Privacy Policy

1. Data controller

Slatewick is a trading name of Kronaxis Limited, a company registered in England and Wales. We are the data controller for the personal data described in this policy.

Contact: privacy@slatewick.co.uk

2. What we collect

Account data

When you register, we collect your name, email address, and a password. The password is hashed using scrypt before storage. We never store passwords in plain text.

Organisation data

Practice or business name, address, postcode, phone number, staff names and roles, regulator details, and service configuration.

Compliance documents

Standard operating procedures, incident reports, complaint records, controlled drug register entries, training records, inspection checklists, COSHH assessments, and any other documentation you create or upload within the service.

AI-generated content

Document drafts generated by our AI assistant, along with structured inputs you provide (procedure type, substance name, condition, etc.).

Usage data

Pages visited, features used, timestamps, browser type, and IP address. We do not use third-party analytics tools.

Contact form data

Name, email, company, industry, message text, IP address, and submission timestamp.

3. Legal basis for processing

• Contract: We process your data to provide the service you have registered for, including document generation, storage, and export.
• Legitimate interest: We process usage data to improve the service, detect errors, and maintain security.
• Consent: If you opt in to marketing communications, we process your email for that purpose. You can withdraw consent at any time.

4. AI processing

We use the Google Gemini API to generate document drafts. When you request an AI-generated document, we send structured inputs (for example: procedure type, substance name, consultation details) to the Gemini API. We do not send patient or client names, dates of birth, or NHS/clinical identifiers unless you explicitly type them into a free-text field.

Google processes these requests under their data processing terms. AI inputs and outputs are logged for quality assurance and retained for 90 days.

Gemini API requests are processed in the EU/UK region where available.

5. Data storage and security

Your data is stored on dedicated servers located in UK data centres. The database is encrypted at rest. All connections use TLS encryption in transit. Passwords are hashed with scrypt (a computationally expensive key derivation function designed to resist brute-force attacks).

Access to production systems is restricted to authorised personnel with multi-factor authentication.

6. Data sharing

We do not sell your data. We do not share your data with advertisers. We share data with the following third parties, strictly as required to provide the service:

• Google (Gemini API): Structured inputs for AI document generation, subject to Google's data processing terms.
• Stripe: Payment card details for subscription billing. We do not store card numbers; Stripe handles all payment data under PCI DSS Level 1.
• Twilio: Phone numbers for SMS notifications, if enabled by you.

No other third parties receive your data.

7. Your rights

Under the UK General Data Protection Regulation, you have the following rights:

• Access: Request a copy of all personal data we hold about you.
• Rectification: Correct inaccurate personal data.
• Erasure: Request deletion of your account and all associated data.
• Portability: Export your data in CSV format at any time from within the service.
• Restriction: Request that we limit processing of your data in certain circumstances.
• Objection: Object to processing based on legitimate interest.

To exercise any of these rights, email privacy@slatewick.co.uk. We will respond within 30 days.

8. Data retention

• Active accounts: Data retained for the duration of your subscription.
• Deleted accounts: All data purged within 30 days of account deletion request.
• AI logs: Input/output pairs retained for 90 days, then permanently deleted.
• Contact form submissions: Retained for 2 years, then permanently deleted.

9. Cookies

We use one essential session cookie for authentication. We do not use analytics cookies, advertising cookies, or third-party cookies. See our Cookie Policy for full details.

10. Children

Our services are designed for regulated businesses and professional organisations. They are not intended for individuals under 18 years of age. We do not knowingly collect data from children.

11. International transfers

The Google Gemini API may process data outside the United Kingdom. These transfers are covered by Google's standard contractual clauses and their commitment to UK GDPR-equivalent safeguards.

All other data processing occurs within the United Kingdom.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect.

13. Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113

14. Contact

Data protection enquiries: privacy@slatewick.co.uk

General enquiries: hello@slatewick.co.uk