1. Introduction & UK GDPR Compliance
Be Smart Global, LLC ("DocReport", "we", "our", or "us") operates the DocReport platform accessible at https://docreport.eu/uk and associated mobile or web-based applications (collectively, the "Service").
This Privacy Policy is designed to comply with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018"). It describes how we collect, use, disclose, and protect personal data relating to UK users of our Service.
Please note that for the purposes of the UK GDPR, we act as a Data Controller for the administrative and account information you provide to use our Service (such as your name, credentials, billing email, and login details). For the clinical documentation drafts and audio transcripts processed via our Zero-Trust framework, we act strictly as a Data Processor on behalf of the individual medical practitioner or healthcare organisation (who acts as the Data Controller).
2. Who We Are
Be Smart Global, LLC is a Delaware Limited Liability Company (Delaware File No. 10620833) operating the DocReport platform. Our registered agent for service of process is Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, United States.
For privacy inquiries or to contact our Data Protection Officer, you can email us at: info@be-smart-business.de.
3. Local Browser Redaction & Zero-Trust Clinical Data Handling
To uphold the highest information governance standards, DocReport implements a browser-side Zero-Trust compliance workflow:
- Local Redaction: All patient Personally Identifiable Information (PII) — including patient names, NHS numbers, telephone numbers, addresses, and dates of birth — is automatically scrubbed locally within your web browser before clinical transcripts are sent over the network. Raw PII is never transmitted to our remote AI processing servers.
- Client-Side Encryption: Clinical documentation saved in our databases is encrypted locally inside your browser using a high-entropy key stored strictly on your local computer. We only store anonymised text and indecipherable encrypted blobs on our servers, ensuring we have no cleartext access to patient records.
4. Personal Data We Collect
4.1 Information You Provide to Us
- Account Registration details: Full name, professional credentials (such as your GMC number or practice role), clinic name, and email address.
- Transactional data: Billing name, email address, corporate VAT number (if applicable), and subscription details.
- Support Communications: Content of emails or messages sent to our technical assistance channels.
4.2 Information Collected Automatically
- System log files (IP address, operating system, browser type, timestamps).
- Anonymised usage metrics (duration of sessions, selected templates, feature interaction logs).
- Functional cookies strictly necessary to maintain authentication sessions.
5. Lawful Bases for Processing
Under the UK GDPR, we process your account and billing personal data based on the following legal grounds:
- Performance of a Contract: To set up, authenticate, and maintain your practice subscription and provide access to the Service.
- Legitimate Interests: To secure and monitor the performance of our web applications, troubleshoot bugs, and provide technical support.
- Compliance with Legal Obligations: To comply with financial reporting, taxation, and statutory requirements (e.g. maintaining accurate corporate transaction histories).
6. International Data Transfers & US Stripe Billing Disclosures
Because we are headquartered in the United States, your account administrative data (such as login credentials and subscription preferences) will be transferred to and stored in the United States.
Stripe Payment Processing & Disclosures: All billing, invoicing, and subscription payments are processed securely by our third-party payment provider, Stripe, Inc. When you subscribe, your payment details (billing name, credit card details, address) are transmitted directly to Stripe's servers in the United States.
Stripe, Inc. processes this payment data in accordance with its own privacy policies and transfers data internationally using Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO) or under adequacy decisions where applicable. DocReport does not store full credit card numbers or raw billing credentials on its own servers.
7. Data Retention
We retain account administration and billing information for as long as your practice subscription is active, or as required by applicable UK tax laws (typically 6 years for financial transaction invoices).
All locally encrypted clinical data stored on our servers is deleted immediately upon your request or within 30 days of subscription termination.
8. Data Security Measures
We implement comprehensive technical and organisational security controls, including TLS 1.3 encryption in transit, local AES-256 client-side encryption for saved files, role-based access management, and multi-factor authentication. Our backend databases are hosted on secure, ISO 27001 and SOC 2 Type II certified cloud infrastructure.
9. Your Rights Under UK GDPR
As a UK resident, you have the following rights regarding the personal data we hold about you as a Data Controller:
- Right of Access: Obtain a copy of your account and transactional data (Subject Access Request).
- Right to Rectification: Request correction of inaccurate professional details or credentials.
- Right to Erasure: Request the deletion of your account personal data, subject to statutory tax record retention rules.
- Right to Restriction of Processing: Request that we limit the processing of your account data.
- Right to Data Portability: Obtain a copy of your account information in a structured, machine-readable format.
- Right to Object: Object to processing carried out under our legitimate interests.
To exercise these rights, please email us at info@be-smart-business.de. We will respond to verified requests within one calendar month.
You also have the right to lodge a complaint with the UK supervisory authority: the Information Commissioner's Office (ICO) at ico.org.uk.
10. Changes to This Policy
We may update this Privacy Policy to reflect regulatory changes. We will notify you of material changes by email or via a prominent notification on our platform 30 days before updates become effective.
11. Contact Details
Privacy & Compliance Officer
Email: info@be-smart-business.de
Registered Agent: Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA
© 2026 Be Smart Global, LLC. All rights reserved.