Security & GDPR
Last updated: 15 June 2026
Our model
You are the data controller for your patients' data; MyNewClinic is your data processor. We process patient data only to provide the service to you, and we give you the tools to meet your data-protection obligations.
Infrastructure & encryption
Data at rest: AES-256 encryption via Supabase, hosted in the UK (London region). Supabase is SOC 2 Type II certified.
Data in transit: TLS 1.2+ enforced on every connection: browser to API, API to database, and API to sub-processors.
Access controls: role-based staff permissions, strict tenant isolation between clinics, record-access logging, and optional two-factor authentication.
Data location: patient data is stored in the UK. Some sub-processors may process limited data outside the UK under appropriate transfer safeguards (e.g. the UK International Data Transfer Addendum).
AI & patient data
The AI Assistant is off by default. No patient data is sent to Anthropic until your clinic explicitly enables AI features in Settings, after your data-processing agreement is in place. Per Anthropic's commercial API data-processing agreement, API inputs and outputs are not used to train models and are retained for up to 30 days for trust-and-safety purposes only. This describes our provider's contractual terms, not something MyNewClinic separately enforces in code; confirm it against Anthropic's current DPA. Card details are never stored by MyNewClinic; they are held by Stripe.
Our AI, safety & trust page sets out, feature by feature, exactly what each AI feature does, what data it sees, and where a clinician stays in the loop.
Your data-protection toolkit
Built into MyNewClinic so you can answer patient requests directly:
- Subject-access export: one click downloads everything held on a patient.
- Right to erasure: anonymises a patient's identity while keeping de-identified records for your retention period.
- Access log: see who viewed or changed each patient's record.
- Two-factor authentication for staff logins.
Sub-processors
The third-party services that process data on our behalf:
| Sub-processor | Purpose | Trains on data? | Location |
|---|---|---|---|
| Supabase | Database, authentication & file hosting | No | UK (London) |
| Stripe | Card payments, cards on file & subscription billing | No | EU / US (PCI DSS) |
| Anthropic | AI Assistant (only when enabled) | No | US (API) |
| Telnyx | SMS reminders (optional) | No | US / global |
| Vercel | Web app hosting (no patient data at rest) | No | EU / global |
The "Trains on data?" and retention positions reflect each provider's own contractual terms, which we surface here but do not separately enforce in code.
Data Processing Agreement
A signed Data Processing Agreement is available to clinics on request; email hello@mynewclinic.com.
Data retention
Clinical records are kept for the period required by healthcare record-keeping rules (typically 8 years for adults), then securely deleted or anonymised.
Reporting a security issue
If you believe you've found a vulnerability, please email hello@mynewclinic.com and we'll respond promptly.
Who operates MyNewClinic
MyNewClinic is operated by OsteoRise Limited, a company registered in England & Wales (company no. 15200521), registered with the UK Information Commissioner's Office (ICO) under reference ZB762812.