GDPR Compliance

Last Updated: 18 May 2025

Compliance Status

Hexai Care Limited is actively working toward full GDPR compliance. As a UK-based company, we are committed to adhering to the General Data Protection Regulation and UK data protection laws. We are currently in the process of implementing all necessary measures required by GDPR regulations.

Our Commitment to GDPR Compliance

At Hexai Care Limited, we are committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (GDPR). As a healthcare technology provider, we understand the sensitivity of the data we process and the importance of maintaining the highest standards of data protection.

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations operating within the EU and to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behavior.

The GDPR sets out principles for data management and the rights of individuals, and requires organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Our Role Under GDPR

Depending on the specific circumstances, Hexai Care Limited may act as either a data controller or a data processor:

  • As a Data Controller: We determine the purposes and means of processing personal data that we collect directly from individuals, such as account information from healthcare providers using our platform.
  • As a Data Processor: We process personal data on behalf of our healthcare customers (the data controllers) in accordance with their instructions.

GDPR Principles We Follow

We adhere to the following GDPR principles in our data processing activities:

  • Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
  • Data Minimization: We limit the personal data we collect to what is necessary for the purposes for which it is processed.
  • Accuracy: We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.
  • Storage Limitation: We keep personal data in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed.
  • Integrity and Confidentiality: We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  • Accountability: We are responsible for and can demonstrate compliance with the GDPR principles.

Data Subject Rights

We respect and facilitate the exercise of data subject rights under the GDPR, including:

  • Right to Access: Data subjects have the right to obtain confirmation as to whether their personal data is being processed and, if so, access to that data.
  • Right to Rectification: Data subjects have the right to have inaccurate personal data rectified and incomplete personal data completed.
  • Right to Erasure (Right to be Forgotten): Data subjects have the right to have their personal data erased in certain circumstances.
  • Right to Restriction of Processing: Data subjects have the right to restrict the processing of their personal data in certain circumstances.
  • Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Right to Object: Data subjects have the right to object to the processing of their personal data in certain circumstances.
  • Rights Related to Automated Decision Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

Technical and Organizational Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: We encrypt personal data both in transit and at rest.
  • Access Controls: We implement strict access controls to ensure that only authorized personnel can access personal data.
  • Regular Testing: We regularly test, assess, and evaluate the effectiveness of our technical and organizational measures.
  • Data Protection Impact Assessments: We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
  • Data Protection by Design and Default: We implement data protection principles from the outset of product development and by default.

Data Processing Agreements

When we act as a data processor, we enter into Data Processing Agreements (DPAs) with our customers (the data controllers). These agreements clearly outline our responsibilities regarding the processing of personal data, including:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subjects
  • The obligations and rights of the controller
  • Our commitments to implement appropriate technical and organizational measures
  • Our assistance to the controller in responding to data subject requests
  • Our notification obligations in case of a data breach

International Data Transfers

As a UK-based company, we ensure that any transfer of personal data to countries outside the UK or European Economic Area (EEA) is done in compliance with GDPR requirements. We implement appropriate safeguards, such as Standard Contractual Clauses, to protect personal data transferred internationally.

Data Breach Notification

In the event of a personal data breach, we have procedures in place to:

  • Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach
  • Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms
  • Document all breaches, including the facts relating to the breach, its effects, and the remedial action taken

Data Protection Officer

While we are in the process of determining whether we are required to appoint a Data Protection Officer (DPO) under the GDPR, we have designated personnel responsible for overseeing our data protection strategy and implementation.

Contact Information

For questions about our GDPR compliance or to exercise your data subject rights, please contact us at:

Hexai Care Limited
Unit 82a James Carter Road
Mildenhall, Bury St. Edmunds
England, IP28 7DE
Email: hexaicare@gmail.com