Where patient data is stored
Patient records, appointment data, and clinic configuration live in a Neon Postgres database hosted in AWS' eu-west-2 region (London). Each clinic is a logical tenant in a shared schema, with every query in the application scoped by tenant ID.
Encryption at rest is handled by Neon's underlying AWS storage. Encryption in transit is TLS for every connection, both between application and database and between browser and application. Database backups are managed by Neon under their standard policy and remain in the same region.
Tenant isolation is enforced at the application layer today, with every database query scoped by tenant ID. Database-level row-level security policies are on the roadmap as defence-in-depth; they are not active yet.
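For readers assessing the isolation model, this is an illustrative Postgres row-level-security policy of the kind described above as the planned defence-in-depth layer. It is an added example, not MediConcierge's schema or code; the table, column, role and setting names (patients, tenant_id, app_user, app.tenant_id) and the UUID value are assumptions.

```sql
-- Illustrative only: the table, role and setting names are assumptions.
CREATE TABLE patients (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    full_name  text NOT NULL,
    email      text
);

-- The application connects as a non-owner role. Table owners and superusers
-- bypass RLS unless FORCE ROW LEVEL SECURITY is set, so enable and force it.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON patients TO app_user;
ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
ALTER TABLE patients FORCE ROW LEVEL SECURITY;

-- A row is visible and writable only when it matches the tenant bound to the
-- current transaction. current_setting(..., true) returns NULL when the setting
-- was never set, and NULLIF handles the empty string left after a rollback, so
-- an unscoped query sees no rows and an unscoped insert fails the WITH CHECK.
CREATE POLICY tenant_isolation ON patients
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Application side, once per request: bind the tenant inside the transaction.
-- SET LOCAL is reverted at COMMIT or ROLLBACK, so a pooled connection cannot
-- carry one clinic's tenant context into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed value
SELECT id, full_name FROM patients;  -- returns only this tenant's rows, even without a WHERE clause
COMMIT;
```

The application-layer tenant scoping stays in place alongside the policy: RLS catches a query that forgets its tenant filter, it does not replace the filter.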
Where compute runs
Application code runs on Vercel. The current production deployment executes in iad1 (Vercel's US East region in Virginia). Static assets are served from Vercel's global edge, which includes EU points of presence, but request handlers and API endpoints process in the US until we move them.
The practical implication: when a patient sends a message through the chat widget, the request is handled by a US function, which calls the EU database for clinic configuration and the AI provider for a response, then writes back to the EU database. The patient's text is in transit through US infrastructure for the duration of that round-trip. The data at rest sits in the UK.
Moving compute into a Vercel European region is a planned change. Until then, transfers to US infrastructure are covered by the Standard Contractual Clauses and the UK International Data Transfer Agreement that govern Vercel's data processing terms.
Sub-processors
The third parties that may process patient data on our behalf, today:
Vercel Inc.
Hosting and request handling. Functions execute in iad1 (US). Static assets are served from the global edge. Transfers covered by SCCs and UK IDTA.
Neon Inc.
Postgres database hosting on AWS eu-west-2 (London). Patient and clinic data at rest sits here.
Anthropic PBC
AI inference for the chat concierge (Claude Haiku). The standard Anthropic API runs on US infrastructure. MediConcierge does not itself store Anthropic API requests or responses; Anthropic's own retention policy governs what it retains on its side. Anthropic's standard policy is 30 days for abuse monitoring, unless a zero-retention agreement is in place. Transfers covered by SCCs and UK IDTA.
Stripe Payments Europe Ltd. and Stripe, Inc.
Subscription billing for the clinic account. Card data and payment details are submitted directly to Stripe and never stored in MediConcierge. Stripe operates dual EU and US infrastructure under SCCs.
SMTP provider (configured by your clinic)
Outbound email for patient confirmations and clinic notifications uses the SMTP credentials your clinic provides during onboarding. The provider, region, and processing terms are governed by the contract you have with that provider directly.
We will give clinics 30 days' notice before adding or replacing a sub-processor.
What we collect
Patient enquiry messages submitted through the chat widget. Contact details a patient provides during a booking conversation (name, email, phone). Appointment metadata (clinician, time, consultation type, notes the patient or clinic adds). Clinic configuration (services, opening hours, doctor schedules, team accounts).
What we do not collect
Clinical notes. Prescription data. Medical history beyond what a patient volunteers in an enquiry. Diagnoses. Imaging or laboratory results. The AI concierge is explicitly constrained against asking for or recording any of these; if a patient volunteers something clinical, the concierge logs it as enquiry text and routes the conversation to the clinic, but the system is not built to be a clinical record and should not be used as one.
We do not sell patient data. We do not share patient data with third parties for marketing purposes. We do not use patient data to train AI models.
Retention
Retention is configured per clinic. At onboarding we agree a per-clinic retention period that matches your clinical and operational needs. Where you specify a shorter or longer period than the platform default, your configuration applies.
Backups follow Neon's standard backup policy and age out of retention according to that schedule.
Patient rights
Patients have rights under UK GDPR to access their data, correct inaccurate data, request erasure, restrict processing, and object to certain forms of processing.
The clinic is the data controller for its patients. Patients should direct requests to exercise these rights to the clinic in the first instance. The clinic uses MediConcierge admin tooling to action access, rectification, and erasure requests against patient records held in the system. Clinics can request bulk export or deletion via support; first-class self-serve tooling for these is on the roadmap.
Logging
Application logs are retained for operational purposes (debugging, incident response, fraud and abuse detection). Logs may include anonymised request metadata and error traces. They do not contain patient enquiry message text by default.
A formal mutation audit log (every clinic-side change recorded with actor, timestamp, and old/new values) is on the roadmap and not yet implemented as a first-class feature. Clinics with a regulatory need for one before it ships should flag this in onboarding so we can document compensating controls in your data processing agreement.
Incident response
In the event of a personal data breach, we will notify affected clinics without undue delay and in any case within 72 hours of becoming aware of the breach, in line with UK GDPR Article 33. The clinic, as data controller, is responsible for any onward notification to the ICO and to affected data subjects.
Notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed in response.
Cookies and analytics
The marketing site (mediconcierge.ai) uses minimal first-party cookies for session and consent state. Analytics is configured per environment; where enabled, it is Google Analytics with IP anonymisation. The clinic's embedded chat widget on a clinic website does not set tracking cookies on the patient's browser.
Talking to us
For data protection questions, sub-processor disclosures, the data processing agreement, or anything else on this page that needs more detail for your specific clinic context: hello@mediconcierge.ai. If your enquiry is regulatory or under time pressure, mention it in the subject line and we will reply within one working day.