Legal

Privacy Policy

Last updated: March 2026

1. Introduction

SurgOS is a surgical intelligence platform designed for cataract surgery. We help surgeons and clinics record, audit, and analyse surgical outcomes. This policy explains what data we collect, how we use it, and what rights you have.

2. Data we collect

SurgOS may collect the following types of data:

  • Account information: name, email address, organisation name, and assigned role.
  • Surgical audit data: structured case records including technique, complications, risk factors, and IOL data.
  • Operative note data: content generated or edited through the Protocol Generator, including any AI-assisted drafts.
  • Usage data: session information and application interactions required to operate and improve the service.
  • Billing data: subscription status and payment metadata processed by Stripe. Card details are never stored by SurgOS.

3. Patient data

SurgOS is designed to minimise patient-identifiable information:

  • Clinics should use internal case references rather than direct patient identifiers wherever possible.
  • All patient identifiers entered into SurgOS are converted to pseudonymous SHA-256 hashes before storage. The original identifier is never stored on SurgOS servers.
  • The mapping between a pseudonymous identifier and the patient remains solely within the clinic's own systems.
  • The platform is intended to work with structured surgical data, not clinical records or direct patient identifiers.

4. How we use your data

  • To provide surgical audit functionality and case management
  • To generate analytics, clinical insights, and performance reporting
  • To generate operative note drafts through the Protocol Generator
  • To manage subscriptions and billing
  • To improve workflow and product performance
  • To communicate with you about your account or the service

5. Data hosting

SurgOS is built on Supabase, a cloud infrastructure provider with SOC 2 compliance. Data is intended to be hosted in secure European infrastructure. All data is encrypted in transit using TLS and at rest using AES-256.

6. Access control

SurgOS uses role-based access control. Each user is assigned one of the following roles:

  • Super Admin: platform-level access, used by the SurgOS team only.
  • Clinic Admin: full access to their organisation's data, users, and settings.
  • Surgeon: access to their own case data and clinic-wide analytics.
  • Secretary: restricted access for case entry and history viewing.

Organisations are logically separated. Users can only access data within their own organisation.

7. AI assistance

SurgOS includes an optional AI writing assistant for operative note generation, powered by Azure OpenAI. AI features are assistive only. They do not provide medical advice, autonomous decision-making, or clinical recommendations. All AI-generated content must be reviewed and approved by the responsible clinician. No identifiable patient data is sent to AI services; input is sanitised before processing.

8. Third-party services

SurgOS uses the following third-party services:

  • Supabase: database and authentication infrastructure
  • Stripe: subscription and payment processing
  • Azure OpenAI: AI-assisted operative note generation (optional, organisation-controlled)

9. Your rights

You have the right to:

  • Request access to the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request deletion or export of your data, subject to your clinic's own data responsibilities and any legal retention obligations

To exercise any of these rights, contact us at privacy@surgos.com. We will respond within 30 days.

10. Cookies

SurgOS uses only functional cookies required for authentication and session management. We do not use advertising, analytics, or tracking cookies.

11. Changes to this policy

We may update this policy from time to time. We will notify you of significant changes by email or through the platform. Continued use of SurgOS after changes constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or requests, contact us at privacy@surgos.com.
