Desktop Application Privacy Policy
1. Introduction and Contact Details
This privacy policy aims to transparently and comprehensively inform data subjects about the way Pamela AI Holding B.V. (hereinafter: "Pamela", "we", or "us") processes personal data, in accordance with the General Data Protection Regulation (GDPR), applicable Dutch implementing laws, and other relevant data protection legislation within the European Economic Area (EEA).
Pamela is based in the Netherlands and provides an AI-powered clinical documentation assistant for healthcare professionals. Pamela combines ambient listening with real-time clinician input to create personalized medical notes. We respect the privacy of our users and handle personal data with the utmost care.
For questions or requests, please contact: privacy@trypamela.ai
2. Data Protection Officer (DPO)
Pamela has appointed a Data Protection Officer responsible for monitoring privacy compliance. You can reach the DPO via: privacy@trypamela.ai
3. Definitions
The terms used in this policy carry the same meanings as those defined in Article 4 of the GDPR.
4. Scope
This policy applies to any processing of personal data by or under the responsibility of Pamela, whether automated or included in (or intended to be included in) a filing system.
5. Purposes of Processing
Pamela processes personal data solely for specific, explicit, and legitimate purposes, including:
Providing AI-powered clinical documentation services, including ambient listening, transcription, and note enhancement;
Optimizing the user experience and improving software performance;
Customer support, including responding to inquiries and complaints;
Internal administration, security, and compliance with legal obligations;
Ensuring the security of our infrastructure and services.
6. Legal Bases
Pamela processes personal data on at least one of the following legal bases:
Performance of a contract to which the data subject is party;
Compliance with a legal obligation to which Pamela is subject;
Legitimate interests pursued by Pamela or a third party, provided such interests are not overridden by the rights and freedoms of the data subject;
Your explicit, informed, and unambiguous consent.
7. Source of Personal Data
Personal data processed by Pamela is collected directly from you, your employer or healthcare organization, or generated through your use of our software.
8. Categories of Personal Data
Depending on your use of our services, we may process the following categories of personal data:
Identification data (e.g., name, email address, IP address, device information);
Audio data, transcripts, and AI-enhanced clinical notes;
Technical metadata and user interaction data;
Health data (Article 9 GDPR) as part of clinical consultations processed through the service.
9. Sensitive Data
The services are designed for use by healthcare professionals and involve the processing of health data (Article 9 GDPR). Pamela processes such data under appropriate technical and organizational safeguards, including encryption, access controls, and Data Processing Agreements. Patient identifiers are pseudonymized — Pamela works with identifiers from the clinician's EHR system and does not generate or store direct patient contact details. Customer is responsible for ensuring a valid legal basis for any sensitive data processed through the services.
10. Sharing with Third Parties
We engage third parties for data processing to support our services. These entities act as processors under Pamela's responsibility and process data solely based on our instructions:
AWS (EU regions) for hosting and infrastructure;
AWS Bedrock for AI model hosting and inference;
Anthropic (Claude) for AI-powered note enhancement, accessed via AWS Bedrock;
Deepgram for transcription;
AssemblyAI for transcription;
ElevenLabs for voice processing;
Proprietary models for audio processing and voice.
All processors hold up-to-date security certifications such as ISO 27001 and/or SOC 2. Pamela is ISO 27001 and NEN 7510 compliant and is currently in the process of getting certified. An up-to-date list of subprocessors is available upon request.
Processing outside the EEA is carried out only with appropriate safeguards in accordance with Article 46 GDPR.
11. Data Retention
Personal data is retained no longer than necessary for the purposes for which it was collected:
Account data: up to 30 days after account termination;
Audio recordings: stored securely and encrypted on EU-based infrastructure with strict access controls;
Transcripts and clinical notes: default retention is 90 days unless otherwise agreed.
After expiration, data is deleted or anonymized.
12. Data Subject Rights
You have the following rights under the GDPR:
Right of access to your data;
Right to rectification or completion;
Right to erasure ('right to be forgotten');
Right to restrict processing;
Right to data portability;
Right to object to processing;
Right not to be subject to solely automated decision-making.
To exercise these rights, contact privacy@trypamela.ai. We will respond within one month upon verifying your identity.
13. Refusal or Limitation of Requests
Pamela may deny or limit a request in specific cases, including:
Where necessary for national or public security;
For the prevention, investigation, or prosecution of criminal offenses;
In the context of ongoing legal proceedings;
Where requests are excessive or repetitive.
14. Complaints
If you are dissatisfied with our response, you may file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via www.autoriteitpersoonsgegevens.nl.
15. Data Security
Pamela implements appropriate technical and organizational measures, including:
Encryption of data at rest (AES-256) and in transit (TLS);
Role-based access control (RBAC) with full audit logging;
Hosting exclusively in AWS data centers within the EU;
Confidentiality obligations for all staff and contractors;
Background screening for all personnel with data access, including VOG (Certificate of Good Conduct) verification;
Regular security audits and staff training.
Pamela is ISO 27001 and NEN 7510 compliant and is currently in the process of getting certified.
16. Clinical Documentation — Not Clinical Decision-Making
Pamela is an AI assistant for clinical documentation. Pamela does not replace professional clinical judgment. All outputs must be reviewed by the healthcare professional before use. Pamela does not provide medical advice, diagnoses, or treatment recommendations. Use of outputs for clinical decision-making is entirely at the healthcare professional's own responsibility.
17. Liability
Pamela's output (e.g., transcripts and enhanced clinical notes) is generated via automated processing. While we strive for high accuracy, we do not guarantee error-free or complete results. Pamela is a documentation assistant, not a medical device. Use of this output in clinical documentation is entirely at the user's own responsibility. Pamela is not liable for damages resulting from the use of such data.


