Nixi AI was built from the ground up with privacy and security as a core principle — for clinicians who trust us with their most sensitive data.
This Privacy Policy explains how Nixi AI GmbH collects, uses, stores, and protects personal data when you use our healthcare application at app.nixiai.ai. It applies to registered users and clinicians who use our platform.
Nixi AI GmbH is the data controller for your account, payment, and usage data. For patient health data entered into the platform, you as the clinician are the data controller, and Nixi AI acts as your data processor (Auftragsverarbeiter) under a Data Processing Agreement. See Section 3 for details.
Data Controller
Nixi AI GmbH
Adolfsallee 14, 65185 Wiesbaden, Germany
Managing Director: Mahsa Yarahmadi
Email: privacy@nixiai.ai
Data Protection Officer (DPO)
Proliance GmbH — Dominik Fünkner
Leopoldstr. 21, 80802 München, Germany
Phone: +49 89 250 039 227
Nixi AI is a healthcare AI platform designed for licensed clinicians in Germany and the EU. Our system records doctor-patient consultations, transcribes audio to text in real time, and generates clinical notes using advanced AI. Audio is never stored — it is deleted immediately after transcription. You retain complete control over all data and clinical decisions.
We collect the following categories of data when you use the Nixi AI application.
Full name, email address, password (stored as a secure hash — never in plaintext), profile image, medical specialty, language preference, and account creation date.
When you record a consultation, the audio is streamed in real time to our transcription service via an encrypted connection, transcribed to text, and deleted immediately. Audio files are never stored or retained.
Transcribed text and AI-generated clinical notes are encrypted using AES-256 and stored in our database. Retention is configurable between 1 and 90 days (default 30 days), with automatic deletion based on your settings.
Nixi AI does not require or collect patient identifying information such as names, dates of birth, or patient IDs. You may optionally add context to a consultation, but any patient-related content you choose to include is entered at your discretion. As the clinician, you are responsible for deciding what information to enter and for managing patient consent accordingly.
Payment is processed through Stripe. We do not store your credit card numbers. We only store your name, email, billing address, transaction ID, and payment status.
Session metadata, timestamps, and feature usage help us maintain and improve the service. This data is used only for service improvement, performance monitoring, and resolving technical issues.
If you upload documents for text extraction, the documents are processed and the original files are not retained beyond the current session.
Nixi AI processes health data, which is classified as a special category of personal data under GDPR Article 9. This includes patient medical history, clinical notes, and consultation audio (before transcription and immediate deletion).
We process health data under Article 9(2)(h) of the GDPR, which permits processing when it is necessary for the provision of healthcare services by a healthcare professional.
As a clinician, you are the primary data controller for patient health data. Nixi AI acts as a data processor on your behalf, subject to a Data Processing Agreement (DPA) as required by GDPR Article 28. You are responsible for obtaining lawful consent from patients, ensuring GDPR compliance at your facility, and responding to patient data requests.
We collect and process only the minimum data necessary to provide our service. Audio is deleted immediately after transcription. Clinical notes are retained only for the period you configure, then automatically deleted.
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation & management | Contract performance | Art. 6(1)(b) |
| Audio transcription & note generation | Contract + Healthcare exception | Art. 6(1)(b) + Art. 9(2)(h) |
| Payment processing | Contract performance | Art. 6(1)(b) |
| Email communications (transactional) | Contract performance | Art. 6(1)(b) |
| Service improvement (de-identified) | Legitimate interest | Art. 6(1)(f) |
| Legal obligations (tax records) | Legal obligation | Art. 6(1)(c) |
| Marketing communications | Consent | Art. 6(1)(a) |
| Data Type | Retention Period | Basis |
|---|---|---|
| Audio recordings | Not stored — deleted immediately after transcription | Data minimization |
| Transcripts & clinical notes | 1–90 days configurable (default 30), auto-deleted | Contract + user preference |
| Account data | Duration of account + 30 days after deletion request | Contract performance |
| Payment/invoice records | 10 years after transaction | §147 AO, §14 UStG (German tax law) |
| Server logs | 90 days | Legitimate interest (security) |
Clinical notes, transcripts, and patient data are automatically deleted based on your configured retention settings. This process is fully automatic and requires no action from you.
When you request account deletion (Article 17 — right to erasure), we delete all account data, clinical notes, transcripts, and patient data. We retain only records required by German tax law. Complete deletion is confirmed within 7 business days.
We use the following service providers to operate Nixi AI. Each processes data on our behalf under contract.
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Audio transcription, AI note generation | EU (Frankfurt) |
| Google Cloud (Vertex AI) | AI model for clinical notes | EU |
| Hetzner | Infrastructure & database hosting | EU (Germany) |
| Stripe Inc. | Payment processing | EU + US (SCC/DPF) |
| Sentry | Error monitoring (with PII filtering) | EU |
| Mailgun (Sinch) | Transactional emails | EU |
All core data processing occurs within the European Union. Audio transcription, AI note generation, and database storage all happen on EU infrastructure. All sub-processors are bound by Data Processing Agreements with Standard Contractual Clauses.
Stripe may transfer some payment-related data to the United States, covered by SCCs and the EU-US Data Privacy Framework. See Section 7 for details.
Our error monitoring system includes a custom filter that removes all personally identifiable information and health data from error reports before transmission. Session replays are anonymized — personal details and clinical content are automatically masked.
The vast majority of Nixi AI data processing occurs within the EU, specifically in Frankfurt, Germany. This includes infrastructure, database hosting, audio transcription, and AI processing.
Only Stripe, our payment processor, may transfer data to the United States. This is protected by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework (DPF). Stripe processes only payment data — not clinical data or audio.
We do not transfer personal data to any other countries outside the EU/EEA.
You have the following rights regarding your personal data. To exercise any of these, contact us at privacy@nixiai.ai.
Request a copy of all personal data we hold about you. We will provide it in a structured, machine-readable format within 30 days.
Request correction of inaccurate or incomplete data. You can update your account information directly in the app.
Request deletion of your account and all associated data, subject to legal retention requirements (e.g., German tax law).
Request that we restrict processing of your data in certain circumstances — for example, while a dispute is being resolved.
Receive your data in a structured, machine-readable format and transmit it to another controller.
Object to processing based on our legitimate interests, including marketing and non-essential analytics.
Withdraw consent at any time for processing based on consent. Withdrawal does not affect prior lawful processing.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the data protection supervisory authority in your country of residence or workplace.
The Nixi AI application uses only essential session management and authentication technologies. The application does not contain analytics tracking or marketing cookies. We do not track your activity beyond what is necessary to provide and secure the service.
Nixi AI uses AI to generate clinical notes from transcribed consultations. However, the AI outputs suggestions only — you, the clinician, must review, edit, and approve all generated notes before they become part of the patient record. The clinician makes the final clinical decision, not the AI.
We do not use AI to profile patients or clinicians, predict clinical outcomes, or make treatment recommendations. Nixi AI is a documentation tool, not a diagnostic system.
We implement comprehensive technical and organizational measures to protect your data, in compliance with GDPR Article 32.
All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest — including transcripts, clinical notes, and patient information — is encrypted using AES-256.
We implement role-based access control and the principle of least privilege. Multi-factor authentication (MFA) is enforced on all accounts.
Our error monitoring system automatically removes all personally identifiable information and health data from reports before they leave our infrastructure.
In the unlikely event of a data breach, we will notify you and the relevant authorities without undue delay and no later than 72 hours after discovery.
Nixi AI is designed exclusively for licensed healthcare professionals and is not intended for use by persons under 16. We do not knowingly collect data from minors. If we become aware of such data, we will immediately delete it.
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. For material changes, we will notify you by email and display a notice in the app at least 30 days before the changes take effect. Your continued use after notification constitutes acceptance.
The current version is always available at nixiai.ai/legal/nixi-ai-privacy-policy.
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
Data Controller
Nixi AI GmbH
Adolfsallee 14, 65185 Wiesbaden, Germany
Email: privacy@nixiai.ai
Website: www.nixiai.ai
Data Protection Officer (DPO)
Proliance GmbH — Dominik Fünkner
Leopoldstr. 21, 80802 München, Germany
Phone: +49 89 250 039 227
Supervisory Authority
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
Website: datenschutz.hessen.de
© 2026 Nixi AI GmbH. All rights reserved.