Privacy Policy — GDPR & Data Protection Act 2018 Compliance Notice

Effective Date: June 11, 2026

Last Reviewed: June 11, 2026

Notice under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (Ireland): This document serves as a comprehensive statutory notice to all Data Subjects and clinical operators utilising the DocReport Ireland platform. By accessing or subscribing to our services, you acknowledge that you have read and understood the purposes, processes, rights, and obligations set forth below. This notice is issued by Be Smart Global, LLC, trading as DocReport Ireland, acting as a Data Processor under GDPR Article 28.

1. Overview, Legal Framework & Regulatory Scope

Be Smart Global, LLC (“DocReport Ireland”, “we”, “our”, or “us”), a Delaware Limited Liability Company, provides the DocReport Ireland B2B SaaS platform. This Privacy Policy is a legally binding agreement governing the processing of personal data within the jurisdiction of Ireland and the European Union. This policy is structured in strict compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act 2018 (Ireland), the Health Information and Quality Authority (HIQA) standards for health information, the Medical Practitioners Act 2007, and the regulations of the Irish Medical Council (IMC).

As a digital health documentation infrastructure provider, we align our platform with the HIQA “National Standards for Safer Better Healthcare” and the IMC Guide to Professional Conduct and Ethics for Registered Medical Practitioners regarding clinical confidentiality, electronic medical records, and the use of digital clinical tools.

This policy applies to all registered healthcare practitioners, private hospitals, GP practices, specialist clinics, and their authorised administrative staff (collectively referred to as “Subscribers” or “Data Controllers”) who upload, dictate, or transmit data through our clinical AI copilot, as well as the patients whose administrative and clinical coordinates are processed (“Data Subjects”).

2. Corporate Registration & Delaware Registry Coordinates

The DocReport Ireland platform is owned and operated by Be Smart Global, LLC, a corporate entity registered in the State of Delaware, United States of America, under File Number 10620833. Our registered corporate agent and address are as follows:

Be Smart Global, LLC
c/o Legalinc Corporate Services Inc.
131 Continental Dr, Suite 305
Newark, DE 19713, USA

All financial operations, payment gateway routing, subscription licensing, and corporate accounting are managed through our US bank accounts and our Stripe integration. Subscription fees calculated in Euro (EUR) are billed dynamically and processed securely. Our contact email for all legal, compliance, and data protection inquiries is info@be-smart-business.de.

3. Data Controller vs. Data Processor Relationship under GDPR

Under the GDPR and Data Protection Act 2018, the classification of parties is determined by who decides the purpose and means of processing personal data:

  • Subscribing Clinic / Practitioner as Data Controller (Article 4(7) GDPR): The registered medical practitioner, clinic, or hospital network determines the clinical purpose for compiling medical reports, dictating patient consultations, and filing insurance appeals. The Subscriber is the Data Controller and bears the primary statutory obligations to the patient (the Data Subject) under the GDPR and DPA 2018, including the obligation to obtain valid consent, provide Article 13/14 notices, and respond to data subject rights requests.
  • DocReport Ireland as Data Processor (Article 4(8) GDPR): We process personal data solely on behalf of the Subscriber in accordance with their instructions and the Data Processing Agreement (DPA) executed at subscription. We implement advanced technical and organisational measures to ensure compliance under GDPR Article 28. We do not interact directly with patients or make clinical determinations.

A GDPR-compliant Data Processing Agreement (DPA) is incorporated by reference into all subscription agreements. Irish-registered Subscribers require this agreement to lawfully engage us as a Data Processor under GDPR Article 28(3).

4. Categories of Personal Data Collected

In compliance with GDPR Articles 13 and 14 (transparency obligations), we notify you of the specific categories of personal data processed on our platform:

A. Data Controller / Subscriber Account Data

To manage accounts and billing, we collect the following professional details from registered practitioners and administrators:

  • Full Name and Professional Title (e.g., MB BCh BAO, MD, MRCPI, MICGP).
  • IMC Registration Number (issued by the Irish Medical Council).
  • Clinic or Hospital Name, physical address (including Eircode), and corporate contact details.
  • Email address, telephone number, and authentication credentials (hashed passwords using bcrypt).
  • Subscription tier selections, transaction histories, and Stripe billing tokens. We do not store raw payment card numbers.

B. Ambient Clinical Dictation and Patient Data

To generate structured clinical documentation, medical necessity letters, prior authorisations, and billing payloads, the platform processes:

  • Audio recordings and voice dictation transcripts of clinical consultations.
  • Patient demographic data (including age, gender, and clinical history — but never PPSN in cleartext, which is redacted browser-side before transmission).
  • Clinical observations, vital signs, physical examination records, and laboratory test results.
  • Private health insurance claim details, rejection codes, policy numbers (VHI, Laya Healthcare, Irish Life Health), and case reference numbers.

5. Lawful Basis for Processing under GDPR Article 6 & Article 9

As a processor of health data, DocReport Ireland handles special category data under GDPR Article 9 (health data). We rely on the following lawful bases:

  • GDPR Article 6(1)(b) — Performance of a Contract: Processing is necessary to provide the B2B subscription service to Subscribing clinics and practitioners.
  • GDPR Article 9(2)(h) — Medical Purposes: Processing of health data is necessary for the provision of health care or treatment and the management of health care systems, pursuant to Union or Member State law (DPA 2018, Schedule 2, Part 1).
  • GDPR Article 6(1)(c) — Legal Obligation: Processing to maintain audit logs and records in compliance with applicable Irish health legislation.

The Subscribing practitioner (Data Controller) is responsible for establishing and documenting their independent lawful basis for processing patient health data in their clinical practice, including obtaining valid patient consent where required by IMC guidelines.

6. PPSN Handling — Zero-Trust Browser-Side Redaction Architecture

The Personal Public Service Number (PPSN) is a unique identifier assigned by the Irish Department of Social Protection under the Social Welfare Consolidation Act 2005. Its use in non-governmental contexts is highly restricted under the Data Protection Act 2018 (Ireland) and GDPR. DocReport Ireland implements a Zero-Trust architecture to ensure PPSNs are never transmitted to or stored on our cloud infrastructure:

  • Browser-Based PPSN & PII Redaction: All patient-identifiable details — including PPSNs, names, dates of birth, Eircode addresses, and telephone numbers — are automatically detected and redacted inside the Subscriber's web browser before any data is transmitted to our remote servers. PPSN tokens are replaced with randomised placeholders (e.g., [IE_PPSN_REDACTED]). This redaction occurs in the browser's local memory using client-side JavaScript and does not touch our network infrastructure.
  • Zero-Knowledge Cloud Architecture: Our AI processing layer only receives anonymised clinical summaries with secure placeholder tokens. No PPSN or identifiable patient data is ever accessible to our servers, AI models, or staff.
  • Local Re-identification: The compilation and restoration of redacted identifiers occur strictly in the browser's active memory on the practitioner's own device. The cleartext patient record is never stored on or transmitted to our cloud database.
  • AES-GCM Encryption Before Storage: Saved clinical summaries are encrypted locally in the browser using AES-GCM (256-bit) cryptography before uploading to our EU-hosted databases. The encryption key is generated locally and stored solely in the browser's secure localStorage. We only store encrypted ciphertext blobs. If the local key is lost, we cannot decrypt or recover the data.
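
The browser-side PPSN redaction and local re-identification steps described above, shown as an added JavaScript example that is not DocReport Ireland's own code. The function names, the numbered token suffix and the sample text are assumptions; the check letter follows the standard PPSN modulus-23 rule.

```javascript
// Added example, not DocReport Ireland's code. Names and the numbered
// token suffix are assumptions made so tokens can be mapped back locally.
const CHECK_LETTERS = "WABCDEFGHIJKLMNOPQRSTUV"; // remainder 0..22
const PPSN_SHAPE = /\b\d{7}[A-Wa-w][A-IWa-iw]?\b/g;

// PPSN modulus-23 check: digits weighted 8..2, optional second letter x9.
function isValidPpsn(candidate) {
  const m = /^(\d{7})([A-W])([A-IW]?)$/.exec(candidate.toUpperCase());
  if (!m) return false;
  let sum = 0;
  for (let i = 0; i < 7; i++) sum += Number(m[1][i]) * (8 - i);
  if (m[3] && m[3] !== "W") sum += (m[3].charCodeAt(0) - 64) * 9;
  return CHECK_LETTERS[sum % 23] === m[2];
}

// Redact every PPSN-shaped string, even when the check letter is wrong:
// a mis-transcribed number must still never leave the browser.
function redactPpsns(text) {
  const vault = new Map(); // token -> original, kept in local memory only
  const suspect = [];      // tokens whose check letter failed
  const redacted = text.replace(PPSN_SHAPE, (hit) => {
    const token = `[IE_PPSN_REDACTED_${vault.size + 1}]`;
    vault.set(token, hit);
    if (!isValidPpsn(hit)) suspect.push(token);
    return token;
  });
  return { redacted, vault, suspect };
}

// Local re-identification: swap tokens back using the in-memory vault.
function restorePpsns(text, vault) {
  return text.replace(/\[IE_PPSN_REDACTED_\d+\]/g, (t) => vault.get(t) ?? t);
}

// Constructed sample dictation; the numbers are test values, not real PPSNs.
const SAMPLE = "PPSN 1234567FA, spouse 1234567T, misheard 7654321A.";
const result = redactPpsns(SAMPLE);
console.log(result.redacted, result.suspect);
console.log(restorePpsns(result.redacted, result.vault) === SAMPLE);
```

The `suspect` list lets the interface warn the practitioner about a probable transcription error without the candidate value ever being sent to a server.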

7. Data Subject Rights under GDPR Chapter III

Under the GDPR and Data Protection Act 2018, Data Subjects (patients) have the following statutory rights, which are primarily exercisable against the Data Controller (the Subscribing clinic or practitioner):

  • Right of Access (Article 15): Patients may request access to their personal data processed through the platform. The Subscribing practitioner is the primary point of contact for such requests.
  • Right to Rectification (Article 16): Patients may request correction of inaccurate or incomplete personal data.
  • Right to Erasure — ‘Right to be Forgotten’ (Article 17): Patients may request deletion of their personal data, subject to overriding legal retention obligations under Irish health legislation. Upon receiving a valid erasure instruction from the Data Controller, we will delete all corresponding encrypted cloud records within 30 days.
  • Right to Data Portability (Article 20): Where technically feasible and lawful, Subscribers may export their clinical records in a structured, machine-readable format.
  • Right to Restriction of Processing (Article 18): Data Subjects may request that processing be restricted in circumstances specified under Article 18.
  • Right to Object (Article 21): Data Subjects may object to processing in certain circumstances.

Requests to exercise these rights should be directed in the first instance to the Subscribing clinic or practitioner (Data Controller). Where we are required to act as Data Processor in fulfilling these requests, we will do so within the timeframes specified in our Data Processing Agreement.

8. EU Data Residency & Cross-Border Data Transfers

Under GDPR Chapter V, transfers of personal data outside the European Economic Area (EEA) require appropriate safeguards. Our data infrastructure is configured as follows:

  • EU Data Residency: All clinical data processed through DocReport Ireland is stored in EU-region cloud infrastructure (Ireland/EU data centres). No identifiable clinical data is stored in non-EEA jurisdictions.
  • US Account Administration: Account administration, billing processing, and system telemetry are managed by Be Smart Global, LLC in the United States through Stripe. This processing is covered by Standard Contractual Clauses (SCCs) pursuant to GDPR Article 46(2)(c) and the EU-US Data Privacy Framework where applicable.
  • Zero Cleartext Clinical Transfer: Because clinical consultation data is anonymised and encrypted before any transmission, no readable patient personal data is transferred outside the EEA. All B2B contracts incorporate Data Processing Agreements with strict data protection obligations.

9. HIQA Standards Alignment

The Health Information and Quality Authority (HIQA) sets national standards for health information management in Ireland. DocReport Ireland is designed to support Subscribers in meeting their obligations under relevant HIQA standards, including:

  • National Standards for Safer Better Healthcare: Our documentation templates support structured, auditable clinical records consistent with HIQA quality and safety standards.
  • National Standards for the Conduct of Reviews of Patient Safety Incidents: Clinical SOAP notes generated by DocReport include timestamped audit trails suitable for patient safety review processes.
  • eHealth Ireland Standards: Our export formats are designed for compatibility with the HSE's electronic health strategy and HSE PCRS portal workflows.

Note: DocReport Ireland is a B2B administrative documentation tool. Compliance with clinical governance, medical record keeping obligations, and patient safety requirements under HIQA standards remains the responsibility of the Subscribing Data Controller.

10. Retention of Personal Data & Clinical Records

Under GDPR Article 5(1)(e) (storage limitation), personal data must not be kept longer than necessary for the fulfilment of its processing purpose.

However, healthcare providers in Ireland are bound by Irish health legislation which mandates specific retention periods for clinical records:

  • Adult patient medical records must generally be preserved for 7 years from the date of the last consultation.
  • Paediatric patient records must be retained until the patient reaches the age of 25, or for 7 years after the final consultation, whichever is longer.
  • Records relevant to medico-legal proceedings must be retained until the resolution of all proceedings or until limitation periods expire.

These statutory retention mandates override standard erasure requests under GDPR Article 17(3)(b). The Subscribing clinic is responsible for managing these retention schedules. Upon subscription termination, we will purge all corresponding encrypted cloud databases within 30 days, subject to applicable legal retention obligations.

11. Technical Security Measures & Breach Notification

Under GDPR Article 32, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include:

  • Data Encryption in Transit and at Rest: All data is encrypted in transit using TLS 1.3. Clinical data in our EU cloud databases is encrypted using AES-256. Client-side AES-GCM encryption provides an additional layer of Zero-Trust security.
  • Access Control: Role-based access control (RBAC) and Multi-Factor Authentication (MFA) are enforced for all administrative interfaces.
  • Penetration Testing & Security Audits: We conduct periodic security assessments of our infrastructure in accordance with industry best practices.
  • Personal Data Breach Notification (GDPR Article 33 & 34): In the event of a personal data breach, we will notify the affected Data Controllers within 72 hours of becoming aware, as required by GDPR Article 33. Where the breach is likely to result in a high risk to the rights and freedoms of Data Subjects, we will assist the Data Controller in notifying the Data Protection Commission (DPC) and affected individuals as required.

12. Supervisory Authority — Data Protection Commission (Ireland)

The supervisory authority for data protection matters in Ireland is the Data Protection Commission (DPC). Data Subjects resident in Ireland have the right to lodge a complaint with the DPC if they believe their personal data has been processed in a manner inconsistent with the GDPR or DPA 2018:

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
www.dataprotection.ie

13. Grievance & Compliance Contact Information

For any privacy concerns, data access requests, erasure requests, or complaints regarding DocReport Ireland, please contact our Compliance Department:

Compliance Department: Legal & Corporate Affairs

Corporate Entity: Be Smart Global, LLC

Email: info@be-smart-business.de

Response Timeline: We will acknowledge your grievance within 48 hours and provide a final response or resolution within 30 days (extendable by a further 2 months for complex requests, with notice).

© 2026 Be Smart Global, LLC. All rights reserved.