Privacy Policy
Last updated: 9 June 2026
1. Introduction
Replik.care (operated by Seb Digital, the "Service") is a doctor-to-doctor knowledge platform where licensed medical professionals create AI avatars trained on their own corpus. This policy describes what we collect, how we use it, and the rights you have under the General Data Protection Regulation (GDPR).
2. Who we are
The data controller for the Service is Seb Digital. Contact: info@sebdigital.io. Specific legal entity details are listed in our Legal Notice page.
3. Information we collect
We collect the following categories of data:
- Account data: full name, email, hashed password (bcrypt), professional role and any profile details you choose to share.
- Doctor corpus: documents, URLs, notes, and audio recordings you upload to train your avatar. You decide what to upload.
- Generated content: chunks and embeddings derived from your corpus, conversation transcripts, AI-generated answers and citations.
- Usage data: page views, IP address, browser/device fingerprint for security and abuse prevention, error logs.
- Marketing data: if you subscribe to our newsletter or sign up to the platform, your email and name are sent to Zoho CRM (EU data center) as our CRM.
4. How we use your information
We process your data to: (a) provide the Service — train and serve your avatar, surface citations, persist conversations; (b) secure the platform — rate limit abuse, detect intrusion, audit logs; (c) communicate with you — service emails, password resets, optional newsletter; (d) improve the Service — aggregate usage analytics, no sale of personal data.
5. AI processing and where your data goes
Some parts of the Retrieval-Augmented Generation pipeline call third-party AI services. By using the Service you accept that these specific operations send relevant text or audio to those providers under their own privacy terms:
- OpenAI (USA, EU–US Data Privacy Framework participant): chat generation (gpt-4.1-mini), embeddings (text-embedding-3-large), image OCR (gpt-4o), audio transcription (whisper-1), query decomposition (gpt-4o-mini). Audio uploaded for transcription leaves the EU.
- Jina AI (Berlin, EU): optional re-ranking of retrieved chunks. Data stays in the EU.
- Scaleway (France): hosting, database, object storage, transactional email. All EU.
- Zoho CRM (EU data center): CRM for newsletter and sign-up tracking. Email + name only.
- Vercel: not currently used — we host on Scaleway.
6. Audio recordings and consent
When you use Audio Notes, recorded audio is uploaded to Scaleway (EU) then sent to OpenAI Whisper (USA) for transcription. The first time you open the feature on any device, you must explicitly acknowledge a consent banner that reminds you to obtain explicit consent from any identifiable patient before recording them. The Service cannot enforce that you obtained patient consent — it is your responsibility as a healthcare professional.
7. Data storage and security
Your data is stored on Scaleway Managed PostgreSQL and Scaleway Object Storage in fr-par (Paris). Passwords are hashed with bcrypt (work factor 12). Sessions use HTTP-only cookies on the web and signed JWTs (HS256) on the mobile app, with refresh tokens stored as SHA-256 hashes in the database. We do not currently hold an HDS (hébergement de données de santé) certification, so you must not upload identifiable patient health records to the Service.
8. Sharing with third parties
We do not sell your personal data. Beyond the AI providers listed in section 5 and our marketing CRM, we share data only when legally compelled (court order, regulatory request) or with explicit instructions from you (for example, publishing your avatar at /d/your-slug makes its name, bio and corpus-derived answers public).
9. Cookies
We use strictly-necessary cookies for authentication (the NextAuth session cookie) and language preference. We do not use third-party advertising cookies. Analytics events are first-party and aggregated.
10. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data — most fields are editable from your dashboard Settings.
- Erase your account and all associated data ("right to be forgotten"). Use Settings → Delete Account or email info@sebdigital.io.
- Restrict or object to processing.
- Data portability — receive your data in a machine-readable format on request.
- Lodge a complaint with the CNIL (Commission nationale de l'informatique et des libertés, France) or your local supervisory authority.
11. Data retention
We retain account and corpus data while your account is active. When you delete your account, we delete the personal data and corpus within 30 days, except for logs we are legally required to keep. Anonymous aggregated metrics may be retained indefinitely.
12. Children
The Service is restricted to licensed medical professionals and is not directed at children under 16. We do not knowingly collect data from minors.
13. Changes to this policy
We may update this policy as the Service evolves. Material changes will be notified by email to active users at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
14. Contact
For any privacy question, GDPR right, or data request: info@sebdigital.io. We do not currently have a designated Data Protection Officer; this contact email reaches the responsible party.