This policy describes which personal data Peoples Doctor ApS processes, why we process it, how we protect it, and what rights you have. The policy covers both use of the Peoples Clinic platform and visits to peoplesdoctor.com.
1 Who we are
Peoples Clinic is provided by Peoples Doctor ApS, Teglværksvej 2, 5600 Faaborg, Denmark (CVR 40930809).
Enquiries can be directed to:
- General contact: compliance@peoplesdoctor.com
- Privacy matters and rights requests: privacy@peoplesdoctor.com
- Security incidents: security-incident@peoplesdoctor.com
- DPO (external): Søren Tang Hansen, sth@peoplesdoctor.com
- CEO: Michael Hein, mhe@peoplesdoctor.com
2 Roles — data controller and data processor
In relation to patient data, transcriptions and AI-generated summaries, the clinic is the data controller and Peoples Doctor ApS is the data processor. We process this data solely on the clinic's documented instructions under a data processing agreement (GDPR Art. 28).
In relation to user accounts, invoicing and technical security logs, Peoples Doctor ApS is itself the data controller.
3 What data we process
- Consultation data: live audio during the consultation (deleted immediately after transcription and never persistently stored), transcription and AI-generated summary in PSOAP format.
- User data: name, authorisation number, email address, phone number and login details for clinic staff.
- Technical logs: IP address, timestamp, system activity and login attempts.
- Invoicing data: contact person, invoice address, company registration number (CVR) and payment history.
- Website data: minimal — see section 16.
We do not store patient identifiers (personal ID, name, contact details) in the consultation database. Consultations are identified by an internal consultation ID and timestamp. Linking to the individual patient happens solely in the clinic's own journaling system.
4 Purposes and legal basis
Each category of data is processed for a specific purpose with a specific legal basis:
- Consultation data — purpose: deliver AI-assisted journal documentation. Legal basis: GDPR Art. 9(2)(h) (processing necessary for medical diagnosis and health care), via the clinic's processing.
- User data — purpose: create and manage user accounts and deliver the service. Legal basis: GDPR Art. 6(1)(b) (performance of contract).
- Technical logs — purpose: maintain operational security, detect misuse and document access. Legal basis: GDPR Art. 6(1)(f) (legitimate interest). Balancing test: the interest in protecting health data from unauthorised access outweighs the clinic user's interest in not having activity logged. Logs contain no patient data, are retained for a maximum of 185 days and are used solely for security purposes.
- Invoicing data — purpose: fulfil contractual obligation and statutory accounting duty. Legal basis: GDPR Art. 6(1)(b) and (c), in conjunction with the Danish Bookkeeping Act (5-year retention obligation).
5 Special rules for health data
Health data is a special category of personal data with enhanced protection under GDPR Art. 9. The processing takes place within the framework of the Danish Health Act §§ 40-46a on professional secrecy and disclosure, and the journaling regulation.
The clinic has full journaling responsibility toward the patient. Peoples Doctor ApS provides the technical tool and is subject to the clinic's instructions. The final journal text and editorial responsibility rest with the treating doctor.
6 AI, automation and human oversight
Peoples Clinic is classified as non-high-risk under the EU AI Act (Regulation (EU) 2024/1689 Art. 6(3)) — the purpose is administrative support, not clinical decisions.
Concrete measures:
- Human oversight (AI Act Art. 14): The doctor reviews and approves every AI-generated note before storage. A draft is never stored as finalised journal text without explicit approval.
- No automated decision-making (GDPR Art. 22): The AI's output is a draft for the doctor's assessment, not a decision in itself.
- Frozen model baseline: The AI model runs on a validated, version-locked baseline. Model replacement requires internal validation before production.
- Model selection and risk assessment are documented under AI Act Art. 53 (downstream provider obligations).
7 No training on patient data
Our AI models are hosted on our own servers at our hosting provider (see section 9). Patient data is never sent to external AI APIs — not to OpenAI, Anthropic, Google or any other third-party provider.
The model runs in inference-only mode. Consultation data is not used for training, fine-tuning or model optimisation — not even in anonymised or aggregated form. Model updates come from external, documented sources and undergo internal validation before being put into production.
8 Retention and deletion
We retain data only as long as it is necessary for the purpose for which it was collected:
| Data category | Retention period |
|---|---|
| Live audio | Deleted on transcription (seconds of lifetime; not persistently stored) |
| Transcription | Max 90 days, automatic deletion |
| AI-generated summary | Max 90 days, automatic deletion |
| User account | Duration of contract + up to 30 days for offboarding |
| Invoicing data | 5 years (Danish Bookkeeping Act) |
| Technical logs (standard) | 185 days |
| Technical logs (enhanced audit requirements) | Up to 730 days — specified in the data processing agreement |
| Encrypted backups | Included in the periods above; deletion requests are reapplied to restored backups via our deletion register |
Deletion is technically irreversible after the retention period. The clinic can request earlier deletion via the Peoples Clinic platform or in writing to privacy@peoplesdoctor.com.
9 Sub-processors
We use the following sub-processors in delivering the service:
| Party | Role | Location |
|---|---|---|
| netcup GmbH | IaaS hosting (servers, storage, AI inference) for consultation data, user data, logs and backups | Data centre Nürnberg, Germany (EU). ISO/IEC 27001 and ISO/IEC 27701 certified, verified annually. |
| Google Ireland Ltd | Corporate email (Google Workspace) for customer and supplier correspondence — not patient data | EU/EEA. Any technical transfer to the US is covered by EU Standard Contractual Clauses and the EU-US Data Privacy Framework. |
Clinic customers receive an updated list of sub-processors via service notifications when changes occur, with at least 30 days' notice for additions, as per the data processing agreement.
10 Data location
Consultation data, transcriptions, AI summaries, user data, logs and backups are stored exclusively on servers located in the EU (Germany).
We do not use US-controlled cloud infrastructure (AWS, Azure, Google Cloud) or US-controlled AI APIs as part of the service. Peoples Clinic is therefore not exposed to US CLOUD Act requests for customer or patient data.
11 Transfers outside the EU/EEA
For the core service, no transfers outside the EU/EEA take place.
For corporate communication via Google Workspace, data transfers to the US may theoretically occur through Google's global infrastructure. Such transfers are covered by EU Standard Contractual Clauses (SCC) in Google Cloud Data Processing and Security Terms and the EU-US Data Privacy Framework, under which Google LLC is certified. We have conducted a Transfer Impact Assessment for this use.
12 Technical and organisational security measures
We have taken the measures that, under GDPR Art. 32, are appropriate to the risk of processing special categories of personal data:
Encryption:
- In transit: TLS 1.2 or newer on all network traffic.
- At rest: LUKS full-disk encryption on database servers.
- Backups: AES-256 encryption on separate EU storage.
Access control:
- Role-based access control (RBAC) with principle of least privilege.
- MFA/TOTP required for all privileged access.
- WireGuard VPN required for administrative access to production.
- Four-eyes principle on production changes.
Monitoring and integrity:
- Daily file integrity monitoring (AIDE) on production nodes.
- Centrally collected system logs.
- SHA-256 hashing of critical transaction logs (immutable audit trail).
- Antivirus on workstations and servers.
Organisational:
- Staff do not as a rule have access to consultation data (no-access support model). Access in specific support situations requires the clinic's prior approval and is documented.
- Non-disclosure agreements for all personnel with access to the production environment.
- Regular security training.
13 Audit and certification
Our controls are audited under ISAE 3000 Type 1 by BDO. The report is available to clinic customers and prospective customers on request under a confidentiality agreement.
Our hosting provider netcup GmbH is certified under ISO/IEC 27001 and ISO/IEC 27701, verified annually.
14 Your rights
You have the following rights under GDPR. How your request is routed depends on whether we process your data as data controller (user account, invoicing, logs) or as data processor (consultation data):
- Access (Art. 15): Obtain confirmation of whether we process data about you, and a copy of the data.
- Rectification (Art. 16): Have incorrect data corrected. Note: a transcription is an objective recording of what was said and cannot be rectified in content — only deleted.
- Erasure (Art. 17): Have data deleted without undue delay when one of the conditions in Art. 17(1) is met.
- Restriction (Art. 18): Restrict our processing in specific situations.
- Data portability (Art. 20): Receive data in a structured, commonly used and machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interest.
- Withdrawal of consent (Art. 7(3)): Where processing is based on consent, the consent can be withdrawn with forward-looking effect.
How to exercise the rights:
- For consultation data (we are data processor): contact the clinic. The clinic can delete or export data via the Peoples Clinic platform using the consultation ID.
- For user account, invoicing and logs (we are data controller): contact privacy@peoplesdoctor.com.
We respond within 30 days, as per GDPR Art. 12(3). Complex requests may be extended by up to two months with reasoned notice within the same deadline. We charge no fee unless the request is manifestly unfounded or excessive (Art. 12(5)).
15 Security breaches
If a personal data breach occurs:
- The Danish Data Protection Agency is notified within 72 hours of detection, as per GDPR Art. 33.
- Affected clinics (data controllers) are notified as quickly as possible — internal target 48 hours from breach detection.
- Affected data subjects are notified by the clinic under Art. 34 if the breach is likely to result in a high risk to their rights and freedoms.
- Our DPO has sole responsibility for assessing whether an incident constitutes a breach in the sense of Art. 33.
Security incidents can be reported to security-incident@peoplesdoctor.com.
16 Cookies and website tracking
peoplesdoctor.com uses only strictly necessary cookies (session ID and language preference). We do not use marketing trackers, fingerprinting or cross-site tracking on our public website.
The Peoples Clinic platform itself uses session cookies for authentication and function — no tracking cookies.
17 Complaint to the Data Protection Authority
You can complain to the Danish Data Protection Agency if you believe that our processing of your data is in breach of the data protection rules:
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Phone: +45 33 19 32 00
dt@datatilsynet.dk
www.datatilsynet.dk
You don't need to have contacted us first, but we encourage you to give us the opportunity to find a solution before you complain.
18 Changes to this policy
Material changes are communicated to registered clinic customers by email at least 30 days before they take effect. Minor changes (clarifications, updated contact details) can be published without separate notice.
Previous versions can be requested via privacy@peoplesdoctor.com. Version history is maintained in our ISAE 3000 documentation system.