- GDPR Compliant: Full EU compliance
- EU-Only Hosting: Frankfurt, Germany
- AES-256 Encryption: At rest and in transit
- No Audio Stored: Deleted after transcription
Contents
- Introduction & Data Controller
- Data We Collect
- Special Categories of Data (Health Data)
- Legal Bases for Processing
- Data Retention
- Data Recipients & Sub-processors
- International Data Transfers
- Your Rights under the GDPR
- Cookies & Tracking Technologies
- Automated Decision-Making
- Data Security
- Children's Data
- Changes to This Policy
- Contact
1. Introduction & Data Controller
This Privacy Policy explains how Nixi AI GmbH collects, uses, stores, and protects personal data when you use our healthcare application at app.nixiai.ai. It applies to registered users and clinicians who use our platform.
Nixi AI GmbH is the data controller for your account, payment, and usage data. For patient health data entered into the platform, you as the clinician are the data controller, and Nixi AI acts as your data processor (Auftragsverarbeiter) under a Data Processing Agreement. See Section 3 for details.
Data Controller
Nixi AI GmbH
Adolfsallee 14, 65185 Wiesbaden, Germany
Managing Director: Mahsa Yarahmadi
Email: privacy@nixiai.ai
Data Protection Officer (DPO)
Proliance GmbH, Dominik Fünkner
Leopoldstr. 21, 80802 München, Germany
Phone: +49 89 250 039 227
Email: datenschutzbeauftragter@datenschutzexperte.de
What is Nixi AI?
Nixi AI is a healthcare AI platform designed for licensed clinicians in Germany and the EU. Our system records doctor-patient consultations, transcribes audio to text in real time, and generates clinical notes using advanced AI. Audio is never stored. It is deleted immediately after transcription. You retain complete control over all data and clinical decisions.
2. Data We Collect
We collect the following categories of data when you use the Nixi AI application.
Account Data
Full name, email address, password (stored as a secure hash, never in plaintext), profile image, medical specialty, language preference, and account creation date.
Audio Recordings & Transcriptions
When you record a consultation, the audio is streamed in real time to our transcription service via an encrypted connection, transcribed to text, and deleted immediately. Audio files are never stored or retained.
Clinical Notes & Transcripts
Transcribed text and AI-generated clinical notes are encrypted using AES-256 and stored in our database. Retention is configurable between 1 and 90 days (default 30 days), with automatic deletion based on your settings.
Patient Context (Optional)
Nixi AI does not require or collect patient identifying information such as names, dates of birth, or patient IDs. You may optionally add context to a consultation, but any patient-related content you choose to include is entered at your discretion. As the clinician, you are responsible for deciding what information to enter and for managing patient consent accordingly.
Payment Data
Payment is processed through Stripe. We do not store your credit card numbers. We only store your name, email, billing address, transaction ID, and payment status.
Usage Data
Session metadata, timestamps, and feature usage help us maintain and improve the service. This data is used only for service improvement, performance monitoring, and resolving technical issues.
Document Uploads
If you upload documents for text extraction, the documents are processed and the original files are not retained beyond the current session.
3. Special Categories of Data (Health Data)
Nixi AI processes health data, which is classified as a special category of personal data under GDPR Article 9. This includes patient medical history, clinical notes, and consultation audio (before transcription and immediate deletion).
Legal Basis
We process health data under Article 9(2)(h) of the GDPR, which permits processing when it is necessary for the provision of healthcare services by a healthcare professional.
Your Role as Data Controller
As a clinician, you are the primary data controller for patient health data. Nixi AI acts as a data processor on your behalf, subject to a Data Processing Agreement (DPA) as required by GDPR Article 28. You are responsible for obtaining lawful consent from patients, ensuring GDPR compliance at your facility, and responding to patient data requests.
Data Minimization
We collect and process only the minimum data necessary to provide our service. Audio is deleted immediately after transcription. Clinical notes are retained only for the period you configure, then automatically deleted.
4. Legal Bases for Processing
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation & management | Contract performance | Art. 6(1)(b) |
| Audio transcription & note generation | Contract + Healthcare exception | Art. 6(1)(b) + Art. 9(2)(h) |
| Payment processing | Contract performance | Art. 6(1)(b) |
| Email communications (transactional) | Contract performance | Art. 6(1)(b) |
| Service improvement (de-identified) | Legitimate interest | Art. 6(1)(f) |
| Legal obligations (tax records) | Legal obligation | Art. 6(1)(c) |
| Marketing communications | Consent | Art. 6(1)(a) |
5. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Audio recordings | Not stored; deleted immediately after transcription | Data minimization |
| Transcripts & clinical notes | 1–90 days configurable (default 30), auto-deleted | Contract + user preference |
| Account data | Duration of account + 30 days after deletion request | Contract performance |
| Payment/invoice records | 10 years after transaction | §147 AO, §14 UStG (German tax law) |
| Server logs | 90 days | Legitimate interest (security) |
Automated Deletion
Clinical notes, transcripts, and patient data are automatically deleted based on your configured retention settings. This process is fully automatic and requires no action from you.
Account Deletion
When you request account deletion (Article 17, right to erasure), we delete all account data, clinical notes, transcripts, and patient data. We retain only records required by German tax law. Complete deletion is confirmed within 7 business days.
6. Data Recipients & Sub-processors
We use the following service providers to operate Nixi AI. Each processes data on our behalf under contract.
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Audio transcription, AI note generation | EU (Frankfurt) |
| Google Cloud (Vertex AI) | AI model for clinical notes | EU |
| Stripe Inc. | Payment processing | EU + US (SCC/DPF) |
| Sentry | Error monitoring (with PII filtering) | EU |
| Mailgun (Sinch) | Transactional emails | EU |
All core data processing occurs within the European Union. Audio transcription, AI note generation, and database storage all happen on EU infrastructure. All sub-processors are bound by Data Processing Agreements with Standard Contractual Clauses.
Stripe may transfer some payment-related data to the United States, covered by SCCs and the EU-US Data Privacy Framework. See Section 7 for details.
Our error monitoring system includes a custom filter that removes all personally identifiable information and health data from error reports before transmission. Session replays are anonymized. Personal details and clinical content are automatically masked.
CLOUD Act position. As Nixi AI GmbH is a German company subject exclusively to German and EU law, the US CLOUD Act, FISA, and US executive orders do not apply. No US authority can compel Nixi AI to disclose patient data; § 203 StGB makes such disclosure a criminal offence under German law.
Audit right. Under Art. 28(3)(h) GDPR, customers may verify Nixi AI's compliance at any time via the Data Processing Agreement. Audits may be carried out by the customer directly, by their Data Protection Officer, or by an independent external auditor.
7. International Data Transfers
The vast majority of Nixi AI data processing occurs within the EU, specifically in Frankfurt, Germany. This includes infrastructure, database hosting, audio transcription, and AI processing.
Only Stripe, our payment processor, may transfer data to the United States. This is protected by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework (DPF). Stripe processes only payment data, not clinical data or audio.
We do not transfer personal data to any other countries outside the EU/EEA.
8. Your Rights under the GDPR
You have the following rights regarding your personal data. To exercise any of these, contact us at privacy@nixiai.ai.
Right of Access (Article 15)
Request a copy of all personal data we hold about you. We will provide it in a structured, machine-readable format within 30 days.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete data. You can update your account information directly in the app.
Right to Erasure (Article 17)
Request deletion of your account and all associated data, subject to legal retention requirements (e.g., German tax law).
Right to Restriction (Article 18)
Request that we restrict processing of your data in certain circumstances, for example while a dispute is being resolved.
Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format and transmit it to another controller.
Right to Object (Article 21)
Object to processing based on our legitimate interests, including marketing and non-essential analytics.
Right to Withdraw Consent (Article 7(3))
Withdraw consent at any time for processing based on consent. Withdrawal does not affect prior lawful processing.
Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the data protection supervisory authority in your country of residence or workplace.
9. Cookies & Tracking Technologies
Nixi AI does not set cookies and does not use third-party advertising or marketing trackers. Authentication uses secure tokens stored in your browser.
To keep the service reliable and improve it over time, we collect limited usage and error information, for example, which features are used and when something fails. This data is kept within our EU infrastructure and never includes patient information or clinical content.
10. Automated Decision-Making
Nixi AI uses AI to generate clinical notes from transcribed consultations. However, the AI outputs suggestions only. You, the clinician, must review, edit, and approve all generated notes before they become part of the patient record. The clinician makes the final clinical decision, not the AI.
We do not use AI to profile patients or clinicians, predict clinical outcomes, or make treatment recommendations. Nixi AI is a documentation tool, not a diagnostic system.
11. Data Security
We implement comprehensive technical and organizational measures to protect your data, in compliance with GDPR Article 32.
Encryption
All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest, including transcripts, clinical notes, and patient information, is encrypted using AES-256.
Access Control
We implement role-based access control and the principle of least privilege. Multi-factor authentication (MFA) is enforced on all accounts.
PII Filtering
Our error monitoring system automatically removes all personally identifiable information and health data from reports before they leave our infrastructure.
Breach Notification
In the unlikely event of a data breach, we will notify you and the relevant authorities without undue delay and no later than 72 hours after discovery.
12. Children's Data
Nixi AI is designed exclusively for licensed healthcare professionals and is not intended for use by persons under 16. We do not knowingly collect data from minors. If we become aware of such data, we will immediately delete it.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. For material changes, we will notify you by email and display a notice in the app at least 30 days before the changes take effect. Your continued use after notification constitutes acceptance.
The current version is always available at nixiai.ai/legal/nixi-ai-privacy-policy.
14. Contact
Data Controller
Nixi AI GmbH
Adolfsallee 14, 65185 Wiesbaden, Germany
Email: privacy@nixiai.ai
Website: www.nixiai.ai
Data Protection Officer (DPO)
Proliance GmbH, Dominik Fünkner
Leopoldstr. 21, 80802 München, Germany
Phone: +49 89 250 039 227
Email: datenschutzbeauftragter@datenschutzexperte.de
Supervisory Authority
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
Website: datenschutz.hessen.de