Legal

Privacy Policy

Last updated: March 2026  ·  Effective: March 2026

Sanctum ("we", "us", or "our") is committed to protecting your privacy and handling all personal data responsibly, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy explains how we collect and use the personal data of practitioner users (people who sign up for a Sanctum account). If you are a patient whose data is processed through the platform, your practitioner is the Data Controller responsible for your data — please contact them directly with any queries.

1. Who we are

Sanctum is operated by [COMPANY NAME] Ltd, a company registered in England and Wales (company number [NUMBER]), whose registered address is [ADDRESS].

ICO Registration: [ZxxxxxxX]
Data protection contact: privacy@sanctum.support

2. What data we collect about you (as a practitioner)

Account data

• Name and email address
• Practice name, address, and phone number
• Practice type (herbal, acupuncture, combined, or other)
• Password (stored as a one-way hash — we cannot read it)

Subscription and billing data

• Subscription plan and payment history (billing is handled by Stripe; we do not store card details)

Configuration data

• Email channel credentials (IMAP/SMTP — stored encrypted, used only to connect your inbox)
• AI persona settings, FAQ and knowledge base content, and booking link configuration
• Twilio SMS credentials (stored encrypted) and Google Reviews URL, if you choose to configure these

Usage and technical data

• Log data including IP address, browser type, and actions taken within the platform
• Audit records of significant actions (e.g., data exports, account changes)

3. What data we process on your behalf (patient data)

When you use Sanctum to manage patient communications, you are the Data Controller and we are the Data Processor acting on your instructions. The patient data we process on your behalf includes:

• Patient names, email addresses, and phone numbers
• Message and conversation history (email, SMS)
• Appointment history and booking data
• Clinical notes and health information you enter into the platform
• Patient satisfaction survey responses

Our obligations as your Data Processor are set out in the Data Processing Agreement, which forms part of your contract with us.

4. How we use your data

Purpose	Lawful basis
Providing and operating your Sanctum account	Performance of contract (Art. 6(1)(b))
Sending account notifications and approval alerts	Performance of contract (Art. 6(1)(b))
Billing and subscription management	Performance of contract (Art. 6(1)(b))
Responding to support requests	Legitimate interests (Art. 6(1)(f))
Improving and developing the platform	Legitimate interests (Art. 6(1)(f))
Security monitoring and fraud prevention	Legitimate interests (Art. 6(1)(f))
Complying with legal obligations	Legal obligation (Art. 6(1)(c))

5. AI processing

The platform uses Claude, an AI model operated by Anthropic, to process patient messages and generate draft responses. Before any message content is sent to Anthropic's API, we apply a technical layer that removes or pseudonymises directly identifying information (patient names and contact details).

Your patient data is not used to train AI models. This is contractually guaranteed in our agreement with Anthropic.

6. Who we share data with

We do not sell your data or your patients' data to anyone. We share data only with the following sub-processors, each bound by a data processing agreement:

Sub-processor	Purpose	Location
Supabase	Database hosting and storage	EU
Amazon Web Services	Encryption key management (AWS KMS)	UK / EU
Anthropic	AI message processing (Claude)	United States
Twilio	SMS delivery	United States
Stripe	Payment processing	United States
[Email provider]	Transactional email delivery	[Location]

The full sub-processor list, including transfer mechanisms, is available at sanctum.support/sub-processors.

7. International transfers

Some of our sub-processors are based in the United States, which does not have an automatic adequacy decision from the UK. For these transfers, we use the UK International Data Transfer Agreement (IDTA) — a standard contract approved by the ICO that requires the recipient to protect your data to UK GDPR standards.

Specifically:

• Anthropic (Claude AI) — IDTA in place; anonymisation layer applied before transfer
• Twilio — IDTA in place
• Stripe — IDTA / SCCs in place

8. Security

We protect your data using:

• Column-level AES-256 encryption for clinical notes, credentials, and sensitive fields
• Per-practitioner encryption keys managed via AWS KMS
• Row-level security so each practitioner's data is completely isolated
• TLS 1.2+ for all data in transit
• Append-only audit logs for accountability
• Short-lived JWT authentication tokens

9. Data retention

Data type	Retention period
Practitioner account data	Duration of subscription + 6 years
Patient clinical records and health notes	8 years from last entry (UK health records minimum)
Patient message and conversation history	3 years from last message
Patient satisfaction surveys	3 years (aggregate anonymised statistics retained indefinitely)
Audit logs	Retained for the duration of the platform
Backups	Maximum 30 days behind live data

When your account is closed, your account data and all patient data will be exported to you or deleted within 30 days, at your election.

10. Your rights

Under UK GDPR you have the right to:

• Access — request a copy of your personal data
• Rectification — ask us to correct inaccurate data
• Erasure — ask us to delete your data (subject to legal retention obligations)
• Restriction — ask us to pause processing while a dispute is resolved
• Portability — receive your data in a machine-readable format
• Object — object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent

To exercise any of these rights, email privacy@sanctum.support. We will respond within one calendar month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.

11. Cookies

Our marketing website uses no tracking or analytics cookies. The Sanctum application uses session cookies strictly necessary for authentication. We do not use advertising cookies or share data with ad networks.

12. Changes to this policy

We may update this policy from time to time. We will notify practitioner account holders of material changes by email with at least 14 days' notice before changes take effect. The current version is always available at this URL.