EricaAI Website Privacy Notice (March 2025)
Introduction
This Privacy Notice explains how Epical Global Ltd ("we," "us," or "our") collects, uses, shares, and protects information in relation to our Midwives Live Chat and EricaAI service, website, and related services (collectively, the "Service"). This notice applies to Business Customers who contract with us directly and to End Users who interact with our midwife-powered AI assistant through our website and our Business Customers' platforms.
We are committed to protecting your privacy and ensuring your information is handled appropriately. This policy explains our data practices and your rights regarding your information.

Information We Collect

From Business Customers
When you register as a Business Customer, we collect:
- Company name and contact details
- Billing and payment information
- Contact information for authorized representatives
- Account credentials
- Correspondence and communication records
- Service configuration preferences

From End Users
Through our Business Customers' implementation of our Midwives Live Chat Service and EricaAI, we may collect:
- Chat and interaction content
- Questions and concerns submitted to EricaAI
- Usage data and interaction patterns
- Optional demographic information where provided
- Feedback on responses received

Technical Information
We automatically collect certain information when you access our Service:
- IP address and device information
- Browser type and settings
- Operating system
- Service usage statistics and patterns
- Log information
- Location information (at country or region level)

How We Use Information
We use the information we collect for the following purposes:

Business Operations
- Providing and maintaining our Service
- Processing transactions and sending related information
- Managing Business Customer accounts
- Communicating about service-related issues

Service Improvement
- Training and improving our AI assistant
- Analysing usage patterns to enhance functionality
- Developing new features and services
- Quality assurance and monitoring accuracy of responses

Business Analytics
- Generating anonymous statistical data
- Creating insights about maternal health trends and concerns
- Providing Business Customers with aggregated analytics about End User interactions

Legal and Security
- Protecting the security and integrity of our Service
- Detecting and preventing fraudulent or illegal activities
- Complying with legal obligations
- Enforcing our Terms and Conditions

Special Categories of Data
We recognize that information related to pregnancy, maternal health, and infant care may constitute special categories of data under certain data protection laws.

Health-Related Information
- We process health-related information only for the purposes of providing our Service
- Our midwife-powered AI assistant is designed to provide general informational content only, not personalised medical advice
- We implement enhanced security measures for this data

Children's Data
- Our Service is not directed to children under 16
- We do not knowingly collect personal information from children
- Information about infants and children is provided by adult End Users

How We Share Information

Business Customers
- We provide Business Customers with usage analytics and insights generated from End User interactions with the Service implemented on their platforms
- Business Customers receive anonymous and aggregated data unless otherwise specified in our service agreement
- Where personal data is shared, we ensure appropriate data processing agreements are in place in compliance with GDPR Article 28

Service Providers (Data Processors)
- We may share information with third-party vendors and service providers who need access to perform services on our behalf, such as:
  - Cloud hosting providers
  - Analytics services
  - Customer support tools
- All service providers are bound by data processing agreements in accordance with GDPR Article 28 that require them to:
  - Process personal data only on our documented instructions
  - Ensure confidentiality of the data
  - Implement appropriate technical and organisational measures
  - Assist us in fulfilling our GDPR obligations
  - Delete or return all personal data after the end of service provision
  - Submit to audits and inspections

Recipients of Personal Data
In accordance with GDPR transparency requirements, we maintain a current list of categories of recipients with whom personal data may be shared. This list is available upon request.

Legal Requirements
- We may disclose information if required to do so by law or in response to valid requests by public authorities
- We conduct an assessment of each request to ensure it meets legal requirements before disclosing any information
- Where permitted, we will notify affected individuals of such disclosures

Business Transfers
- In the event of a merger, acquisition, or asset sale, your information may be transferred as a business asset
- We will notify Business Customers of any such change in ownership or control of personal information
- We will ensure that the recipient of the data continues to process it in accordance with this Privacy Notice and applicable data protection laws

Data Retention
In accordance with GDPR Article 5(1)(e) (storage limitation principle), we retain information only for as long as necessary to provide our Service and fulfil the purposes outlined in this Privacy Notice, unless a longer retention period is required or permitted by law.

Specific Retention Periods
We have established the following specific retention periods:
- Business Customer account information: For the duration of the service contract plus 12 months following termination
- End User chat interactions: 6 months after collection for service improvement, after which they are anonymized or deleted
- Billing information: 7 years, as required by financial regulations
- Marketing communications data: Until consent withdrawal or 2 years of inactivity

We regularly review our retention policies and anonymise or delete data when it is no longer needed. Our detailed retention schedule is available to Business Customers upon request.

Criteria Used to Determine Retention Periods
The specific retention periods are determined based on:
- The nature and sensitivity of the information
- The purposes for which it is processed
- Applicable legal and regulatory requirements
- Industry best practices
- Operational requirements
- Data minimisation principles

Business Customers can request deletion of their account information as described in the "Your Rights" section below. We have established procedures to respond to such requests in accordance with GDPR requirements.

Security
In accordance with GDPR Article 32, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing.

Technical Measures
Our technical security measures include:
- End-to-end encryption of sensitive data both in transit and at rest
- Pseudonymisation and anonymisation of personal data where appropriate
- Regular penetration testing and vulnerability scanning
- Secure development practices and code reviews
- Automatic system monitoring and alerting
- Multi-factor authentication for all systems containing personal data

Organisational Measures
Our organisational security measures include:
- Detailed information security policies and procedures
- Background checks for employees with access to sensitive data
- Strict access controls based on the principle of least privilege
- Data protection impact assessments for high-risk processing activities
- Formal incident response and breach notification procedures
- Regular security audits and compliance assessments
- Appointment of a Data Protection Officer

Breach Response
In the event of a personal data breach, we have procedures in place to:
- Detect and report breaches within 72 hours to the relevant supervisory authority
- Assess the risk to affected individuals
- Notify affected individuals without undue delay when a breach is likely to result in a high risk to their rights and freedoms
- Document all breaches and remediation actions taken

While we strive to use commercially acceptable means to protect your information, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

International Data Transfers
We may process and store your information in countries other than your own. These countries may have data protection laws that differ from those in your country.
When we transfer information across borders, we:
- Use standard contractual clauses or other appropriate legal mechanisms
- Ensure transfers comply with applicable data protection laws
- Implement additional safeguards as necessary

Your Rights Under GDPR
In accordance with GDPR Articles 12-22, data subjects have the following rights:
- Right to Information (Articles 13-14): To receive clear information about the collection and use of your personal data, which we provide through this Privacy Notice.
- Right of Access (Article 15): To obtain confirmation as to whether personal data concerning you is being processed, and where that is the case, access to the personal data and the following information:
  - The purposes of processing
  - The categories of personal data concerned
  - The recipients to whom the data has been or will be disclosed
  - The envisaged period of storage
  - The existence of automated decision-making, including profiling
  - Where data is transferred to a third country, information about the appropriate safeguards
- Right to Rectification (Article 16): To obtain without undue delay the rectification of inaccurate personal data or to have incomplete personal data completed.
- Right to Erasure ('right to be forgotten') (Article 17): To obtain the erasure of your personal data without undue delay under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
- Right to Restriction of Processing (Article 18): To obtain restriction of processing in specific circumstances, such as when you contest the accuracy of the data or when processing is unlawful.
- Right to Data Portability (Article 20): To receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance.
- Right to Object (Article 21): To object at any time to processing of your personal data for direct marketing purposes or when processing is based on legitimate interests.
- Rights Related to Automated Decision Making (Article 22): Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
- Right to Withdraw Consent: To withdraw your consent at any time where processing is based on your consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

How to Exercise Your Rights
We have implemented procedures to enable you to exercise your rights in a timely manner:
- Business Customers can submit rights requests by contacting hello@ericaai.co.uk using the subject heading “Data Request”.
- End Users should contact the relevant Business Customer who has implemented our Service, as they are typically the data controller for End User data.

We will respond to all legitimate requests within one month as required by the GDPR. This period may be extended by up to two additional months where necessary, taking into account the complexity and number of requests.

Verification Process
To protect your privacy, we may need to verify your identity before processing your request. We may request specific information from you to help us confirm your identity.

No Fee Usually Required
You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

Changes to This Privacy Notice
We may update this Privacy Notice from time to time. For minor changes, we will post the updated Privacy Notice on our website with the effective date.

We encourage you to review this Privacy Notice periodically to stay informed about our information practices.

Contact Us
If you have any questions, concerns, or requests regarding this Privacy Notice or our data practices, please contact us at:

Data Controller
Epical Global Ltd acts as the data controller for the processing of personal data collected directly from Business Customers. For End User data collected through our Service, we may act as either a data controller or data processor depending on the specific implementation and our agreement with the Business Customer.

Legal Bases for Processing
We rely on the following legal bases for processing personal data:
- Performance of a Contract: Processing necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract (Article 6(1)(b) GDPR).
  - Example: Processing Business Customer account information to provide our Service.
- Legitimate Interests: Processing necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms (Article 6(1)(f) GDPR).
  - Example: Improving our AI assistant's responses and functionality.
  - Example: Generating anonymized analytics and insights.
- Consent: Processing based on your specific, informed, and unambiguous consent (Article 6(1)(a) GDPR).
  - Example: Sending marketing communications.
- Legal Obligation: Processing necessary for compliance with a legal obligation to which we are subject (Article 6(1)(c) GDPR).
  - Example: Responding to valid legal requests from authorities.

Special Categories of Data
For health-related information, which constitutes special category data under GDPR Article 9, we rely on the following legal bases:
- Explicit consent (Article 9(2)(a))
- Processing necessary for healthcare purposes (Article 9(2)(h)), where applicable
- Processing necessary for public health (Article 9(2)(i)), where applicable

Your Enhanced GDPR Rights
In addition to the rights outlined in the "Your Rights" section, you have the right to:
- Withdraw consent: Where processing is based on consent, you can withdraw consent at any time.
- Object to processing: Object to processing based on legitimate interests, including profiling, and for direct marketing purposes.
- Object to automated decision-making: Object to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
- Lodge a complaint: File a complaint with a supervisory authority, particularly in the member state of your habitual residence, place of work, or place of the alleged infringement.

Data Protection Officer
We have appointed a Data Protection Officer who can be contacted at: hello@ericaai.co.uk

Automated Decision Making
Our Service may involve some automated decision-making, including profiling, to provide relevant responses through our AI assistant. However, we have implemented suitable safeguards to protect your rights, freedoms, and legitimate interests, including:
- Human oversight by our midwife team for complex queries
- Regular review of our AI systems to identify and mitigate potential biases
- Clear procedures for End Users to request human intervention