PharmaSafe

Privacy

Last updated 15 May 2026

PharmaSafe processes pharmacy team data — names, emails, the incidents you choose to record. We keep this short and honest. If a clause confuses you, email privacy@deephumanstudios.com.

Who's the controller

DeepHuman Studios Ltd (England & Wales). Postal address available on request — write to privacy@deephumanstudios.com.

Our UK Data Protection Officer is contactable at the same address.

What we collect

  • Account info — your email, name, role, the org and pharmacies you belong to.
  • Authored content — incidents, SOPs and acknowledgements you create.
  • Voice recordings — only when you tap the mic to file an incident. Used to produce the transcript; raw audio is deleted within 30 days.
  • Diagnostics — anonymised crash and performance data via Sentry. Never linked to your identity.
  • Analytics — Google Analytics 4 on the marketing site only, gated behind cookie consent in the UK/EU.

Lawful basis

Most processing is on the lawful basis of contract (Art. 6(1)(b) UK GDPR) — you've agreed to the Terms so we can run the service for you. Some processing — analytics, diagnostics — is on legitimate interests (Art. 6(1)(f)) with opt-out. Where you record voice you give explicit consent (Art. 9(2)(a)) inside the capture flow.

Where your data lives

Postgres + Auth + Storage live in Supabase EU West (Ireland). AI inference (Speech-to-Text, Claude on Azure Foundry) runs in Azure UK South, with no traffic leaving the UK/EU sovereign cloud. The Vercel CDN serves the web app from EU edges.

Subprocessors

Listed in our DPA (see below). The current set:

  • Supabase Inc. — database, auth, storage (SCC-compliant).
  • Microsoft Azure — Speech-to-Text + Claude Sonnet 4.5 via Azure AI Foundry (UK).
  • Vercel Inc. — web hosting (EU edge).
  • Sentry — anonymised error logs.

How long we keep it

  • Account + authored content: while your org is active, then 90 days post-termination.
  • Raw voice audio: 30 days (transcript retained as part of the incident).
  • Audit log: 7 years (regulatory).
  • Diagnostics: 30 days.

Your rights

You can, at any time:

  • Request a copy of everything we hold on you (Art. 15) — your Settings page has a one-click export, or email privacy@deephumanstudios.com.
  • Ask us to delete your account (Art. 17). One click in Settings; we anonymise authored content and retain only the audit trail.
  • Withdraw consent for analytics — click "Cookie preferences" in the footer.
  • Lodge a complaint with the ICO (ico.org.uk) if you think we've got it wrong.

DPA

B2B customers get our Data Processing Agreement on request. Email dpa@deephumanstudios.com and we'll send the countersigned version. See also the DPA page.

Changes to this policy

We'll change it. We'll tell you in-app when we do. Material changes give you 30 days' notice before they take effect.