Privacy Policy
This Privacy Policy explains how H&N Communications Limited (company number 17055811) trading as Clara (“Clara”, “we”, “us”, “our”) collects, uses, and protects personal data when you use our websites, products, and services, or otherwise interact with us.
Clara provides administrative, communication, and workflow automation services for healthcare clinics and related organisations. Depending on the context, Clara may act as either:
- a data controller, where we decide how and why personal data is processed for our own business purposes, such as operating our website, managing customer and supplier relationships, handling billing, and providing support; or
- a data processor, where we process personal data on behalf of a clinic or other customer in order to provide the Clara services in line with that customer’s instructions.
Where Clara acts as a processor, the relevant clinic or customer remains responsible for its relationship with patients and end users, including providing any privacy information required under applicable law and identifying the appropriate lawful basis for processing.
1. Who we are
Clara is the provider of the Clara platform and related services.
If you have any questions about this Privacy Policy or about how personal data is handled, you can contact us using the details in section 10 below.
2. What personal data we collect
The personal data we process depends on how you interact with Clara and how our customers configure the services. It may include:
Customer and business contact data
Such as:
- name
- work email address
- phone number
- job title
- organisation name
- billing and procurement details where relevant
Account and authentication data
Such as:
- login identifiers
- account credentials or authentication-related information
- security logs
- session data
- access history
- similar technical account information
Service configuration and operational data
Such as:
- clinic settings
- services, practitioners, locations, and availability data
- frequently asked questions, knowledge base content, and templates
- messaging or workflow configurations
- integrations and related setup information
- content uploaded or entered into Clara by customers
Communications data
Such as:
- messages sent to us for support, sales, onboarding, or account management
- records of communications with us
- associated metadata such as timestamps and communication channel details
End-user and patient-related data
Where a clinic or customer uses Clara to communicate with patients or other end users, we may process personal data such as:
- name
- phone number
- email address
- date of birth
- internal or practice-system identifiers
- appointment details, including date, time, location, practitioner, service, booking status, and related operational notes
- conversation content, including chat, voice interactions, call transcripts, and messaging history where those features are enabled
- insurance-related information where relevant to appointment or administrative workflows
- technical and session metadata associated with those interactions
Special category data
Depending on how Clara is used, communications handled through the platform may include health-related information or other special category personal data. Where this occurs, such data is processed only as necessary to deliver the services requested by the relevant clinic or customer and in accordance with applicable law.
Technical and usage data
Such as:
- IP address
- browser type
- device type
- operating system
- approximate location derived from IP address where relevant
- diagnostic logs
- audit trails
- security and abuse-prevention records
3. Why we process personal data and lawful bases
We process personal data only where we have a valid lawful basis under applicable data protection law, including the UK GDPR, the Data Protection Act 2018, and, where relevant, the EU GDPR.
Where Clara acts as a controller
We may process personal data for the following purposes:
To operate our website and business
Including managing enquiries, customer relationships, supplier relationships, and account administration.
Lawful basis: legitimate interests and, where applicable, performance of a contract or steps prior to entering into a contract.
To provide support, onboarding, and account management
Including assisting customers with implementation, troubleshooting, and service-related communications.
Lawful basis: performance of a contract and/or legitimate interests.
To secure, maintain, and improve our services
Including system monitoring, troubleshooting, analytics, product improvement, quality assurance, and preventing misuse.
Lawful basis: legitimate interests.
To comply with legal and regulatory obligations
Including tax, accounting, compliance, and responding to lawful requests from authorities.
Lawful basis: legal obligation.
To send marketing communications
Where permitted by law, we may send business-related updates or marketing communications.
Lawful basis: consent where required, or legitimate interests where permitted by law. You can opt out at any time.
Where Clara acts as a processor
Where we process personal data on behalf of a clinic or other customer, we do so in accordance with that customer’s documented instructions and the terms agreed with them. In those cases, the relevant customer is responsible for identifying the appropriate lawful basis for the processing.
Where Clara processes personal data on behalf of customers, we do not use that personal data to train, fine-tune, or improve any general-purpose artificial intelligence model or broader product system.
4. Who we share personal data with
We may share personal data with:
- service providers and subprocessors who help us host, operate, support, secure, and improve Clara;
- professional advisers, such as lawyers, accountants, insurers, and auditors, where necessary and subject to appropriate confidentiality protections;
- regulators, authorities, courts, or other third parties where required by law or where necessary to establish, exercise, or defend legal rights; and
- actual or prospective purchasers, investors, or corporate advisers in connection with a merger, acquisition, investment, financing, or sale of assets, subject to appropriate safeguards.
We do not sell personal data.
Key subprocessors
A non-exhaustive list of key subprocessors we may use in connection with Clara includes:
| Subprocessor | Purpose |
|---|---|
| Railway | Cloud hosting, application infrastructure, databases, networking, and storage |
| ElevenLabs | Voice processing and conversational audio features, where enabled |
| Twilio | Telephony, messaging, WhatsApp, and related communications channels, where enabled |
| Pinecone | Retrieval and vector search features, where enabled |
| Google Workspace / Gmail | Email communications, notifications, and related support workflows |
We may update our service providers and subprocessors from time to time as the product evolves.
5. International transfers
Some of our service providers may process personal data outside the United Kingdom or European Economic Area.
Where personal data is transferred internationally and the destination is not recognised as providing an adequate level of protection under applicable law, we use appropriate safeguards, such as:
- the UK International Data Transfer Agreement or Addendum;
- the European Commission’s Standard Contractual Clauses; or
- another lawful transfer mechanism recognised under applicable law.
You may contact us for further information about relevant transfer safeguards.
6. Retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
Retention periods depend on the nature of the data and the context in which it is processed, including:
- the duration of our relationship with the customer;
- the way the customer has configured the Clara service;
- operational needs such as security, audit, backup, and disaster recovery;
- the need to resolve disputes or enforce agreements; and
- applicable legal, regulatory, tax, or accounting obligations.
Where Clara acts as a processor, retention may also depend on the instructions of the relevant customer.
Backups may retain information for a limited period before deletion or overwriting in accordance with standard recovery practices.
7. Your rights
Depending on your location and the circumstances of the processing, you may have rights under applicable data protection law, including the right to:
- request access to your personal data;
- request correction of inaccurate or incomplete personal data;
- request deletion of your personal data in certain circumstances;
- request restriction of processing;
- object to processing based on legitimate interests;
- request portability of certain personal data; and
- withdraw consent where processing is based on consent.
Where Clara processes personal data on behalf of a clinic or other customer, we may need to refer your request to that organisation, or act only on its instructions, because that organisation is the relevant controller for that processing.
8. Complaints
If you have concerns about how your personal data is handled, we would appreciate the opportunity to address them first.
You also have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner’s Office (ICO).
9. Security
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure.
For a high-level summary of our approach to data protection and security, please refer to our Data Protection & Information Security Overview.
10. Contact
For privacy questions, data protection queries, or to exercise your rights, contact:
Email: nick@askclara.co
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time.
When we do, we will post the updated version on this page and revise the “Last updated” date. Where required by law, we will also provide additional notice of material changes.