GDPR and Voice Data in Clinics: A Practical Compliance Guide
AI specialists for health clinics · QuiroAds
The Framing Mistake That Triggers Most Clinic GDPR Issues
Europe closed 2025 with roughly 1.2 billion euros in accumulated GDPR fines, according to the DLA Piper annual survey (January 2026). Spain leads EU countries by number of fines issued, with 651 sanctioning files on record according to Statista (2024), and the AEPD has kept the healthcare sector under close watch. Marina Salud, a public health service provider, was investigated for refusing to disclose contracts with third-party IT providers handling patient data categorized as health, genetic, and other special-category information.
Most clinics that run into GDPR problems don’t do it in bad faith. They do it through a framing mistake. They treat call recordings as if they were audio files. GDPR treats them as health data when they happen in a clinical context. That single difference changes the applicable legal basis, the retention period, the vendor contract, and the patient rights you need to support.
This guide lays out the points a clinic needs settled before recording a single call, and the ones you should revisit when you contract an AI voice assistant. It’s written for chiropractors, physiotherapists, and osteopaths operating in Spain or elsewhere in the EU.
What GDPR Considers “Voice Data” in a Clinic
Voice, on its own, is personal data. The Spanish AEPD has confirmed it in several resolutions compiled by Edora Consulting: the timbre and biometric features of a voice allow identification of an individual, which places voice under the scope of GDPR protection.
Inside a clinic the nuance goes further. When a patient calls to book an appointment, describe symptoms, or ask about a treatment, the conversation contains information about their health. That information becomes health data, covered by Article 9 of GDPR as a special category. Processing health data requires a reinforced regime: a legal basis from Article 6 plus an exception from Article 9 that allows handling it.
Recording a call at a tax office is not the same as recording one at a physiotherapy clinic. The clinical content of the second turns the audio file into a health record, even if the patient only called to book a session slot.
The Legal Basis: When Consent Works and When Legitimate Interest Does
GDPR Article 6.1 lists six legal bases for processing personal data: consent, contract performance, legal obligation, vital interests, public interest, and legitimate interests. Consent is not the only one, and for call recording in clinics you need to choose with care.
Consent is the cleanest basis when you record for training, quality control, or service improvement. It has to be freely given, specific, informed, and unambiguous, and the patient must be able to withdraw it at any time. A one-liner at the start of the call like “this call may be recorded” is no longer enough: the AEPD expects patients to be able to object without losing the service.
Legitimate interest fits when the recording serves to document the operation (for example, to prove the patient accepted an appointment or a quote). IAPP published an analysis (2024) explaining that call centers can rely on legitimate interest for service recordings, provided they run the balancing test and the patient’s interest doesn’t override it.
Contract performance works for the administrative part of the call (booking, confirming, canceling), but it doesn’t cover the health data that shows up inside the conversation. For that data you have to layer an Article 9 exception on top: usually explicit patient consent, or necessity for preventive medicine, diagnosis, or the provision of healthcare.
The combination that works best in a clinic is usually: legitimate interest for recording the operational part, plus explicit consent to process the clinical content of the conversation and to store it.
If your voice assistant is an AI that processes calls in real time, our security and compliance page goes deeper into the technical side of the infrastructure.
Five Minimum Requirements to Record Calls Without Exposing the Clinic
First, inform before recording. GDPR forbids silent recordings. The patient has to know the call is being recorded, for what purpose, who the controller is, and how to exercise their rights. You can deliver that information with a short audio notice at the start of the call plus a link to the privacy policy for the detail.
Second, minimize the data. Only record and store what’s needed for the stated purpose. If the goal is to confirm a booking, there’s no point storing five minutes of clinical conversation. Well-configured AI voice assistants retain the structured transcript of the booking, not the full audio.
Third, encrypt data in transit and at rest. TLS 1.2 or higher for transport and AES-256 for storage are the minimum standards the AEPD looks at during healthcare inspections. Encryption needs to be provable with vendor documentation.
Fourth, host the data in the EU. Hosting outside the European Economic Area requires an international transfer with safeguards (standard contractual clauses, adequacy decision). Handling that for a small clinic is rarely worth it. If the vendor can’t host natively in the EU, that’s a friction point to sort out before signing.
Fifth, sign a data processing agreement. It’s the document that governs what the vendor does with your patients’ data. Without it, liability falls entirely on your clinic. Serious vendors provide it by default.
Retention: Reasonable Periods and What the AEPD Expects
GDPR doesn’t set fixed retention periods: it requires data not to be kept longer than necessary for the purpose. That wording leaves room, but there are practical references.
For service calls in general call centers, the common range is 12 to 24 months, according to the analysis published by NiCE (2024). For calls with clinical content that period shrinks considerably. In practice, 90 days is a reasonable cap for raw audio of a healthcare call. After that, the sensible path is to keep only the structured transcript (date, time, reason, booking confirmed) and delete the audio.
The exception is calls that become part of a medical file. In that case sector-specific retention applies: in Spain, Law 41/2002 requires clinical documentation to be kept for at least five years from discharge. But that applies to clinically relevant content, not to the full recording of every scheduling call.
A common mistake is keeping all calls “just in case”. The AEPD reads that as processing without a defined purpose, and it’s one of the most frequent causes of retention-based fines in the services sector.
Patient Rights Your Vendor Must Be Able to Handle
Patients have six main GDPR rights: access, rectification, erasure, objection, restriction, and portability. For voice recordings the first four are where friction shows up.
Access. If the patient asks for a copy of their recordings, the clinic has one month to deliver, per Article 12.3 of GDPR. The voice assistant vendor has to let you export recordings identified by patient. If it can’t, your clinic is out of compliance.
Erasure. The right to be forgotten means permanently deleting audio and transcripts. A vendor that just “marks as deleted” without physically erasing the files doesn’t comply. The same applies to backups: the backup rotation schedule should be documented so the clinic can show when the last copy is actually gone.
Rectification. If the patient spots an error in a transcript (a misattributed diagnosis, for example), they have the right to have it corrected. That’s harder on raw audio, which is why structured transcripts make compliance easier.
Objection. The patient can object to being recorded. If the legal basis was consent, the withdrawal is immediate. If it was legitimate interest, the clinic has to run a new balancing test and explain why the interest overrides the patient’s, which rarely ends well.
What to Ask Your Vendor Before Signing
A short, practical list of points to bring up in the contract meeting:
| Question | Answer to accept |
|---|---|
| Where is the voice data hosted? | EU, with the region confirmed in writing |
| What encryption do you use in transit and at rest? | TLS 1.2+ and AES-256, with documentation |
| How long do you retain audio and transcripts? | Audio: 90 days max. Transcripts: configurable |
| How is an access or erasure request handled? | Dashboard with per-patient export and deletion |
| Is there a data processing agreement? | Yes, signed before the main contract |
| What sub-processors do you use? | Public, maintained list |
| How do you notify a data breach? | Under 72h to the controller (your clinic) |
| Have you been inspected by a DPA? | Transparent answer, with references |
The sub-processor question is the one most vendors dodge. Every AI voice assistant leans on several providers underneath (language model, transcription, telephony, storage). The list must be available and current, and each one should have its own processing contract.
If you want to compare this with the human-receptionist model, where GDPR applies differently, our comparison page (CAi versus a receptionist) and the alternatives page cover the ground. To see how CAi handles these points in practice, the demo is available.
Frequently Asked Questions
Do I need explicit patient consent to record the call?
For recording the operational part (booking, confirming, canceling) you can rely on legitimate interest if you pass the balancing test. To process the clinical content that shows up in the conversation, you do need explicit patient consent under Article 9 of GDPR. In practice, a notice at the start of the call plus documented consent in the patient’s file tends to be the cleanest path.
How long can I keep call recordings?
There’s no fixed period. The GDPR rule is not to keep more than necessary. For healthcare calls, 90 days is a reasonable cap on raw audio. After that it’s common to keep only the structured transcript (date, reason, booking). If the recording becomes part of the patient’s clinical file, healthcare-specific retention applies (at least five years in Spain under Law 41/2002).
Can I use an AI voice assistant whose vendor hosts data in the US?
Yes, but it adds complexity. You’d have to sign standard contractual clauses, document an international transfer, and assess the destination country’s level of protection. For a small clinic it rarely pays off. The cleanest option is a vendor with native EU hosting, ideally with the region confirmed in writing in the contract.
What happens if a patient exercises their right to be forgotten?
Your clinic has one month to respond. The voice assistant vendor must let you identify every recording and transcript tied to that patient and delete them permanently, including backups. If the vendor only “marks as deleted” without physical removal, compliance is partial and the liability stays with your clinic.
Who is responsible if a security breach happens at the vendor?
The clinic is the controller, and answers to the patient and the data protection authority. The vendor is the processor, and answers to the clinic according to the signed contract. That’s why the contract needs to spell out security obligations, breach notification under 72 hours, and assistance if the authority requests it. Without that contract, all liability concentrates on the clinic.