Privacy Policy

1. Data controller

Slatewick is a trading name of Kronaxis Limited, a company registered in England and Wales. We are the data controller for the personal data described in this policy.

Privacy contact: privacy@slatewick.co.uk

We have not appointed a Data Protection Officer because we are not required to under Article 37 of the UK GDPR. Our privacy contact answers questions in the role a DPO otherwise would.

2. What we collect

Account data

When you register, we collect your name, email address, and a password. The password is hashed using scrypt before storage. We never store passwords in plain text.

Organisation data

Practice or business name, address, postcode, phone number, staff names and roles, regulator details, and service configuration.

Compliance documents

Standard operating procedures, incident reports, complaint records, controlled-drug register entries, training records, inspection checklists, COSHH assessments, and any other documentation you create or upload within the service.

AI-generated content

Document drafts generated by our AI assistant, along with structured inputs you provide (procedure type, substance name, condition, etc.).

Usage data

Pages visited, features used, timestamps, browser type, and IP address. We do not use third-party analytics tools.

Contact form data

Name, email, company, industry, message text, IP address, and submission timestamp.

Billing data

For paid plans, we collect billing name, billing address, VAT number where applicable, plan and seat count, and invoice history. Card details are never stored on our servers and are handled by Stripe under PCI DSS Level 1.

3. Legal basis for processing

• Contract (Article 6(1)(b)): account creation, service delivery, document generation and storage, billing, account support.
• Legitimate interest (Article 6(1)(f)): usage data for service improvement, error detection, fraud prevention, and security. We have balanced these interests against your rights and consider them proportionate. You may object as set out in clause 7.
• Consent (Article 6(1)(a)): marketing emails, optional cookie categories, and optional features such as SMS notifications. Withdrawn at any time without affecting the lawfulness of prior processing.
• Legal obligation (Article 6(1)(c)): tax records, anti-fraud checks, responding to lawful requests from regulators.

4. Special category and criminal-conviction data

The Service is built for industries that routinely handle special category data within UK GDPR Article 9 (such as health information in care, dental, GP, vet, optician, hearing-aid, and pharmacy contexts) and Article 10 criminal-conviction data (such as DBS check status). Where you upload such data into your account, we process it on your behalf as your processor under the Data Processing Agreement. You are responsible for identifying your own lawful basis under Articles 9 and 10 for that processing.

We do not knowingly use special category data for any purpose other than providing the Service to you, and we do not sell, share, or use it for advertising or for training general-purpose AI models.

5. AI processing

We use the Google Gemini API to generate document drafts. When you request an AI-generated document, we send structured inputs (for example: procedure type, substance name, consultation details) to the Gemini API. We do not send patient or client names, dates of birth, or NHS or clinical identifiers unless you explicitly type them into a free-text field.

Google processes these requests under its data-processing addendum and does not use Slatewick API inputs or outputs to train its general-purpose models. AI inputs and outputs are logged within Slatewick for quality assurance and retained for 90 days, after which they are permanently deleted.

Gemini API requests are processed in the EU/UK region where available, with the United States as a fallback. International transfers are governed by the UK addendum to the EU Standard Contractual Clauses.

6. Automated decision-making and profiling

We do not make automated decisions that have legal or similarly significant effects on individuals (Article 22). The AI assistant produces drafts; a human professional reviews and decides. We do not run automated profiling for advertising, scoring, or eligibility decisions.

7. Data storage and security

Your data is stored on dedicated servers located in UK data centres. The database is encrypted at rest. All connections use TLS 1.2 or higher in transit. Passwords are hashed with scrypt, a memory-hard key-derivation function designed to resist brute-force attacks.

Access to production systems is restricted to authorised personnel with multi-factor authentication and IP allow-listing. Privileged actions are logged and reviewed.

Full security posture is described at slatewick.co.uk/security.

8. Data sharing and sub-processors

We do not sell your data. We do not share your data with advertisers. We engage a small number of sub-processors strictly to operate the Service. The current list, with location of processing and transfer mechanism, is published at slatewick.co.uk/sub-processors. Customers receive at least 30 days' notice before any sub-processor change.

We may disclose personal data when required to do so by law (for example, in response to a court order or a lawful regulator request), or to protect our rights, property, or safety, or those of others.

9. Your rights

Under the UK GDPR, you have the following rights in respect of personal data we hold about you as a controller:

• Access: request a copy of all personal data we hold about you.
• Rectification: correct inaccurate personal data.
• Erasure: request deletion of your account and associated data, subject to retention requirements set out below.
• Portability: export your data in CSV format at any time from within the Service.
• Restriction: request that we limit processing in certain circumstances.
• Objection: object to processing based on legitimate interest.
• Withdraw consent: for processing that relies on consent, withdrawn at any time.
• Not to be subject to automated decisions: we do not make any — see clause 6.

To exercise any of these rights, email privacy@slatewick.co.uk. We will respond within one calendar month, extendable by up to two further months for complex or numerous requests, and will tell you if an extension applies.

Where you upload personal data about other people (your staff, residents, patients, clients), data-subject rights requests should be addressed to you as their controller. We assist you in responding under clause 7 of the Data Processing Agreement.

10. Data retention

• Active accounts: retained for the duration of your subscription.
• Free accounts inactive for 12 months: we email a 30-day deletion warning, then delete the account.
• Deleted accounts: production data purged within 30 days. Encrypted backups overwritten on a rolling 90-day cycle.
• AI logs: input/output pairs retained for 90 days, then permanently deleted.
• Contact-form submissions: retained for 24 months, then permanently deleted.
• Billing and tax records: retained for seven years to comply with UK tax legislation.
• Authentication logs: retained for 12 months for security and fraud-prevention purposes.
• Marketing email subscriptions: retained until you unsubscribe, then deleted within 30 days.

11. Personal data breaches

If we become aware of a personal data breach affecting your data, we will notify you without undue delay and in any event within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms. Notifications describe the nature of the breach, the categories and approximate volumes of data and data subjects affected, the likely consequences, and the measures taken or proposed.

We will also notify the Information Commissioner's Office where required under Article 33, and affected data subjects directly under Article 34, in accordance with the law.

12. Cookies

We use one essential session cookie for authentication. We do not use analytics cookies, advertising cookies, or third-party cookies. See our Cookie Policy for full details.

13. Children

The Service is designed for regulated businesses and professional organisations. It is not intended for individuals under 18 years of age. We do not knowingly collect personal data directly from children. Where you upload data about children (for example, in nursery or childminder records), you are the controller and the DPA applies.

14. International transfers

Customer data is stored in the United Kingdom. Where a sub-processor processes data outside the UK, the transfer is governed by the UK International Data Transfer Agreement, the UK addendum to the EU Standard Contractual Clauses, or another mechanism approved under Article 46 of the UK GDPR. The mechanism for each sub-processor is identified at slatewick.co.uk/sub-processors.

15. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email at least 30 days before they take effect. We will also publish the change in our changelog.

16. Complaints

If you are not satisfied with how we handle your data, please contact us first at privacy@slatewick.co.uk so we can try to put it right. You also have the right to lodge a complaint with the Information Commissioner's Office:

Website: ico.org.uk
Telephone: 0303 123 1113

17. Contact

Data protection enquiries: privacy@slatewick.co.uk

General enquiries: hello@slatewick.co.uk

Security incidents: security@slatewick.co.uk