Privacy Policy
1. Who we are
This privacy policy explains how Neos Wave Limited ("Neos Wave", "we", "us", "our") handles personal data in connection with the AVA service and the website at avasupport.co.uk.
- Company: Neos Wave Limited, registered in England and Wales, company number [INSERT].
- Registered office: [INSERT].
- Data protection contact: info@neoswave.com.
AVA is a conversational AI service for clinics and pharmacies. It answers calls, engages website visitors, recovers missed enquiries, supports appointment booking, and (through AVA Companion) produces post-consultation summaries for patients, with a human team behind the technology.
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where applicable to users or clinics in the EU, we also comply with the EU GDPR and the EU AI Act (see Section 10).
2. Our two roles: controller and processor
We are the data controller for personal data relating to:
- Visitors to our website and people who try our voice/chat demo;
- Prospective clients and their staff who contact us or book a walkthrough;
- Our clinic and pharmacy clients and their staff (account administration, billing, support);
- Business contacts, marketing recipients, and applicants.
We are a data processor when we handle personal data about patients and end-callers on behalf of our clinic and pharmacy clients. In that context, the clinic or pharmacy is the controller. If you are a patient, please contact the clinic or pharmacy you dealt with.
This policy describes our processing as a controller. Our processing as a processor is governed by our data processing agreement (DPA) with each client. A copy is available at [INSERT link] or on request.
3. The personal data we collect
- Identity and contact data: name, business name, role, email, phone number, postal address.
- Enquiry and demo data: messages, calls or demo conversations with AVA, including voice recordings and transcripts.
- Client account data: credentials, configuration, branding settings and authorised users.
- Billing data: billing contact, plan and transaction records. Card payments are processed by Stripe; we do not store full card details.
- Technical and usage data: IP address, device/browser info, pages viewed, interactions (via cookies — see Section 13).
- Communications data: records of correspondence and support interactions.
We do not seek special category data from website visitors or prospective clients. Health-related data in live clinic use is processed as a processor (see Sections 2 and 7).
4. How we use your data and our lawful bases
| Purpose | Lawful basis |
|---|---|
| Responding to enquiries and running the website demo | Legitimate interests; steps prior to a contract |
| Providing, configuring and supporting AVA | Performance of a contract |
| Billing and payments | Performance of a contract; legal obligation |
| Improving AVA and our services | Legitimate interests (and consent where required) |
| Marketing to business contacts | Consent, or legitimate interests where permitted |
| Security and fraud prevention | Legitimate interests; legal obligation |
| Complying with law and regulators | Legal obligation |
5. AI interactions, recordings and transcripts
Your interactions with AVA may be recorded and transcribed so we can respond to your enquiry, operate the service, and improve quality.
- AI disclosure: you will be told when you are speaking with AI at the start of any AVA interaction.
- Voice cloning: where a clinic opts for a custom AI voice, this is only done with the documented consent of the individual whose voice is used.
- AI-generated content (including synthetic audio and Companion summaries) is identifiable as AI-generated.
6. Automated processing and human oversight
AVA uses AI to understand requests, answer questions, and route enquiries. AVA does not make solely automated decisions that produce legal or similarly significant effects. It does not give medical advice or decide clinical suitability — clinical matters are handled by qualified humans at the relevant clinic.
7. Special category (health) data
In live clinic deployments, AVA may handle health-related information. We process such data only as a processor, on the documented instructions of the clinic or pharmacy, under a DPA. The clinic is responsible for the appropriate lawful basis and informing its patients.
8. Who we share data with
- Service providers: cloud hosting, telephony, speech-to-text, AI/language model providers, ticketing tools and analytics. These include Stripe (payments), Twilio (telephony), ElevenLabs (voice), and our hosting and CRM providers. A sub-processor list is available at [INSERT link].
- Our clinic/pharmacy clients where we process patient data on their behalf.
- Professional advisers, auditors and authorities where required by law.
- A successor entity in the event of reorganisation, merger or sale.
We do not sell your personal data.
9. International transfers
We aim to process data in the UK or EEA. Where a provider processes data outside the UK/EEA, we use appropriate safeguards such as the UK IDTA or UK Addendum to EU SCCs. Details available on request.
10. EU AI Act compliance
AVA is an AI system that interacts directly with people and generates synthetic content. Where the EU AI Act applies, we comply with its requirements.
- Transparency: anyone interacting with AVA is informed they are interacting with an AI system. Synthetic audio and AI-generated text are marked as AI-generated.
- Risk classification: AVA is designed as a limited-risk AI system. It is not a medical device and does not perform clinical diagnosis or triage.
- Governance: we maintain technical documentation, human oversight, logging and quality processes.
Our primary regulatory framework is UK data protection law. We monitor the developing UK approach to AI regulation alongside the EU AI Act standards.
11. How long we keep data
- Enquiry and demo data: [e.g. 24 months] from last contact.
- Client account and billing data: duration of relationship and [e.g. 6 years] afterwards.
- Voice recordings and transcripts: [INSERT retention period].
Retention of patient data in live deployments is set by each clinic in its DPA.
12. How we protect data
We use encryption in transit and at rest, access controls, secure UK/EEA hosting, supplier due diligence, staff confidentiality, and monitoring. Health-related data is subject to enhanced controls.
13. Cookies and analytics
Our website uses cookies for essential functionality and, with your consent, for analytics. You can manage non-essential cookies through our cookie banner and browser settings. See our Cookie Policy for details.
14. Your rights
Under UK GDPR you have the right to: access your data; have inaccurate data corrected; have data erased; restrict or object to processing; request data portability; and withdraw consent. To exercise your rights, contact us at info@neoswave.com. We respond within one month.
If you are a patient, please contact the clinic or pharmacy you dealt with, as they are the controller.
You can also complain to the Information Commissioner's Office (ICO) — ico.org.uk, helpline 0303 123 1113.
15. Children
AVA and our website are intended for clinics, pharmacies and adults. Our services are not directed at children.
16. Changes to this policy
We may update this policy and will post the updated version here with a revised date. Where changes are significant, we will notify you directly.
17. Contact us
Neos Wave Limited
[Registered office address]
Email: info@neoswave.com