Privacy information for therapists and clinics

Who we are

Citt.ai operates the platform. Declan Ahern is the named privacy contact for GDPR, DPO, and EU representative enquiries at declan@citt.ai. Our correspondence address is 90 Clapham Common North Side, London, UK, SW49SG.

Your role

When you use Citt.ai to deliver care, you typically act as an independent controller (or joint controller with your practice) for clinical decisions and records. For specific clinical-AI flows in the product — managed patient records and the patient claim journey, patient messaging and AI support (including optional channels such as WhatsApp where enabled), assessments and check-ins, and session recording with transcription and AI-assisted notes — you and Citt.ai are joint controllers under Article 26 GDPR. The Joint Controller Agreement you accept in the product sets out how responsibilities are allocated.

For other processing (for example your own marketing site visits, therapist account administration, billing and payouts as between you and Citt.ai, and platform security), Citt.ai may act as sole controller for its own purposes. You remain responsible for your lawful bases and transparency toward patients for everything you do in your practice outside or beyond the platform.

What we process about you and your practice

• Professional account data: identity, contact, credentials, licensure details you provide, practice settings, and audit events tied to your user ID.
• Patient-care data you upload or generate: messages, notes, transcripts, assessments, billing records, and configuration you apply for each patient.
• Technical and security data: device and connection metadata, logs, and abuse-prevention signals needed to secure the Service.

What we process on your behalf for patients

The patient-facing privacy policy describes categories of patient data, purposes, retention, and subprocessors in detail. In short, we host and process patient data you direct through the product so that AI support, scheduling, billing, and related workflows can run. You must only add patients and data you are lawfully permitted to process, and you must give patients appropriate transparency (including your own privacy notice and, where needed, a link to the Citt.ai patient notice for the platform layer).

Sub-processors and transfers

We use vetted infrastructure and service providers (for example cloud hosting, AI inference, transcription, messaging channels, email, and payments). A summary of key providers and security practices is in our Trust Center. Where personal data is transferred internationally, we rely on lawful mechanisms such as adequacy decisions, standard contractual clauses, or UK addenda, consistent with the disclosures in the patient privacy policy.

Data subject requests

Patients may contact you or Citt.ai to exercise GDPR or similar rights. Either party may be the first point of contact. By default, requests that mainly concern clinical content (messages, transcripts, assessments, care plans) are fulfilled by you with platform assistance; requests that mainly concern platform accounts, authentication, security logs, or vendor processing are fulfilled by Citt.ai with notice to you when clinically relevant. The parties cooperate to meet statutory timelines.

Security and breach notification

Citt.ai maintains technical and organisational measures appropriate to the risk, including encryption, access control, logging, and vendor oversight. Each joint controller has its own legal duties if a breach occurs. Where a breach affects joint-scope data, Citt.ai will inform you without undue delay so you can meet your own obligations.

Retention

Retention for patient and clinical artefacts follows the schedules described in the patient privacy policy and product settings, subject to lawful overrides (clinical record retention, accounting, and security). Therapist account and billing records are retained as needed to operate the Service and meet legal duties.

Your rights

As an individual user, you may exercise access, rectification, erasure, restriction, objection, or portability rights in respect of your own account and professional profile data by contacting declan@citt.ai or using in-product tools where available.

Changes and contact

We may update this notice when the product or legal context changes. Material updates may require re-acceptance alongside other legal documents. Questions: declan@citt.ai; post to 90 Clapham Common North Side, London, UK, SW49SG.