Privacy Policy

OsteoDesk (“we”, “us”, “our”) provides an AI-powered receptionist service for healthcare clinics, enabling the handling of patient calls, understanding callers' needs for booking and routing, and appointment booking into third-party practice management systems.

For the purposes of data protection law, including the UK GDPR and the Data Protection Act 2018:

• Clinics using OsteoDesk are typically the data controllers
• OsteoDesk acts as a data processor on behalf of those clinics

We may process the following categories of personal data:

a) Patient Data (on behalf of clinics)

• Name
• Phone number
• Appointment details
• Information provided during calls (which may include health-related information)

b) Call Data

• Audio recordings of calls
• Transcriptions of calls
• Metadata (e.g. time, duration, call outcome)

c) Clinic User Data

• Names and contact details of clinic staff
• Account and login information

d) Website Data

• Basic usage data (e.g. IP address, browser type), where applicable

Some of the data processed may include health-related information, which is considered special category data.

We process this data only:

• On documented instructions from our clinic customers
• For the purpose of delivering our services
• With appropriate safeguards in place

We process personal data solely to:

• Answer and manage incoming patient calls
• Understand caller needs and match them to practitioners for booking
• Book appointments into systems such as Cliniko
• Provide call summaries and insights to clinics
• Improve and maintain our service

We do not use patient data for marketing purposes.

As a data processor, we process personal data on behalf of clinics, who determine the lawful basis.

This may include:

• Performance of a contract
• Legitimate interests
• Provision of healthcare services

Where special category data is involved, processing is typically based on:

• Healthcare provision and management

We may share data with trusted third parties strictly where necessary, including:

• Practice management systems (e.g. Cliniko)
• Telephony providers
• Cloud infrastructure providers
• AI and transcription service providers

All third parties are subject to appropriate contractual and data protection safeguards.

Some of our service providers may process data outside the UK.

Where this occurs, we ensure appropriate safeguards are in place, such as:

• UK-approved standard contractual clauses
• Adequacy regulations

We retain personal data only for as long as necessary to provide our services and comply with legal obligations.

Retention periods are determined by:

• Instructions from our clinic customers
• Operational requirements
• Legal and regulatory obligations

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption where appropriate
• Access controls
• Secure cloud infrastructure
• Monitoring and logging

However, no system can be guaranteed to be completely secure.

Under the UK GDPR, individuals have rights including:

• Access to their personal data
• Correction of inaccurate data
• Erasure of data
• Restriction of processing
• Data portability
• Objection to processing

Requests should generally be directed to the relevant clinic (data controller). We will assist clinics in responding to such requests.

Our website may use cookies or similar technologies. Further details will be provided in a separate Cookie Policy where applicable.

Our service relies on third-party platforms and integrations. We are not responsible for the privacy practices of those third parties, but we ensure appropriate safeguards are in place.

We may update this Privacy Policy from time to time. Updates will be published on our website with a revised effective date.

If you have any questions about this Privacy Policy or how data is handled, please contact:

You have the right to lodge a complaint with the Information Commissioner's Office if you believe your data has been handled incorrectly.