Contact

Privacy Notice for Reps

WELCOME TO STEM’s AI RECORDING TOOL PRIVACY NOTICE

Introduction

This Privacy Notice explains how we collect, use, and protect your personal data when you use STEM’s AI Recording tool application (“application”) to upload recorded conversations and content for analysis and service improvement purposes. The application is designed as a coaching and insight generation tool, and not as a compliance monitoring, surveillance, or audit system.

We are committed to protecting your privacy and complying with data protection legislation including the General Data Protection Regulation (GDPR). This Privacy Notice is intended for Sales Representatives who use the STEM AI Recording Tool in the course of their professional activities as an employee or worker for STEM’s client (the “Client”). This includes data collected when Sales Representatives log into the application and initiate and store recordings through its functionalities.

This Privacy Notice applies globally. Additional jurisdiction‑specific privacy information, including any local rights or requirements, may apply depending on your location and is set out in the relevant country‑specific annex to this Notice. If there is any difference between this Privacy Notice and a country‑specific annex, the annex will apply to ensure compliance with local law.

We genuinely value your privacy and are deeply committed to safeguarding your personal data. When we refer to “your personal data,” we mean any information about you that is collected and stored by this application. Some of the information we collect may be transmitted to and processed by secure, external systems operated by our trusted service providers. These systems are designed to ensure robust security and efficient handling of your data.

We keep our Privacy Notice under regular review. This Privacy Notice is effective from July 2025.

Understanding of Data Controller and Data Processor

This section clarifies the roles of Data Controller and Data Processor under GDPR.

STEM is the Data Processor when handling recordings or other content that is uploaded by you on behalf of the Client. The Client is the Data Controller. This means STEM may only process personal data in accordance with the Client’s documented instructions.  STEM and the Client are parties to a data processing agreement when STEM acts as a Data Processor.

STEM is the Data Controller when using anonymised data for analytics or enhancement of the application. In these specific instances, STEM determines the purposes and means of processing, particularly when STEM uses data for trend analysis and to improve its services. Rest assured, any data used for these purposes will be aggregated and anonymised in a way that prevents identification of individuals.

Privacy Notice Sections

  1. IMPORTANT INFORMATION AND WHO WE ARE
  2. CONTACT DETAILS
  3. THE DATA WE COLLECT ABOUT YOU
  4. HOW IS YOUR PERSONAL DATA COLLECTED
  5. HOW WE USE YOUR PERSONAL DATA
  6. DISCLOSURES OF YOUR PERSONAL DATA
  7. INTERNATIONAL TRANSFERS
  8. DATA SECURITY
  9. DATA RETENTION
  10. PROTECTING MINORS
  11. YOUR LEGAL RIGHTS

1. IMPORTANT INFORMATION AND WHO WE ARE

Purpose of this Privacy Notice

This Privacy Notice informs you how we collect and process all personal information relating to individuals that is processed within the application.

This Privacy Notice is not intended for children.

It is important that you read this Privacy Notice together with any other Privacy Notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements the other notices and is not intended to override them.

We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact us using the details set out below.

2. CONTACT DETAILS

Our full details are:

Trading name: STEM

Legal entity: STEM Healthcare Ltd

Email address:  [email protected]

Postal address: 6th Floor, Holborn Gate, 26 Southampton Buildings, London, WC2A 1AN

Phone number: +44 (0) 20 3861 3999

You have the right to make a complaint at any time to the supervisory authority for data protection issues in the country in which you reside. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.

Your duty to inform us of changes

It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your relationship with us.

3. THE DATA WE COLLECT ABOUT YOU

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:

  • Identity Data includes first name, last name or similar identifiers;
  • Contact Data includes email address and telephone numbers;
  • Technical Data includes internet protocol (IP) address, your login data, mobile OS, time zone setting, operating system and platform, and other technology on the devices you use to access this mobile app;
  • Profile Data includes your current job role, feedback and survey responses;
  • Usage Data includes information about how you use our application and services;

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific application feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.

The application is not designed to collect Special Categories of Personal Data, and you should not intentionally record or upload such information. We don’t knowingly collect, use and/or share Special Categories of Personal Data (or Sensitive Personal Data) about you (which may include information about your health, genetic and biometric data, details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions and/or trade union memberships).

4. HOW IS YOUR PERSONAL DATA COLLECTED?

We use different methods to collect personal data from and about you including through:

  • Direct Interactions: This includes data you provide when you:
    • Log in to the application: Your login credentials (email and password) are collected during this process.
    • Create your account: During initial setup, we may collect information such as your name and territory.
  • Automated Technologies or Interactions: As you interact with our application, we may automatically collect Technical and/or Usage Data about your equipment, application usage, and patterns. This data is gathered via technologies such as Logfiles, Pixel Tags/Web Beacons, and Analytics (collectively referred to as “Technologies”). We may also use “Cookies” or similar technologies to enhance your experience.
  • User-Initiated Recordings: When you initiate recordings within the application, the data generated from these recordings is collected. This includes the content of the recordings themselves, along with associated metadata. These recordings may contain third-party data (e.g., HCPs). You are responsible for obtaining consent from those third parties. The system is not intended to be used as a general recording repository, and recordings are processed solely for defined analytical purposes within the application.

We utilize these technologies to understand how our application is used, improve its functionality, and ensure a seamless user experience.

5. HOW WE USE YOUR PERSONAL DATA

We will only use your personal data when the law allows us to. We do not use personal data collected through the application for profiling or automated decision-making that produces legal or similarly significant effects. Most commonly, we will use your personal data in the following circumstances:

  • Enable app functionality and user support.
  • Generate anonymized insights and performance metrics.
  • Analyze recordings to generate aggregated and anonymized insights, improve service outputs and provide coaching tips.

We will rely on one or more of the following legal grounds (as appropriate) to process your personal data:

  • To pursue our legitimate business interests in providing and marketing our products and services;
  • Your consent to us using your information, which you can withdraw at any time;
  • To comply with our legal obligations and establish, exercise or defend our legal rights; and
  • Those other purposes that you have agreed with us.

Personal data is not used to train or fine‑tune the STEM AI model, and any model or service improvement is based only on anonymized or aggregated data.

Marketing

We don’t use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

6. DISCLOSURES OF YOUR PERSONAL DATA

STEM is a part of INIZIO, a global group of companies, and we may share your personal information with other members of the Group. The nature of our business, operations and services requires us to transfer your information (from time to time) to our associated offices and/or group companies. We may transfer the information we collect about you to countries other than your home country or other than the country in which the information is originally collected. Your personal information may be accessible by our other international entities. We will take appropriate steps to ensure that your information is protected and handled in accordance with legal requirements and as described in this Privacy Notice.

We may also share your information with selected third parties including:

  • Business partners, clients, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
  • In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets; and
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to enforce any contract or agreement between us; or to protect the rights, property, or safety of Inizio, our staff, customers, or others.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

7. INTERNATIONAL TRANSFERS

Whenever we do transfer your personal data to another jurisdiction, we will take appropriate steps to protect such, which includes the following:

  • Entering into an agreement with the third party which includes clauses that offer adequate protection for your information and these will offer no less protection than are provided by those determined by the EU commission, a template copy of which is available at: https://commission.europa.eu/law/law-topic/data-protection_en; or
  • Otherwise ensuring that information would only be transferred to third parties in jurisdictions that have at least the same data privacy protection for personal data as the jurisdiction from which the personal data originates from. For example, in the case that the personal data originates from the EEA or UK and is transferred to a third country that has been deemed to offer adequate protection by the EU Commission or UK ICO for the processing of your personal data.

8. DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Storage of Personal Data 

We securely store your personal data in a centralised databases and within certain trusted third-party vendor tools, with controlled access to these locations. Access to personal data in electronic form is restricted to employees who have a legitimate and justifiable reason to view such data.

9. DATA RETENTION

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, tax, reporting requirements or as is consented to by yourself. Recordings will be retained for the period of 3 months (90 days) before they are hard-deleted. Non‑anonymized data is deleted as soon as processing is complete, and only anonymized outputs are retained thereafter where necessary.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may use anonymized and aggregated data for research ,statistical analysis and service improvement purposes in which case we may use this information indefinitely without further notice to you where such data can no longer be linked to an identifiable individual.

10.PROTECTING MINORS

Our services are not designed for or directed at minors.

In most cases, a “minor” is anyone under 16 years old. However, this age may be higher in specific countries or territories based on local laws.

We do not intentionally gather personal data from minors or permit them to register for our services. If we discover that we have inadvertently collected personal data from a minor, we may delete this information immediately without notice.

11. YOUR LEGAL RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your personal data, which include the following:

  • Request access to your information by submitting a request via the contact details listed in section 2.
  • Update or amend your information if it is inaccurate or incomplete.
  • Object to certain uses of your personal data, including direct marketing and processing based on legitimate interests and processing for purposes of scientific or historical research and statistics on grounds relating to your particular situation.
  • You can ask us to delete your data, or restrict its use, in certain circumstances (for example, where permitted by law), you can request that we erase your information where the information is no longer necessary for the purpose for which it was collected).
  • To withdraw any consent, you have provided in respect of our use of your information.
  • To request a copy of the information you have provided to us, to use for your own purposes (often called your right to data portability).
  • To lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.

If you have any questions about these rights, or you would like to exercise any of them, please contact us by submitting a request to [email protected].

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.