Legal

Privacy Policy

Last updated: March 2026

Sanctum ("we", "us", or "our") is committed to protecting the privacy of the practitioners and patients who use our platform. This policy explains what data we collect, how we use it, and your rights.

1. Who we are

Sanctum is an AI-powered patient communication platform for holistic health practitioners, operated from the United Kingdom. Our contact address is hello@sanctum.support.

2. Data we collect

We collect the following categories of data:

• Practitioner account data — name, email address, practice details, billing information.
• Patient communication data — email content, message history, and patient contact details processed on behalf of practitioners.
• Usage data — how you interact with the platform, features used, and performance logs.
• Email channel credentials — IMAP/SMTP credentials stored encrypted and used solely to connect your inbox.

3. How we use your data

• To provide and operate the Sanctum platform
• To process patient messages through our AI pipeline
• To send notifications and approval requests to practitioners
• To improve our service, fix bugs, and develop new features
• To comply with legal obligations

4. Data processing and AI

Patient messages are processed by our AI system (powered by Anthropic's Claude) to generate draft responses. Message content is sent to Anthropic's API for this purpose. Anthropic's data usage policies apply. We do not use your patient data to train AI models.

5. Data sharing

We do not sell your data. We share data only with:

• Anthropic — for AI message processing
• Infrastructure providers — hosting (Railway), email delivery (Resend), database storage
• Payment processors — for billing purposes only

All third-party providers are subject to data processing agreements and appropriate safeguards.

6. Data storage and security

Your data is stored on servers within the EU. We use encryption in transit (TLS) and at rest. Credentials (such as email passwords) are stored using strong encryption. Each practitioner's data is completely isolated from other accounts.

7. Data retention

We retain your data for as long as your account is active. When you close your account, your data is deleted within 30 days, except where we are required to retain it by law.

8. Your rights (GDPR)

If you are based in the UK or EU, you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Object to or restrict processing
• Data portability
• Lodge a complaint with the ICO (UK) or your national data protection authority

9. Cookies

Our marketing website uses no tracking cookies. The application may use session cookies strictly necessary for authentication. We do not use advertising or analytics cookies.

10. Changes to this policy

We may update this policy from time to time. We will notify practitioners of material changes by email. Continued use of Sanctum after changes constitutes acceptance.