Privacy PolicyPrivacy Policy
Effective Date: 13 June 2025
Last Updated: 13 June 2025
Version: 1.1
1. Who We Are
Samsa is an Irish‑registered healthcare technology company (Company No. 763881) with its registered office at 51 Bracken Road, Dublin 18 (D18 CV48), Ireland.
2. What Personal Data We Process
2.1 Patient Data (processed on behalf of healthcare providers)
- Referral documents and clinical correspondence
- Special‑category health data (Article 9 GDPR)
- Occasional criminal‑offence data where clinically relevant (Article 10 GDPR)
2.2 Employee, Contractor & Business‑Contact Data
- Identification and contact details
- Employment and vetting information (including criminal‑record checks where legally required)
- User credentials, access logs and audit trails
3. How We Collect Personal Data
- Indirectly from referring clinicians and healthcare organisations that use our platform.
(See Section 11 for the information‑provision obligations that apply.)
- Directly from staff, contractors and business contacts.
4. Purposes & Legal Bases
| Purpose | Legal Basis |
|---|---|
| Structured clinical‑triage support | Art 6(1)(e) public‑interest healthcare; Art 9(2)(h) provision of health care |
| Employment administration & safeguarding | Art 6(1)(b) contract; Art 6(1)(f) legitimate interests; Art 10 DPA‑authorised processing |
| Platform security, audit & fraud‑prevention | Art 6(1)(f) legitimate interests |
| Compliance with legal obligations | Art 6(1)(c) legal obligation |
| Where consent is expressly sought (e.g. optional research analytics) | Art 6(1)(a) & Art 9(2)(a) consent |
5. Recipients & Sub‑Processors
We never sell personal data. We disclose it only to:
| Category | Entity | Location | Safeguard |
|---|---|---|---|
| Cloud infrastructure | Amazon Web Services EMEA SARL (AWS) | Dublin, Ireland (EEA) | N/A (in‑EEA) |
| AI language‑model services | OpenAI, L.L.C. | United States | EU SCCs + UK IDTA Addendum (DPF once final) |
| DevOps tooling† | GitHub, Inc. | United States | EU SCCs + UK IDTA Addendum |
† GitHub is used for code, CI artefacts and issue tracking; only incidental personal data (e.g. usernames in logs) is processed.
A current list of sub‑processors is maintained at https://samsa.health/subprocessors and advance notice of changes is provided to customers.
6. International Data Transfers
Primary storage and processing occur in AWS’s eu‑west‑1 (Dublin) region. Where data is transferred outside the EEA or UK (e.g. to OpenAI or GitHub in the US), we rely on one or more of the following safeguards:
- European Commission Standard Contractual Clauses (2021/914/EU)
- UK International Data Transfer Agreement (IDTA) and Addendum
- Participation in the EU–US and UK–US Data Privacy Frameworks, once applicable
7. Data Security
- TLS 1.2+ encryption in transit; AES‑256 encryption at rest
- Role‑based access control and mandatory multi‑factor authentication
- Immutable audit logging and strict environment segregation
- Information‑security management aligned to ISO/IEC 27001
8. Data Retention
| Data Category | Typical Retention | Rationale |
|---|---|---|
| Clinical data | As instructed by the healthcare provider (controller) | Contractual & clinical governance |
| Employment & vetting records | 7 years after employment ends | Statutory limitation periods |
| Audit logs | 12–24 months | Security & forensic investigation |
Where retention periods are based on legitimate interests, we re‑assess annually.
9. Automated Decision‑Making (ADM)
Our platform provides decision‑support recommendations only. No decisions that produce legal or similarly significant effects on patients are made solely by automated means (Article 22 GDPR).
10. Children’s Data
We may process data relating to individuals under 18 where it forms part of a referral. Where explicit consent is required, we obtain it via a secure online form completed by the child’s parent or legal guardian.
11. Indirect Collection Notice (Article 14)
Because patient data is supplied to us by healthcare providers, patients do not interact with SAMSA directly. The referring provider must supply patients with the information set out in Articles 13–14 GDPR within one month of referral or at first communication. We make this Privacy Policy available to controllers for onward sharing and will, upon request, assist them in meeting this obligation.
12. Your Data‑Subject Rights
Subject to legal conditions, you can:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase data (right to be forgotten)
- Restrict or object to processing
- Data portability – receive your data in a structured, machine‑readable format and transmit it to another controller
- Withdraw consent at any time (where processing is based on consent)
To exercise any right, contact our DPO using the details in Section 1. We will respond within one month. You will not normally have to pay a fee.
13. Supervisory Authorities
If you are dissatisfied with our response, you have the right to lodge a complaint with:
Data Protection Commission (DPC)
Website: https://www.dataprotection.ie
Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
14. Changes to This Policy
We will post any future changes on this page and, where material, notify users via in‑app notification and email.