1. Scope & Roles

• Processor role:patient data handled for Clinics. Clinic is Controller; PrimumAI follows instructions.
• Controller role:our own business data (accounts, billing, service emails, product telemetry, website analytics/consents, vendor management, security logs). We do not act as Controller for patient records.

2. Contact Details & DPO

• Email:harsh@primumai.eu (also for deletion requests)
• Office:Apartment 31, Block B02, Roselawn, Knocksinna Court, Blackrock, Co. Dublin, A94 A4T8

3. Personal Data We Process (Controller role)

• Identity/contact; account/usage; support tickets; billing (no card numbers stored); website/consent info. No patient records.

4. Our Purposes & Legal Bases

• Contract:provide service, support, billing.
• Legitimate interests:security, availability, product improvement (aggregated).
• Legal obligations:tax, lawful disclosures.
• Consent:marketing comms, non-essential cookies.

5. Special Category Data

• Not as Controller. As Processor, handle patient health data on Clinic instructions under Art 9(2)(h).

6. Children

• Service targets professionals. Clinics remain responsible if minors’ data is entered. Age of digital consent in IE = 16.

7. Sharing & Sub-processors (Controller role)

• AWS EU, Microsoft Azure EU, AWS SES/SNS, Twilio (EU endpoints), analytics (consent-based), payment providers (if used). All under DPAs. Live sub-processor list available.

8. International Transfers

• EEA by default. If transfer required: SCCs + TIAs + supplementary measures. Regions listed in Annex C.

9. Security

• We apply Annex B TOMs: encryption, MFA, RBAC, tenant isolation, logging/monitoring, incident response.

10. Retention

• Controller data:kept during account, then deleted/anonymised; backups purge within 30–45 days. Billing follows statutory rules.
• Processor data:retained only as instructed by Clinic. Requests for deletion should be sent to harsh@primumai.eu.

11. Your Rights (Controller data)

• Access, rectification, erasure, restriction, portability, objection, withdraw consent. Request via harsh@primumai.eu. One month to reply (extensions possible).

12. How to Make a Request

• Send email to harsh@primumai.eu. We verify identity, assess scope, act, and confirm. For patient data, contact your Clinic (we assist them).

13. AI Transparency

• AI suggestions are drafts; clinician approves. EU region AI services configured to not train on Clinic data. Clinics can disable AI features.

14. Cookies & Consent

• Essential cookies only. Analytics/performance cookies off by default, require opt-in. Consent stored.
• Examples:app_session (necessary); consent_state (necessary); analytics_id (consent).

15. Changes

• We update this policy and notify of material changes.

16. Complaints

• Contact harsh@primumai.eu. You may escalate to the Data Protection Commission (dataprotection.ie). We will cooperate fully.

17. Privacy Notice Addendum: Data Received from Third Parties (v1.1)

• How we get personal data from other sources (Article 14 GDPR) Sometimes we receive personal data about you from other sources instead of directly from you. When this happens, we will tell you clearly and quickly about it. We do this to stay transparent and to respect your rights. Typical sources - Your clinic or healthcare provider (for onboarding, appointment management, and care coordination) - Previous systems during data migration that your clinic asks us to perform - Telephony and messaging providers (e.g., Twilio) for call/SMS metadata and consent logs - Payment service providers (for tokenised payment confirmations and fraud prevention) - Referral partners or booking platforms used by your clinic - Public or professional directories (clinician details) where legally allowed - Our security and logging systems (technical and usage metadata) What we get Depending on the service, this can include: name, contact details, appointment details, billing references, call/SMS metadata, consent choices, and—only when your clinic instructs us—clinical note content or audio for transcription. We do not collect more than we need for the task. Why we get it (purposes) and legal bases - To provide services your clinic asked for (e.g., AI scribe, AI receptionist, booking/billing) — Contract (Art. 6(1)(b)) - To protect our platform and comply with law — Legal obligation (Art. 6(1)(c)) and Legitimate interests (Art. 6(1)(f)) - For health-related processing under a clinic’s responsibility — Health care (Art. 9(2)(h)) - Marketing only with your opt-in consent — Consent (Art. 6(1)(a)); you can withdraw any time Who we share with We use trusted providers to run our services: AWS (EU) for hosting and email, Microsoft/Azure (EU) including Azure OpenAI EU, and Twilio for calls/SMS. Any international routing is protected by EU-approved safeguards (e.g., SCCs/BCRs). How long we keep it We keep data only as long as needed: appointment reminders ≤12 months, support tickets ≤24 months, consent and cookie logs 13 months, security logs 12 months, and clinical content as instructed by your clinic. Backups are encrypted and time-limited. When and how we contact you about this If we received your data from someone else, we will provide you with this information: • our details and contact (including the DPO) • the purposes and legal bases • the types of data and the source • any recipients and transfers • retention and your rights (access, rectification, erasure, restriction, portability, objection) • how to complain to the Data Protection Commission. We will do this within one month of getting your data, or at the time of our first communication with you, or before sharing your data with anyone else — whichever happens first. If we cannot contact you If contacting you is impossible or would take a disproportionate effort (for example, no contact details or a large archival dataset), we will keep a record of why we could not contact you and how we still protect your data, as allowed by Article 14(5). Your choices You can ask questions or use your rights at any time by emailing harsh@primumai.eu. We answer as quickly as we can, and always within legal timelines. Version control Version | Date | Reviewed by | Approved by | Change 1.110 | October 2025 | Harsh Mangla (DPO) | Management | Added Article 14 section for third-party sources