Privacy Policy
How Citt.ai Processes and Protects Personal Data
Citt.ai is an AI therapy co-pilot used alongside licensed therapists. This notice explains what data we collect, why we process it, how our roles work, and what choices you have. For privacy, GDPR, DPO, or EU representative enquiries, contact Declan Ahern.
Last updated: April 20, 2026
Who We Are
Citt.ai operates the Citt.ai platform and website. Declan Ahern is the named privacy contact for Citt.ai and handles GDPR, DPO, and EU representative enquiries sent to declan@citt.ai. Our correspondence address is 90 Clapham Common North Side, London, UK, SW49SG.
Who Can Use Citt.ai
Citt.ai is intended only for users aged 18 or older. Patient use must be connected to a licensed therapist. We do not knowingly offer the service to anyone under 18.
When Data Comes From a Therapist or Clinic
If your therapist or clinic invites you to Citt.ai, they may provide your name, contact details, therapist assignment, care configuration, or other onboarding details needed to activate the service. That source information is processed under the role allocation described below and under the therapist's or clinic's own privacy obligations where they act as controller.
Managed Records and What They Mean for You
A therapist using Citt.ai may keep a record for you in their practice workspace before you have signed up for the patient-facing parts of the Service yourself. We call this a managed record. A managed record exists so the therapist can run scheduling, notes, transcription, and billing for your care inside Citt.ai, in the same way many practices use other practice-management tools.
While you have only a managed record:
- The therapist (or their practice) and Citt.ai are joint controllers for that record under Article 26 GDPR. The therapist or clinic determines the clinical purpose. Citt.ai independently determines the essential platform choices (the AI models we run, the sub-processors we use, the safety pipeline, our retention defaults) and pursues its own legitimate interests in security, abuse prevention, and product integrity. The roles are summarised at a glance in the next section.
- Citt.ai does not treat you as a user of its patient-facing features. The patient-side AI chat, daily check-ins, in-app assessments, WhatsApp bot, and patient portal remain inactive for you. We do not collect chat history, check-in answers, or patient-portal usage data for you.
- Citt.ai is not contacting you on its own initiative, monitoring you between sessions, or running automated crisis detection on your behalf. Where Citt.ai sends you operational messages on the therapist's behalf (for example, an appointment confirmation, an invoice, or a personal invitation to claim a Citt.ai account), it does so under the joint-controllership arrangement, and the therapist remains responsible for the clinical basis of that communication.
- Citt.ai assumes no clinical duty toward you and no obligation to triage, escalate, or respond to messages, signals, or events relating to your record. Your therapist's professional duty of care to you is unchanged and is not delegated to Citt.ai by the use of the Service. In an emergency, you should contact your local emergency services or crisis line.
A managed record becomes a claimed account only when you accept a personal invitation from your therapist, set a password, and accept our Terms and this Privacy Notice directly. From that point on, the patient-facing parts of the Service apply to you as set out in this notice. The joint-controllership arrangement still applies to your clinical messaging, assessments, and any session recording or transcription, alongside the safety processing described below.
You can exercise your data rights with either party (see “Your Rights” below). Each party will support the other to action a valid request promptly under the joint-controllership routing described in our Joint Controller Agreement.
How Our Roles Work
Citt.ai does not use one single role for every data flow. The role depends on the context. We use three buckets:
- Citt.ai acts as sole controller for the public website, demo requests, therapist account administration, direct billing, payouts, consent records, security monitoring, audit logging, and the therapist-facing AI tools (Ask Citt and Citt Evidence).
- Citt.ai and your therapist or clinic act as joint controllers under Article 26 GDPR for managed patient records, patient AI messaging and support, assessments and check-ins, and session recording and transcription. Your therapist or clinic determines the clinical purpose (what care looks like, what to ask, how to interpret results). Citt.ai independently determines the essential platform choices (the AI models we run, the sub-processors we use, the safety pipeline, retention defaults) and pursues its own legitimate interests in security, abuse prevention, and product integrity. Both bases operate alongside one another, not as fallbacks.
- Citt.ai acts as a residual processor for any future flow where we purely execute documented therapist or clinic instructions without making essential-means decisions. No live flow currently sits in this bucket; the residual processor agreement is kept as a fallback.
Joint Controllership at a Glance (Article 26(2))
Article 26(2) GDPR requires that the essence of the joint-controller arrangement is made available to data subjects. This is the essence summary; the full Joint Controller Agreement is signed by every therapist or clinic at onboarding.
- What is joint: managed patient records, patient AI messaging and support, assessments and check-ins, and session recording and transcription where Citt.ai is used.
- What is not joint: Citt.ai's public website, cookie consent, demo requests, therapist account administration, direct billing, payouts, and the therapist-facing tools listed above are operated by Citt.ai as sole controller. Your therapist or clinic's in-house records, their own clinical decision-making, and any third-party tools they use outside Citt.ai are their sole responsibility.
- Who leads on what: Citt.ai leads on platform transparency (this notice), platform security, sub-processor management, the safety pipeline, and the platform DPIA. Your therapist or clinic leads on clinical decisions, clinical communications outside the platform, and any in-clinic records they keep about you. Each party has its own independent obligation under Articles 30 (record of processing), 33 (breach notification), 35 (data protection impact assessment where applicable), and the data-protection principles in Article 5.
- Single point of contact: you can exercise your data subject rights (Articles 15-22 GDPR) with either party. We will route the request to the party best placed to fulfil it and co-ordinate a single response within the GDPR timeline. The default routing is documented in our internal SAR runbook and summarised in the “Your Rights” section below.
- Information for data subjects: Citt.ai publishes this notice and keeps it current. Your therapist or clinic publishes their own notice covering their clinical use of the platform and references this notice for the platform layer.
- Sub-processors: the current platform sub-processor list is in the “Sharing and Subprocessors” table below. Material changes are notified to therapists and clinics.
Information We Collect
- Account and identity data: names, email addresses, phone numbers, country, therapist assignment, titles, and account credentials.
- Patient-care data: messages, check-ins, assessment answers and scores, therapist-configured prompts, notes, resources, uploads, and progress data.
- Audio and transcription data: voice notes, session audio where enabled, transcripts, and AI-generated note drafts.
- Usage, device, and audit data: timestamps, IP address or approximate device/network data, log events, delivery status, abuse-prevention signals, and security monitoring records.
- Billing and commercial data: subscription metadata, invoices, payment status, tax or accounting records, and Stripe customer identifiers.
- Website analytics and marketing data: cookie choices, campaign parameters, and other public-site measurement data only where you have enabled optional cookies.
- Data from therapists or clinics: referral details, therapist instructions, care-plan settings, and other information they provide so the service can be configured for you.
How We Use Personal Data
- Provide therapist-configured between-session support.
- Screen patient messages for risk signals before response generation.
- Produce transcripts, summaries, assessments, alerts, and workflow tools for therapists or clinics.
- Operate accounts, subscriptions, invoicing, and customer support.
- Protect the platform, investigate abuse, and maintain audit trails.
- Measure public-site performance and campaign effectiveness where you consent to optional cookies.
- Comply with legal obligations and exercise or defend legal rights.
Article 6 and Article 9 Basis Matrix
Where GDPR applies, the lawful basis depends on the data flow and on whether Citt.ai is acting as controller or processor.
| Processing activity | Role | Article 6 basis | Article 9 condition |
|---|---|---|---|
| Public website, demo requests, and general enquiries | Controller | Article 6(1)(f) legitimate interests and Article 6(1)(b) where you ask us to respond or arrange a demo | Not usually applicable |
| Therapist account creation, subscription management, billing, and support | Controller | Article 6(1)(b) contract and Article 6(1)(c) legal obligation for billing, tax, and record-keeping | Not usually applicable |
| Managed patient records, patient AI messaging and support, assessments and check-ins, session recording and transcription | Joint controllers (Citt.ai and the therapist or clinic) under Article 26 GDPR | Clinical side: determined by the therapist or clinic, typically Article 6(1)(b), (c), or (e) as permitted by local law. Platform side: Article 6(1)(f) Citt.ai's legitimate interests in security, abuse prevention, and product integrity, and Article 6(1)(d) for emergency safety steps. Both bases operate alongside one another. | Clinical side: typically Article 9(2)(h) healthcare or another valid condition under local law, determined by the therapist or clinic. Platform side: Article 9(2)(h) where needed to support secure care delivery, and Article 9(2)(c) where vital interests are engaged. |
| Clinical safety monitoring, abuse prevention, incident investigation, and audit logging | Controller or independent safety responsibility | Article 6(1)(f) legitimate interests, Article 6(1)(c) where law requires, and Article 6(1)(d) for vital interests in an emergency | Article 9(2)(h) where needed to support secure care delivery, and Article 9(2)(c) where vital interests are engaged |
| Optional WhatsApp messaging, voice notes, or similar optional features | Controller or processor by context | Article 6(1)(a) consent or Article 6(1)(b) where the feature is part of the service you request | Article 9(2)(a) explicit consent where required, or the therapist's applicable treatment basis where used as part of care |
| Public-site analytics and advertising technologies | Controller | Article 6(1)(a) consent | Not applicable |
Automated Processing and Human Oversight
Citt.ai uses automated systems to screen messages for risk, generate responses, produce transcripts, score assessments, prioritise review queues, and draft summaries or notes. These tools are designed to support care delivery, not replace professional judgment.
- Patient messages are screened for safety signals before response generation.
- Risk flags, summaries, and generated outputs can affect what a therapist sees or reviews first.
- Therapists or clinics remain responsible for care decisions, escalation decisions, and clinical interpretation.
- Citt.ai can surface crisis resources and notify the therapist or clinic, but it is not an emergency service and does not replace emergency response pathways.
Sharing and Subprocessors
We never sell personal data. We share it only with therapists or clinics involved in your care, with service providers acting on our behalf or on the therapist's behalf, and where required for legal, security, or vital-interest reasons.
| Provider | Purpose | Data | Location | Safeguards |
|---|---|---|---|---|
| AWS | Hosting, database, and storage | Account data, patient-care data, files, and logs | US / EU | Access controls, encryption, and contractual restrictions |
| OpenAI | Response generation and audio transcription | Message content, prompts, and audio/transcription payloads | US | Contractual controls and no training on API customer data by default |
| Deepgram | Speech-to-text services | Audio streams or files where transcription is enabled | US | Contractual restrictions and security commitments |
| Stripe | Payments and subscription billing | Payment identifiers, billing metadata, and invoice data | US | PCI DSS and contractual controls |
| Meta (WhatsApp) | Messaging channel | Message metadata and content where WhatsApp is enabled | US / EU | Platform terms and DPA commitments |
| Resend | Transactional email | Email addresses and message content needed for delivery | US | Contractual and security controls |
| Demo scheduling, optional calendar integrations, and consent-gated website measurement | Demo-booking contact details, calendar metadata, device identifiers, and website measurement data where consent is granted | US / EU | Contractual controls, consent gating where applicable, and vendor transfer terms | |
| Mailgun | Outbound campaign email | Email addresses and campaign delivery data | EU | DPA and security controls |
International Transfers
Some providers process data outside the country where the user, therapist, or clinic is located, including in the United States. Where GDPR applies, we use appropriate transfer safeguards such as standard contractual clauses, contractual restrictions, and vendor assessments. You can request more information by emailing declan@citt.ai.
Retention Schedule
| Data category | Retention period |
|---|---|
| Website enquiries, demo requests, and sales conversations | 12 months after last contact |
| Cookie preference records and public-site consent signals | 12 months |
| Therapist account, billing, tax, and commercial records | Account lifetime plus 7 years unless law requires longer |
| Patient identity, messages, check-ins, assessments, transcripts, summaries, and care records | Active care relationship plus our current 7-year clinical record retention setting by default. Some records are deleted or archived through approved deletion requests and operational retention workflows rather than automatic expiry alone. |
| Raw audio or session recordings used for transcription | Uploaded transcription audio is processed ephemerally and is not intentionally retained after processing. We retain the resulting transcript and related metadata. |
| Security and performance logs | Current operational settings target 90 days for API performance logs and 365 days for application error logs |
| Audit trails for access, deletion, and compliance events | Retained under current compliance settings and not subject to automatic deletion today |
| Backups | Up to 35 days |
| Records of privacy requests and complaint handling | 3 years after closure |
Security
We use encryption in transit and at rest, role-based and least-privilege access controls, audit logging, vendor controls, and incident response processes designed for privacy-sensitive care environments.
Your Rights
Depending on your location, you may have rights to access, rectify, erase, export, restrict, or object to certain processing, and to withdraw consent where consent is the legal basis. For our joint-controllership flows, you can exercise these rights with either party.
- You can contact Citt.ai directly at declan@citt.ai. We will acknowledge within 5 working days, route to your therapist or clinic where the request touches their clinical records, and co-ordinate a single response within the GDPR one-month timeline (extendable by a further two months for complex requests, with notice to you).
- You can contact your therapist or clinic directly for any request that relates to your care. They will fulfil the clinical-side scope and ask Citt.ai to fulfil the platform-side scope.
- Default routing: account, authentication, sub-processor, and platform data sit with Citt.ai by default. Clinical messages, transcripts, assessment results, care plans, and managed records sit with your therapist or clinic by default. Either party will assist the other to action a valid request.
- Erasure of clinical data is led by your therapist or clinic, with Citt.ai routing the platform-side action through our deletion queue. Lawful retention overrides (clinical record retention, billing, security logs) are documented in our retention schedule above.
- If you are in the EEA or UK, you may also complain to your local supervisory authority, including the Irish Data Protection Commission where relevant.
- If you use Citt.ai through Facebook or WhatsApp, you can also use our data deletion page to track platform requests submitted by Meta.
Cookies and Website Measurement
Necessary cookies are always active. Optional analytics and marketing technologies are used only with consent on the public website. See our Cookie Policy for details.
Changes to This Policy
We may update this policy when the product, vendors, or legal requirements change. If the changes are material, we will update the notice in the product or on the website and revise the date above.
Contact
Privacy contact, DPO enquiries, and EU representative enquiries should be sent to Declan Ahern at declan@citt.ai. Postal correspondence may be sent to 90 Clapham Common North Side, London, UK, SW49SG.