Privacy Policy

Last updated: 26/02/2026

1. Introduction

OTUS AI is committed to protecting the privacy of dentists, permitted staff, and patients. This Privacy Policy explains how we process audio, transcript, and note data in compliance with the UK GDPR and the Data Protection Act 2018.

2. Data Controller and Processor Roles

OTUS AI is designed as a dentist-facing drafting tool (not a practice/clinic management system). When a dentist uses OTUS AI to process patient consultation content, the dentist is the Data Controller and OTUS AI acts as a Data Processor, processing data on the clinician’s behalf and under documented instructions.

For some limited data (for example, account administration, billing contacts, or support communications), OTUS AI may act as an independent controller.

3. Data We Process

  • Audio input: Voice recordings captured locally in the browser and sent to Azure Speech for transcription.
  • Transcripts: Text generated from audio for note drafting.
  • Draft notes: Text summaries generated via Azure OpenAI.
  • Visit metadata: Information you enter to organise work (e.g. patient name and visit timestamps).

OTUS AI is designed to minimise data. However, to support viewing recent visits and retrieving drafts, the app stores transcripts and generated notes in a secure database for a limited period (see Section 6). Please avoid entering more patient information than is necessary for your workflow.

4. Purpose and Legal Basis

The lawful basis for processing under Article 6 GDPR is the clinician’s legitimate interest or legal obligation to create clinical records. Processing of special-category (health) data is covered by Article 9(2)(h): necessary for medical diagnosis and provision of health care.

5. Data Residency and Security

OTUS AI uses Microsoft Azure services (including Azure Speech and Azure OpenAI) to provide transcription and drafting.

We aim to configure hosting and processing in UK and/or EU regions where available. Depending on your configuration, operational needs, and service availability, some processing may involve transfers outside the UK. Where required, appropriate safeguards (for example, UK transfer clauses) will apply.

Transcripts and generated notes are stored in a database to support clinician workflows (e.g. returning to a recent visit). We use encryption in transit (HTTPS/TLS) and apply access controls so clinicians can only access their own data.

6. Data Retention

OTUS AI retains visit data (including transcripts and generated notes) for a limited period to support drafting and retrieval of recent work. Data is automatically deleted after a configured retention period (currently 14 days).

Audio is processed for transcription and is not stored by the app as a long-term recording. You can also delete a visit manually from the app, which deletes associated transcripts and notes.

This retention period is set by OTUS AI (it is not user-configurable at this time). You can view the current retention period in Settings.

Audit logs may be retained separately for security and operational purposes.

7. Data Subject Rights

Patients whose data is processed through this tool retain all GDPR rights, including the rights of access, rectification, and erasure. Clinicians can delete visits from the app, which removes associated transcripts and notes. For additional requests, please contact us using the details below.

8. Cookies and Analytics

OTUS AI uses essential cookies for authentication (for example, to maintain your signed-in session). We do not use advertising trackers. If analytics are enabled in the future, this policy will be updated accordingly.

We may also use a limited preference cookie (for example, to remember whether to show onboarding guidance). This cookie does not contain clinical content.

9. Data Sharing

Data is not shared with any third party other than Azure services necessary to perform transcription and summarisation, under Microsoft’s GDPR-compliant Data Processing Addendum.

10. Subprocessors

OTUS AI uses vetted service providers (subprocessors) to operate the service. A current list is also available at /subprocessors.

The subprocessors we use depend on your configuration and enabled features, but may include:

  • Microsoft Azure (hosting and infrastructure, including database hosting where applicable)
  • Azure Speech (real-time transcription)
  • Azure OpenAI / Foundry (role mapping and draft note generation)
  • Resend (service emails such as invitations and password resets)
  • Identity providers (for example, Google OAuth and/or Microsoft Entra ID) to enable sign-in
  • Monitoring/telemetry (for example, Azure Application Insights) if enabled

We do not allow subprocessors to use patient consultation content for their own purposes. Where required, we apply appropriate contractual safeguards.

11. Contact

For any GDPR or data protection inquiries, please contact:
OTUS AI Privacy Lead
privacy@otusai.co.uk