Product Privacy Policy
Last updated: 28 Mar 2025
You are viewing an outdated version of this document.
Introduction
This Product Privacy Policy (“Policy”) explains how Inquira Technologies B.V. (“Inquira Health,” “we,” “us,” or “our”) handles personal data in connection with our Conversational AI solutions, which may include both voice/phone call services and chat-based interactions. We provide these services to:
- Healthcare organizations (e.g. hospitals, clinics)
- Technical suppliers (e.g. EHR systems or other healthcare IT vendors)
In this context, we typically act as a Data Processor under the General Data Protection Regulation (GDPR), processing personal data on behalf of our customers (the “Data Controllers”).
Note for Patients / End-Users: If you have questions about the personal data processed through our services (e.g. via a hospital’s or EHR’s integration), please contact the healthcare organization or IT supplier that provided your data to us. They remain the primary Data Controller responsible for determining how and why your data is processed.
For general questions or requests, you may also reach us at support@inquira.health.
Our Role as a Data Processor
- Data Controller: The organization (healthcare provider or technical supplier) that decides the purposes and means of processing personal data.
- Data Processor: Inquira Health processes personal data strictly on behalf of and according to the instructions of the Data Controller. This relationship is governed by a Data Processing Agreement (DPA) or similar contractual arrangement.
Types of Data We Process
Depending on the workflow or integration designed by our customers, we may process:
- Patient & User Identifiers
  - Name, phone number, email address, date of birth, patient ID, etc.
- Interaction Data
  - Voice Calls: Call metadata (time, date, duration), transcripts (if generated for scheduling or intake), call recordings (if enabled).
  - Chat Sessions: Chat messages and metadata (timestamps, user identifiers), which may include personal or health-related information if shared by the user.
- File Uploads in Chat
  - Users may optionally upload files (e.g. documents or images) during chat interactions. We store and process the content of these files solely to provide the requested service (e.g. extracting specific data points or sharing the file content with the Data Controller as part of the chat flow).
- Appointment & Healthcare Information
  - Appointment dates, times, locations, clinician names, or other scheduling details.
  - Additional health-related data the Data Controller instructs us to collect or process (e.g. triage questions, symptom descriptions).
We do not determine the scope of personal data collected; our customers configure the workflows and decide what information is collected via call, chat, and file uploads.
Purpose of Processing
We process personal data solely to deliver the Conversational AI services requested by our customers, including but not limited to:
- Scheduling Appointments: Automating booking, rescheduling, or confirmations.
- Patient/Client Intake: Gathering demographic or medical history details when authorized.
- General Support or Triage: Providing chat or voice assistance to address user questions or direct them to the right department.
- Service Improvements: Using aggregated data to ensure quality control and enhance service reliability.
- Customer Support: Troubleshooting or resolving technical issues related to our voice or chat services.
We do not process personal data for independent marketing or profiling. All processing is performed on our customers’ behalf, following their instructions.
Legal Basis (GDPR)
As a Data Processor, we rely on our customers’ legal bases for processing under GDPR. Common legal bases for healthcare providers or IT suppliers include:
- Patient Consent (if required by local regulations)
- Contractual Necessity (e.g. providing care, scheduling, or client services)
- Legal Obligations (compliance with healthcare regulations)
- Legitimate Interests (e.g. improving patient care, reducing administrative burden), provided this does not override the data subject’s rights
Data Storage & Retention
- Retention: We store personal data for as long as instructed by our customer. Once the data is no longer needed or upon termination of our contract, we delete or anonymize the data, unless a longer retention is required by law or specific contractual obligations.
- Deletion upon Request: If a Data Controller requests us to delete specific personal data (e.g. in response to a user exercising their right to erasure), we comply promptly, in line with our contractual obligations.
Subprocessors
We may engage trusted Subprocessors to assist in delivering our AI-based services (e.g. cloud hosting, telephony infrastructure, chat platform providers). Each subprocessor is vetted to ensure compliance with relevant data protection laws, and we enter into written agreements requiring them to process data only according to our instructions and with appropriate safeguards.
For more details, please see our Subprocessors List or contact us at support@inquira.health.
International Data Transfers
We do not transfer any patient or end-user data outside of the region in which it is stored, unless explicitly agreed with the customer. For example, if your data is stored in Europe, it will remain within Europe and will not be transferred to other regions. This applies to all patient, chat, and interaction data processed by Inquira.
- Billing Information: The only instance of international data transfer involves customer billing information (e.g. for healthcare organizations or technology suppliers) to Stripe, for invoicing and payment processing. This may include details such as company name, billing address, and payment method.
- No patient or end-user information is transferred outside the region (e.g. Europe) as part of this billing process.
When a transfer does occur for billing purposes, we ensure appropriate legal safeguards, such as Standard Contractual Clauses (SCCs) with Stripe or any other relevant payment processor.
Security & Confidentiality
We take technical and organizational measures to secure personal data from unauthorized access, disclosure, alteration, or destruction. These may include:
- Encryption in transit and at rest
- Access Controls (role-based permissions, multi-factor authentication)
- Regular Security Assessments and penetration testing
- Staff Training on data privacy and security best practices
Inquira Health employees and authorized contractors are bound by confidentiality obligations regarding any personal data they handle. For additional information, visit our Trust Center.
Data Subject Rights
Since we act as a Data Processor, individuals who wish to exercise their rights under GDPR (access, rectification, erasure, etc.) or other data protection laws should contact the Data Controller (the healthcare provider or IT supplier). We will cooperate with the Data Controller to help fulfill such requests in accordance with our contractual obligations.
Breach Notification
If we become aware of a personal data breach affecting the data we process on behalf of a customer, we will:
- Notify the Data Controller without undue delay.
- Provide the Data Controller with all necessary information to comply with any regulatory or legal requirements (e.g. notifying supervisory authorities or affected individuals).
Children’s Data
Our services may process children’s data only under the Data Controller’s instructions. For example, if a pediatric clinic uses our scheduling services or chat, they may send information about a child. We do not knowingly process children’s data outside of such instructions, and we rely on the Data Controller to ensure they have any necessary parental or guardian consent.
Changes to This Product Privacy Policy
We may update this Policy periodically to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we update the Policy, we will revise the “Last Updated” date. Significant changes may be communicated to our customers directly.
Contact Information
Inquira Technologies B.V.
Dutch Chamber of Commerce Number (KvK): 95495460
Westplein 12, 3016 BM, Rotterdam, The Netherlands
For responsible disclosure of security vulnerabilities, please visit our responsible disclosure page.