Security & Compliance

Your clinic protected.
Your patients, at ease.

CAi is built from day one to comply with GDPR and LOPD. Here we explain exactly what data we process, why, and how we protect it.

🇪🇺 RGPD / GDPR: EU compliance
🔒 TLS encryption: data in transit
🏥 No medical records: no access to health records
🗓️ Appointments only: minimum data scope

What data does CAi process?

CAi operates on the principle of minimum necessary data. We only process what is strictly necessary to manage calls and appointments. The following table shows exactly what we access and what we do not access under any circumstances.

| Data type                 | Use                                                  | Access                                        |
|---------------------------|------------------------------------------------------|-----------------------------------------------|
| Patient name              | Identify the appointment in the system               |                                               |
| Phone number              | Return the call or send WhatsApp reminder            |                                               |
| Appointment date and time | Book / modify / cancel in the clinic system          |                                               |
| Reason for visit (generic)| Redirect to correct professional if applicable       |                                               |
| Medical history           |                                                      | CAi does not access this data at any time     |
| Diagnoses or treatments   |                                                      | CAi does not access this data at any time     |
| Payment or insurance data |                                                      | CAi does not access this data at any time     |

What happens with voice recordings?

CAi records calls to generate transcriptions and allow the clinic to review conversations. These are the exact policies that govern recordings:

  • Calls are processed in real time and stored encrypted in EU infrastructure
  • Voice logs are retained for a maximum of 30 days, after which they are automatically deleted
  • Transcriptions (text) can be retained longer at the clinic's request
  • Recordings are never shared with third parties for commercial purposes
  • The clinic may request zero retention: calls processed without persistent storage

Infrastructure and data location

All CAi infrastructure runs on servers within the European Union, in compliance with GDPR data residency requirements.

  • Hosting: our own infrastructure with EU-region servers
  • Encryption in transit: TLS 1.2+ on all communications
  • Credentials and API keys encrypted at rest
  • Access controlled by environment and role

GDPR and LOPD Compliance

CAi complies with the General Data Protection Regulation (GDPR) and Spain's Organic Law on Data Protection (LOPD-GDD). In the data processing chain:

  • The clinic acts as data controller (owner of the patient relationship)
  • QuiroAds / CAi acts as data processor on behalf of the clinic
  • We sign a Data Processing Agreement (DPA) with each clinic
  • We apply data minimisation: we only process data strictly necessary for the service
  • Patients can request deletion of their data at any time
  • We do not share data with third parties except subcontracted technical providers necessary for the service, all operating under DPA

Your responsibility as a clinic

As controller of your patients' data, the clinic has certain obligations when using CAi:

  • Inform patients that calls may be answered by an AI assistant
  • Update your privacy policy to include CAi as a data processor
  • Sign the Data Processing Agreement with QuiroAds before going live

We provide a ready-to-use DPA template and guidance on adapting your privacy policy. Our team will guide you through this during onboarding.

Do you have compliance questions?

Our team can answer your GDPR, DPA or technical security questions before you make a decision. No obligation.

Talk to the team