illumate

Privacy Policy

Last updated: April 8, 2026

This Privacy Policy explains how Illumate (“we”, “us”) processes personal data when you use our websites, applications, and related services (collectively, the “Service”). It is provided for transparency and does not replace legal advice about your own obligations as a clinician or organisation.

Introduction

Illumate provides software for mental health professionals to document sessions, generate drafts, and work with AI-assisted tools. Processing personal data — including potentially sensitive health-related information you choose to store — is central to providing the Service.

This Policy describes what categories of data we process, for which purposes, on which legal bases (including EU/UK GDPR where applicable), who we share data with, how long we keep it, which security measures we apply, and which rights you have. By using the Service, you acknowledge that you have read this Policy.

If you use the Service on behalf of a practice or organisation, you confirm that you are authorised to bind that organisation to this Policy where required.

Data controller and contact

The data controller responsible for personal data processed in connection with the Service is the Illumate operating entity that provides the Service to you. For privacy requests and questions, contact us at hello@illumate.me. We may ask you to verify your identity before fulfilling certain requests.

Where you upload or enter information about patients or other third parties, you are typically the controller of that information in your professional capacity, and Illumate processes such data on your behalf as a processor, to the extent applicable data protection law distinguishes these roles. Your agreements with patients and your professional rules remain your responsibility.

Scope

This Policy applies to personal data processed when you visit our marketing website, create or use an account, upload or generate session-related content, contact support, or otherwise interact with the Service.

Third-party websites, integrations, or tools that we link to are governed by their own terms. Our Security page describes technical measures at a high level and should be read together with this Policy.

Categories of personal data

Account and identity data: for example name, professional email address, authentication identifiers, organisation, billing identifiers (where applicable), and communication preferences.

Service and clinical workflow data: session transcripts or text you provide, audio where you enable recording or upload, progress notes and drafts, AI-generated outputs, patient identifiers or pseudonyms as you choose to enter them, and related metadata (timestamps, format, status of processing jobs).

Technical and security data: IP address, device and browser type, approximate location derived from IP, diagnostic logs, audit records, and similar information needed to operate and secure the Service.

Support and correspondence: messages you send to us (e.g. email or in-product support), including attachments you choose to provide.

We apply data minimisation: we do not ask for more information than reasonably needed for the Service, and we encourage use of pseudonyms or initials for patient references where that fits your practice.

Purposes and legal bases

We process personal data to provide, maintain, and improve the Service (including note generation, transcription, AI chat features, exports, and authentication), to secure accounts and prevent abuse, to analyse reliability and performance in aggregate form, to communicate with you about the Service, and to comply with legal obligations.

Depending on the situation and applicable law, we rely on: (a) performance of a contract with you (Art. 6(1)(b) GDPR); (b) legitimate interests that are not overridden by your interests or rights, such as securing the platform, limited product analytics, and fraud prevention (Art. 6(1)(f) GDPR), where we balance these interests; (c) your consent where we are required to ask for it (Art. 6(1)(a) GDPR), for example for certain optional communications or non-essential cookies; (d) legal obligations (Art. 6(1)(c) GDPR).

Where we process special categories of personal data (such as health-related information), we additionally rely, as applicable, on Art. 9(2)(h) GDPR (health or social care, with professional safeguards), Art. 9(2)(f) GDPR (legal claims), or explicit consent where that is the appropriate basis in your context. You should use the Service consistently with your professional duties and local law.

Health-related and sensitive information

Content you upload about therapy sessions may reveal health information about data subjects. You are responsible for having a valid legal basis under professional and data protection rules to enter such information into the Service and for informing data subjects where required.

We do not use your confidential clinical content to train general-purpose public models. Product improvement uses aggregated or de-identified techniques where possible, consistent with our agreements and settings.

If you require a data processing agreement (DPA) or business associate agreement (BAA) for regulated health data, you must obtain a separate written agreement with us that reflects your regulatory context — availability may depend on product tier and infrastructure choices.

Cookies and similar technologies

We use cookies and similar storage where necessary to operate the site (for example session authentication, security, load balancing, and remembering preferences).

Where we use analytics or marketing cookies that are not strictly necessary, we will request your consent where required by law. You can control cookies through your browser settings and any cookie banner we provide.

Recipients, subprocessors, and disclosure

We engage infrastructure, hosting, database, logging, email delivery, payment, and AI inference providers as subprocessors to deliver the Service. They receive data only as needed for their function and under contractual obligations consistent with this Policy.

Illustrative categories of providers include: cloud hosting and storage; transcription and speech-to-text services; large language model and embedding providers; payment processors (e.g. Stripe) for billing; and support tooling. Specific vendors may change over time; we maintain an overview of categories in our documentation and notify you of material changes where required.

We do not sell your personal data. We may disclose information if required by law, regulation, court order, or governmental request, or to establish, exercise, or defend legal claims, subject to applicable safeguards.

If Illumate is involved in a merger, acquisition, or asset sale, personal data may be transferred as part of that transaction; we will require the successor to honour this Policy or notify you of changes.

International transfers

We may process and store data in the European Economic Area and in other countries where our subprocessors operate. If we transfer personal data from the EEA, UK, or Switzerland to countries not recognised as providing adequate protection, we use appropriate safeguards such as the EU Commission Standard Contractual Clauses (SCCs) and supplementary measures where required.

You may request further information about transfers and safeguards by contacting hello@illumate.me.

Retention

We retain account data for as long as your account is active and for a reasonable period afterwards to resolve disputes, enforce agreements, and comply with law (including tax and accounting rules).

Session and clinical workflow data are retained according to Service functionality and settings (for example configurable deletion of audio after transcription). When you delete content or your account, we delete or irreversibly anonymise personal data within a reasonable period, except where a longer retention is required by law or legitimate interest (for example encrypted backups with defined rotation).

Security and audit logs may be kept for a limited period consistent with security monitoring and compliance needs.

Security

We implement technical and organisational measures designed to protect personal data, including encryption in transit (TLS), encryption for sensitive fields at rest where implemented, access controls, separation between tenants, monitoring, and staff access limitations.

No method of transmission or storage is completely secure. You are responsible for maintaining strong passwords, protecting your devices, and configuring the Service consistently with your risk assessment.

Your rights

Depending on your location, you may have the right to: access your personal data; rectify inaccurate data; erase data (“right to be forgotten”) in certain cases; restrict processing; request data portability; object to processing based on legitimate interests or for direct marketing; and withdraw consent where processing was consent-based.

You may exercise these rights by contacting hello@illumate.me. You may also lodge a complaint with a supervisory authority in the country where you live, where you work, or where the alleged infringement took place (for EEA residents, a list of authorities is available on the European Data Protection Board website).

If you are a California resident, you may have additional rights under the CCPA/CPRA regarding disclosure, deletion, and opt-out of certain sharing; contact us to exercise those rights and we will respond as required by law.

Automated processing and AI

The Service uses automated and AI-assisted processing to generate suggestions, summaries, and answers. These outputs are assistive only and may be incomplete or incorrect. They do not constitute clinical decisions about patients.

We do not make solely automated decisions that produce legal or similarly significant effects about you without human review, within the meaning of Art. 22 GDPR, in relation to account holders.

Children

The Service is intended for adults and professionals. We do not knowingly collect personal data from children under the age where parental consent is required in your jurisdiction. If you believe we have collected such data, contact us and we will delete it.

Changes to this Policy

We may update this Policy to reflect legal, technical, or business changes. We will post the revised version with an updated “Last updated” date. Where changes are material, we will provide additional notice (for example by email or in-product notification) where required by law.

Contact

Questions about this Privacy Policy or our data practices: hello@illumate.me.