Privacy Policy
Effective date: 13/05/2026
This Privacy Policy explains how MSK Software Ltd (“MSK Software”, “we”, “us”) collects, uses, shares and protects personal data when you use our software (“the Service”), our website msksoft.uk, and the Communications Agent module that interacts with patients of our subscribing clinics.
We are registered in England and Wales (company number 16710022) at 6 The Crescent, Ottery St Mary, Devon, UK, EX11 1US. We are registered with the UK Information Commissioner’s Office under registration ZC080859.
Who the data controller is
- For our clinic customers (the clinic principal, their staff, and anyone we directly invoice): we are the data controller.
- For patients of our subscribing clinics: the clinic is the data controller and we act as a data processor on their behalf under a written Data Processing Agreement.
What personal data we collect
Clinic customers — we collect:
- Name, job title, work email, work phone
- Billing and payment information (processed by Stripe — we do not store card numbers)
- Login credentials (hashed)
- Device and browser information when you use the Portal
Patients of subscribing clinics — we process (on behalf of the clinic):
- Name, email address, mobile number, date of birth, home address
- Appointment history (date, time, practitioner, clinic, appointment type)
- Message content from email, SMS, WhatsApp, Facebook Messenger, Instagram DMs and our web chat widget
- Platform identifiers (Facebook sender ID, Instagram Business account ID, web chat session token)
- Verification codes issued for identity confirmation (deleted automatically after 10 minutes or when used)
- GDPR data-storage consent records
We deliberately do not collect or send to the AI model: clinical notes, diagnoses, treatment records, payment card numbers, or any information that is not strictly needed to process the patient’s current request.
Lawful basis for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract — to provide the Service to our clinic customers and to the patients they manage
- Legitimate interests — to operate, secure and improve the Service, to prevent fraud and abuse, to maintain audit logs for safety and accountability. Our legitimate-interests balancing assessments are available on request
- Consent — where we specifically ask for it (e.g. when a new patient registers via the Communications Agent, we capture their explicit consent to store their details before any data is written)
- Legal obligation — to respond to regulatory enquiries, tax/accounting obligations, and valid law-enforcement requests
For any special category data (e.g. health-adjacent details a patient mentions in a message), the additional condition under Article 9 is either explicit consent or the provision of healthcare in partnership with a regulated healthcare professional.
Who we share your data with
We do not sell personal data. We share data only with the following categories of processors, all of whom are bound by written contracts that meet UK GDPR requirements:
| Provider | Purpose | Location of processing |
|---|---|---|
| Anthropic PBC | AI model (Claude) that powers the Communications Agent. Data is sent with zero-data-retention enabled, which means Anthropic cannot use it for training and it is not retained beyond processing | USA — adequacy route: Standard Contractual Clauses + UK Addendum |
| Meta Platforms Ireland Ltd | Delivery of Facebook Messenger, Instagram DMs, and WhatsApp Business messages | Ireland/EU; Meta’s own onward transfers to USA under SCCs |
| Twilio Inc. | SMS delivery and phone-number hosting | USA — SCCs + UK Addendum |
| Migadu | Email mailbox hosting for clinic inbound addresses | Switzerland (adequacy decision) |
| Cliniko (Red Guava Pty Ltd) | Clinic management system — stores your appointment and practitioner data at your clinic’s instruction | Australia (adequacy decision) |
| Stripe Payments UK Ltd | Subscription billing for clinic customers | UK/EU |
| Amazon Web Services EMEA Sarl | Infrastructure hosting for the Portal | United Kingdom (eu-west-2) |
We may also disclose personal data where required by law (for example, in response to a valid court order or investigation by the ICO, HMRC, or law-enforcement agencies).
International transfers
Where we transfer personal data outside the UK, we rely on one of:
- An adequacy decision issued by the UK government (e.g. the EU, Switzerland, Australia)
- Standard Contractual Clauses with the UK International Data Transfer Addendum
- Your explicit consent for a specific transfer
Copies of our SCCs with Anthropic, Twilio and AWS are available on request.
How long we keep personal data
| Data type | Retention |
|---|---|
| Patient message content (body) | 12 months, then deleted. Summarised audit entries retained for accountability |
| Raw inbound payloads (full email headers, webhook bodies) | 90 days, then deleted |
| Conversation records (who contacted whom, when, via what channel, what actions were taken) | Retained for the life of the subscribing clinic’s account, plus 12 months after termination, for safety and accountability |
| Tool call audit log | As above |
| Verification codes | 10 minutes, then marked used or expired; purged nightly |
| Facebook / Instagram sender IDs linked to a verified patient | Up to 90 days from last verification, then re-verified or purged |
| Clinic customer account data | For the duration of the subscription, plus 7 years for UK tax/accounting records |
| Billing records | 7 years (Companies Act requirement) |
| Website analytics | 26 months |
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Rectification of inaccurate data
- Erasure (“right to be forgotten”) subject to our legal retention obligations
- Restriction of processing while a concern is being resolved
- Data portability for data you have provided to us
- Objection to processing based on legitimate interests
- Withdraw consent at any time where consent is the lawful basis (this does not affect lawfulness of processing before withdrawal)
To exercise any of these rights, or to delete your data, visit Data Deletion or email [email protected]. We will respond within one calendar month.
If you are a patient of a clinic that subscribes to MSK Software, you should also be able to exercise these rights directly through that clinic, since they are the data controller for your clinical record.
You also have the right to complain to the Information Commissioner’s Office at ico.org.uk — though we’d always like the chance to resolve things with you first.
How we protect personal data
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- API keys, tokens and access credentials are stored encrypted or in secured environment variables — never in plain text
- Access to patient data is role-based; every access is logged in the audit trail
- Verification codes are single-use and expire in 10 minutes
- We apply the principle of data minimisation — only the data strictly needed for a request is sent to any third-party processor
- We maintain written security policies and review them annually
- In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay
Cookies
Our website uses a small number of cookies: strictly necessary cookies for login/session management, and optional analytics cookies (Google Analytics 4, anonymised IP) that you can accept or reject via the cookie banner on first visit. See our Cookie Notice for details.
Changes to this policy
We will post any material change to this policy on this page with a revised “Effective date”. For clinic customers we will additionally notify you by email at least 14 days before the change takes effect.
Contact
Questions about this policy, or any concern about how we handle personal data:
- Email: [email protected]
- Postal: Data Protection, MSK Software Ltd, 6 The Crescent, Ottery St Mary, Devon, UK, EX11 1US
- Data Protection Officer: Jonathan Boxall
ICO registration: ZC080859.