This policy was generated as a template and has not been reviewed by legal counsel. We recommend independent legal review before relying on this document.
Last updated: April 2026
1. Who we are
MSK Insight is operated by NZP Optimal Health Ltd, a company registered in the Republic of Cyprus with its registered office in Limassol, Cyprus. For the purposes of the EU General Data Protection Regulation (GDPR), NZP Optimal Health Ltd is the data controller for this website and the Symptom Checker product, and the data processor for the Clinical Platform (where the subscribing clinic is the controller).
Contact: privacy@mskinsight.com (falls back to info@mskinsight.com).
2. Scope of this policy
This policy covers two distinct products:
- Clinical Platform — a clinic-facing SaaS (app.mskinsight.com) used by licensed clinicians to record patient assessments, generate clinical reports, and manage a caseload. It processes Protected Health Information (PHI) on behalf of the subscribing clinic.
- Symptom Checker — a patient-facing, anonymous self-assessment tool (check.mskinsight.com and per-clinic subdomains). It does not collect names, emails, or medical records, and does not associate responses with an identified individual.
3. What we collect
On the Clinical Platform (per clinic, uploaded by the clinic):
- Clinician account data — name, professional email, role, authentication credentials.
- Clinic data — clinic name, address, phone, billing contact, subscription plan.
- Patient records entered by the clinician — name, date of birth, contact details, clinical history, assessment findings, imaging, treatment plans, and audio/text clinical notes.
- System metadata — audit logs (who accessed which record and when), IP addresses of logins, login timestamps.
On the Symptom Checker (no PII by default):
- Anonymous interaction events — which body region was selected, which follow-up questions were answered, which result was shown.
- Coarse analytics — referring domain, browser type, language, country-level IP geolocation (IP is hashed before storage).
- Optional opt-in — if the patient chooses to book an appointment, their name, email and phone are sent to the clinic's contact endpoint; we do not retain a copy.
On the marketing website (mskinsight.com):
- Contact form / waitlist submissions — name, email, clinic name.
- Google Analytics (GA4) — anonymised, IP-masked site traffic.
4. Lawful basis (GDPR Article 6)
- Symptom Checker (anonymous usage): legitimate interest in operating and improving the service (Art. 6(1)(f)). Because no PII is collected, in most cases this does not constitute the processing of personal data.
- Clinical Platform: performance of a contract with the subscribing clinic (Art. 6(1)(b)). We act as a processor on the clinic's documented instructions under a Data Processing Addendum (DPA).
- Website account + billing: performance of a contract (Art. 6(1)(b)) and compliance with legal obligations such as tax/accounting (Art. 6(1)(c)).
- Marketing emails and analytics: consent (Art. 6(1)(a)) or legitimate interest (Art. 6(1)(f)) where applicable, with a clear unsubscribe mechanism.
5. Special category (health) data — Article 9
Patient health data processed on the Clinical Platform is a special category of personal data under Art. 9 GDPR. The clinic (as controller) obtains the patient's explicit consent at intake before entering any clinical information into MSK Insight, or relies on another Art. 9(2) ground such as the provision of health care under the responsibility of a health professional (Art. 9(2)(h)). As processor we act only on the clinic's instructions and never process PHI for our own purposes.
6. Processors and sub-processors
We use the following third parties to deliver the service. We keep this list up to date and will notify customers of material changes via email with at least 30 days' notice before onboarding a new sub-processor.
- Anthropic / OpenRouter (United States) — AI model inference for differential-diagnosis suggestions and clinical summaries. Queries are sent over TLS; zero-retention endpoints are used where available.
- Hetzner Online GmbH (Germany / Finland) — primary application hosting and database storage. All PHI is stored within the EU.
- Vercel Inc. (United States) — frontend CDN and static asset delivery (marketing site and checker). No PHI is served through Vercel.
- Supabase Inc. (EU region) — billing and subscription database.
- Stripe, Inc. (United States / Ireland) — payment processing. Card data is handled exclusively by Stripe and never touches our servers.
- PracticeHub (EU) — optional clinic EHR synchronisation for clinics that opt in.
- Google LLC (United States) — Google Analytics; anonymised website analytics with IP masking enabled.
- Transactional email provider (EU) — account notifications and report deliveries.
7. International transfers
Where data is transferred outside the European Economic Area (notably to US-based processors such as Anthropic, Stripe, Vercel and Google), those transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) 2021/914 in combination with supplementary technical measures (encryption in transit and at rest). Where a provider is certified under the EU–US Data Privacy Framework, we also rely on that adequacy decision.
8. Retention
- Clinical records — retained for the period mandated by the clinic's local professional regulator, typically 7 to 10 years after the last encounter. Clinics can request earlier deletion of individual records through the GDPR export/erasure endpoint.
- Symptom Checker events — retained in anonymised form for up to 18 months for product analytics, then aggregated and deleted.
- Billing records — retained for the statutory period required by Cyprus tax law (currently 6 years).
- Marketing list entries — retained until you unsubscribe or request deletion.
9. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data ("right to be forgotten") where no overriding legal obligation applies (Art. 17).
- Restrict processing in certain circumstances (Art. 18).
- Receive your data in a portable machine-readable format (Art. 20).
- Object to processing based on legitimate interest (Art. 21), including direct marketing.
- Withdraw consent at any time where consent is the lawful basis (Art. 7(3)).
Patients: direct your request to the clinic that provided the MSK Insight login — the clinic is the data controller for your clinical record. We will support the clinic in fulfilling your request.
Clinics and website users: email privacy@mskinsight.com. We respond within one month of receipt, extendable to three months for complex requests as permitted by Art. 12(3).
10. Security
- Encryption at rest — AES-256-GCM for PHI columns and file objects.
- Encryption in transit — TLS 1.2 or 1.3 for all network traffic; HSTS preloaded on production domains.
- Authentication — bcrypt password hashing, mandatory two-factor authentication for clinician accounts, short-lived JWT access tokens with refresh rotation.
- Audit logging — every PHI access is logged with actor, timestamp and record ID; logs are retained for 12 months.
- Backups — encrypted daily backups with point-in-time recovery, held in a separate EU region.
- Access control — principle of least privilege for staff; production database access is limited to on-call engineers and logged.
11. Supervisory authority
If you believe we have mishandled your data, you have the right to lodge a complaint with the Cyprus supervisory authority:
Commissioner for Personal Data Protection, 1 Iasonos Street, 1082 Nicosia, Cyprus.
Website: www.dataprotection.gov.cy
12. Contact us
Privacy questions and GDPR requests: privacy@mskinsight.com (falls back to info@mskinsight.com).
Postal: NZP Optimal Health Ltd, Limassol, Cyprus.