Privacy Notice for NHS Users
Who We Are
EBO.ai (UK) Ltd. (company number 11544587 and ICO Registration reference: ZA803821) is a technology company providing AI-powered Virtual Agent services to NHS organisations. We operate under strict confidentiality, security, and data protection frameworks in accordance with the UK GDPR and Data Protection Act 2018.
What Data We Process
When you interact with our Virtual Agent through NHS platforms, we may process the following data:
- Personal identifiers (e.g. name, contact details, NHS number if applicable)
- Conversation transcripts and interactions
- User preferences and response patterns
- Metadata such as timestamps, technical logs, or anonymised device identifiers
We will only process special category data if it is explicitly required, requested and permitted by your healthcare provider to fulfil a requirement that you may have.
Why We Process Your Data
Your data is processed to:
- Deliver the Virtual Agent service effectively and securely
- Pre-populate relevant information if you use NHS login
- Improve your experience by tailoring responses and functionality
- Fulfil contractual obligations with the NHS body providing the service
Our lawful basis for processing your data includes:
- Performance of a contract with the NHS organisation
- Consent where explicitly provided (e.g. use of NHS login)
- Legitimate interest to improve, audit and secure our AI services, fully respecting all obligations around confidentiality and privacy
Anonymised Data and Research
We may process anonymised data for:
- Statistical analysis
- Service improvement
- Research and product development
No identifiable personal data is included in such use. All anonymisation adheres to ICO and NHS standards. EBO retains ownership of any derived statistical or research results, which may be used to enhance our AI models and services.
NHS login
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
Data Security
We take data security seriously. Your data is:
- Encrypted in transit and at rest
- Stored within geo-redundant, UK or EU-based, GDPR-compliant infrastructure as requested by your Healthcare Provider
- Protected by strict internal access controls and monitoring
We follow industry best practices and NHS Digital’s data protection toolkit.
Data Sharing
Your data is not sold or shared with third parties for marketing.
It may be shared only:
- With NHS organisations involved in your care
- With technical partners under strict data processing agreements, if necessary
- When required by law
Data Retention
Your identifiable data is retained only as long as necessary for the purposes described above. Anonymised data used for research purposes may be retained securely and indefinitely or as established via contractual framework with your Healthcare Provider.
Your Rights
You have the right to:
- Access your personal data
- Request correction or deletion
- Object to or restrict processing
- Withdraw consent (where applicable)
- Lodge a complaint with the Information Commissioner’s Office (ICO)
To exercise your rights, contact: hello@ebo.ai or contact your Healthcare Provider in the NHS.