Effective date: 28 June 2025
1. Introduction
This Privacy Policy explains how AINuma ("AINuma", "we", "us", or "our") collects, uses, stores, shares, and protects personal data when you use our website, web application, and mobile applications (together, the "Service").
AINuma is an AI-powered practice management platform designed for licensed psychologists, psychotherapists, and mental health practices. The Service includes AI-assisted clinical documentation, patient management, appointment scheduling, questionnaires, secure communication, and related practice operations.
We wrote this policy for mental health professionals, their patients (where applicable), and reviewers evaluating AINuma for clinical, IT, or procurement purposes. It is intended to support GDPR compliance and app store requirements. It is not legal advice. If you use AINuma as a healthcare provider, you remain responsible for your own professional and regulatory obligations, including informing your patients and establishing a lawful basis for processing their data.
2. Who We Are and How to Contact Us
For personal data relating to your AINuma account, billing, and use of the Service as a customer, AINuma acts as the data controller under the General Data Protection Regulation (GDPR) where it applies.
For patient and client information that you enter or generate in the Service, you (the practice or individual clinician) are generally the data controller, and AINuma acts as a data processor processing that information on your instructions to provide the Service. A separate Data Processing Agreement (DPA) may apply where required.
Legal entity and contact details
- Trade name: AINuma
- Legal form: Eenmanszaak (sole proprietorship), owned by Vladimir Tsaran
- KVK (Chamber of Commerce) number: 42065394
- VAT identification number (btw-id): NL005468707B92
- Registered address: Van Polanenpark 66, 2241 RS Wassenaar, The Netherlands
- Website: https://ainuma.com
- Privacy enquiries: privacy@ainuma.com
- General support: support@ainuma.com
Data Protection Officer
AINuma has not appointed a formal Data Protection Officer (DPO) as we are not currently required to do so under Article 37 GDPR. Privacy enquiries can be sent to privacy@ainuma.com.
3. Scope of This Policy
This Privacy Policy applies to personal data processed through the AINuma Service, including our website, authenticated web application, and mobile apps distributed via the Apple App Store and Google Play Store.
This policy does not apply to third-party websites, services, or integrations that you connect to AINuma outside our control, except where we explicitly describe our role (for example, Google Calendar when you choose to connect it).
If you access AINuma on behalf of a practice or organization, your organization may have additional policies that apply alongside this Privacy Policy and any contractual terms between us.
4. Controller and Processor Roles
Understanding who is responsible for different categories of data is essential in a healthcare context.
When AINuma is the controller
- Account registration and authentication data for clinicians and staff
- Billing, subscription, and payment-related information processed by AINuma
- Support communications you send to us
- Product usage and security logs relating to operation of the Service
- Marketing and website analytics, where enabled and permitted by law
When you are the controller and AINuma is the processor
- Patient and client demographic and contact information
- Clinical notes, treatment plans, session transcripts, and related health information
- Questionnaire and intake responses collected from patients
- Communications and follow-up content directed at your patients
- Appointment and scheduling data linked to your patients
Your responsibilities as a healthcare provider
- Provide appropriate privacy notices to your patients
- Establish and document a lawful basis for processing patient data
- Obtain valid consent where required, including for session capture and transcription where applicable under your local law
- Respond to data subject requests from your patients, using Service features and our support where needed
- Configure retention, access controls, and staff permissions appropriately within your practice
5. Personal Data We Collect
We collect personal data necessary to provide, secure, and improve the Service. The categories below depend on how you use AINuma.
Account and profile information
- Name, email address, and authentication credentials
- Professional profile information (for example, practice name, role, and public therapist profile fields you choose to publish)
- Organization or practice details, including company name and team membership
- Preferences and settings within the Service
Patient and clinical information (processor data)
- Patient identifiers and contact details you enter
- Clinical notes, progress notes, and documentation you create or approve
- Session transcripts generated from temporary audio processing (see Section 8)
- AI-generated drafts of summaries, notes, treatment plans, and homework pending your review
- Questionnaire and intake responses
- Treatment agreements, consent records, and related clinical artifacts
- Follow-up messages and secure communication content
Scheduling and calendar information
- Appointments, availability, and scheduling metadata within AINuma
- Google Calendar event data, only if you explicitly connect Google Calendar via OAuth and grant the requested permissions
Usage, technical, and security data
- Device type, operating system, app version, and browser information
- IP address, timestamps, and diagnostic logs
- Authentication events and security audit logs
- Feature usage events used to operate, troubleshoot, and improve the Service
- Error reports and performance data
Payment and billing data
- Subscription plan, billing status, and invoice metadata
- Payment processing is handled by our payment provider (for example, Stripe). We do not store full payment card numbers on our servers.
6. Special Category Data (Health Information)
Patient records processed through AINuma may include special category personal data under Article 9 GDPR, including information about mental health, therapy sessions, diagnoses documented by clinicians, and questionnaire responses.
When AINuma processes this data on your behalf, we do so only to provide the Service under your instructions and applicable contractual terms. As the controller for patient data, you must ensure you have an appropriate Article 9 legal basis (for example, provision of healthcare, explicit consent, or another basis recognized in your jurisdiction) and that your patients are properly informed.
We apply enhanced access controls and security measures appropriate to the sensitivity of health-related data. AI-generated outputs are drafts only and require professional review before becoming part of the clinical record.
7. Purposes and Legal Bases for Processing
Where GDPR applies and AINuma acts as controller, we rely on the following legal bases:
- Performance of a contract (Article 6(1)(b)): to create and manage your account, provide the Service, process subscriptions, and deliver support.
- Legitimate interests (Article 6(1)(f)): to secure the Service, prevent fraud and abuse, maintain audit logs, improve reliability, and communicate important service updates, balanced against your rights.
- Legal obligation (Article 6(1)(c)): to comply with applicable laws, respond to lawful requests, and meet accounting or tax requirements where relevant.
- Consent (Article 6(1)(a)): where required for optional integrations (such as Google Calendar), certain analytics cookies, or marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Processing on your instructions (processor role)
When we process patient data on your behalf, the legal basis is determined by you as controller. We process that data only to deliver features you use, such as documentation, scheduling, questionnaires, analytics within your practice, and secure communication.
8. Audio Processing and Transcription
This section describes an important aspect of how AINuma handles session audio.
AINuma does not permanently collect or store audio recordings. When you choose to use transcription features, audio is processed only temporarily to generate a transcript. After transcription completes, the audio is automatically deleted. Only the resulting transcript text is retained in the Service, subject to your retention settings and applicable law.
Temporary audio processing may occur on your device, during secure upload for transcription, or with subprocessors engaged solely to perform speech-to-text. Temporary copies exist only for the time needed to complete transcription and are not kept as session recordings in AINuma.
You are responsible for obtaining any consent required under local law before capturing session audio for transcription. See our Trust Center guidance on session recording consent at https://ainuma.com/en/trust/session-recording-consent.
9. Video Sessions
AINuma may support live video sessions for telehealth workflows. AINuma does not record or store video from these sessions.
If real-time transcription is enabled during a video session, only the resulting transcript text may be retained—not video or permanent audio recordings, consistent with Section 8.
10. Artificial Intelligence Processing
AINuma uses third-party AI providers to generate clinical documentation drafts, including session summaries, structured notes, treatment plans, and homework suggestions.
AI providers process data only to deliver the specific output you request. Customer data is not used to train AI models. We configure our AI integrations so that your content is not used to improve general-purpose models unless you explicitly agree otherwise in writing, which is not our standard practice.
All AI-generated content is a draft until reviewed and approved by a licensed professional. AINuma does not diagnose, does not replace clinical judgment, and is not a patient-facing therapy service.
Typical AI use cases include speech-to-text transcription and large language model inference for documentation drafting. Current provider categories are described in our Subprocessors page at https://ainuma.com/en/trust/subprocessors.
11. Google Calendar Integration
Connecting Google Calendar is optional. If you choose to connect, you explicitly grant access through Google OAuth.
AINuma reads calendar events required for appointment management—such as event titles, times, attendees, and related metadata needed to sync scheduling within your practice. We do not use Google Calendar access for unrelated purposes.
You can revoke Google Calendar permissions at any time through your Google Account security settings or by disconnecting the integration within AINuma. Revocation may limit calendar sync functionality.
Google's use of data obtained through OAuth is also governed by Google's policies: https://policies.google.com/privacy
13. International Data Transfers
AINuma uses cloud infrastructure and subprocessors that may process data in the European Economic Area (EEA), the United Kingdom, the United States, and other countries.
Where personal data is transferred from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of protection, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented measures where required, and data processing terms with subprocessors.
Enterprise customers may request details of transfer mechanisms as part of contract review or a DPA.
14. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy, unless a longer period is required by law or agreed in your contract.
- Account data: retained while your account is active and for a reasonable period afterward to handle deletion requests, disputes, and legal obligations.
- Clinical and patient data (processor data): retained according to your settings and instructions. You can delete records through product features where available. Upon account termination, we delete or return processor data according to our DPA and applicable law, subject to backup retention windows described below.
- Transcripts and clinical artifacts: retained until you delete them or your account is deleted, unless otherwise required by law or your contract.
- Temporary audio during transcription: deleted automatically after transcription; not retained as recordings.
- Security and audit logs: retained for a limited period appropriate for security investigation, fraud prevention, and compliance, typically between 30 days and 24 months depending on log type.
- Backups: deleted data may persist in encrypted backups for a limited period (typically up to 90 days) before being overwritten in the normal backup cycle.
15. Security Measures
We implement technical and organizational measures designed to protect personal data appropriate to the nature of healthcare-related practice data. We do not claim certifications we have not achieved (such as ISO 27001 or SOC 2) unless explicitly stated in a current contractual document or our Trust Center.
- Encryption in transit using TLS for data sent between your device and our Service
- Encryption at rest and access controls on cloud infrastructure managed by our providers
- Authentication controls, including support for strong passwords and multi-factor authentication where enabled
- Role-based authorization limiting access to patient records and clinical artifacts within your organization
- Audit and security logging of authentication and administrative events
- Regular monitoring, patching, and vulnerability management on our infrastructure
- Encrypted backups and recovery procedures to support business continuity
- Incident response procedures to investigate and address suspected security events
Your security responsibilities
- Use strong, unique credentials and enable multi-factor authentication where available
- Limit staff access according to role and supervision requirements
- Review AI-generated content before approval
- Notify us promptly at privacy@ainuma.com if you suspect unauthorized access to your account
16. Your Rights Under GDPR
Where GDPR applies and AINuma is the controller of your personal data, you have the following rights, subject to conditions and exceptions in applicable law:
- Right of access: request a copy of personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): request deletion of your data where applicable.
- Right to restriction: request that we limit processing in certain circumstances.
- Right to data portability: receive your data in a structured, commonly used, machine-readable format where applicable.
- Right to object: object to processing based on legitimate interests, including profiling, where applicable.
- Right to withdraw consent: where processing is based on consent.
- Right not to be subject to solely automated decision-making producing legal or similarly significant effects, where applicable.
Patient rights
Patients who wish to exercise rights regarding their health information should normally contact their therapist or practice (the data controller). We will assist our customers in fulfilling their obligations where required by contract and law.
How to exercise your rights
Send requests to privacy@ainuma.com. We may need to verify your identity before responding. We aim to respond within one month, as required by GDPR, and may extend that period for complex requests.
17. Right to Lodge a Complaint
If you believe our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with a supervisory authority.
If you are in the Netherlands, the relevant authority is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority): https://autoriteitpersoonsgegevens.nl
You may also lodge a complaint with the supervisory authority in your country of habitual residence, place of work, or place of the alleged infringement within the EU/EEA.
We encourage you to contact us first at privacy@ainuma.com so we can try to resolve your concern.
18. Account Closure and Data Deletion
You may request deletion of your AINuma account by contacting support@ainuma.com or through account settings where available.
Upon verified deletion request or account termination, we will delete or anonymize controller data within a reasonable period, subject to legal retention requirements and backup cycles described in Section 14.
If you are a practice administrator, you are responsible for exporting or deleting patient data before closure where required by your professional obligations. We can provide reasonable assistance during a defined export window where available in your plan.
Deletion of your account does not automatically delete data for which your organization remains controller; practices should follow their own retention and patient notification policies.
20. Mobile Applications
Our mobile applications available on the Apple App Store and Google Play Store process personal data as described in this Privacy Policy.
Mobile apps may request device permissions (for example, microphone access when you initiate transcription, or camera access for profile photos). Permissions are requested in context and can be managed in your device settings. Denying a permission may limit related features.
App store providers (Apple and Google) may collect data about downloads and device interactions under their own privacy policies.
21. Children's Privacy
AINuma is a business-to-business service intended for licensed mental health professionals and practices. It is not directed at children under 16, and we do not knowingly collect personal data directly from children for account registration.
If a clinician uses AINuma to document care for minor patients, the practice is responsible for lawful basis, parental authority, and consent requirements under applicable law. If you believe we have collected personal data from a child inappropriately, contact privacy@ainuma.com.
22. Additional Regional Information
Healthcare and privacy requirements vary by country. AINuma is designed with GDPR-conscious practices. We do not claim HIPAA compliance or other regional certifications unless explicitly documented in your contract.
Customers in the United States, United Kingdom, Switzerland, and other jurisdictions should evaluate whether our security measures and contractual terms meet their specific regulatory requirements before processing patient data in the Service.
23. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the Service, legal requirements, or our processing practices. When we make material changes, we will post the updated policy on https://ainuma.com/privacy-policy and update the effective date at the top of this page.
Where required by law, we will provide additional notice (for example, by email or in-app notification). Continued use of the Service after the effective date of an updated policy constitutes acknowledgment of the changes, except where further consent is required by law.
24. Contact Us
For questions about this Privacy Policy or our data protection practices, contact:
AINuma (eenmanszaak), KVK 42065394
Van Polanenpark 66, 2241 RS Wassenaar, The Netherlands
Email: privacy@ainuma.com
General support: support@ainuma.com
For data processing agreements, security documentation, or subprocessor lists, contact support@ainuma.com or visit our Trust Center at https://ainuma.com/en/trust.