Privacy Notice

ConsultAI — pharmacy consultation simulation platform
Version 1.0 · DRAFT — pending review by University of Strathclyde Data Protection Office

This notice explains what personal data ConsultAI collects, why we collect it, who we share it with, how long we keep it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

ConsultAI is an educational simulation platform developed at the Strathclyde Institute of Pharmacy and Biomedical Sciences (SIPBS), University of Strathclyde, to support MPharm consultation-skills training.

• Data Controller: University of Strathclyde, 16 Richmond Street, Glasgow, G1 1XQ
• Project lead: David Breen, SIPBS — david.breen@strath.ac.uk
• Data Protection Officer: Mrs Elaine Grant — elaine.grant@strath.ac.uk
• Information Governance Unit (University of Strathclyde):
  Room 8.28, Graham Hills Building
  50 George Street, Glasgow, G1 1QE
  dataprotection@strath.ac.uk · +44 (0)141 548 2539

2. What data we collect

Account data

• Your student ID (used as your login)
• Your name (first, last, and a display name)
• Your university email address (optional)
• Year group (e.g. Year 2, Year 3) for scenario filtering
• An encrypted (bcrypt-hashed) form of your password — we never store your password in readable form
• Session authentication tokens (used to keep you logged in)

Consultation data

• Full text of each consultation you carry out with the AI patient (your messages and the patient's responses)
• Voice recordings of your spoken input, used only to generate a text transcript (see "Third parties" below) and then discarded — we do not retain audio
• The AI-generated assessment of each consultation, including overall score, per-competency feedback, written commentary, and a timeline of evidence used to assess each competency
• Timestamps showing when each session started, when each turn occurred, and when the session ended

Behavioural data

• Which scenarios you've attempted and how often
• Experience-point and level progress, trophies awarded, and items in your scenario library
• Feedback you submit (ratings and free-text comments about scenarios)

Operational data

• Your IP address (recorded in server access logs for security monitoring)
• Error reports — if the application encounters an error while you're using it, technical details (which page, what failed, your browser type) are sent to our error-monitoring service for diagnosis
• One session cookie (cai_session) — strictly necessary to keep you logged in. We use no analytics, advertising, or tracking cookies.

3. Why we collect this data and the legal basis

The University processes this data on the legal basis of performance of a task in the public interest (UK GDPR Article 6(1)(e)) — specifically, the delivery of formal university education to enrolled students.

Where you have explicitly consented to participation in research using anonymised or pseudonymised consultation data, we additionally rely on consent (Article 6(1)(a)). Consent is collected at account registration and you can withdraw it at any time without affecting your ability to use the platform for learning.

4. Third parties who process your data

To deliver the simulation, parts of your consultation are processed by the following external services. All operate under contracts that require them to handle your data in line with UK GDPR and to act only on our instructions.

Service	What it does	What it receives	Where it processes
Anthropic (Claude API)	Generates the AI patient's responses and the end-of-session assessment	The current scenario prompt and your conversation text	USA / EU
Deepgram	Converts spoken audio to text	Audio of your spoken input (deleted after transcription)	USA
ElevenLabs	Generates the patient's spoken voice	Text of the patient's reply (not your input)	USA
Fish Audio	Alternative text-to-speech provider	Text of the patient's reply (not your input)	USA
D-ID (when video-avatar mode is enabled)	Generates animated patient video	Text of the patient's reply and a still image of the avatar	Israel / USA
Sentry	Application error monitoring	Technical error metadata (no consultation content)	Germany / USA
Hostinger	Hosts the application server	Server access logs (IP, request paths)	UK
Hetzner	Stores encrypted backups	Encrypted nightly database backups	Germany

Database and consultation content are stored on a private server hosted by Hostinger in the United Kingdom. Backups are encrypted and stored at Hetzner in Germany. Both countries are covered by the UK's GDPR adequacy regulations.

Data transferred to providers outside the UK / EU (USA, Israel) is covered by Standard Contractual Clauses or equivalent legal safeguards as required by UK GDPR Articles 44–49.

5. How long we keep your data

• Account data: retained while your account is active and for 12 months after you become inactive (no logins or consultations), after which it is deleted.
• Consultation transcripts and assessments: retained for 6 years from the date of the consultation, in line with university record-keeping standards for educational records. You can hide individual sessions from your own history at any time; hidden sessions remain on file for the same 6-year period and are then permanently deleted.
• Audio recordings: not retained — they are sent to Deepgram for transcription and discarded immediately.
• Server access logs: retained for 90 days for security monitoring, then automatically rotated and deleted.
• Backups: nightly database backups are kept for 30 days (daily), 12 weeks (weekly), and 12 months (monthly), then automatically deleted. Erasure requests are propagated to backups at the next backup cycle.

6. Your rights

Under UK GDPR you have the following rights regarding your personal data:

• Right of access — request a copy of all your data
• Right to rectification — correct inaccurate data
• Right to erasure — request deletion of your account and data
• Right to restrict processing — limit how we use your data
• Right to data portability — receive your data in a machine-readable format
• Right to object — object to processing on certain legal bases
• Right to withdraw consent — for any processing based on consent (e.g. research use)

To exercise any of these rights, email the Information Governance Unit at dataprotection@strath.ac.uk or the project lead at david.breen@strath.ac.uk. Requests are handled by the University's Data Protection Officer (Mrs Elaine Grant). We will respond within one calendar month.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Automated decision-making

ConsultAI uses AI (large language models, specifically Anthropic's Claude) to generate the patient's responses during your consultation and to produce your end-of-session assessment report. The assessment is a formative learning tool: it does not contribute to your formal university grades and is not used for any decision that has legal or similarly significant effects on you within the meaning of UK GDPR Article 22.

All AI-generated assessments can be reviewed by an academic tutor on request. If you believe an assessment was unfair or inaccurate, please contact the project lead.

8. Security

• All data is transmitted over encrypted connections (TLS).
• Passwords are stored as one-way bcrypt hashes, never in readable form.
• The database lives on a private server with no public internet exposure.
• Backups are encrypted at rest.
• Access to the database and admin functions is restricted to the project lead and authorised SIPBS staff.

9. Changes to this notice

We may update this notice to reflect changes in how we process your data or in legal requirements. The "Version" number at the top of this page changes each time. If we make substantial changes affecting how your data is used, we will ask you to re-consent at your next login.

10. Contact

Questions about this notice, the project, or how your data is handled: david.breen@strath.ac.uk.