Privacy Policy

Last updated: April 2026

1. Who We Are

Refearly Ltd (“refEarly”, “we”, “us”, or “our”) is a company registered in England and Wales (Company No. 17150584). We operate the refEarly platform, which provides AI-assisted referral letter drafting tools for NHS clinicians in the United Kingdom.

We are registered with the Information Commissioner's Office (ICO) under reference number 00013750740.

This Privacy Policy explains how we collect, use, store, and protect personal data when you use our website and services. Please read it carefully. If you have any questions, contact us at hello@refearly.co.uk.

2. What Data We Collect

We collect and process the following categories of personal data:

Account and Identity Data

  • Your name and email address (provided at registration)
  • Your professional role and the organisation you work for
  • Your subscription status and billing information (processed by Stripe; we do not store full card details)

Usage and Technical Data

  • Information about how you interact with our platform, including pages visited, features used, and referral letters drafted
  • IP addresses, browser type, device information, and access timestamps, collected for security and performance monitoring

Clinical Content You Choose to Enter

  • Any clinical notes, patient details, or referral information you input when using our AI drafting tools. See Section 3 (Special Category Data) and Section 5 (AI Processing) for important information about how this is handled.

3. Special Category Data

Some information you enter when generating referral letters may constitute special category data under UK GDPR, including health data relating to patients.

We strongly advise you not to enter personally identifiable patient information (such as full names, NHS numbers, or dates of birth) into the refEarly platform. Clinical content should be entered in a de-identified or pseudonymised form wherever possible.

By using our AI drafting tools, you confirm that you are acting as the data controller in respect of any patient data you choose to input, and that you have a lawful basis for doing so. refEarly acts as a data processor in relation to that content, in accordance with the terms of our Data Processing Agreement (available on request).

4. How We Use Your Data

We use the data we collect for the following purposes:

  • To provide and operate the refEarly service, including authenticating your account, processing your subscription, and generating AI-assisted referral letters.
  • To communicate with you about your account, subscription, platform updates, and support requests.
  • To improve our platform by analysing usage patterns and identifying technical issues. This analysis is conducted at an aggregated, anonymised level wherever possible.
  • To comply with legal obligations, including financial record-keeping and responding to lawful requests from regulatory authorities.
  • To protect our platform and users from fraud, abuse, and security threats.

Our lawful bases for processing under UK GDPR are: performance of a contract (providing the service you have subscribed to); legitimate interests (platform security, improvement, and fraud prevention); and legal obligation (compliance with applicable law).

5. AI Processing

refEarly uses third-party artificial intelligence services (including large language model providers) to generate referral letter drafts based on the clinical content you submit.

When you use our AI drafting tools, the content you input is transmitted to these third-party AI providers for processing. We have contractual arrangements in place with our AI providers that prohibit them from using submitted content to train their models or retaining it beyond the minimum period required to process the request.

You remain responsible for reviewing all AI-generated output before use. refEarly does not guarantee the clinical accuracy of any generated content. Referral letters produced by our platform are drafts only and must be reviewed, edited, and approved by a qualified clinician prior to submission.

6. Third-Party Services

We use the following third-party service providers in the operation of refEarly:

  • Stripe — payment processing and subscription management. Stripe processes billing data in accordance with its own privacy policy and PCI DSS compliance standards.
  • Xano — backend database and API infrastructure. Your account and subscription data is stored on Xano's servers.
  • Resend — transactional email delivery (e.g. account confirmations, password resets).
  • Vercel — hosting and deployment of the refEarly web application.
  • AI model providers — for generating referral letter drafts (see Section 5).

All third-party processors are bound by contractual obligations to handle your data securely and only for the purposes we specify.

7. Cookies and Local Storage

refEarly uses a single authentication cookie (rf_token) to maintain your logged-in session. This cookie is strictly necessary for the platform to function and does not track you across other websites.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We may use anonymous, aggregated analytics in future — if we do, this policy will be updated accordingly and, where required by law, your consent will be obtained.

8. Data Retention

We retain your data for as long as your account is active and for a reasonable period thereafter, subject to the following:

  • Account data is retained for the duration of your subscription and for up to 7 years following account closure, to comply with our legal and financial record-keeping obligations.
  • Clinical content submitted for AI processing is not retained by refEarly beyond the period required to generate a response. We do not store referral letter drafts on our servers after delivery to you.
  • Usage logs (IP addresses, access times) are retained for up to 12 months for security purposes.

You may request deletion of your account and associated data at any time by contacting us at hello@refearly.co.uk. Some data may be retained where we are required to do so by law.

9. Your Rights

Under UK GDPR, you have the following rights in respect of your personal data:

  • Right of access — you may request a copy of the personal data we hold about you.
  • Right to rectification — you may ask us to correct inaccurate or incomplete data.
  • Right to erasure — you may ask us to delete your personal data, subject to legal retention requirements.
  • Right to restriction — you may ask us to restrict how we use your data in certain circumstances.
  • Right to data portability — you may request your data in a structured, machine-readable format.
  • Right to object — you may object to processing based on our legitimate interests.
  • Rights in relation to automated decision-making — refEarly does not make automated decisions with legal or similarly significant effects about individuals.

To exercise any of these rights, contact us at hello@refearly.co.uk. We will respond within one calendar month.

10. Data Security

We take the security of your data seriously. We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These measures include:

  • Encrypted data transmission (HTTPS/TLS) across all platform surfaces
  • Hashed and salted password storage — we never store passwords in plain text
  • JWT-based authentication with time-limited tokens
  • Access controls limiting internal access to personal data on a need-to-know basis

No system is completely secure. In the event of a data breach that is likely to affect your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.

11. Children

refEarly is a professional tool intended for use by qualified clinicians. Our services are not directed at children under the age of 18, and we do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email and update the “Last updated” date at the top of this page. Your continued use of the platform following notification constitutes acceptance of the revised policy.

13. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the opportunity to address your concerns directly before you contact the ICO — please reach out to us first at hello@refearly.co.uk.

14. Contact Us

For any questions, requests, or concerns relating to this Privacy Policy or our data practices, please contact:

Refearly Ltd

Company No. 17150584

Registered in England and Wales

ICO Reference: 00013750740

Email: hello@refearly.co.uk
