Privacy Policy

AnalystAssist — Global Privacy Policy

Effective Date: 12 February 2026
Last Updated: 12 February 2026

This Privacy Policy (“Policy”) is issued by Naturecure Academy Ltd, trading as AnalystAssist, a company incorporated in England and Wales with its registered office at Wilbees Road, Polegate, East Sussex, BN26 6RU, United Kingdom (“AnalystAssist”, “Company”, “we”, “us”, or “our”).

This Policy governs the processing of Personal Data and Protected Health Information (“PHI”) in connection with:

(a) the AnalystAssist software-as-a-service healthcare platform located at app.analystassist.com (the “Platform”); and
(b) the marketing website located at www.analystassist.com (the “Website”).

1. DEFINITIONS

For the purposes of this Policy:

“Personal Data” has the meaning given under the UK GDPR and EU GDPR and includes any information relating to an identified or identifiable natural person.

“Special Category Data” has the meaning set out in Article 9 UK GDPR and includes data concerning health.

“Protected Health Information” or “PHI” has the meaning given under HIPAA (45 CFR §160.103).

“Controller”, “Processor”, “Data Subject”, and “Processing” shall have the meanings set out in applicable data protection legislation.

“Covered Entity” and “Business Associate” have the meanings set out under HIPAA.

2. REGULATORY FRAMEWORK

2.1 This Policy is designed to ensure compliance with:

  • UK General Data Protection Regulation and Data Protection Act 2018

  • Regulation (EU) 2016/679

  • HIPAA (including the Privacy Rule and Security Rule)

  • PIPEDA (Canada)

  • Privacy Act 1988 (Australia)

  • Privacy Act 2020 (New Zealand)

2.2 Where multiple regulatory regimes apply, the Company shall apply the standard that affords the highest level of data protection.

3. DATA PROTECTION ROLES

3.1 Practitioners as Controllers

Healthcare practitioners who create accounts and upload patient data to the Platform act as Controllers with respect to such data.

Practitioners are solely responsible for:

  • Determining lawful bases for processing;

  • Obtaining required consents;

  • Meeting professional confidentiality duties;

  • Responding to data subject requests;

  • Ensuring HIPAA compliance where applicable.

3.2 AnalystAssist as Processor

In respect of patient data uploaded to the Platform, AnalystAssist acts solely as a Processor.

The Company processes PHI exclusively:

  • On documented instructions from the Practitioner;

  • To provide hosting, storage, encryption, retrieval, and secure access functionality;

  • To maintain system security and integrity;

  • As required by law.

The Company does not use PHI for analytics, advertising, profiling, artificial intelligence model training, or product marketing.

4. CATEGORIES OF PERSONAL DATA PROCESSED

4.1 Practitioner Account Data

The Company processes:

  • Email address

  • Encrypted password hash

  • Multi-factor authentication enrolment data

  • Account configuration settings

  • Subscription metadata

  • Audit logs relating to account access

Passwords are stored only as irreversible cryptographic hashes.

4.2 Patient Health Information

The Platform enables Practitioners to upload and process:

  • Patient identifying information

  • Contact details

  • Dates of birth

  • Addresses

  • Clinical notes

  • Appointment records

  • Uploaded images and documents

  • Intake forms and assessments

  • Speech-to-text transcripts

  • Generated clinical reports

All PHI remains under the control of the Practitioner.

4.3 Subscription and Payment Data

Subscription payments are processed via Stripe, Inc.

The Company transmits:

  • Practitioner email address

  • Stripe Customer ID

  • Subscription ID

Payment card data is collected directly by Stripe via secure tokenised fields. The Company does not store or process raw cardholder data.

Stripe acts:

(a) as Processor for subscription administration; and
(b) as independent Controller for fraud detection, regulatory compliance, and financial reporting.

Stripe retains transaction records in accordance with statutory financial retention requirements.

4.4 Automatically Collected Technical Data

When accessing the Platform, the following data is processed:

  • IP address

  • Browser type

  • Device metadata

  • HTTP request metadata

  • Authentication session identifiers

  • Operational logs (excluding PHI content)

  • Application performance telemetry

No advertising cookies or tracking technologies are deployed within the Platform.

4.5 Support Communications

Where a user contacts support, the Company processes:

  • Name

  • Email address

  • Message content

  • Attachments

  • Communication history

Support email services are hosted via Google Workspace (Google LLC), acting as a Processor.

Retention period: 12 months from final correspondence unless required for legal or regulatory purposes.

5. PURPOSES AND LEGAL BASES FOR PROCESSING

Under UK/EU GDPR, processing is carried out pursuant to:

  • Article 6(1)(b) — Performance of contract

  • Article 6(1)(f) — Legitimate interests (security, fraud prevention, system reliability)

  • Article 6(1)(c) — Legal obligation

  • Article 6(1)(a) — Consent (Website analytics and advertising cookies)

  • Article 9(2)(h) — Provision of healthcare

6. DATA STORAGE, SECURITY, AND INFRASTRUCTURE

6.1 Hosting Environment

The Platform is hosted on Microsoft Azure cloud infrastructure.

Data is stored in the Azure region geographically closest to the user.
Currently operational region: United Kingdom (UK South).

Each region operates as an isolated infrastructure stack with separate:

  • SQL databases

  • Blob storage

  • Encryption keys

  • Speech processing services

6.2 Encryption and Access Controls

Security controls include:

  • TLS encryption in transit

  • AES-256 encryption at rest

  • Azure Key Vault secret management

  • Microsoft Entra Managed Identity

  • Multi-factor authentication

  • Role-based access control

  • Automatic session timeouts

  • Azure Web Application Firewall

  • Private database endpoints

  • Azure SQL auditing

  • Microsoft Defender for Cloud monitoring

  • CI/CD deployment via GitHub Actions using OIDC federation

7. SUBPROCESSORS

The Company engages the following subprocessors:

  • Microsoft Azure (hosting, storage, speech processing)

  • Stripe, Inc. (billing)

  • GitHub, Inc. (deployment infrastructure)

  • Squarespace, Inc. (Website hosting)

  • Google LLC (Analytics and Ads — Website only)

  • ActiveCampaign, LLC (marketing communications)

  • Google LLC (Workspace email hosting)

No PHI is disclosed to marketing or advertising vendors.

8. INTERNATIONAL DATA TRANSFERS

Where data is transferred outside the UK or EEA, safeguards include:

  • EU Standard Contractual Clauses

  • UK International Data Transfer Agreement

  • Vendor Data Processing Agreements

No PHI is transferred for advertising or profiling purposes.

9. DATA RETENTION

Active accounts: retained for duration of subscription.
Closed accounts: PHI and account data permanently deleted upon closure.

Inactive accounts (all tiers): Accounts with no login activity for one hundred and eighty (180) consecutive days are automatically locked. Users must contact customer support to request reinstatement. No data is deleted while an account is locked.

Inactive Free Trial accounts: Free Trial accounts with no login activity for twelve (12) consecutive months are permanently deleted without prior notice, including all associated data.

Inactive Pro Subscription accounts: Pro Subscription accounts with no login activity for twenty-four (24) consecutive months may be permanently deleted

Operational logs: 30 days.
Audit logs: approximately 6 years.
SQL backups: 7 days point-in-time retention.
Support communications: 12 months.
Marketing data: until unsubscribe.

Stripe retains financial transaction records independently.

10. HIPAA BUSINESS ASSOCIATE STATUS

10.1 Where a Practitioner qualifies as a Covered Entity or Business Associate under HIPAA and uses the Platform to create, receive, maintain, or transmit PHI, AnalystAssist acts as a Business Associate.

10.2 The Company shall execute a separate Business Associate Agreement (“BAA”) upon written request.

10.3 The Company implements administrative, technical, and physical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164 Subpart C).

10.4 The Platform must not be used for HIPAA-regulated PHI in the absence of an executed BAA.

11. DATA BREACH NOTIFICATION

In the event of a personal data breach:

  • Supervisory authorities shall be notified within statutory timeframes;

  • Affected individuals shall be notified where required;

  • Incidents shall be documented and remediated.

12. DATA SUBJECT RIGHTS

Data subjects may request:

  • Access

  • Rectification

  • Erasure

  • Restriction

  • Objection

  • Portability

  • Withdrawal of consent

Data Portability for Cancelled Subscribers: If User’s paid subscription has been cancelled or expired, they may request a temporary 48-hour access window from the login page to export their data in a portable format (ZIP containing structured JSONL files and optional document/image binaries). During this window they may also delete their account or choose to resubscribe. Only one active access window is permitted at a time.

Practitioners remain responsible for responding to HIPAA patient access requests.

13. GOVERNING LAW AND JURISDICTION

This Policy shall be governed by and construed in accordance with the laws of England and Wales.

Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of England and Wales, without prejudice to the right of data subjects to lodge complaints with supervisory authorities in their jurisdiction.

14. AMENDMENTS

The Company reserves the right to amend this Policy at any time. Material changes shall be communicated via email or in-Platform notification.

Continued use of the Platform constitutes acceptance of the revised Policy.