Privacy Policy
Last updated: January 2025
Privacy by Design
RSD-RS is built with privacy as a core principle. We collect no personally identifiable information (PII) about patients. Our system is designed so that even we cannot identify individual patients from the data we store.
1. Introduction
This Privacy Policy explains how RSD-RS ("we", "our", or "us") collects, uses, and protects information when you use our clinical assessment platform. We are committed to protecting your privacy and handling any personal information we obtain with care and respect.
This policy should be read alongside our Terms of Service and Data Protection Policy.
2. Data Controller
For the purposes of applicable data protection laws, the data controller is:
RSD-RS
Email: privacy@rsdrs.com
3. Information We Collect
3.1 Clinic Account Information
When you register as a clinic or healthcare professional, we collect:
- Email address (for account access and communication)
- Organisation name and type
- Country of practice
- Professional role (optional)
- Account preferences and settings
3.2 Patient Assessment Data
We do NOT collect any personally identifiable information about patients. Patient data is limited to:
- System-generated anonymous identifier (e.g., RSD-4X7K-2M9P-AB)
- Age band (not date of birth)
- Sex (male, female, other, prefer not to say)
- ADHD status (diagnosed, under assessment, suspected)
- Country (for research stratification only)
- Assessment responses (numerical values 0-4)
- Calculated scores and severity bands
Important: We never collect patient names, dates of birth, addresses, NHS numbers, or any other information that could identify an individual patient. The link between our system ID and the actual patient is maintained only by the clinic in their own records.
3.3 Research Enhancement Data (Optional)
For clinics participating in research, we may also collect (all anonymised):
- ADHD subtype (Inattentive, Hyperactive-Impulsive, Combined)
- Age of diagnosis (band, not exact age)
- Medication status (yes/no, type of medication)
- Comorbid conditions (from a predefined list)
- Treatment/intervention context for follow-ups
- Educational setting (for children)
3.4 Technical Data
We automatically collect certain technical information:
- IP address (for security and fraud prevention)
- Browser type and version
- Device information
- Access times and pages viewed
- Cookies and similar technologies (see Section 8)
4. How We Use Your Information
4.1 Clinic Account Data
- To provide and maintain your account
- To communicate important updates about the service
- To respond to support requests
- To send product updates and newsletters (with consent)
- To verify professional credentials where required
4.2 Patient Assessment Data
- To calculate and display assessment scores
- To generate clinical reports
- To track changes over time for individual patients
- To provide clinic-level analytics
- If research mode is enabled: to contribute to aggregate research datasets
4.3 Research Purposes
If you opt in to research contribution (enabled by default, can be disabled):
- Anonymised data is included in aggregate research datasets
- Used to validate the RSD-RS instruments
- Used to develop population norms
- May be included in published scientific research
- No individual patients or clinics are identifiable in publications
5. Legal Basis for Processing
Under the UK GDPR and EU GDPR, we process your information on the following legal bases:
- Contract: Processing necessary to provide the service you have requested (account management, assessment functionality)
- Legitimate Interests: Processing necessary for our legitimate interests (security, fraud prevention, service improvement) where these are not overridden by your rights
- Consent: Where you have given explicit consent for specific processing (marketing communications, research contribution)
- Scientific Research: For aggregate research data, we rely on the research exemption under Article 89 GDPR, with appropriate safeguards
6. Data Sharing
6.1 We Do Not Sell Your Data
We will never sell, rent, or trade your personal information to third parties for marketing purposes.
6.2 Service Providers
We may share data with trusted service providers who assist in operating our platform:
- Supabase: Database hosting and authentication (EU/UK data centres)
- Vercel: Website hosting and delivery
- Email providers: For transactional and communication emails
All service providers are bound by data processing agreements and are required to protect your data in accordance with applicable laws.
6.3 Research Collaboration
Aggregate, anonymised research data may be shared with:
- Academic research institutions
- Healthcare organisations
- Peer-reviewed journals (as published research)
This data is always aggregated and cannot be used to identify individual patients or clinics.
6.4 Legal Requirements
We may disclose information if required by law, court order, or to protect our rights, property, or the safety of our users.
7. Data Storage and Security
7.1 Where We Store Data
Your data is stored on secure servers located in the European Union. We use Supabase for our database infrastructure, which provides enterprise-grade security and compliance.
7.2 Security Measures
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Row-level security policies in our database
- Regular security audits and penetration testing
- Access controls and authentication requirements
- Automated backups with point-in-time recovery
- DDoS protection and Web Application Firewall
7.3 Data Retention
- Clinic accounts: Retained while account is active, plus 7 years after closure
- Assessment data: Retained while clinic account is active
- Research data: Anonymised aggregate data may be retained indefinitely for research purposes
- Technical logs: Retained for 90 days
8. Cookies and Tracking
We use essential cookies to:
- Maintain your login session
- Remember your preferences
- Ensure security of your account
We do not use tracking cookies for advertising purposes. We may use analytics cookies (such as Plausible or similar privacy-focused tools) to understand how the platform is used, but these do not track individual users across websites.
You can control cookies through your browser settings, but disabling essential cookies may affect the functionality of the platform.
9. Your Rights
Under data protection laws, you have the following rights regarding your personal data:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Portability: Request your data in a machine-readable format
- Restriction: Request limitation of processing in certain circumstances
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Where processing is based on consent, withdraw at any time
To exercise these rights, contact us at privacy@rsdrs.com. We will respond within 30 days.
Note on Patient Data: Since we do not hold personally identifiable patient data, patients cannot exercise individual rights against us directly. The clinic maintains the link between system IDs and patients and is responsible for patient data requests.
10. International Transfers
Our primary data storage is within the European Economic Area. If data is transferred outside the EEA (e.g., for certain service providers), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Binding Corporate Rules where relevant
11. Children's Privacy
Our platform is designed for use by healthcare professionals, not directly by children. When assessments are completed about children, no personally identifiable information about the child is collected by our platform. The clinic is responsible for any consent requirements for assessments involving minors.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email and/or a notice on the platform. The "Last updated" date at the top indicates when the policy was last revised. Continued use of the platform after changes constitutes acceptance of the updated policy.
13. Complaints
If you have concerns about how we handle your data, please contact us first at privacy@rsdrs.com.
You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk
14. Contact Us
For questions about this Privacy Policy or our data practices, please contact: privacy@rsdrs.com