Privacy Policy

This policy explains how personal data is processed when you use any ReporaPro or ReporaPro-branded reporting tool, including web form clinical generators, DSM-5 summary tools, and workbook upload services. It applies under the UK GDPR, the Data Protection Act 2018, and all related UK data protection legislation.

Who we are

Controller: ReporaPro

Contact email: contact@reporapro.com

ReporaPro operates within the United Kingdom and is subject to UK data protection law.

ReporaPro is the controller for personal data relating to registered users of the platform, including clinician account information and support communications. For all patient data entered or uploaded into the clinical reporting tools, ReporaPro acts solely as the data processor. ReporaPro processes patient data solely on the documented instructions of the healthcare professional acting as controller.

All ReporaPro clinical services are designed for use by registered healthcare professionals only. ReporaPro provides software tools that assist with clinical report writing and structured DSM-5 summaries. For all services within this suite, we process personal data only on behalf of healthcare professionals using the tools. We never determine the purposes or means of processing patient data.

Role of healthcare professionals

When you enter clinical data into one of our web forms or upload a workbook, you are the data controller for that patient data. You decide what information is provided and confirm the lawful basis for your processing. ReporaPro handles that data only to perform the task you initiate within the application, such as Generate Report or Generate DSM-5.

Use of third-party sub-processors

We rely on trusted external providers to operate the platform and AI services. These include Render for hosting and infrastructure, and OpenAI as a sub-processor providing AI model inference services.

All patient data is pseudonymised before any transmission to OpenAI services. Data transmitted to OpenAI via API is used solely for inference and is not used to train AI models. The AI model receives anonymised assessment information with identifiers removed. Real names or identifiers are restored only in the final output returned directly to you. No restored identifiers are ever retained by ReporaPro or transmitted outside the organisation.

What we process

Clinical data entered through web forms

When you complete a clinical assessment form within the application, the fields may contain personal data and special category data relating to your patients. This can include names, pronouns, ages, background information, developmental history, clinical observations, and assessment findings. We process only the data you choose to provide in those fields.

Uploaded workbook data

If you upload an Excel workbook or similar file containing clinical information, it may include personal data and health-related special category data. We process only the content you upload and metadata strictly necessary to operate the service. All identifiers are pseudonymised before any assessment data is sent to external AI services.

Browser and session data

Form data may be temporarily stored in your browser's memory or local storage to allow you to complete the process. This temporary storage remains on your device and is only transmitted when you actively select Generate Report or Generate DSM-5. You can clear locally stored data at any time using your browser settings.

Audit logs

For security and reliability purposes, we keep operational audit logs containing metadata only. These logs include timestamps, IP addresses, and event types. They never contain patient names, clinical notes, or report content. Audit logs are retained for 30 to 90 days and are then automatically deleted through routine log rotation.

Support communications

Questions or issues sent to our support channels may be retained for up to 12 months for service improvement, dispute resolution, and continuity of service. These communications involve general personal data relating to the clinician user only, and do not include patient data. Lawful basis: Article 6(1)(f) legitimate interests.

Purposes and lawful bases

Providing the requested service

Personal data is processed to generate clinical reports and DSM-5 summaries on behalf of healthcare professional users. The lawful bases relied on are Article 6(1)(b) contract, necessary to provide the service you have requested, and Article 9(2)(h) health and social care purposes, necessary for medical diagnosis and clinical assessment.

Service operation and security

We process limited data to maintain secure and stable operation of the platform. The lawful basis for this processing is Article 6(1)(f) legitimate interests, ensuring the tools function correctly and are protected from misuse.

User responsibilities

As the healthcare professional acting as data controller, you must ensure you have an appropriate lawful basis for any patient data you enter or upload. ReporaPro is a tool to assist you in your clinical work. It does not replace your duties regarding patient confidentiality, record keeping, or compliance with data protection law.

International transfers

Where personal data is transferred outside the UK to OpenAI as our sub-processor for AI inference, the transfer is governed by recognised safeguards incorporated within our Data Processing Addendum with OpenAI, including the UK International Data Transfer Agreement and Standard Contractual Clauses. Copies of those mechanisms are available to registered users on request.

Data minimisation

Only information required to produce reports should be entered or uploaded. We encourage you to limit identifiers where possible. The system automatically pseudonymises all client names before any transmission to external services, in line with our data minimisation principles.

Retention and deletion

No server-side retention

ReporaPro does not retain form data, uploaded workbooks, or generated outputs on its own servers. All such data is processed in-memory only and deleted immediately after delivery to you.

Client-side retention

Any information held temporarily in your browser exists solely for your convenience and can be cleared by you at any time using browser or device settings.

Data Retention Schedule

Data category | Retention period | Deletion method
Form or file data submitted for processing | Deleted immediately after processing completes | Automatic removal from memory buffers
Generated report text and DOCX files | Deleted immediately after delivery | Automatic deletion from memory
Audit logs (metadata only) | 30 to 90 days | Automated log rotation

Your rights

Under applicable data protection law, you may request access, rectification, erasure, restriction, objection, and data portability where relevant in relation to platform user data.

Contact: contact@reporapro.com

Requests concerning patient data must be handled by the healthcare professional acting as controller who supplied the data. You also have the right to complain to the Information Commissioner's Office at ico.org.uk.

Security

We protect all processing with encryption in transit, strict access controls, and least-privilege administration. We maintain formal incident response procedures and will notify affected users of any personal data breach where legally required.

Children's data

Some tools may be used to process data relating to children as part of clinical assessments. We apply heightened safeguards to any such processing and expect that you, as the healthcare professional controller, have a lawful basis to provide that information.

Changes to this policy

We may update this Privacy Policy from time to time for legal or operational reasons. Material changes will be reflected on this page. Continued use of the tools indicates acceptance of the current version.

Contact

Questions about this policy or our data practices should be directed to:

contact@reporapro.com