
Privacy Policy

How Scriva protects your data and the data of your patients.

Last updated: 2 June 2026

1. Who we are

We take the privacy of our users seriously. This Privacy Policy explains how Scriva, software for AI-assisted medical documentation and real-time voice transcription, handles and protects your personal data in accordance with applicable privacy legislation, including the EU General Data Protection Regulation (GDPR). Scriva is developed and operated by TP53 S.r.l. (VAT IT02203290388), registered office Via Pomposa 153, 44123 Ferrara (FE), Italia, legal representative Matteo Melina (Amministratore Unico).

We only process personal data that is relevant and necessary for the purposes it serves. Scriva acts as a data processor with respect to any patient or consultation data processed through the platform on behalf of its customers. The processing of such data is governed by the Data Processing Agreement (DPA) entered into between TP53 S.r.l. and the relevant customer, and is not covered specifically by this Privacy Policy.

2. Our core principle

Your patients' data are safe. Data entered into or processed by Scriva is not disclosed to anyone outside the clinician's practice, other than the sub-processors listed in section 9 acting on our instructions, and is never used for any purpose other than delivering the service.

TP53 S.r.l. has no interest in, and no operational need for, access to patients' clinical content beyond what the technical operation of the platform requires. Patient data is never used to train, fine-tune or improve AI models, neither by us nor by third-party providers.

3. For what purposes we collect personal data

Although some of our customers are organised as businesses, delivering our service still requires the processing of certain personal data. We only process data for which we have a legal basis.

Marketing and information purposes

When you request information or subscribe to newsletters, we collect, with your consent, necessary contact information such as email address, name and phone number. Recipients may withdraw their consent at any time. Legal basis: Article 6(1)(a) GDPR — your consent.

Entering into an agreement for our services

To offer and deliver the service we require some personal information, including data necessary to manage billing and provide support. When creating an account you may be asked for your name, professional or organisational identifier (such as your healthcare registration number or clinic identifier), email, phone, mailing address and associated medical centre. We do not collect national identity numbers unless specifically required for a regulated purpose. Legal basis: Article 6(1)(b) GDPR — performance of a contract.

Analysing user activity to improve our services

To analyse and improve the service we may process user-activity data such as IP address, browser type, visit time and how you interact with the platform. Legal basis: Article 6(1)(f) GDPR — our legitimate interest in improving functionality, stability and user experience, which we have assessed is not overridden by your interests or fundamental rights.

Legal obligations

We may process personal data to fulfil legal obligations, such as accounting or tax duties. Legal basis: Article 6(1)(c) GDPR — compliance with a legal obligation.

4. Roles under the GDPR

The correct allocation of the roles set out in Regulation (EU) 2016/679 ensures transparency and protection of data subjects' rights.

  • Healthcare professional — Data Controller: determines the purposes and means of processing and remains in control of their patients' data.
  • TP53 S.r.l. (Scriva) — Data Processor: processes patient data on the Controller's documented instructions, within the limits of the service.
  • Patient — Data Subject: enjoys the rights of access, rectification, erasure, portability and objection under Articles 15-22 GDPR.

For account-related personal data (e.g. registration, billing and support), Scriva acts as data controller in accordance with this Privacy Policy.

5. Data we process

Identification / contact data

First and last name, email, phone, address, date of birth, gender, profession, login credentials, IP address and user-agent (audit logs).

Health data (special category — Art. 9 GDPR)

  • Medical history, conditions, allergies and intolerances
  • Clinical notes and consultation reports generated from the visit
  • Real-time transcription of the spoken consultation

Only the data strictly necessary to provide the service is collected and processed, in application of the data minimisation principle under Art. 5(1)(c) GDPR.

6. Audio and transcription

Transcription happens in real time. No audio recording of the consultation is stored: the audio stream is processed on the fly to produce the text and is not retained afterwards.

Generated notes and transcripts are automatically deleted after twenty-four (24) hours from the end of a consultation, and clinicians can also delete them at any time.

7. Responsible use of Artificial Intelligence

  • Support, not replacement of clinical judgement. AI-generated content is an operational aid and does not replace the professional's clinical or ethical judgement. Every decision remains under the sole responsibility of the professional.
  • No use of data for model training. Patient data is never used to train, fine-tune or improve AI models, neither by us nor by third-party providers.

TP53 S.r.l. accepts no responsibility for clinical decisions taken on the basis of AI outputs. The professional must critically assess every suggestion before applying it to clinical practice.

8. Cookies

We use cookies to register and analyse activity on our website, in order to improve the website and our services as well as for marketing purposes. If you do not want cookies to be stored, you may change your browser settings and delete existing cookies; you may experience reduced functionality if you reject them.

Necessary and functional cookies, as well as cookies for statistics, are processed based on our legitimate interest. Legal basis: Article 6(1)(f) GDPR — our legitimate interest in improving the functionality, stability and user experience of our platform.

9. Who we share personal data with

To offer and optimise our services we rely on reputable service providers who offer sufficient guarantees to protect personal data and who may only process it according to our instructions and the relevant data processor agreement. We rely on IT providers, digital platforms for managing customers, sales, marketing and support, login and verification services, invoicing and payment processing, and analytics.

Our core sub-processors, each bound by data-protection obligations equivalent to ours (DPA + Standard Contractual Clauses where applicable), include:

  • Vercel Inc. — application hosting and compute (Frankfurt, EU)
  • Neon Inc. — PostgreSQL database, primary storage (Frankfurt, EU)
  • Cloudflare Inc. — encrypted database backups (Western Europe, EU)
  • Anthropic PBC — AI (Claude) for note generation; directly identifying data is obscured before transmission and no API data is used for training (US)
  • Deepgram Inc. — real-time voice transcription; no audio is retained (US)
  • Resend Inc. — transactional email (US)
  • Twilio Inc. — SMS for reminders and OTP (US)

10. International transfers of personal data

Some of our service providers are located outside the European Economic Area (EEA) or may process data on servers outside the EEA. Where data is transferred to a country without an adequacy decision, we ensure appropriate safeguards under Chapter V of the GDPR, typically Standard Contractual Clauses (SCCs) approved by the European Commission.

Patient data stored by our service (database and backups) is held exclusively in European data centres. Clinical content is, however, transmitted to two providers located in the United States for processing in real time: Anthropic for note generation and Deepgram for transcription (see section 9). These transfers are covered by Standard Contractual Clauses; directly identifying data is obscured before transmission to Anthropic, Deepgram retains no audio, and neither provider uses the data for training. Pseudonymised health data remains personal data under the GDPR, which is why these safeguards apply to it. You may request further information about the safeguards in place by contacting us at the address below.

11. Storage and security

Storage duration

We store information for as long as required to provide the service and for the purposes for which it was collected, considering our legal and contractual obligations. Once our legitimate and practical need ceases — or upon withdrawal of consent — the information is deleted promptly, save where law (e.g. accounting rules) requires longer retention.

  • On termination, data is made available for export for 90 days, after which identifiable data is securely deleted, save for legal obligations.
  • Tax data / invoices: 10 years (Art. 2220 of the Italian Civil Code).
  • Audit logs: 12-24 months.
  • Backups: deleted within 7 days (automatic rotation).

Security measures (Art. 32 GDPR)

  • Encryption in transit: TLS/HTTPS on all connections.
  • Encryption at rest provided by the infrastructure providers.
  • Passwords hashed with bcrypt; never stored in clear text.
  • Role-based access control with multi-tenant isolation: each professional accesses only their own patients.
  • Authenticated, single-use, time-limited links for data exports.
  • Audit logging of access, creation, modification, deletion and exports with IP and user-agent.
  • Regular encrypted backups with short retention and automatic rotation.
  • Continuous monitoring and documented incident management, including notification to the supervisory authority under Art. 33 GDPR.

Information is only accessible to employees who require access to perform their tasks. It remains the customer's responsibility to prevent unauthorised access to their account.
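The measures above list "authenticated, single-use, time-limited links for data exports". The following is an added example of how such a link token can be built and checked; it is not Scriva's own code and the page does not describe the actual implementation. It assumes an HMAC-signed token carrying a unique id, an expiry and the user the export belongs to, plus a server-side record of redeemed ids so that a link cannot be replayed. The function names, the `SIGNING_KEY` source and the in-memory `_redeemed` set are assumptions for the example; in production the key comes from a secret store and the redeemed-id check is an atomic database operation shared by all application instances.

```python
"""Single-use, time-limited, user-bound export links (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: in production this key is loaded from a secret store, not generated
# at import time (a restart would otherwise invalidate every outstanding link).
SIGNING_KEY = secrets.token_bytes(32)

# Single-use state: ids of tokens already redeemed. Assumption: a shared store
# with an atomic "insert if absent" in production; a process-local set here.
_redeemed = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload_b64: str) -> str:
    mac = hmac.new(SIGNING_KEY, payload_b64.encode(), hashlib.sha256).digest()
    return _b64(mac)


def issue_export_link(export_id: str, user_id: str, ttl_seconds: int = 900,
                      now: Optional[float] = None) -> str:
    """Return a token bound to one export, one user and a short validity window."""
    now = time.time() if now is None else now
    payload = {
        "jti": secrets.token_urlsafe(16),   # unique id, consumed on first use
        "exp": int(now) + ttl_seconds,      # absolute expiry, server clock
        "sub": user_id,                     # only this authenticated user may redeem
        "export": export_id,
    }
    payload_b64 = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{payload_b64}.{_sign(payload_b64)}"


def redeem_export_link(token: str, authenticated_user: str,
                       now: Optional[float] = None) -> Optional[str]:
    """Validate and consume a token. Returns the export id, or None if rejected.

    Order matters: verify the signature before trusting any field, then expiry,
    then the binding to the logged-in user, and only then mark the id as used
    so that a failed attempt by the wrong user does not burn the link.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload_b64)):
        return None
    padding = "=" * (-len(payload_b64) % 4)
    try:
        payload = json.loads(base64.urlsafe_b64decode(payload_b64 + padding))
    except ValueError:
        return None
    if payload.get("exp", 0) < now:
        return None
    if payload.get("sub") != authenticated_user:
        return None
    jti = payload.get("jti")
    if jti in _redeemed:
        return None
    _redeemed.add(jti)      # production: atomic insert, reject on conflict
    return payload["export"]


if __name__ == "__main__":
    link = issue_export_link("export-42", "clinician-7")
    print(redeem_export_link(link, "clinician-7"))   # export id on first use
    print(redeem_export_link(link, "clinician-7"))   # None: already consumed
```

The user binding is what makes the link "authenticated": possession of the URL alone is not enough, the session redeeming it must belong to the user who requested the export. The single-use check is only as strong as its storage; if several application instances each keep their own redeemed set, a token can be replayed once per instance, hence the note about an atomic shared store.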

12. Your privacy rights

In relation to the processing of your personal data, you have the right to:

  • Request access to your personal data
  • Request correction of inaccurate or incomplete information
  • Request deletion of personal data when it is no longer necessary
  • Withdraw your consent, where we are not legally required to retain the data
  • Request restriction of the processing of your personal data
  • Receive the personal data we have collected from you (data portability)
  • Object to processing based on our legitimate interests

To exercise these rights you can contact us at privacy@tp53.com. We will respond within one month of receipt; in complex cases this period may be extended by a further two months, of which we will inform you within the first month. Requests concerning patient data should be addressed to the Controller (the healthcare professional).

13. Complaint to the supervisory authority

If you believe we have processed your personal data in violation of applicable data protection legislation, you have the right to lodge a complaint with a supervisory authority — in your country of residence, place of work, or where the alleged infringement occurred. In Italy, the relevant authority is the Garante per la protezione dei dati personali (www.garanteprivacy.it).

14. Changes to this Privacy Policy

We may change this Privacy Policy at our own discretion. In the case of material changes we will notify our customers. The latest version will always be available on our website.

15. How to contact us

Feel free to contact us with any questions, comments or to exercise your rights: TP53 S.r.l., Via Pomposa 153, 44123 Ferrara (FE), Italia — Email: privacy@tp53.com. No Data Protection Officer (DPO) has been designated; privacy requests are handled at this address.