Privacy Notice

ELSA AI Ltd is the controller responsible for the personal data described in this Privacy Notice.

We may collect and use the following types of personal data:

1. Contact and enquiry data. This may include your name, work email address, organisation name, role, clinic type, enquiry details and any message you submit through the website or by email.
2. Discovery call and meeting data. This may include meeting notes, business contact details, role, organisation context, service requirements and follow-up actions.
3. Client engagement data. Where you engage ELSA AI, we may process business contact details, governance information, meeting notes, service documents, project correspondence and evidence provided for advisory review.
4. Billing and administration data. This may include billing contacts, invoice details, payment records, contract details and related business administration records.
5. Website and technical data. This may include IP address, browser type, device information, security logs, cookie preference records and basic website functionality data.
6. Marketing preference data. If you choose to receive updates from ELSA AI, we may process your name, email address and communication preferences.

ELSA AI does not ask users to submit patient-identifiable information, clinical records, consultation details or special category health data through website forms or general email.

Please do not include patient-identifiable information, clinical records, consultation details or special category health data in website forms or general email enquiries.

If client documents are required during an engagement, secure transfer arrangements, scope controls and appropriate contractual terms will be agreed before those materials are shared.

Where we rely on legitimate interests, those interests may include:

• responding to business enquiries;
• managing prospective client and client relationships;
• delivering and improving advisory services;
• operating and securing the website;
• keeping appropriate business records;
• protecting ELSA AI’s legal and commercial interests;
• communicating with professional contacts about relevant healthcare AI governance matters.

We consider whether our interests are overridden by your rights and freedoms before relying on legitimate interests.

We currently use only necessary cookies and similar technologies required to operate the website, remember cookie preferences, support basic security and process website enquiries.

We do not currently use analytics cookies, marketing cookies, advertising pixels or behavioural retargeting cookies.

If this changes, we will update our Cookie Notice and ask for consent where required.

Read our Cookie Notice

We may share personal data with trusted service providers where necessary to operate the website, manage communications, provide services, administer the business or meet legal obligations.

This may include:

• website hosting and infrastructure providers;
• email and communication providers;
• secure document transfer or storage providers;
• professional advisers such as accountants, legal advisers or insurance advisers;
• payment, invoicing or accounting providers;
• regulators, courts or public authorities where required by law.

We do not sell personal data.

We do not share website visitor data with advertisers.

Some service providers may process personal data outside the United Kingdom. Where this happens, ELSA AI will take steps designed to ensure appropriate safeguards are in place, such as adequacy regulations, approved contractual safeguards or other lawful transfer mechanisms.

Where client documents may involve sensitive governance or healthcare-related information, transfer arrangements should be reviewed as part of the engagement setup.

Retention periods may vary depending on the nature of the record, contractual requirements, legal obligations or the need to establish, exercise or defend legal claims.

Under UK data protection law, you may have the right to:

• ask for access to your personal data;
• ask for inaccurate data to be corrected;
• ask for data to be erased in certain circumstances;
• ask us to restrict processing in certain circumstances;
• object to processing in certain circumstances;
• ask for data portability in certain circumstances;
• withdraw consent where processing is based on consent.

To exercise your rights, contact: contact@elsaai.co.uk

We may need to verify your identity before responding.

ELSA AI may send occasional updates about healthcare AI governance, ambient scribes, shadow AI, evidence readiness and ELSA AI services where permitted.

You can unsubscribe at any time using the unsubscribe link in the email or by contacting: contact@elsaai.co.uk

We do not sell marketing lists or use purchased mailing lists for unsolicited bulk email.

ELSA AI uses reasonable organisational and technical measures designed to protect personal data from unauthorised access, loss, misuse or disclosure.

No website, email system or online service can be guaranteed to be completely secure. Please do not send patient-identifiable information, clinical records or special category health data through website forms or general email unless a secure route has been agreed.

This website may contain links to third-party websites or services. ELSA AI is not responsible for the privacy practices, content or security of third-party websites. You should read the privacy notices of any third-party services you use.

If you have concerns about how ELSA AI handles your personal data, please contact us first so we can try to resolve the issue.

You also have the right to complain to the UK Information Commissioner’s Office.

We may update this Privacy Notice from time to time if our services, website, suppliers or legal obligations change.

The latest version will be published on this page.