Privacy Policy
Last updated: June 27, 2026
This Privacy Policy explains how Illumate (“we”, “us”) processes personal data when you use our websites, applications, and related services (collectively, the “Service”). It is provided for transparency and does not replace legal advice about your own obligations as a clinician or organisation.
Introduction
Illumate provides software for mental health professionals to document sessions, generate drafts, and work with AI-assisted tools. Processing personal data — including potentially sensitive health-related information you choose to store — is central to providing the Service.
This Policy describes what categories of data we process, for which purposes, on which legal bases (including EU/UK GDPR where applicable), who we share data with, how long we keep it, which security measures we apply, and which rights you have. By using the Service, you acknowledge that you have read this Policy.
If you use the Service on behalf of a practice or organisation, you confirm that you are authorised to bind that organisation to this Policy where required.
Data controller and contact
The controller for account and website data is the sole proprietor (preduzetnik) NIKITA KRUGOVOI PREDUZETNIK BEOGRAD (VRAČAR), registration number (matični broj) 68394830, tax ID (PIB) 115475768, registered address Sredačka 11, floor 2, apt 6, Belgrade (Vračar), Serbia. Privacy and rights requests: hello@illumate.me. We may ask you to verify your identity before fulfilling certain requests.
No separate Data Protection Officer (DPO) is appointed during early access; for data protection matters contact hello@illumate.me. No EU/UK representative (Art. 27 GDPR) is appointed during early access; one will be appointed if and when required by applicable law.
For patient/session content you upload or enter, you are typically the controller and Illumate acts as a processor acting on your documented instructions under a Data Processing Addendum (DPA). The split of roles is described below and in the DPA. Your agreements with patients and your professional rules remain your responsibility.
Controller and processor roles
To operationalise roles, we separate processing by data type:
Website analytics — Illumate: controller.
Account registration — Illumate: controller; you: data subject / business customer.
Billing — Illumate: controller (jointly or independently with Stripe); you: customer.
Session audio, transcripts, and content — Illumate: processor; you: controller.
Support requests containing clinical content — Illumate: processor or controller depending on context; you: controller.
Security logs — Illumate: controller or processor depending on content; you: controller/customer.
Scope
This Policy applies to personal data processed when you visit our marketing website, create or use an account, upload or generate session-related content, contact support, or otherwise interact with the Service.
Third-party websites, integrations, or tools that we link to are governed by their own terms. Our Security page describes technical measures at a high level and should be read together with this Policy.
Categories of personal data
Account and identity data: for example name, professional email address, authentication identifiers, organisation, billing identifiers (where applicable), and communication preferences.
Service and clinical workflow data: session transcripts or text you provide, audio where you enable recording or upload, progress notes and drafts, AI-generated outputs, patient identifiers or pseudonyms as you choose to enter them, and related metadata (timestamps, format, status of processing jobs).
Technical and security data: IP address, device and browser type, approximate location derived from IP, diagnostic logs, audit records, and similar information needed to operate and secure the Service.
Support and correspondence: messages you send to us (e.g. email or in-product support), including attachments you choose to provide.
We apply data minimisation: we do not ask for more information than reasonably needed for the Service, and we encourage use of pseudonyms or initials for patient references where that fits your practice.
Purposes and legal bases
We process personal data to provide, maintain, and improve the Service (including note generation, transcription, AI chat features, exports, and authentication), to secure accounts and prevent abuse, to analyse reliability and performance in aggregate form, to communicate with you about the Service, and to comply with legal obligations.
Depending on the situation and applicable law, we rely on: (a) performance of a contract with you (Art. 6(1)(b) GDPR); (b) legitimate interests that are not overridden by your interests or rights, such as securing the platform, limited product analytics, and fraud prevention (Art. 6(1)(f) GDPR), where we balance these interests; (c) your consent where we are required to ask for it (Art. 6(1)(a) GDPR), for example for certain optional communications or non-essential cookies; (d) legal obligations (Art. 6(1)(c) GDPR).
Where we process special categories of personal data (such as health-related information), we additionally rely, as applicable, on Art. 9(2)(h) GDPR (health or social care, with professional safeguards), Art. 9(2)(f) GDPR (legal claims), or explicit consent where that is the appropriate basis in your context. You should use the Service consistently with your professional duties and local law.
Health-related and sensitive information
Content you upload about therapy sessions may reveal health information. For such Customer Clinical Content, you as the controller identify the applicable Art. 6 lawful basis and Art. 9 condition (for example Art. 9(2)(h) — health or social care with professional safeguards, or explicit consent). Illumate processes this content on your documented instructions under the DPA and does not select an Art. 9 basis on its own.
You are responsible for having a valid legal basis and for informing data subjects where professional and regulatory rules require it.
Our approach to model training is described in "Clinical content and model training". A DPA is available on request (template on the DPA page, /dpa); for US regulated health data, see the "US / HIPAA" section.
Clinical content and model training
"Customer Clinical Content" means session audio, transcripts, notes, patient identifiers, prompts, AI outputs, and related metadata submitted or generated in connection with your clinical workflow.
Illumate does not use Customer Clinical Content to train, fine-tune, or improve general-purpose or customer-independent AI models unless the Customer has expressly opted in under a separate written agreement.
We may use de-identified and aggregated operational metrics that do not identify patients, clinicians, or sessions to maintain security, reliability, and performance.
Illumate personnel do not access Customer Clinical Content except as necessary to provide support requested by the Customer, investigate security incidents, comply with law, or maintain the Service, under strict access controls and audit logging.
Cookies and similar technologies
We use cookies and similar storage where necessary to operate the site (for example session authentication, security, load balancing, and remembering preferences).
Where we use analytics or marketing cookies that are not strictly necessary, we will request your consent where required by law. You can control cookies through your browser settings and any cookie banner we provide.
Recipients, subprocessors, and disclosure
We engage infrastructure, hosting, database, logging, email delivery, payment, and AI inference providers as subprocessors to deliver the Service. They receive data only as needed for their function and under contractual obligations consistent with this Policy.
Illustrative categories of providers include: cloud hosting and storage; transcription and speech-to-text services; large language model and embedding providers; payment processors (e.g. Stripe) for billing; and support tooling. Specific vendors are listed on the Subprocessors page; we notify you of material changes where required.
We do not sell your personal data. We may disclose information if required by law, regulation, court order, or governmental request, or to establish, exercise, or defend legal claims, subject to applicable safeguards.
If Illumate is involved in a merger, acquisition, or asset sale, personal data may be transferred as part of that transaction; we will require the successor to honour this Policy or notify you of changes.
Subprocessors
We engage subprocessors for hosting, transcription (speech-to-text), AI inference and embeddings, payment processing, and support. The current list — with vendors, purposes, data categories, locations, and transfer mechanisms — is published on the Subprocessors page.
We provide notice of new subprocessors where required. A list of categories is on the Subprocessors page (/subprocessors); the current named list is available on request at hello@illumate.me.
International transfers
We may process and store data in the European Economic Area and in other countries where our subprocessors operate. If we transfer personal data from the EEA, UK, or Switzerland to countries not recognised as providing adequate protection, we use appropriate safeguards such as the EU Commission Standard Contractual Clauses (SCCs) and supplementary measures where required.
You may request further information about transfers and safeguards by contacting hello@illumate.me.
Retention
Account data: while the account is active and for a reasonable period afterwards to resolve disputes and comply with law; billing records are kept for the period required by applicable (including Serbian) law.
Audio: deleted shortly after transcription by default.
Transcripts, notes, and AI outputs: retained until you delete the relevant session or account.
Audit logs and backups are kept for a limited period consistent with security and operational needs, then deleted or rotated. Support attachments are deleted within a reasonable period after the ticket is closed.
When you delete content or your account, we delete or irreversibly anonymise personal data within the periods above, except where a longer retention is required by law.
DPIA and risk assessment assistance
Taking into account the nature of processing and the information available to us, we provide Customers with reasonable assistance for data protection impact assessments (DPIAs), prior consultations with supervisory authorities, and responses to data subject requests.
Internally we maintain a record of processing (RoPA), a risk assessment, and an incident response procedure. Details are available to business customers on request as part of due diligence: hello@illumate.me.
Security incident notification
Upon a confirmed personal data breach, we notify affected Customers without undue delay, within the timeframes required by applicable law (typically within 72 hours after confirmation) where required.
The notice includes available information about the nature of the incident, the categories and approximate volume of affected data, likely consequences, and measures taken or proposed. Specific obligations are set out in the DPA.
Security
We implement technical and organisational measures designed to protect personal data, including encryption in transit (TLS), encryption for sensitive fields at rest where implemented, access controls, separation between tenants, monitoring, and staff access limitations.
No method of transmission or storage is completely secure. You are responsible for maintaining strong passwords, protecting your devices, and configuring the Service consistently with your risk assessment.
US / HIPAA
During early access, Illumate does not offer a Business Associate Agreement (BAA) and is not offered as HIPAA-compliant. Do not use the Service to process PHI subject to HIPAA.
If you need to process PHI under HIPAA, please wait until we introduce BAA support. For status: hello@illumate.me.
Your rights
Depending on your location, you may have the right to: access your personal data; rectify inaccurate data; erase data (“right to be forgotten”) in certain cases; restrict processing; data portability; object to processing based on legitimate interests or for direct marketing; and withdraw consent where processing was consent-based.
You may exercise these rights by contacting hello@illumate.me. You may also lodge a complaint with a supervisory authority in your country of residence, workplace, or an alleged infringement (for EEA residents, a list of authorities is available on the European Data Protection Board website).
If you are a California resident, you may have additional rights under the CCPA/CPRA regarding disclosure, deletion, and opt-out of certain sharing; contact us to exercise those rights and we will respond as required by law.
Automated processing and AI
The Service uses automated and AI-assisted processing to generate suggestions, summaries, and answers. These outputs are assistive only and may be incomplete or incorrect. They do not constitute clinical decisions about patients.
We do not make solely automated decisions that produce legal or similarly significant effects about you without human review, within the meaning of Art. 22 GDPR, in relation to account holders.
Minors
The Service is intended for use by adult professionals, not by patients or children directly. However, Customer Clinical Content may include information about minors where a Customer is legally permitted to process such information.
The Customer is responsible for obtaining parental or guardian consents and other legal bases where required by applicable law.
Changes to this Policy
We may update this Policy to reflect legal, technical, or business changes. We will post the revised version with an updated “Last updated” date. Where changes are material, we will provide additional notice (for example by email or in-product notification) where required by law.
Contact
Questions about this Privacy Policy or our data practices: hello@illumate.me.
Illumate is in early access, so these documents may be updated as the service evolves. The provider and contact details are set out in the sections above.