Back to HomeLihv Assist

Privacy Policy

Last updated: 26 March 2026

1. Introduction

Lihv (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use Lihv Assist (“the Service”).

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable data protection legislation.

2. Data Controller

Lihv is the data controller for the personal data processed through the Service. For data protection enquiries, contact us at privacy@lihv.co.uk.

3. Data We Collect

3.1 Account Information

When you register, we collect:

  • Full name and title
  • Email address
  • Region (England, Scotland, Wales, or Northern Ireland)
  • Password (stored securely using bcrypt hashing)

3.2 Usage Data

When you use the Service, we collect:

  • Conversation content (messages you send and responses generated)
  • Token usage statistics (input and output token counts)
  • Tags and labels you apply to messages
  • Timestamps of activity (last active, conversation dates)

3.3 Payment Data

Payment processing is handled by Stripe. We store your Stripe customer ID for subscription management but do not store credit card numbers, CVVs, or full payment card details. Please refer to Stripe's Privacy Policy for details on how they handle payment data.

3.4 Technical Data

We may collect technical information such as browser type, IP address, and device information for security and service improvement purposes.

4. How We Use Your Data

We use your personal data to:

  • Provide and maintain the Service
  • Authenticate your identity and manage your account
  • Process subscription payments and manage billing
  • Track token usage for plan limits and billing
  • Send password reset emails and important service notifications
  • Improve and develop the Service
  • Comply with legal obligations

5. Legal Basis for Processing

We process your data on the following legal bases:

  • Contract: Processing necessary to provide the Service you have subscribed to
  • Legitimate interest: Service improvement, security, and fraud prevention
  • Legal obligation: Compliance with applicable laws and regulations
  • Consent: Where required, such as for marketing communications

6. Patient Data

You must not enter identifiable patient data into the Service. This includes patient names, NHS numbers, dates of birth, addresses, or any other information that could identify an individual patient. All clinical scenarios should be anonymised before being entered into the Service.

We are not a healthcare provider and do not act as a data processor for patient data. If identifiable patient data is inadvertently entered, you must notify us immediately so we can assist with its removal.

7. Data Sharing

We share your data with the following third parties, strictly as necessary:

  • Anthropic: Conversation content is sent to Anthropic's API to generate responses. Anthropic processes this data in accordance with their data processing terms.
  • Stripe: Payment and subscription data is processed by Stripe for billing purposes.
  • Resend: Your email address is shared with Resend for transactional emails (password resets, account notifications).

We do not sell your personal data. We do not share your data with third parties for marketing purposes.

8. Data Storage and Security

Your data is stored on secure servers with the following safeguards:

  • Passwords are hashed using bcrypt (never stored in plain text)
  • All data in transit is encrypted using TLS/HTTPS
  • Database access is restricted and authenticated
  • Session tokens are HTTP-only cookies to prevent XSS attacks
  • Password reset tokens are cryptographically secure and time-limited

9. Data Retention

We retain your data as follows:

  • Account data: Retained for the duration of your account, plus 30 days after deletion
  • Conversation data: Retained for the duration of your account. You may delete individual conversations at any time.
  • Payment records: Retained for 7 years as required by UK tax law
  • Password reset tokens: Automatically expire after 1 hour

10. Your Rights

Under UK GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your personal data
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Request restriction of processing
  • Objection: Object to processing based on legitimate interests

To exercise any of these rights, contact us at privacy@lihv.co.uk. We will respond within 30 days.

11. Cookies

We use the following cookies:

  • Session cookie (lihv-session-user-id): Essential for authentication. HTTP-only. Expires after 24 hours or 30 days if “Remember me” is selected.
  • Preferences (localStorage): Dark mode preference and sidebar state. Stored locally on your device.

We do not use analytics cookies, advertising cookies, or third-party tracking cookies.

12. Children

The Service is not intended for individuals under the age of 18. We do not knowingly collect data from children.

13. International Transfers

Your conversation data may be processed by Anthropic in the United States. Appropriate safeguards are in place in accordance with UK GDPR requirements for international data transfers.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The “Last updated” date at the top of this page indicates when the policy was last revised.

15. Complaints

If you are dissatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

16. Contact

For any questions about this Privacy Policy, contact us at privacy@lihv.co.uk.