Clara Data Protection & Information Security Overview

Last updated: 1 April 2026

This document provides a customer-facing summary of how Clara approaches privacy, data protection, and information security. It is intended to give clinics and other external parties confidence in our practices without disclosing sensitive internal operational details that could weaken security.

For information about the personal data we collect, the purposes for which we process it, lawful bases, individual rights, and contact details, please see our Privacy Policy. Contractual commitments may also be set out separately in your agreement with Clara, including any applicable Data Processing Agreement.

Scope: This document is intended as a high-level overview only. It does not constitute legal advice, does not replace your own compliance obligations as a healthcare organisation, and does not override the specific terms of your agreement with Clara.

1. Governance and accountability

Clara treats the protection of personal and sensitive information as a core responsibility. We maintain internal policies and controls appropriate to our size, stage, and risk profile, and we review our practices as the product, customer base, and regulatory environment evolve.

We assign responsibility for service security and data protection matters internally and aim to ensure that privacy and security considerations are reflected in how Clara is designed, operated, and supported.

2. Categories of data processed

Depending on how clinics use Clara, the data processed may include:

  • patient and staff identifiers and contact details;
  • appointment, scheduling, service, and related operational information;
  • conversation content, including text, messaging, and voice interactions where enabled;
  • clinic configuration data, knowledge content, and workflow inputs supplied by the clinic;
  • authentication, audit, and access logs; and
  • technical metadata required to operate, maintain, and secure the service.

Health-related and other special category personal data may be processed where it is included in workflows, communications, or service interactions.

3. Controller and processor roles

In most cases, the clinic determines why and how patient and end-user data is processed in connection with its care delivery and administrative operations, and therefore acts as the data controller for that processing.

Clara typically acts as the data processor when providing the Clara platform and related services on the clinic’s behalf and in accordance with the clinic’s instructions.

For certain activities, such as Clara’s own business operations, website administration, billing, compliance, and direct relationships with clinic staff, suppliers, or prospective customers, Clara may act as a data controller in its own right.

Where these roles differ depending on the context, responsibilities are allocated in accordance with applicable law and the relevant contractual arrangements.

4. Nature of the service

Clara provides administrative, communication, and workflow automation tools for clinics and related organisations. The service may support activities such as patient communications, appointment-related workflows, clinic configuration, onboarding, support, and related operational processes.

Clara is not a medical, diagnostic, clinical, or emergency service and does not replace professional healthcare judgment, clinical decision-making, or emergency response processes.

5. Access controls and least privilege

Access to production systems and customer data is limited to authorised personnel and contractors who have a legitimate business need for that access.

We apply least-privilege principles, aim to separate administrative access from end-user access where appropriate, and use authentication and authorisation controls consistent with industry practice.

6. Encryption and secure hosting

Clara uses reputable cloud infrastructure and service providers to support the delivery of the platform.

We protect data in transit using strong transport-layer security and apply appropriate safeguards to credentials, secrets, and other sensitive operational data. We do not publish detailed technical architecture, infrastructure diagrams, or security configurations in this overview.

7. Use of service providers and subprocessors

Clara uses carefully selected third-party service providers to support functions such as hosting, communications, automated conversational and voice features, retrieval or search functionality, and support-related communications.

These providers are engaged under written arrangements that include data protection obligations appropriate to their role. A summary of key providers is set out in our Privacy Policy, and additional contractual or notice commitments may apply under customer agreements where relevant.

8. Use of customer data in Clara systems

Where Clara processes personal data on behalf of a clinic, it does so in accordance with that clinic’s instructions and the applicable customer agreement.

Clara does not use personal data processed on behalf of customers to train, fine-tune, or improve any general-purpose artificial intelligence model or broader product system.

9. Backup, business continuity, and disaster recovery

Clara maintains backup and recovery capabilities appropriate to the nature and availability requirements of the service.

Recovery processes and objectives are managed internally. While we do not guarantee uninterrupted availability in all circumstances, we work to restore service functionality as quickly and safely as possible following a disruptive event.

10. Incident response and breach notification

Clara maintains procedures designed to detect, assess, contain, and respond to security incidents.

Where Clara processes personal data on behalf of a clinic and a personal data breach occurs, we will notify the relevant clinic without undue delay in accordance with our legal and contractual obligations. We will also cooperate reasonably with the clinic to support its own assessment and regulatory obligations where required.

11. Staff confidentiality and training

Personnel with access to customer or patient-related data are subject to confidentiality obligations and are expected to complete training, guidance, or onboarding appropriate to their role.

Access to sensitive systems and data is granted only where required for legitimate operational purposes.

12. Retention and deletion

Data retention is determined by contractual requirements, clinic configuration where applicable, legal and regulatory obligations, and legitimate operational needs such as security, backup, fraud prevention, dispute resolution, and service continuity.

When services end, Clara supports the deletion or return of customer data in accordance with the relevant agreement, subject to limited retention where required by law or by standard backup and recovery processes.

13. Data subject rights

Individuals who wish to exercise privacy rights in relation to personal data processed for a clinic through Clara should usually contact the relevant clinic first, as that clinic will typically be the data controller for that information.

Clara assists clinic customers, within the scope of our role and contractual commitments, in responding to such requests where required. Individuals may also contact Clara directly using the details below, and we will coordinate with the relevant clinic where Clara acts as processor.

14. Contact

For privacy and security queries, please contact:

Email: nick@askclara.co