Legal
This notice covers two data controllers whose activities are connected through the Patient Thread platform. Depending on how you interact with us, one or both entities may hold data about you.
Data Controller
Registered in England and Wales. Company number 17167409. Registered office: Aston Park Farm, Stringers Lane, Aston, Hertfordshire, SG2 7EF. Controls data relating to clinician accounts, subscriptions, and communications with Patient Thread.
Data Controller
Registered in England and Wales. Company number 08316952. Controls all clinical patient data processed within Patient Thread when used by Dr Christopher Lawrence and his practice, Herts Kidney Care.
Both companies are registered with the Information Commissioner's Office (ICO). Lawrence Medical Limited's ICO registration number is ZA053166.
To contact us about your data: chris@patientthread.com
Patient Thread Ltd is the data controller for this category.
When a clinician or practice subscribes to Patient Thread, we collect:
We use this data to provide and administer your subscription, issue invoices, communicate service updates, and comply with our legal obligations.
Legal basis
Performance of a contract (UK GDPR Article 6(1)(b)); legitimate interests in operating our business securely (Article 6(1)(f)); compliance with legal obligations (Article 6(1)(c)).
Lawrence Medical Limited is the data controller for this category.
When Patient Thread is used to manage patient care, the following categories of personal data are processed:
Legal basis — health data
Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health care treatment, or the management of health care systems, carried out by a health professional subject to professional secrecy obligations (UK GDPR Article 9(2)(h); Data Protection Act 2018, Schedule 1, Part 1, paragraph 2).
Legal basis — administrative data
Performance of a contract for the provision of healthcare services (UK GDPR Article 6(1)(b)).
Where the AI clinical scribe feature is used during your consultation, the audio is transmitted to a third-party transcription service (Deepgram) and converted to text. Before that text is passed to an AI system (Anthropic Claude) for draft note generation, all known patient identifiers — including name, NHS number, and dates of birth — are automatically replaced with anonymised placeholders. Claude therefore receives pseudonymised clinical content only, not identifiable data. The raw audio is deleted as soon as the transcript is written. The transcript itself is not stored. The AI-generated draft note is reviewed and edited by your clinician before forming any part of your permanent record.
We do not sell personal data. We share data only with sub-processors engaged to deliver the Patient Thread service. All sub-processors are bound by data processing agreements requiring them to process data only on our written instructions and to maintain appropriate security standards.
| Sub-processor | Role | Location |
|---|---|---|
| Supabase Inc | Database hosting and file storage | United States (data stored on EU servers, Frankfurt) |
| Netlify Inc | Web application hosting | United States (EU infrastructure) |
| Anthropic Inc | AI processing for clinical scribe draft generation | United States |
| Deepgram Inc | Audio transcription for AI scribe and video consultations | United States |
| Daily.co Inc | Video consultation infrastructure | United States |
| Stripe Inc | Payment processing for clinician subscriptions | United States |
| Healthcode Ltd | Private medical insurance billing | United Kingdom |
| Apple Inc | iOS app distribution via the App Store | United States |
We may also disclose personal data where required to do so by law, by court order, or where necessary to protect the vital interests of a patient.
Several of our sub-processors are headquartered in the United States. The United Kingdom has not adopted a general adequacy decision covering US organisations. Where we transfer personal data to US-based processors, we rely on the UK International Data Transfer Agreement (UK IDTA) or the equivalent approved transfer mechanism incorporated into each sub-processor's data processing agreement.
Clinical audio and consultation content transmitted to Anthropic (Claude) and Deepgram is processed solely for the purpose of generating a draft clinical note. Neither processor retains data beyond the duration of the immediate processing request, in accordance with their respective data processing agreements and usage policies.
All primary patient record data is stored on European infrastructure (Frankfurt, Germany) and does not leave the European Economic Area for storage purposes.
We implement the following technical and organisational measures to protect personal data:
In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and affected individuals without undue delay where the risk is high.
Under UK GDPR, you have the following rights in relation to your personal data:
Request a copy of the personal data we hold about you (a Subject Access Request).
Ask us to correct inaccurate or incomplete personal data.
Ask us to delete your data. Note: we are legally required to retain clinical records for minimum periods and cannot always comply with erasure requests for health records.
Ask us to restrict processing of your data in certain circumstances.
Receive data you have provided to us in a structured, machine-readable format.
Object to processing based on legitimate interests.
To exercise any of these rights, contact us at chris@patientthread.com. We will respond within one calendar month. There is no charge for making a request.
If you are unhappy with how we have handled your personal data, please contact us first at chris@patientthread.com. We take all complaints seriously and will respond within 14 days.
You also have the right to lodge a complaint directly with the Information Commissioner's Office:
Telephone: 0303 123 1113
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
The Patient Thread web application uses only technically necessary session cookies required for authentication. We do not use advertising, analytics, or tracking cookies. No cookie consent banner is required.
The patientthread.com marketing website does not set any cookies.
We will notify registered clinicians by email of any material changes to this privacy notice. The version date at the top of this page will always reflect the most recent update. Previous versions are available on request.