Privacy Policy
How we collect, use, and protect your personal information on SimPatient.
Effective 5 June 2026 · Version 2.1 · Applies to simpatient.co.uk and app.simpatient.co.uk
1. Introduction
SimPatient ("SimPatient", "we", "us", "our") provides an AI-powered medical training simulation platform that enables learners to practise clinical communication with virtual patients in text, audio, and video modes.
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy applies to:
- Visitors to our marketing website at simpatient.co.uk
- Users of our application at app.simpatient.co.uk
- Prospective customers, learners (students), organisation administrators, and super administrators
If you are using SimPatient as part of a university, NHS organisation, or other institution, that institution is the Controller of your personal data for the purposes of the simulation service, and SimPatient acts as a Processor on its behalf. Where you have signed up directly as an individual, SimPatient is the Controller.
2. Who we are
SimPatient is operated by St Andrews Medical Innovations Limited (trading as SimPatient), a company registered in Scotland (SC705314).
- Registered address: Walter Bower House, Main Street, Guardbridge, St Andrews, Fife, KY16 0US
- Company number: SC705314
- ICO registration number: ZB284261
- Data Protection Officer: Mr Christopher Milne, Head of Information Assurance and Governance (dataprot@st-andrews.ac.uk)
- Contact: hello@simpatient.co.uk
3. Scope and summary
At a glance:
- We store all customer personal data on servers located in the European Union / United Kingdom.
- We do not transfer your personal data outside the EU/UK in identifiable form.
- Your conversation transcripts and any derived data are never used to train third-party AI models.
- SimPatient is designed for simulated clinical scenarios. You must not enter real patient data into the platform.
- You can request access, correction, deletion, export, or restriction of your personal data at any time by emailing hello@simpatient.co.uk.
4. Personal data we collect
4.1 Data you provide directly
| Category | Examples | When collected |
|---|---|---|
| Account data | Full name, email address, password (hashed), profile image, user role, organisation membership | Sign-up, profile updates, institutional invitations |
| Authentication data | Session tokens, multi-factor one-time codes | Login flow |
| Consultation data | Chat transcripts, audio recordings (where audio mode is used), video session data (where video mode is used) | Your use of the simulation |
| Reflection data | Free-text reflection answers after each consultation | Reflection step of the case flow |
| Feedback data | AI-generated feedback on your consultation (strengths, improvements) | Generated by our AI layer |
| Support data | In-app feedback, bug reports, screenshots you choose to attach | Optional feedback widget |
| Correspondence | Emails you send us, and our replies | Direct communication |
4.2 Data collected automatically
| Category | Examples | Notes |
|---|---|---|
| Device and log data | IP address, user agent, browser type, timestamps | |
| Cookies and similar technologies | See section 11 below | |
| Usage data | Which cases you open, session duration, credit consumption | |
| Consent records | Policy version you accepted, timestamp, IP address, user agent (kept as an audit trail) | |
4.3 Data we do not collect
- We do not knowingly collect real patient medical data.
- We do not collect payment card data directly. Any future billing will be processed by a PCI-DSS-compliant payment processor.
- We do not purchase personal data from data brokers.
5. Special category data (Article 9)
SimPatient generates synthetic clinical scenarios. Simulated patient personas and the medical content within them are fictional and are not the personal data of any real person.
Your use of the platform may produce content that resembles health data (because you are practising clinical consultations). Because this content relates to a simulated patient and reflects your own educational performance, we do not treat it as Article 9 "special category" data about a real data subject.
You are contractually prohibited from entering real patient information, real clinical records, or any identifiable third-party health data into the platform. If you do so inadvertently, contact us immediately at hello@simpatient.co.uk and we will delete it.
We do not rely on the contractual prohibition alone. To reduce the foreseeable risk of real patient data being entered, we apply technical and organisational guardrails, including in-product warnings at the point of input, detection and redaction measures where feasible, and data-protection training for administrators. We assess this risk in our Data Protection Impact Assessment and keep these measures under review.
6. Why we use your personal data and our legal bases
| Purpose | Legal basis |
|---|---|
| Creating and managing your account; authenticating you; delivering the simulation service | Contract (Art. 6(1)(b)) |
| Routing consultations through our AI providers to generate responses, voices, and avatars | Contract (Art. 6(1)(b)) |
| Storing transcripts and feedback so you can review your progress | Contract (Art. 6(1)(b)) |
| Keeping the platform secure, preventing abuse, enforcing acceptable use | Legitimate interests (Art. 6(1)(f)) |
| Producing anonymised, aggregated analytics for service improvement | Legitimate interests (Art. 6(1)(f)) |
| Recording your acceptance of this policy and other consents | Legal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f)) |
| Sending transactional emails (invitations, password resets, verification codes) | Contract (Art. 6(1)(b)) |
| Sending marketing communications (if you opt in) | Consent (Art. 6(1)(a)) |
| Non-essential cookies and in-app feedback widgets | Consent (Art. 6(1)(a)) |
| Complying with legal, regulatory, and tax obligations | Legal obligation (Art. 6(1)(c)) |
| Establishing, exercising, or defending legal claims | Legitimate interests (Art. 6(1)(f)) |
You can withdraw any consent you have given at any time by emailing hello@simpatient.co.uk or updating your preferences in the app. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
7. Who we share your personal data with
We share your personal data only with the sub-processors listed below, all of which are contractually bound by Data Processing Agreements and process your data exclusively on EU/UK infrastructure.
7.1 Sub-processors
We use a small number of carefully selected sub-processors (for cloud hosting, database and authentication, AI model inference, voice and avatar generation, transactional email, and in-app support) to deliver the Service. Each is bound by a written Data Processing Agreement, processes personal data exclusively on EU/UK infrastructure, and is contractually prohibited from using your data to train AI models.
A current, itemised list of our sub-processors (including the specific providers, their role, the data they process, and their processing region) is available to customers and prospective customers on request, by emailing hello@simpatient.co.uk. We will notify customers at least 90 days before adding or replacing a sub-processor that handles personal data. Institutional customers may object in accordance with their Data Processing Agreement.
7.2 Other recipients
We may also share your personal data with:
- Professional advisers: lawyers, accountants, auditors, bound by confidentiality
- Regulators and law enforcement: where we are legally required to do so
- A successor entity: in the event of a merger, acquisition, or sale of assets, subject to the same privacy protections
We do not sell your personal data, and we do not share it with advertising networks.
8. International transfers
All sub-processors listed above have committed to processing SimPatient customer personal data on infrastructure located within the European Union or the United Kingdom.
Where a sub-processor is a US-headquartered company (for example, OpenAI, ElevenLabs, Resend, Userback, Vercel, or Google Cloud), your personal data is nevertheless processed exclusively in an EU or UK region under a Data Processing Agreement that restricts the transfer of personal data outside those regions in identifiable form.
In the limited circumstances where a transfer outside the UK/EU becomes necessary (for example, support engineering access), we rely on:
- The UK International Data Transfer Addendum to the EU Standard Contractual Clauses; or
- The UK International Data Transfer Agreement (IDTA),
together with supplementary technical measures including encryption in transit (TLS 1.2+), encryption at rest, and role-based access controls. A copy of the transfer mechanism in use for any particular sub-processor is available on request.
9. How long we keep your personal data
We keep your personal data only for as long as necessary for the purposes described in this policy.
| Category | Retention period |
|---|---|
| Account data (name, email, role, organisation) | For the life of your account, plus 90 days after deletion |
| Consultation transcripts and messages | 24 months from creation, or the term of your institution's contract, whichever is longer |
| Audio recordings (held on ElevenLabs) | 24 months, subject to sub-processor retention policy |
| Reflection and feedback data | 24 months from creation |
| Consent records (audit trail) | 6 years after the consent was given or withdrawn |
| Invitation records | 3 months, or until accepted/revoked |
| One-time codes (MFA) | Up to 5 minutes, then automatically deleted |
| Activity / session tracking | Deleted automatically when a user is inactive beyond the platform threshold |
| Anonymised, aggregated analytics | Indefinitely (no longer personal data once anonymised) |
| Support correspondence | 3 years from last contact |
When you request account deletion, we delete or irreversibly anonymise your personal data within 30 days, subject to any legal obligation that requires us to retain specific data for longer (for example, financial records).
10. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Right of access (Art. 15): obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16): ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17): ask us to delete your personal data ("right to be forgotten").
- Right to restriction (Art. 18): ask us to limit how we process your data.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests, including profiling and direct marketing.
- Right to withdraw consent: where processing is based on consent, you can withdraw it at any time.
- Right not to be subject to solely automated decision-making (Art. 22): we do not make legally significant decisions about you through automated means.
To exercise any of these rights, email hello@simpatient.co.uk. We will respond within the applicable time period under the UK GDPR. That period runs from the latest of: the date we receive your request, the date we have verified your identity (where we reasonably need to do so), and the date we receive any fee we are permitted to charge. It is normally one month, extendable by up to two further months for complex or numerous requests (we will tell you if an extension applies).
We may need to verify your identity before acting on a request. This is to protect your data from unauthorised disclosure.
Complaining to us first. If you are unhappy with how we have handled your personal data, we ask that you raise it with us first by emailing hello@simpatient.co.uk, so we have the opportunity to put things right. We will acknowledge your complaint within 30 days of receiving it, keep you informed of our progress, and aim to provide a substantive response within three months. We provide this complaints route in accordance with section 164A of the Data Protection Act 2018.
Complaining to us does not remove your right to complain to the UK's supervisory authority. You may complain to us, to the Information Commissioner's Office, or both:
- Information Commissioner's Office (ICO)
- Website: https://ico.org.uk/
- Helpline: 0303 123 1113
11. Cookies and similar technologies
We use a small number of cookies and similar technologies:
| Cookie | Purpose | Type | Lifespan |
|---|---|---|---|
| next-auth.session-token (prod: __Secure-next-auth.session-token) | Keeps you signed in across pages | Essential | Up to 30 days |
| superadmin_token | Authenticates super administrators | Essential | Session |
| pendingInviteToken | Carries an invitation through single sign-on so the right role and organisation are applied when you redeem it | Essential | Short-lived (cleared once the invite is applied) |
| Userback session | Runs the in-app feedback and bug-report tool for signed-in users (functional support tool, not analytics or advertising) | Essential | Session |
All of the cookies we currently use are essential: they are strictly necessary to sign you in, keep you signed in, authenticate administrators, apply invitations, and run the in-app feedback and support tool. Under the Privacy and Electronic Communications Regulations (PECR) these may be set without consent. We do not use analytics, advertising, or third-party tracking cookies in the app.
If in future we introduce any non-essential cookies (for example, analytics), we will not set them until you have given explicit consent through a cookie banner that lets you accept or reject them with equal prominence, and you will be able to change your choice at any time.
Full details are available in our separate Cookie Policy at simpatient.co.uk/cookies.
12. Security
We take the security of your personal data seriously. Our measures include:
- Encryption in transit via TLS 1.2 or higher
- Encryption at rest for all database and file storage
- Password hashing with bcrypt (salted, 10 rounds)
- Role-based access control enforced on every server-side route
- Server-side-only database access (no direct client-to-database writes)
- JWT-based session tokens with HttpOnly and Secure flags
- Multi-factor authentication for privileged administrator accounts
- Audit logging of administrator access to learner data
- Backups and disaster recovery via Google Cloud's resilient infrastructure
- Regular security reviews of our codebase and dependencies
No system is 100% secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify you without undue delay.
13. Children and age
SimPatient is designed for adult medical learners (age 18+) using the platform in an educational context, either through an institution or as an individual learner.
You must be at least 18 years old to create an account as an individual. Where a learner under 18 uses the platform under institutional supervision (for example, a university or NHS trust), the institution is responsible for obtaining any necessary parental or guardian consent before inviting the learner.
Where any user of the platform is under 18, we treat their personal data as meriting higher protection. We have regard to the heightened protections for children's data under the Data (Use and Access) Act 2025 and to the ICO's Age Appropriate Design Code (the Children's Code), and we assess the processing of any under-18 user's data in our Data Protection Impact Assessment. The UK age at which a child can consent to information society services on their own behalf is 13; we do not rely on a child's own consent as a lawful basis for the simulation service, which is instead provided to institutional learners under the institution's lawful basis.
If you believe a child has provided us with personal data outside an institutional arrangement, contact hello@simpatient.co.uk and we will delete it.
14. Automated decision-making and profiling
We do not make decisions about you that produce legal or similarly significant effects using solely automated means (Art. 22 UK GDPR).
Our platform uses AI models to generate simulated patient responses and educational feedback. These outputs are educational in nature and are not decisions about you that have legal effect. A human (you, and where applicable your tutor) remains in control of any educational evaluation.
The AI-generated feedback is a formative learning aid. It is not designed or intended to be used as an automated assessment, grading, or examination tool, and it must not be used as the sole basis for any academic or professional decision about a learner. Any summative assessment remains the responsibility of the learner's institution and its human assessors.
15. Marketing
Where you have opted in, we may send you occasional emails about new features, product updates, or SimPatient-related educational content.
You can unsubscribe at any time via the link in every marketing email, or by emailing hello@simpatient.co.uk. Unsubscribing from marketing does not affect transactional emails (such as invitations, password resets, and service notices), which you cannot opt out of while you hold an account.
16. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Publish the updated policy at simpatient.co.uk/privacy and app.simpatient.co.uk/privacy
- Increment the version number and update the "Effective date"
- Notify registered users by email and/or in-app notification where the change materially affects how your data is processed
Previous versions are available on request.
17. Contact us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us using the details below.
Contact
St Andrews Medical Innovations Limited (trading as SimPatient)
- Data Protection Officer: Mr Christopher Milne, Head of Information Assurance and Governance
- DPO email: dataprot@st-andrews.ac.uk
- General email: hello@simpatient.co.uk
- Post: Walter Bower House, Main Street, Guardbridge, St Andrews, Fife, KY16 0US
This Privacy Policy is governed by the laws of Scotland.