BookedSolid Privacy Policy

Effective Date: 10/07/2025

1. Introduction

BookedSolid Ltd provides AI receptionist services for healthcare clinics. This Privacy Policy explains how we collect, use, process, and protect your personal data when you use our services.

Who we are: BookedSolid Ltd is a UK-based company providing AI receptionist services. We are the data controller for the personal data we process through our services.

Who this policy applies to:

  • Clinic Users: Healthcare professionals and clinic staff who use our AI receptionist service
  • Patients: Individuals who interact with our AI receptionist when contacting participating clinics

This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For clients and patients in Australia, we also comply with the Privacy Act 1988. For those in New Zealand, we comply with the Privacy Act 2020.

2. Personal Data We Collect

2.1 Data Categories

We collect the following categories of personal data:

Identity Data:

Name, age, date of birth, gender

Contact Data:

Phone number, email address, postal address

Technical Data:

IP address, login data, browser type, device information, location data

Usage Data:

Information about how you use our services, call and message logs, interaction patterns

Transaction Data:

Payment information, billing details, subscription information

Profile Data:

Username, password, account preferences, service settings

Interaction Data:

Call transcripts, voice recordings, message content, appointment requests

Special Category Data:

Health information disclosed during patient interactions with our AI receptionist

2.2 How We Collect Personal Data

We collect personal data:

  • Directly from you when you register for an account or use our services
  • From patient interactions with our AI receptionist
  • From integrated third-party booking systems (such as Cliniko or Nookal)
  • Through our website using cookies and analytics tools
  • From publicly available sources where relevant

3. Legal Basis for Processing

Under UK GDPR, we must have a legal basis for processing your personal data. The table below shows our legal bases:

3.1 Special Category Data

Health information requires additional protection under UK GDPR. We process health data when:

  • A patient discloses such information to the AI
  • Processing is necessary for healthcare purposes and carried out by healthcare professionals
  • Processing is necessary to protect vital interests where consent cannot be obtained
  • Processing is required by law

4. How We Use Your Personal Data

We use your personal data to:

  • Provide and maintain our AI receptionist service across selected channels (calls, SMS, WhatsApp, email)
  • Process appointment bookings and patient enquiries
  • Create transcripts and store voice recordings for quality assurance (where enabled by the clinic)
  • Integrate with your practice management systems
  • Improve our AI technology and service quality through review of selected communications
  • Generate analytics reports for clinics (including call duration, message counts, appointment statistics)
  • Provide customer support and respond to enquiries
  • Process payments and manage billing
  • Send marketing communications (with your consent)
  • Comply with legal obligations
  • Protect against fraud and ensure service security

5. Data Sharing and Recipients

We may share your personal data with:

Service Providers:

Third-party companies that help us provide our services, including:

  • Cloud hosting providers (Render)
  • Database services (MongoDB via AWS, stored in Ireland and Germany)
  • AI and language processing services (OpenAI, Anthropic, Google, Deepgram, ElevenLabs)
  • Payment processors
  • Customer support platforms

Practice Management Systems:

Integrated systems like Cliniko or Nookal for appointment scheduling

Healthcare Providers:

Your clinic staff for appointment management and patient care

Legal Authorities:

When required by law or to protect our rights and safety

Business Transfers:

In the event of a merger, acquisition, or sale of assets

We do not sell your personal data to third parties for marketing purposes. All third-party processors are bound by data processing agreements that ensure appropriate data protection standards.

6. International Data Transfers

We primarily store and process data within the European Union (Ireland and Germany via our MongoDB/AWS infrastructure). Our web hosting is provided by Render. When we transfer personal data outside the UK/EU, we ensure adequate protection through:

  • Transfer to countries with UK/EU adequacy decisions
  • Use of Standard Contractual Clauses (SCCs)
  • Other appropriate safeguards as required by UK GDPR

Specific third-party processors and their locations:

  • Database storage: MongoDB (AWS Ireland/Germany)
  • AI processing: OpenAI, Anthropic, Google, Deepgram, ElevenLabs (various locations with appropriate safeguards)

For clients in Australia and New Zealand, we ensure compliance with local data transfer requirements.

7. Data Retention

We retain personal data only as long as necessary for:

  • Fulfilling the purposes for which it was collected
  • Complying with legal, regulatory, and professional obligations
  • Resolving disputes and enforcing agreements

Typical retention periods:

Account data: Duration of active account plus 6 years
Patient interaction data: 7 years (in line with healthcare record-keeping requirements)
Voice recordings: 2 years unless longer retention is required for legal purposes (note: voice recordings are excluded from automatic backups)
Technical and usage data: 2 years
Analytics and reporting data: 3 years

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of Access: Request copies of your personal data
Right to Rectification: Correct inaccurate or incomplete data
Right to Erasure: Request deletion of your personal data in certain circumstances
Right to Restrict Processing: Limit how we process your data
Right to Data Portability: Receive your data in a structured, machine-readable format
Right to Object: Object to processing based on legitimate interests, including marketing
Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time
Rights Related to Automated Decision-Making: Request human review of automated decisions that significantly affect you

To exercise these rights, contact us at privacy@bookedsolid.co.uk.

9. Emergency Situations

In exceptional circumstances where we reasonably believe there is a serious risk to life, health, or safety, we may contact emergency services or speak with family members, partners, or support persons without obtaining prior consent, relying on the vital interests legal basis.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit and at rest
  • Access controls
  • Staff training on data protection
  • Incident response procedures

11. Cookies and Website Analytics

We use cookies and similar technologies on our website to:

  • Enable essential website functionality
  • Remember your preferences and settings
  • Analyse website usage and performance
  • Support marketing and advertising activities

You can manage cookie preferences through your browser settings. For more information, see our Cookie Policy or contact us.

12. Voice Recording Consent

Voice recordings of patient interactions are controlled by clinic settings and are not subject to individual patient opt-out. Clinics can disable call recordings through their account settings. When call recording is enabled:

  • Patients will be informed that calls may be recorded (unless otherwise configured by the clinic)
  • Recordings are used for quality assurance and service improvement
  • Recordings are excluded from automatic data backups
  • Recordings are retained for up to 2 years

13. Age Restrictions and Minors

Our services are intended for use by healthcare professionals aged 18 and over. While we cannot control the age of individuals who contact clinics through our AI receptionist, we:

  • Do not knowingly collect personal data from minors for marketing purposes
  • Process minors' data only as necessary for healthcare appointment scheduling
  • Encourage clinics to have appropriate safeguarding policies for minor patients

14. Data Processing Agreements

Clinic clients enter into Data Processing Agreements (DPAs) with us that specify the terms of personal data processing.

15. Data Breach Response

In the event of a personal data breach, we will:

  • Assess the breach and take immediate containment measures
  • Notify the ICO within 72 hours where required by law
  • Inform affected individuals without undue delay where there is a high risk to their rights and freedoms
  • Document the breach and our response measures
  • Review and update our security measures as necessary

We maintain an incident response plan and conduct regular security assessments to minimise the risk of data breaches.

16. Analytics and Reporting

We provide clinics with analytics reports and downloadable data (CSV format) that may include:

  • Call duration and frequency statistics
  • Message counts across different channels
  • Appointment booking, cancellation, and rescheduling metrics
  • Types of appointments booked
  • General usage patterns and trends

This aggregated data helps clinics understand their patient communication patterns and service utilisation.

17. Automated Decision-Making

Our AI receptionist uses automated processing to:

  • Understand and respond to patient enquiries
  • Schedule appointments
  • Route calls to appropriate staff

These automated decisions are designed to assist rather than replace human judgment. You have the right to request human review of any automated decision that significantly affects you.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Posting the updated policy on our website
  • Sending email notifications to account holders
  • Updating the effective date at the top of this policy

19. Contact Information and Complaints

All Privacy Enquiries: privacy@bookedsolid.co.uk

Right to Complain: If you're not satisfied with how we handle your personal data, you have the right to lodge a complaint with:

  • UK residents: Information Commissioner's Office (ICO) - www.ico.org.uk
  • Australian residents: Office of the Australian Information Commissioner (OAIC)
  • New Zealand residents: Office of the Privacy Commissioner