Privacy Policy — Neurocuole

1. Who We Are

Neurocuole Ltd [Company Registration: PLACEHOLDER — to be updated upon registration] is a clinical health technology platform registered in England and Wales. We operate the Neurocuole platform — a secure, multi-organisation clinical record management and communication system used by registered healthcare organisations and practitioners.

Neurocuole acts as both a Data Controller (for platform infrastructure, user accounts and consent management) and a Data Processor (processing clinical data on behalf of registered healthcare organisations that are Joint Data Controllers).

ICO Registration: [PLACEHOLDER — ZBxxxxxxx — to be updated upon ICO registration]
Data Protection Officer: [PLACEHOLDER — to be appointed]
Contact: privacy@neurocuole.net

Registered Address: [PLACEHOLDER — registered address to be added]

2. Data We Collect

2.1 Platform Users (Clinicians and Administrators)

Full name, professional title and job role
Work email address and contact details
Professional registration number (e.g. GMC, NMC)
Login activity, session logs and audit trails
Communications sent via the platform

2.2 Patients (with consent)

Personal identifiers: name, date of birth, national patient identifier (e.g. NHS number)
Contact details: address, phone number, email
Clinical history: diagnoses, conditions, procedures, medications, allergies
Clinical correspondence: letters, referrals, discharge summaries
Appointments and encounter records
Diagnostic results and investigation reports
Care plans and clinical observations
Consent records and consent audit trail

2.3 Automatically Collected Data

IP addresses and device/browser information (security and fraud prevention only)
Access logs and session timestamps
Error logs (anonymised for technical diagnostics)

Special Category Data: Clinical health data constitutes special category personal data under UK GDPR Article 9. We only process this data under lawful conditions and with appropriate safeguards in place.

3. How We Use Your Data

Purpose	Data used	Legal basis
Delivering clinical care and managing patient records	Patient clinical data, identifiers	UK GDPR Art. 9(2)(h) — health purposes
Managing user accounts and platform access	Clinician account data	UK GDPR Art. 6(1)(b) — contract performance
Sending consent requests and notifications to patients	Patient contact details, consent records	UK GDPR Art. 9(2)(h); explicit consent
Audit, compliance and legal obligations	Audit logs, access records	UK GDPR Art. 6(1)(c) — legal obligation
Platform security, fraud prevention and monitoring	Access logs, IP addresses	UK GDPR Art. 6(1)(f) — legitimate interests
Sending clinical communications (letters, referrals)	Patient contact and clinical data	UK GDPR Art. 9(2)(h); clinician instruction
Appointment reminders	Contact details, appointment data	UK GDPR Art. 6(1)(b); legitimate interests

4. Legal Basis for Processing

We rely on the following legal bases depending on jurisdiction:

United Kingdom

Article 6(1)(b) — Contract performance (user accounts, service delivery)
Article 6(1)(c) — Legal obligation (audit, retention requirements)
Article 6(1)(e) — Public task (clinical care)
Article 6(1)(f) — Legitimate interests (security, fraud prevention)
Article 9(2)(h) — Health or social care purposes (clinical data)
Article 9(2)(a) — Explicit consent (patient-initiated consent portal)
Data Protection Act 2018 — Schedule 1, Part 1, Paragraph 2

Republic of Ireland

Health Research Regulations 2018; Data Protection Act 2018 (Ireland)
Supervised by the Data Protection Commission (DPC)

United Arab Emirates

UAE Federal Law No. 45 of 2021 — Personal Data Protection Law (PDPL)
DHA and MOHAP health data regulations where applicable
Consent and legitimate interest as defined under UAE PDPL

5. Who We Share Data With

We do not sell personal data. We share data only as described below:

Healthcare Organisations (Joint Data Controllers)

Registered healthcare organisations using the Neurocuole platform are Joint Data Controllers for the clinical records of their patients. They access data only within the scope of the patient's consent and have signed our Data Processing Agreement.

Sub-processors (Infrastructure)

Sub-processor	Purpose	Location
Microsoft Azure	Cloud hosting, database, storage, email delivery	UK (West Europe)
Microsoft Azure Communication Services	Transactional email and SMS	UK
Microsoft Entra ID / Azure AD	Staff authentication and identity	EU / UK
Azure Application Insights	Anonymised telemetry and error monitoring	EU / UK
Azure OpenAI Service	AI-assisted clinical documentation (opt-in)	EU

Legal Disclosure

We may disclose data where required by law, court order or regulatory authority. We will notify affected individuals where legally permitted to do so.

6. International Transfers

Data is primarily stored and processed in the United Kingdom and the European Economic Area using Microsoft Azure infrastructure. All transfers outside the UK/EEA are governed by appropriate safeguards including:

UK Adequacy Regulations for EEA transfers
Standard Contractual Clauses (SCCs) for transfers to non-adequate countries
Binding Corporate Rules where applicable

For UAE-based operations, data may be stored on Azure UAE North / West Africa infrastructure and is subject to UAE PDPL transfer requirements.

7. How Long We Keep Data

Data type	Retention period	Basis
Adult patient clinical records	10 years from last contact	NHS Records Management Code 2021
Children's clinical records	Until age 25 or 10 years from last contact (whichever is longer)	NHS Records Management Code 2021
Consent records and audit trail	10 years	Legal obligation
Platform user accounts	Duration of contract + 3 years	Contractual
Access and security logs	2 years	Security / fraud prevention
Consent tokens (unused/expired)	90 days from expiry	Technical necessity

8. How We Protect Your Data

Encryption at rest: All databases and blob storage encrypted with AES-256
Encryption in transit: TLS 1.2+ enforced on all connections; HSTS enabled
Access control: Role-based permissions; multi-factor authentication required for all staff
Audit trails: Every data access, modification and export permanently logged
Penetration testing: Regular third-party security assessments
Incident response: Breach notification to ICO within 72 hours as required by UK GDPR Article 33
Infrastructure: Microsoft Azure ISO 27001 / SOC 2 Type II certified data centres

To report a suspected security incident or data breach, contact us immediately at security@neurocuole.net.

9. Your Rights

Under UK GDPR and applicable law, you have the following rights:

Right	What it means
Access (SAR)	Request a copy of all personal data we hold about you. We will respond within 30 days.
Rectification	Request correction of inaccurate or incomplete data.
Erasure	Request deletion of your data where there is no overriding legitimate reason to retain it. Note: clinical records have mandatory minimum retention periods.
Restriction	Request that we stop using your data in certain ways while a dispute is resolved.
Portability	Receive your data in a machine-readable format where technically feasible.
Objection	Object to processing based on legitimate interests or public task.
Withdraw consent	Withdraw consent at any time without affecting the lawfulness of prior processing.
Lodge a complaint	Complain to the ICO (ico.org.uk / 0303 123 1113) or your national supervisory authority.

To exercise any of these rights, contact us at privacy@neurocuole.net. We will respond within 30 days.

10. Cookies

The Neurocuole platform uses only strictly necessary cookies required for authentication, session management and security. We do not use advertising, tracking or analytics cookies.

Cookie	Purpose	Duration
.AspNetCore.Session	Session management (authentication state)	Session
.AspNetCore.Antiforgery.*	CSRF protection	Session
msal.* / .auth.*	Microsoft authentication tokens	Session / 1 hour

11. Children

The Neurocuole platform handles clinical records for patients of all ages, including children, when instructed by registered healthcare organisations. Processing of children's data is carried out under Article 9(2)(h) (health purposes) with appropriate safeguards. Children's records are retained in accordance with NHS and applicable national records management guidelines.

Parents and legal guardians may exercise data rights on behalf of children under 16.

12. Changes to This Policy

We review and update this Privacy Policy periodically to reflect changes in law, technology or our practices. Material changes will be notified to registered users by email and to patients via updated consent forms. The "Last updated" date at the top of this page indicates when the most recent changes were made.

Continued use of the Neurocuole platform after notification of material changes constitutes acceptance of the updated policy.

13. Contact Us

Enquiry type	Contact
Privacy, data rights, Subject Access Requests	privacy@neurocuole.net
Security incidents and data breaches	security@neurocuole.net
General enquiries	hello@neurocuole.net
Data Protection Officer	[PLACEHOLDER — to be appointed]
ICO (UK supervisory authority)	ico.org.uk · 0303 123 1113
DPC (Irish supervisory authority)	dataprotection.ie