UK GDPR · DPA
GDPR and DPA-compliant AI receptionist for UK clinics
Putting an AI on your phone line means it will hear patient names, dates of birth, symptoms, and contact details — special-category health data under UK GDPR. For a clinic, “it answers calls” isn’t enough: you need to know where that data lives, who processes it, how long it’s kept, and that there’s a Data Processing Agreement in place before a single call is recorded.
AfterCaller is built to be GDPR and DPA-compliant for UK clinics from day one. Call audio and transcripts are stored in EU/UK regions only, a DPA is signed at onboarding, data is encrypted in transit and at rest, every settings change is audit-logged, and recordings auto-delete after 90 days unless you change the policy.
A signed DPA before you go live
Under UK GDPR, AfterCaller acts as a data processor and your clinic remains the data controller. We sign a Data Processing Agreement during onboarding that sets out the scope of processing, the lawful basis, our obligations, and your rights as controller — so your compliance file is complete before the first call is answered.
The DPA also governs our subprocessors. We maintain a documented subprocessor list (telephony, voice infrastructure, storage) with their own data-protection commitments, and we notify you of material changes so your records stay current.
Data residency, encryption, and retention
Call recordings and transcripts are stored in EU/UK regions only — patient data does not leave the region by default. Data is encrypted in transit (TLS) and at rest, and access is restricted to the systems that need it to operate your receptionist.
Retention is configurable. By default, recordings auto-delete after 90 days, which keeps you in line with data-minimisation expectations. You can shorten or extend this to match your own retention policy, and you can request deletion of a specific caller’s data to support subject-access and erasure requests.
Auditable, transparent, and consent-aware
Every call is recorded, transcribed, and auto-scored, and every change to your receptionist’s settings is written to an audit log — so you can show who changed what and when. That paper trail matters for clinical governance and for demonstrating accountability under GDPR.
The receptionist opens calls with a clear greeting and can include a consent and recording notice tailored to your clinic. It’s designed to capture only the data it needs to book and triage, and to escalate to a human when a request falls outside its scope rather than guessing.
Signed DPA at onboarding
A Data Processing Agreement in place before your first call — you stay the controller.
EU/UK data residency
Recordings and transcripts stored in EU/UK regions only by default.
Encrypted in transit & at rest
TLS in transit and encryption at rest, with least-privilege access.
90-day auto-delete
Configurable retention with automatic deletion to support data minimisation.
Full audit log
Every settings change recorded for accountability and clinical governance.
Consent-aware greeting
Optional recording and consent notice tailored to your clinic.
QUESTIONS
Frequently asked.
Do you sign a Data Processing Agreement?
Yes. A DPA is signed during onboarding, before you go live. It sets out the scope of processing, our obligations as processor, and your rights as the data controller under UK GDPR.
Where is patient call data stored?
In EU/UK regions only by default. Recordings and transcripts do not leave the region, are encrypted in transit and at rest, and access is restricted to the systems that operate your receptionist.
How long are recordings kept?
Recordings auto-delete after 90 days by default. Retention is configurable to match your own policy, and you can request deletion of a specific caller’s data to support erasure requests.
Can I see who changed settings and when?
Yes. Every change to your receptionist’s configuration is written to an audit log, giving you a clear accountability trail for governance and compliance reviews.
Does it ask callers for consent to record?
The receptionist can open calls with a consent and recording notice tailored to your clinic, and it captures only the data needed to book and triage.
READY?
Put an AI on your line without the compliance risk.
Get a GDPR and DPA-compliant AI receptionist with a signed DPA and EU/UK data residency. Live in 24 hours.