Privacy Policy

Last updated: February 2026

1. Who We Are

PracticeKit is operated by Aryash Health Limited. We are the data controller for the personal data processed through this service. Our Clinical Safety Officer is Dr Krishnan Pasupathi (GMC: 6050795), GP Partner at Wye Valley Surgery, High Wycombe.

2. Data Minimisation Approach

PracticeKit is designed to collect the minimum data necessary. We deliberately avoid collecting identifiable patient data.

We Collect:

  • EMIS number (practice identifier)
  • Patient first name only (TestPlain)
  • Patient age and sex (TestPlain)
  • Test type and value (TestPlain)
  • Symptom pathway and triage outcome (CARE Navigation)
  • Staff/GP user accounts

We Do NOT Collect:

  • NHS numbers
  • Patient surnames
  • Dates of birth
  • Addresses
  • Contact details

3. Lawful Basis for Processing

We process data under:

  • Article 6(1)(e) UK GDPR — Public task (NHS direct care)
  • Article 9(2)(h) UK GDPR — Healthcare purposes for health data

Processing relies on implied consent under the common law duty of confidentiality for direct patient care.

4. How We Use Your Data

  • Generate personalised patient education content (TestPlain)
  • Record triage decisions and outcomes (CARE Navigation)
  • Maintain audit trails for clinical governance
  • Authenticate users and manage access

5. Data Security

  • All data transmitted via HTTPS/TLS encryption
  • Database hosted in EU region (Supabase) with encryption at rest
  • Role-based access control (Staff, GP, Admin permissions)
  • Row Level Security on all database tables
  • Complete audit logging of all actions
  • Individual user accounts — no shared logins

6. Data Retention

TestPlain entries are retained for audit purposes in line with NHS records management guidelines. CARE Navigation triage records are retained for 90 days in active storage, then archived for up to 8 years. User accounts remain active until deactivated by the practice.

7. Data Sharing

We do not sell patient data. Limited sharing occurs with our sub-processors:

  • Supabase — Database hosting (EU region, GDPR compliant)
  • Vercel — Application hosting (no patient data stored)
  • Anthropic (Claude API) — AI content generation (TestPlain only)

CARE Navigation does not use any external AI services — all triage logic runs locally in the browser. TestPlain sends limited patient data (first name, age, sex, test values) to Claude API to generate explanations. All content is reviewed by a GP before delivery.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure (where applicable)
  • Restrict processing
  • Request data portability
  • Object to processing
  • Lodge a complaint with the ICO

9. Cookies

PracticeKit uses essential cookies only for authentication and session management. We do not use tracking or advertising cookies.

10. Contact Us

For privacy queries or to exercise your rights:
Aryash Health Limited
Email: feedback@aryashhealth.com

You may also contact the Information Commissioner's Office (ICO) at ico.org.uk

© 2026 Aryash Health Limited. Full Data Protection Impact Assessment available on request.