Privacy & Compliance
How Nixi AI protects patient data.
Data flow, medical confidentiality, EU AI Act. Explained plainly.
Is AI documentation GDPR-compliant?
Yes, when the vendor does it right. With Nixi AI, audio is processed in Frankfurt and deleted immediately after transcription. The generated text is processed in the EU and stored in Frankfurt. As a data processor under Art. 28 GDPR, Nixi AI is bound by medical confidentiality (§203 StGB).
The most common question clinicians ask about AI tools. The answer depends on the vendor. Here we explain how Nixi AI meets the GDPR requirements.
Where your data is, and isn't.
Five steps from microphone to documentation. The detail lives in the steps below; the short version is: no audio storage, no US transfer, no third parties.
Recording
You speak with your patient. Nixi AI captures the audio signal through your microphone.
Encrypted transfer
The audio is transmitted via TLS 1.3 to our servers in Frankfurt.
Processing
Our speech model transcribes and structures the documentation. Processing runs on EU-hosted infrastructure.
Result
The finished documentation draft is sent back to you encrypted. You review, correct, and transfer it to your EMR. Practice Pro automates the transfer.
Audio deletion
After processing, the audio is deleted. There's no permanent storage of recordings.
What we explicitly do NOT do
- No permanent audio storage: audio is deleted after processing
- No data transfer to the US: all data stays in Germany
- No sharing with third parties: no data brokers, no advertising networks
- No access to full patient records: Nixi AI sees only the current consultation
Full sub-processor list and architecture in the Trust Centre. Documentation flows directly to the EMR with Practice Pro.
Data processing: your data, your control.
Nixi AI is a data processor under Art. 28 GDPR. That means: we process patient data exclusively on your behalf and according to your instructions. A pre-prepared Data Processing Agreement (DPA) is part of every Nixi AI contract.
What the DPA covers
| DPA element | Detail |
|---|---|
| Processing purpose | Exclusively documentation creation on the clinician's behalf |
| Data types | Audio (temporary), transcribed text, structured documentation |
| Retention | Audio: deleted after processing; documentation: per contract term or on instruction |
| Sub-processors | Only the EU-hosted infrastructure provider (named transparently) |
| Audit right | You can verify DPA compliance at any time |
DPIA support
A Data Protection Impact Assessment (DPIA, Art. 35 GDPR) may be required when introducing AI-assisted documentation with health data. Nixi AI provides a DPIA orientation document describing the relevant risks and mitigations for your specific use case. Coordinate the DPIA with your Data Protection Officer.
Medical confidentiality: how AI documentation is compatible.
Nixi AI is integrated into medical confidentiality as a data processor, analogous to IT service providers, billing services, or cloud EMR providers that also handle patient data. The DPA contains the corresponding obligation to data secrecy.
Medical confidentiality (§203 StGB in Germany) protects the trust relationship between clinician and patient. Since the 2017 reform (§203(3) StGB), clinicians may involve so-called "auxiliary persons", including IT service providers, provided they are bound to data secrecy. Nixi AI is integrated as a technical service provider within this framework.
Why US vendors have a problem here
US companies are subject to the CLOUD Act, which grants US authorities access to data regardless of where the servers sit. This directly conflicts with §203 StGB and GDPR. As a German company based in Wiesbaden, Nixi AI is subject exclusively to German and EU law.
How Nixi compares to US AI tools: vendor comparison.
Do patients need to consent?
Whether a separate patient consent is required depends on your specific setting. In the EULAR 2025 study, 108 patients were informed about the AI use: not a single one refused (0 refusals). 56% gave a positive response.
Inform your patients
Transparency builds trust. A short note is enough: "We use AI to make documentation faster and more complete."
Use our notice template
Nixi AI provides a short, plain-language template you can post in your practice or show to patients.
Talk to your DPO
The specific assessment depends on your practice setup.
EULAR study 2025: 108 patients informed, 0 refusals, 56% positive responses, 44% neutral.
EU AI Act: risk class and transparency obligations.
The EU AI Act (Regulation 2024/1689) classifies AI systems into four risk categories. As an AI documentation assistant, Nixi AI falls under "limited risk" and is subject to transparency obligations, not to the strict requirements for high-risk systems.
| AI Act aspect | Nixi AI |
|---|---|
| Risk class | Limited risk |
| Main obligation | Transparency to users (Art. 50 AI Act) |
| Not high-risk because | Nixi AI makes no diagnostic or therapeutic decisions. The clinician remains the decision-maker. |
| Applicable from | AI literacy (Art. 4) since 2 February 2025; GPAI obligations (Chapter V) since 2 August 2025; transparency (Art. 50) and high-risk obligations from 2 August 2026. |
We inform clinicians and patients clearly: Nixi AI is an AI system. Documentation is generated automatically, the clinician reviews and approves. No diagnostic or therapeutic decision is taken by the AI. This classification reflects Nixi AI's current product (Stage 1 ambient AI scribe). Subsequent product stages will be re-assessed under MDCG 2019-11 Rev.1 and the AI Act before launch.
Patient rights: what patients can do.
GDPR grants patients comprehensive rights over their data. Nixi AI supports you, as the clinician, in fulfilling those rights.
Right of access
Patients can ask what data has been processed. You provide the information from your EMR; Nixi AI provides a processing overview on request.
Right to rectification
Patients can request correction of inaccurate data. The AI documentation lives in your EMR. You correct it there, not at Nixi AI.
Right to erasure
Patients can request deletion, unless statutory retention applies (e.g. §630f BGB in Germany, 10 years).
Right to restriction
Patients can request a restriction of processing: practically relevant while an objection to AI use is still pending.
Right to portability
Patients can receive their data in a structured format. Nixi AI documentation lives in structured form in the EMR.
Right to object
Patients can object to AI documentation at any time. You then document manually, as before.
External Data Protection Officer
Nixi AI has appointed an external Data Protection Officer (DPO) under Art. 37 GDPR. Patients with access requests, complaints, or data-protection questions can reach the DPO directly.
PROLIANCE GmbH
Leopoldstraße 21, 80802 Munich
The external DPO is independent and represents the interests of data subjects. They audit our data-protection measures and are the first point of contact for supervisory authorities.
FAQ
Frequently asked questions about data protection
Nixi AI meets all GDPR requirements: EU-hosted infrastructure in Frankfurt, DPA under Art. 28, no US transfer, external DPO. The only requirement is a vendor that does it right; this page documents how we do.
Experience the privacy, don't just read about it. Try free for 14 days.
EU-hosted infrastructure, DPA, §203-compliant. All details documented transparently. Here and in the Trust Centre.