When you use splose AI, your clients are trusting you with sensitive health information. That trust extends to the tools you use to manage it. This article explains exactly how splose AI handles client data, what your obligations are under UK law, and how to have an informed, confident conversation with clients about it.
This is not a substitute for your own legal or compliance advice. It's a clear, practical resource to help you understand splose's approach and communicate it to the people in your care.
What is splose AI?
splose AI is an opt-in feature that uses OpenAI's technology to assist practitioners with documentation tasks — including progress note writing, reporting, and routine administrative work. It's designed to reduce time spent on paperwork without compromising the quality or security of your client records.
Because splose AI processes health information, it's important to understand what happens to that data, where it goes, and who can access it.
How splose stores and protects data
All data in splose is stored on Amazon Web Services (AWS), one of the most widely used and rigorously audited cloud infrastructure providers in the world. splose applies the following protections:
Encryption at rest: All stored data is protected using AES-256 encryption — the same standard used by financial institutions and government agencies.
Encryption in transit: Data moving between your device and splose's servers is encrypted using TLS 1.2+ to prevent interception.
Regular security audits: OpenAI undergoes SOC 2 compliance audits, an independent standard for verifying security controls in cloud-based services.
Zero data retention by OpenAI: splose holds a Business Associate Agreement (BAA) with OpenAI. This agreement legally guarantees that OpenAI does not retain or use your clients' data beyond the immediate task it is processing. Client data is never used to train OpenAI's models.
UK legal compliance
splose complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These are the primary legal frameworks governing how health-related personal data must be collected, stored, used, and protected in the UK.
Under UK GDPR, health data is classified as special category data. This means it carries a higher level of legal protection and requires explicit consent before it can be processed using AI-assisted tools. splose's opt-in model is designed with this requirement in mind.
For more details, splose's full Privacy Policy is available at splose.com/privacy-policy.
Who can access your clients' data?
Access to client data within splose is limited to:
Your clinicians and practice staff, based on the permissions you've set
splose staff, on a need-to-know basis for the purpose of providing and maintaining the platform
Trusted third-party service providers used to deliver splose's services
Government or regulatory bodies, where required by law
splose's employees and service providers are bound by strict privacy and security standards.
Consent: what you need to do before using splose AI
splose AI cannot be used without a client's explicit consent. This is both a splose requirement and a legal obligation under UK GDPR.
Before using AI-assisted features with any client, you need to:
Inform your client that you use splose, an AI-powered practice management platform, to manage and process their data.
Explain what splose AI does — it assists practitioners with documentation tasks like progress notes.
Obtain their consent before enabling splose AI for their records.
Let them know they can withdraw consent at any time — and ensure this is reflected in their record.
Consent should be documented. splose's online forms feature is well-suited for capturing this as part of your intake process.
Talking to clients about splose AI
Many clients will have questions — and some may be uncertain about AI in healthcare. Here's how to approach common concerns clearly and honestly.
"What is splose AI used for?"
splose AI helps your clinicians with documentation tasks, such as drafting progress notes. It processes the information shared during your appointments to help reduce administrative time, so your practitioner can focus more on your care.
"Does the AI read my records?"
splose AI accesses only the data needed to complete the specific task. It does not browse your full history independently.
"Does OpenAI keep my data?"
No. splose holds a formal agreement with OpenAI that ensures your data is not retained or used for any purpose beyond the task at hand — including AI model training.
"What if I don't want AI used with my information?"
That's entirely your right. Let your clinician know and consent will not be recorded. splose AI will not be used with your data.
"Is my data secure?"
Yes. Your data is stored using industry-leading encryption and security standards, and splose complies with UK GDPR requirements for the handling of health data.
The client-facing fact sheet
splose has produced a one-page fact sheet specifically for sharing with clients. It covers the key questions in plain language and is suitable for:
Including with your intake forms or consent documentation
Displaying in your waiting area or consultation room
Sending alongside new client welcome emails
Accuracy and clinician responsibility
splose AI is designed for high accuracy, but no AI-generated content is guaranteed to be error-free. Clinicians are responsible for reviewing all AI-generated output before it becomes part of a client's record. This is standard clinical practice and is consistent with UK professional standards.
Do not rely on AI-generated content without review. Always apply your clinical judgement.
Things to note
splose AI is an opt-in feature. It is not active by default for any client.
Consent can be withdrawn at any time. When it is, update the client's record accordingly.
This article covers splose's AI data practices. For the full picture of how splose handles all personal data, refer to the splose Privacy Policy.
FAQs
Q: Do I need a separate data processing agreement with splose as a UK-based practice?
A: splose's Terms of Service and Privacy Policy govern the data processing relationship between your practice and splose. If you have specific questions about your obligations as a data controller under UK GDPR, we recommend speaking with a qualified data protection adviser.
Q: Is splose AI compliant with NHS data standards?
A: splose complies with UK GDPR and uses industry-standard security practices (AES-256 encryption, TLS 1.2+, SOC 2 audited infrastructure). If your practice has specific NHS or ICO requirements, please get in touch via the support chat.
Q: Where exactly is my clients' data stored — is it in the UK?
A: splose stores data on Amazon Web Services (AWS). For specific information about data residency, please get in touch via the support chat.
Q: Can I use splose's online forms to capture AI consent?
A: Yes. splose's online forms feature is a practical way to collect and document AI consent as part of your intake process.
For more information, visit splose.com/uk/resources/resource-centre/your-privacy-our-priority or contact splose via the support chat.
