Privacy Policy

AnalystAssist — Global Privacy Policy

Effective Date: 12 February 2026
Last Updated: 4 June 2026

This Privacy Policy (“Policy”) is issued by Naturecure Academy Ltd, trading as AnalystAssist, a company incorporated in England and Wales with its registered office at Wilbees Road, Polegate, East Sussex, BN26 6RU, United Kingdom (“AnalystAssist”, “Company”, “we”, “us”, or “our”).

This Policy governs the processing of Personal Data and Protected Health Information (“PHI”) in connection with:

(a) the AnalystAssist software-as-a-service healthcare platform located at app.analystassist.com (the “Platform”); and
(b) the marketing website located at www.analystassist.com (the “Website”).

1. DEFINITIONS

For the purposes of this Policy:

“Personal Data” has the meaning given under the UK GDPR and EU GDPR and includes any information relating to an identified or identifiable natural person.

“Special Category Data” has the meaning set out in Article 9 UK GDPR and includes data concerning health.

“Protected Health Information” or “PHI” has the meaning given under HIPAA (45 CFR §160.103).

“Controller”, “Processor”, “Data Subject”, and “Processing” shall have the meanings set out in applicable data protection legislation.

“Covered Entity” and “Business Associate” have the meanings set out under HIPAA.

2. REGULATORY FRAMEWORK

2.1The Company designs and operates the Platform to meet full compliance with the following legislative frameworks, each applicable to one or more of the Company's four hosting regions:

Framework | Jurisdiction | Hosting Region

  • UK General Data Protection Regulation and Data Protection Act 2018 | United Kingdom | UK South

  • Regulation (EU) 2016/679 (EU GDPR) | European Union and EEA | UK South (via EU-UK Adequacy Decision)

  • Health Insurance Portability and Accountability Act (HIPAA) | United States | Central US

  • Personal Information Protection and Electronic Documents Act (PIPEDA) | Canada | Canada Central

  • Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) | Australia | Australia East

  • Privacy Act 2020 | New Zealand | Australia East |

2.2 Users accessing the Platform from countries outside these six jurisdictions — including but not limited to countries in Asia, the Middle East, Africa, Latin America, and the Caribbean — have their data hosted in the geographically closest compliant region (see Section 6.1). A cross-border transfer of personal data therefore occurs. By accepting these Terms and this Policy, such users explicitly consent to that transfer and to their data being processed under the legal framework applicable to the hosting region.

2.3Where multiple regulatory regimes apply, the Company shall apply the standard that affords the highest level of data protection.

2.4 The Company does not claim compliance with the domestic privacy laws of countries other than those listed in clause 2.1. Users in those countries are served under the protections of the applicable hosting-region framework, which the Company considers to represent a high global standard.

3. DATA PROTECTION ROLES

3.1 Practitioners as Controllers

Healthcare practitioners who create accounts and upload patient data to the Platform act as Controllers with respect to such data.

Practitioners are solely responsible for:

  • Determining lawful bases for processing;

  • Obtaining required consents;

  • Meeting professional confidentiality duties;

  • Responding to data subject requests;

  • Ensuring HIPAA compliance where applicable.

3.2 AnalystAssist as Processor

In respect of patient data uploaded to the Platform, AnalystAssist acts solely as a Processor.

The Company processes PHI exclusively:

  • On documented instructions from the Practitioner;

  • To provide hosting, storage, encryption, retrieval, and secure access functionality;

  • To maintain system security and integrity;

  • As required by law.

The Company does not use PHI for analytics, advertising, profiling, artificial intelligence model training, or product marketing.

4. CATEGORIES OF PERSONAL DATA PROCESSED

4.1 Practitioner Account Data

The Company processes:

  • Email address

  • Encrypted password hash

  • Multi-factor authentication enrolment data

  • Account configuration settings

  • Subscription metadata

  • Audit logs relating to account access

Passwords are stored only as irreversible cryptographic hashes.

4.2 Patient Health Information

The Platform enables Practitioners to upload and process:

  • Patient identifying information

  • Contact details

  • Dates of birth

  • Addresses

  • Clinical notes

  • Appointment records

  • Uploaded images and documents

  • Intake forms and assessments

  • Speech-to-text transcripts

  • Generated clinical reports

All PHI remains under the control of the Practitioner.

4.3 Subscription and Payment Data

Subscription payments are processed via Stripe, Inc.

The Company transmits:

  • Practitioner email address

  • Stripe Customer ID

  • Subscription ID

Payment card data is collected directly by Stripe via secure tokenised fields. The Company does not store or process raw cardholder data.

Stripe acts:

(a) as Processor for subscription administration; and
(b) as independent Controller for fraud detection, regulatory compliance, and financial reporting.

Stripe retains transaction records in accordance with statutory financial retention requirements.

4.4 Automatically Collected Technical Data

When accessing the Platform, the following data is processed:

  • IP address

  • Browser type

  • Device metadata

  • HTTP request metadata

  • Authentication session identifiers

  • Operational logs (excluding PHI content)

  • Application performance telemetry

No advertising cookies or tracking technologies are deployed within the Platform.

4.5 Support Communications

Where a user contacts support, the Company processes:

  • Name

  • Email address

  • Message content

  • Attachments

  • Communication history

Support email services are hosted via Google Workspace (Google LLC), acting as a Processor.

Retention period: 12 months from final correspondence unless required for legal or regulatory purposes.

5. PURPOSES AND LEGAL BASES FOR PROCESSING

Under UK/EU GDPR, processing is carried out pursuant to:

  • Article 6(1)(b) — Performance of contract

  • Article 6(1)(f) — Legitimate interests (security, fraud prevention, system reliability)

  • Article 6(1)(c) — Legal obligation

  • Article 6(1)(a) — Consent (Website analytics and advertising cookies)

  • Article 9(2)(h) — Provision of healthcare

6. DATA STORAGE, SECURITY, AND INFRASTRUCTURE

6.1 Hosting Environment

The Platform is hosted on Microsoft Azure cloud infrastructure across four regional stacks. User data is stored in the region that serves the user's country, as determined at the network level before any data is processed.

Hosting regions (all operational):

Region | Azure Location | Countries Hosted

  • UK South | United Kingdom | United Kingdom; all 27 EU member states; EEA countries (Iceland, Liechtenstein, Norway); Israel; Lebanon; United Arab Emirates; South Africa |

  • Central US | United States | United States; Mexico; all Central American countries; all South American countries; all Caribbean territories |

  • Canada Central | Canada | Canada |

  • Australia East | Australia | Australia; New Zealand; Russia; Thailand; Singapore; Vietnam; India; Indonesia; South Korea |

Each region operates as a fully isolated infrastructure stack with separate SQL databases, blob storage accounts, encryption keys, speech processing services, and audit logging. No data is shared between regional stacks.

Users in EU/EEA member states are routed to the UK South region. This is lawful because the United Kingdom holds an adequacy decision from the European Commission under Article 45 EU GDPR (most recently renewed 27 June 2025).

New Zealand users are routed to the Australia East region. This is lawful because Australia is designated as a comparable country under Schedule 2 of New Zealand's Privacy Act 2020, meaning that a transfer of personal information to Australia does not require additional safeguards beyond those already provided by the Australian Privacy Act 1988 (Cth) framework under which the hosting region operates.

Users in Asia, the Middle East, Africa, Latin America, and the Caribbean are routed to the nearest compliant regional stack as listed above. Their data is subject to a cross-border transfer (see Section 8).

6.2 Encryption and Access Controls

Security controls include:

  • TLS encryption in transit

  • AES-256 encryption at rest

  • Azure Key Vault secret management

  • Microsoft Entra Managed Identity

  • Multi-factor authentication

  • Role-based access control

  • Automatic session timeouts

  • Azure Web Application Firewall

  • Private database endpoints

  • Azure SQL auditing

  • Microsoft Defender for Cloud monitoring

  • CI/CD deployment via GitHub Actions using OIDC federation

7. SUBPROCESSORS

The Company engages the following subprocessors:

  • Microsoft Azure (hosting, storage, speech processing)

  • Stripe, Inc. (billing)

  • GitHub, Inc. (deployment infrastructure)

  • Squarespace, Inc. (Website hosting)

  • Google LLC (Analytics and Ads — Website only)

  • ActiveCampaign, LLC (marketing communications)

  • Google LLC (Workspace email hosting)

No PHI is disclosed to marketing or advertising vendors.

8. INTERNATIONAL DATA TRANSFERS

8.1 UK Users — Data Processed in the United Kingdom

Personal data of UK-based users is processed in the United Kingdom (UK South region). No international transfer occurs.

8.2 EU and EEA Users — Transfer to the United Kingdom

Personal data of EU and EEA users is processed in the United Kingdom (UK South region). This transfer is lawful under Article 45 EU GDPR on the basis of the European Commission's adequacy decision in respect of the United Kingdom, most recently renewed on 27 June 2025. The UK provides an equivalent level of data protection to the EU.

8.3 US Users — Data Processed in the United States

Personal data of US-based users is processed in the United States (Central US region). No international transfer occurs. US Practitioners who qualify as Covered Entities or Business Associates under HIPAA are covered by the Company's Business Associate Agreement (see Section 10).

8.4 Canadian Users — Data Processed in Canada

Personal data of Canadian-based users is processed in Canada (Canada Central region). No international transfer occurs. Processing complies with PIPEDA.

8.5 Australian and New Zealand Users — Data Processed in Australia

Personal data of Australian and New Zealand users is processed in Australia (Australia East region). No international transfer occurs. Processing complies with the Privacy Act 1988 (Cth) and Australian Privacy Principles for Australian users, and the Privacy Act 2020 for New Zealand users.

8.6 Users in Other Countries — Cross-Border Transfer

Users accessing the Platform from countries not listed in Sections 8.1–8.5 have their data processed in the nearest compliant regional stack:

Countries | Data Processed In | Legal Framework Applied

  • Israel, Lebanon, United Arab Emirates, South Africa | UK South (United Kingdom) | UK GDPR / Data Protection Act 2018 |

  • Mexico, Central America, South America, Caribbean | Central US (United States) | HIPAA-grade security safeguards |

  • Russia, Thailand, Singapore, Vietnam, India, Indonesia, South Korea | Australia East | Privacy Act 1988 (Cth) |

By creating an account or using the Platform, users in these countries explicitly:

a) acknowledge that a cross-border transfer of their personal data to the applicable hosting country will occur;

b) consent to their data being processed under the legal framework of that hosting country; and

c) accept that the Company does not claim compliance with the domestic privacy or data protection laws of their country of residence.

The Company considers each hosting-region framework to represent a high international standard of data protection.

8.7 Onward Transfers to Third-Country Vendors (All Regions)

Regardless of the user's region, certain subprocessors operate in the United States. Where this involves a transfer from the UK or EU, the Company relies on:

  • UK International Data Transfer Agreement (IDTA) and/or UK Addendum to the EU Standard Contractual Clauses — in place with Microsoft (Azure, GitHub), Stripe, Squarespace, Google (Analytics, Ads, Workspace), and ActiveCampaign.

  • EU Standard Contractual Clauses (Module 2) — in place with the same vendors for EU/EEA-originating data flows.

  • EU-US and UK-US Data Privacy Framework certification — Stripe, GitHub, Google LLC, and ActiveCampaign are certified under the applicable framework as an additional safeguard.

Where data originates in the US, Canada, or Australia and is shared with these vendors, such sharing is governed by the vendor's own terms and applicable local law.

8.8 Scope Limitation

  • No PHI is transferred to marketing, analytics, or advertising vendors.

  • Speech dictation audio and transcripts are processed in the same Azure region as the app and do not cross any international border beyond what is described in this Section.

  • Subscription billing via Stripe involves only non-clinical identifiers (email address, subscription metadata).

9. DATA RETENTION

Active accounts: retained for duration of subscription.
Closed accounts: PHI and account data permanently deleted upon closure.

Inactive accounts (all tiers): Accounts with no login activity for one hundred and eighty (180) consecutive days are automatically locked. Users must contact customer support to request reinstatement. No data is deleted while an account is locked.

Inactive Free Trial accounts: Free Trial accounts with no login activity for twelve (12) consecutive months are permanently deleted without prior notice, including all associated data.

Inactive Pro Subscription accounts: Pro Subscription accounts with no login activity for twenty-four (24) consecutive months may be permanently deleted

Operational logs: 30 days.
Audit logs: approximately 6 years.
SQL backups: 14 days point-in-time retention; long-term retention up to 3 years.
Uploaded files (documents, images, audio): retained for the duration of the subscription; recoverable for 30 days via backup and 35 days via soft delete following deletion.
Support communications: 12 months.
Marketing data: until unsubscribe.

Stripe retains financial transaction records independently.

10. HIPAA BUSINESS ASSOCIATE STATUS

10.1 Where a Practitioner qualifies as a Covered Entity or Business Associate under HIPAA and uses the Platform to create, receive, maintain, or transmit PHI, AnalystAssist acts as a Business Associate.

10.2 The Company's Business Associate Agreement ("BAA") is automatically entered into by qualifying Covered Entities and Business Associates upon acceptance of the Terms and Conditions of Use. A copy of the BAA is available for download at www.analystassist.com/s/Business-Associate-Agreement.pdf. Covered Entities who require a countersigned copy may contact support@analystassist.com.

10.2.1 The Company's infrastructure sub-processor, Microsoft Azure, provides HIPAA BAA coverage automatically through the Microsoft Product Terms and Data Protection Addendum (DPA). This BAA does not require a separately signed document. A copy is retained on file and is available from the [Microsoft Service Trust Portal](https://aka.ms/BAA).

10.3 The Company implements administrative, technical, and physical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164 Subpart C).

10.4 The Platform must not be used for HIPAA-regulated PHI in the absence of an executed BAA.

11. DATA BREACH NOTIFICATION

In the event of a personal data breach:

  • Supervisory authorities shall be notified within statutory timeframes;

  • Affected individuals shall be notified where required;

  • Incidents shall be documented and remediated.

12. DATA SUBJECT RIGHTS

Data subjects may request:

  • Access

  • Rectification

  • Erasure

  • Restriction

  • Objection

  • Portability

  • Withdrawal of consent

Data Portability for Cancelled Subscribers: If User’s paid subscription has been cancelled or expired, they may request a temporary 48-hour access window from the login page to export their data in a portable format (ZIP containing structured JSONL files and optional document/image binaries). During this window they may also delete their account or choose to resubscribe. Only one active access window is permitted at a time.

Practitioners remain responsible for responding to HIPAA patient access requests.

13. EU AND EEA DATA SUBJECTS — DIRECT CONTACT

AnalystAssist is a company incorporated in England and Wales. At the current stage of its EU operations, the Company's EU user base is small and processing of EU residents' data is limited in scale. EU and EEA data subjects may contact the Company's data protection team directly at any time:

Email: support@analystassist.com

Subject line: "GDPR — Data Subject Request" or "EU Data Protection Enquiry" 

Response time: Within 72 hours on business days.

EU and EEA data subjects also have the right to lodge a complaint with the supervisory authority in their EU member state of residence. A directory of EU supervisory authorities is available at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.

14. GOVERNING LAW AND JURISDICTION

This Policy shall be governed by and construed in accordance with the laws of England and Wales.

Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of England and Wales, without prejudice to the right of data subjects to lodge complaints with supervisory authorities in their jurisdiction.

15. AMENDMENTS

The Company reserves the right to amend this Policy at any time. Material changes shall be communicated via email or in-Platform notification.

Continued use of the Platform constitutes acceptance of the revised Policy.