us”, “our”)


This Privacy Policy (this “Policy”) governs the collection, use, disclosure, storage, and protection of personal data and other information by Serenica AI in connection with its web site, software as a service platform, mobile applications, telemedicine services and any related services, features, or content provided by or on behalf of Serenica AI (collectively, the “Service”). By accessing or using the Service in any manner, you acknowledge that you have read, understand, and agree to be bound by this Policy. If you do not agree, do not access or use the Service.


1 — Scope / Binding Effect / Hierarchy

This Policy applies to all personal data that Serenica AI collects about identifiable individuals through the Service. To the fullest extent permitted by law, any terms, agreements, consents, or notices inconsistent with this Policy are superseded by it. Nothing in this Policy shall be construed to create any fiduciary duty or other special duty owed by Serenica AI to you beyond those imposed by applicable law.


2 — Data We Collect

We collect and process the following categories of information:

  • Identity and Contact Data: name, title, date of birth, gender, email address, telephone numbers, postal address, emergency contact information, and other identifiers.
  • Account Data: username, password (hashed), account preferences, subscription and billing records, service usage logs, and authentication tokens.
  • Health and Clinical Data: medical history, symptoms, diagnoses, medications, treatment plans, teleconsultation transcripts, clinician notes, clinical images, test results, and other health-related information that you or your clinicians provide or that is generated by the Service. This category includes “special category” data under UK GDPR.
  • Device and Usage Data: device identifiers, IP addresses, browser and operating system information, crash logs, analytics and telemetry, session lengths, feature usage, and cookies.
  • Communications: inbound and outbound communications with clinicians, support teams, and automated messages (including audio, text, and video).
  • Payment Data: billing address and payment instrument metadata (full payment instrument details are processed by our third-party payment processors).
  • Derived and Aggregated Data: anonymised, pseudonymised, or aggregated datasets derived from personal data, including risk scores and predictive outputs produced by our models.

3 — Legal Bases for Processing

We process personal data only where we have a lawful basis under applicable data protection laws, including without limitation:

  • Contractual Necessity: to perform the contract with you or to take steps at your request prior to entering into a contract (e.g., to provide the Service, fulfil clinical appointments, deliver prescriptions or billing).
  • Legal Obligation: to comply with statutory or regulatory obligations to which Serenica AI is subject (including health and public health reporting obligations).
  • Vital Interests: where necessary to protect the life or safety of any person.
  • Consent: where required for processing sensitive health data or other personal data for which consent is required; consent may be withdrawn but such withdrawal will not affect the lawfulness of processing prior to withdrawal.
  • Legitimate Interests: where processing is necessary for our legitimate interests (e.g., fraud prevention, service improvement, safeguarding, security), provided such interests are not overridden by your rights and freedoms.

4 — Purposes of Processing

We collect and use personal data for the following purposes (without limitation):

  • Provision, operation, support, maintenance, and optimisation of the Service and associated telemedicine offerings.
  • Enabling clinical interactions between patients and licensed healthcare professionals, including scheduling, remote consultations, clinical decision support and documentation.
  • Billing, invoicing and payment processing.
  • Authentication, account management, and security, including fraud detection and abuse prevention.
  • Compliance with legal, regulatory, accreditation, or contractual obligations.
  • Research, development, and improvement of algorithms, models, and Service features — where such research involves personal data we will use appropriate safeguards (including de-identification and data minimisation).
  • Service communications and notices (including operational and security notices).
  • Analytics, monitoring, and quality assurance to enhance care delivery and platform performance.
  • Enforcement of our terms, protection of rights, detection and prevention of misuse, and defence of legal claims.

5 — Treatment of Health Data / Special Category Data

Health and other special category data are subject to heightened protections. We will process such data only where permitted by applicable law, including where:

  • necessary for the provision of health or social care or treatment;
  • necessary for reasons of public interest in the area of public health;
  • you have given explicit consent; or
  • otherwise permitted by law.

We implement technical and organisational safeguards proportional to the sensitivity of such data, including pseudonymisation, strict access controls, encryption, auditing, and data minimisation. To the maximum extent practicable, clinical decisions are made by licensed clinicians, and our models and tools are intended only to assist clinicians and not to replace clinician judgment.


6 — Recipients and Third-Party Processors

We may disclose personal data to:

  • Healthcare professionals and care teams directly involved in your care.
  • Service providers and subprocessors that perform services on our behalf (hosting, analytics, payment processing, teleconferencing, identity verification, and clinical services). Such providers are contractually bound to process data only on our instructions and to implement appropriate security measures.
  • Affiliates, successors and acquirers in the event of corporate transactions, mergers, or reorganisations.
  • Regulators, courts, law enforcement, and authorities where required by law or regulation or in response to lawful requests.
  • Other third parties where you have given explicit consent or as otherwise described in this Policy.

We will use reasonable contractual and technical means to ensure third-party processors meet equivalent data protection standards.


7 — International Transfers

Personal data may be transferred and stored outside the UK or EEA. Where personal data is transferred to jurisdictions that do not provide an adequate level of protection under UK law, we will put in place appropriate safeguards such as standard contractual clauses, binding corporate rules, or other lawful transfer mechanisms permitted by applicable data protection law. By using the Service you consent to such transfers as necessary for the provision of the Service.


8 — Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy and to meet legal, regulatory, and contractual obligations. Retention periods vary by data category and purpose; health records are retained in accordance with applicable healthcare retention requirements and our internal policies. Where retention is no longer necessary, we will securely delete or anonymise the data. Notwithstanding anything to the contrary, we may retain records as needed to defend legal claims.


9 — Security Measures

We employ administrative, technical, and physical safeguards designed to protect personal data against accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, access, or use. Safeguards include, without limitation: role-based access controls, encryption at rest and in transit, multi-factor authentication, logging and audit trails, intrusion detection, vulnerability management, secure development practices, employee training, and incident response procedures. Nevertheless, no system is impenetrable; Serenica AI disclaims any warranty that the Service or our security measures are or will be free from vulnerabilities or breaches.


10 — Data Subject Rights

Subject to applicable law and limitations, you have rights in relation to your personal data, including the right to:

  • access your personal data and obtain a copy;
  • rectify inaccurate or incomplete personal data;
  • erase personal data (the “right to be forgotten”), subject to legal and clinical recordkeeping obligations;
  • restrict or object to certain processing activities;
  • receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller (data portability); and
  • withdraw consent where processing is based on consent.

Requests to exercise these rights should be submitted to privacy@serenicaai.com.
