- Organisation
- ScribeMat Ltd
- Version
- 1.0
- Effective date
- 3 April 2026
- Next review
- 2 April 2027
- Document ID
- PN-01
- Contact
- contact@scribemat.co.uk
1. Who we are
ScribeMat Ltd is a UK-based health technology company. We develop and provide a digital clinical scribing tool designed to support NHS clinical teams during obstetric and neonatal emergencies. We are registered in England and Wales.
ScribeMat Ltd is the data controller for personal data we collect and manage for our own business purposes (for example, staff records, website visitors, and supplier contacts). When we provide our clinical scribing tool to NHS Trusts, the NHS Trust is the data controller and ScribeMat acts as a data processor, processing personal data only on the instructions of the NHS Trust.
This Privacy Notice applies to all personal data we process, including information about patients, NHS staff users, website visitors, job applicants, contractors, and suppliers.
Our data protection contact is: contact@scribemat.co.uk
2. Who this notice is for
This notice covers all of the following groups of people:
- Patients whose data is captured by clinical staff using the ScribeMat tool during NHS clinical care
- NHS clinical staff who use the ScribeMat tool (for example, midwives and doctors)
- Visitors to our website (scribemat.co.uk)
- People who contact us by email, telephone, or via our website
- Job applicants and prospective contractors
- Existing employees, directors, and contractors
- Customer and supplier contacts
Each group's specific information is explained in the relevant section below. If you need this notice in a different format (for example, large print, another language, or audio), please contact us at contact@scribemat.co.uk.
3. What data we collect and why
3a. Patients
The ScribeMat tool is used by NHS clinical staff during emergencies to record a structured clinical transcript. We do this on behalf of the NHS Trust, who is the data controller. We collect only the minimum information necessary:
- NHS Number
- First name
- Emergency clinical narrative (a transcript of the emergency event, which may include health information)
We use this information to support the NHS Trust in delivering safe clinical care and to generate a structured record of the emergency event. We do not use patient data for marketing, research, or any purpose other than the agreed clinical purpose. We do not contact patients directly.
As a processor, we act strictly on the NHS Trust's instructions. If you have questions about how the NHS Trust uses your data, please contact the relevant Trust's Information Governance or Data Protection team. Their privacy notice will explain your rights in relation to that processing.
3b. NHS Staff Users
Clinical staff who use the ScribeMat tool have a user account created as part of the NHS Trust deployment. We collect:
- Name (used as your login identifier)
- User role and access level
- System audit logs (records of actions taken within the system, for security and governance purposes)
We process this data to manage system access, ensure appropriate use of the tool, and maintain an audit trail for the NHS Trust's governance requirements.
3c. Website Visitors
When you visit scribemat.co.uk we may collect limited technical data to help the website function, including:
- IP address and browser type (collected automatically via website hosting)
- Pages visited and time spent on the site
- Referral source
We use this information to understand how our website is used and to improve it. We do not use this data to identify individuals, and we do not serve advertising. If you submit an enquiry via our website contact form, we will use the information you provide solely to respond to you.
3d. Job Applicants and Contractors
If you apply to work with us or engage with us as a contractor, we will collect and use information you provide as part of that process, including:
- Name, contact details, and address
- CV, covering letter, and work history
- References and qualifications
- Right to work documentation
We use this information to assess your suitability for the role. If your application is unsuccessful, we will retain your information for a reasonable period (no longer than 6 months after the process concludes) in case of queries or future opportunities you have consented to. If you join us, your information is transferred to your personnel record.
3e. Employees and Directors
We hold personal data relating to our directors and any employees or contractors engaged by ScribeMat, including name, address, contact details, contractual and payroll information, and records required by law (for example, for HMRC and Companies House). A separate staff privacy notice is provided to all personnel on onboarding.
3f. Customer and Supplier Contacts
We hold contact details (name, job title, email address, telephone number) for individuals at NHS customer organisations and suppliers we work with. We use this information solely to manage those business relationships, including contract management, service delivery, and compliance evidence (including DSPT/DTAC requirements).
4. Our lawful basis for processing
Under UK GDPR, we must have a lawful basis before we can use your personal data. The table below sets out the basis we rely on for each group:
| Group | Lawful Basis (Article 6) | Special Category Condition (Article 9) |
|---|---|---|
| Patient data (via NHS clinical tool) | Public Task – Art 6(1)(e) as determined by the NHS Trust controller | Health/social care – Art 9(2)(h); Public health – Art 9(2)(i) |
| NHS staff user accounts & audit logs | Public Task – Art 6(1)(e) or Contract – Art 6(1)(b) | N/A |
| Website visitors | Legitimate Interests – Art 6(1)(f) (website improvement) | N/A |
| Job applicants | Legitimate Interests – Art 6(1)(f) (recruitment); Legal Obligation – Art 6(1)(c) | Only if voluntarily disclosed |
| Employees / directors / contractors | Contract – Art 6(1)(b); Legal Obligation – Art 6(1)(c) (HMRC, Companies House) | Employment – Art 9(2)(b) if applicable |
| Customer & supplier contacts | Contract – Art 6(1)(b); Legitimate Interests – Art 6(1)(f) | N/A |
5. Where data comes from
We receive personal data from the following sources:
- Directly from you – for example, when you contact us, apply for a role, or use the ScribeMat tool
- From the NHS Trust – when a Trust deploys the ScribeMat tool, they provide user account details and patient identifiers are entered by clinical staff
- Automatically via our website or systems – for example, technical access logs
- From third parties – for example, references provided as part of a job application, or contact details provided by a customer or supplier organisation
6. Who we share data with
We do not sell personal data. We do not share data for marketing purposes. We share data only as described below:
- NHS Trusts (controllers) – patient data and audit data are accessible to the relevant NHS Trust as part of the contracted clinical service
- Cloud Provider – our application and data are hosted on cloud infrastructure (UK only). The Cloud Provider processes data as our sub-processor under a Data Processing Agreement
- Microsoft 365 – we use Microsoft 365 for internal communications and document management. This is used for business data, not patient clinical data
- HMRC and Companies House – as required by law for payroll and statutory filings
- Professional advisors – for example, our accountant, where necessary and under confidentiality obligations
- Regulatory bodies – for example, the Information Commissioner's Office (ICO) if required by law
We may share data with other sub-processors or suppliers where necessary to deliver our services. A full list of sub-processors is maintained in our Information Asset Register.
7. International transfers
Our default is to keep all customer clinical data within the UK. Our application is hosted exclusively on UK cloud datacentres.
Our internal Microsoft 365 environment may store some business data in EU datacentres operated by Microsoft. This is covered by the UK Government's adequacy regulations and Microsoft's standard Data Processing Agreement.
We do not transfer patient or clinical data outside the UK. If any transfer outside the UK were to become necessary, we would ensure appropriate safeguards are in place (for example, UK International Data Transfer Agreements) and would notify affected NHS customers as contractually required.
8. How long we keep your data
| Type of data | Retention period |
|---|---|
| Patient clinical data (ScribeMat tool) | As directed by the NHS Trust controller. Minimum 8 years per NHS Records Management Code of Practice 2021 (maternity records). Deleted on Trust instruction per Data Processing Agreement. |
| NHS staff user account data | Duration of Trust engagement plus applicable statutory period. Deactivated on staff departure or contract end. |
| Website enquiries | Up to 12 months unless an ongoing relationship develops |
| Job application data (unsuccessful) | Up to 6 months after the process concludes |
| Employee / contractor records | Duration of employment/contract plus 6 years (HMRC requirement) |
| Customer / supplier contact data | Duration of relationship plus 6 years |
| DSPT / compliance evidence | Duration of NHS engagement plus 6 years |
9. How we protect your data
We take the security of personal data seriously. Our measures include:
- Encryption of personal data at rest and in transit
- Multi-factor authentication (MFA) for all system access
- Role-based access controls (RBAC) and least-privilege principles
- Hosted exclusively on Cloud UK-only data residency for clinical data
- Audit logging of all system access and actions
- Regular vulnerability monitoring and patching
- Supplier and sub-processor due diligence, with Data Processing Agreements in place
- Staff data protection awareness training
- Documented incident response procedures
Full details of our security controls are set out in our Information Security Policy (POL-01) and Security Controls Standard (STD-01), available on request by NHS customers.
10. Your rights
Under UK GDPR, you have the following rights in relation to your personal data. The rights that apply to you will depend on the lawful basis we use and whether we are acting as a controller or processor for your data.
| Right | What it means |
|---|---|
| Right to be informed | To know how your data is used – this Privacy Notice fulfils that obligation |
| Right of access | To request a copy of the personal data we hold about you (Subject Access Request) |
| Right to rectification | To ask us to correct inaccurate or incomplete data we hold about you |
| Right to erasure | To ask us to delete your data in certain circumstances (e.g. where it is no longer necessary) |
| Right to restrict processing | To ask us to limit how we use your data in certain circumstances |
| Right to data portability | To receive your data in a structured, machine-readable format where applicable |
| Right to object | To object to processing based on legitimate interests or public task |
| Rights re automated decisions | Not to be subject to solely automated decisions that significantly affect you |
Patient note:If you are a patient whose data has been processed via the ScribeMat tool, the NHS Trust is the data controller for that processing. You should direct rights requests to the NHS Trust's Information Governance team. ScribeMat will support the Trust in responding to your request.
To exercise any rights where ScribeMat is the controller, please contact us at contact@scribemat.co.uk. We will respond within one calendar month. We may ask you to verify your identity before processing your request.
11. How to contact us about data protection
If you have any questions about this Privacy Notice, or about how we handle your personal data, please contact us:
- Email: contact@scribemat.co.uk
- Post: Data Protection Lead, ScribeMat Ltd, 341 Kents Hill Road, Benfleet, Essex, SS7 5XT
- Website: scribemat.com/privacy
Our Data Protection Lead is the Co-Founder and Technical Director of ScribeMat Ltd.
12. How to make a complaint
We take all privacy concerns seriously and will do our best to resolve any issues. However, if you are not satisfied with how we have handled your personal data, you have the right to make a complaint to the Information Commissioner's Office (ICO):
- ICO website: ico.org.uk
- ICO helpline: 0303 123 1113
- ICO post:Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
You can also contact the ICO online at: ico.org.uk/make-a-complaint
13. Changes to this Privacy Notice
We review this Privacy Notice at least once a year and whenever we make a material change to how we process personal data. The current version, along with an archive of previous versions, is available at scribemat.com/privacy.
If we make significant changes, we will notify affected individuals where we are able to do so (for example, by email to NHS Trust contacts). Minor updates will be reflected in the version number and effective date above.
14. Accessibility and alternative formats
This notice is available at scribemat.com/privacy and is designed to be accessible and readable on all devices.
If you need this notice in a different format – including large print, audio, Easy Read, or a language other than English – please contact us at contact@scribemat.co.uk and we will do our best to accommodate your request.
NHS Trust customers may also provide printed copies of relevant sections to patients as part of their own patient information materials (for example, as part of a patient information leaflet on the use of technology during emergency care).
Questions about this notice or your personal data?