safe space

What does safety mean to us?
Heidi was built by clinicians for clinicians.
We understand the privilege of handling sensitive personal information and we take it seriously. Supported by our world-class compliance team, we're at the forefront of data safety for AI scribes globally, ensuring your data remains secure.
Whatever your specialty, we’ve made Heidi both safe and joyful to use. Here’s how.
Ticking all your compliance and safety boxes.
What data does Heidi store?
How does Heidi protect your data?
Encryption, everywhere. Encrypted at rest and in transit, your data is protected every step of the way.
Global compliance and secure storage. Your data is handled in full compliance with GDPR, including strict data processing controls and security measures, and stored in-region on infrastructure certified against ISO 27001, SOC 2 and Cyber Essentials.
Strict access control. You, the clinician, control who can see your sessions, and obtaining explicit patient consent remains your responsibility. Heidi’s team can only look at your data if you specifically ask us to (“Hey, help me troubleshoot!”), and even then, every access is logged.
De-identification of your data. Before Heidi processes your session, we replace personal identifiers with placeholders (think ‘Jane Doe’ instead of the patient’s name), so the content can’t be traced back to an individual.
Heidi doesn’t use any of your data to train our AI.
We know every clinician has their own style and vision of the perfect note, and that's why our incredible Medical Knowledge team—skilled clinicians turned prompt engineers—create hundreds of templates based on your feedback. Need any tweaks? It's simple: just jump into your template, tell Heidi exactly what you want and where you want it, and she'll remember your changes—you're in charge.
Delete means delete. Forever.
Every account matters. Free or paid, premium security is always included.
Making Heidi work for your practice.
Our compliance team is here to guide you through every step to ensure full compliance when using Heidi in your practice. To get started, you'll need to:
Complete a Data Protection Impact Assessment (DPIA)
We can assist you with this - simply fill out the form at the bottom, or your Data Protection Officer (DPO) may already have one prepared.
Sign a Data Processing Agreement (DPA)
This ensures that data processing responsibilities are clearly defined and compliant with UK regulations.
Obtain Clinical Safety Documentation
You’ll need to obtain our DCB0129 clinical safety documentation (the clinical risk management standard for manufacturers of health IT systems) and produce your own DCB0160 documentation (the equivalent standard for healthcare organisations deploying them). Both are essential for safe implementation in your practice.
Heidi best practice for your practice.
Empower your patients with consent.
There are many ways to ask for consent, and we trust that you choose the one that works for you and your patients. To keep it top of mind, you can ask Heidi to remind you at the beginning of your session - just head to your settings.
Remember to check your notes.
Once your notes are generated, take time to review and add any more detail or context before transferring them to your Electronic Health Record (EHR) system.
Share access responsibly.
To protect the confidentiality of your patients’ consults, please avoid sharing your account access. We've made our templates easy to share through our template library, and anyone can try Heidi for free. Curious about giving Heidi a go? Simply create a free account.
Quick answers
Heidi Safety FAQs
Yes. Heidi keeps your personal data within the EU/EEA, protects it in accordance with GDPR requirements, and processes and transfers it lawfully, fairly and transparently, backed by strict protocols and robust security measures. Our continuous compliance management system keeps us vigilant on our GDPR obligations year-round, which also reduces the risk of gaps opening up between audits. Learn more about our GDPR compliance practices here.
Yes and yes. Heidi meets all the mandatory requirements and standards needed to operate safely and securely within the NHS, including clinical safety protocols, data protection regulations and information governance frameworks. We have done this by completing the Digital Technology Assessment Criteria (DTAC), satisfying the Data Security and Protection Toolkit (DSPT), and meeting the DCB0129 clinical safety standard. Together, this documentation demonstrates that we handle patient information responsibly and gives healthcare providers the confidence to deploy our platform in an NHS environment. If you need any of these documents, don’t hesitate to contact our team through the form below.
Yes! We have DPIAs for all jurisdictions that we operate in. If you need a copy, please don’t hesitate to reach out to our amazing compliance team through the form below.
Short answer, no. Before Heidi processes your session, we strip all data of personal identifiers (think ‘Jane Doe’ instead of the patient’s name), so it can’t be traced back. Your patient’s data remains protected and Heidi does not and will not contact your patients for any purposes.
No, Heidi does not store any audio. As you speak, Heidi transcribes, and the audio immediately goes *poof*. Even if you upload an audio file that was recorded offline, the audio stays only on your device, and Heidi doesn’t retain any of it once it has been transcribed.
It’s your data, and you’re in control. You can keep your notes for as long as you need, set up a regular deletion schedule, or delete them on an ad-hoc basis - whatever works for you. Note: Heidi isn’t designed for long-term record storage, so we recommend reviewing and transferring your notes to your medical records system as soon as they’re ready. You can then set up a 24-hour deletion schedule in line with NHS England (NHSE) guidance, or one that works best for your practice.
Locally. Heidi’s “brain” (aka servers) stays strictly in the region you’re based in, keeping everything in line with data localisation requirements under regulations like GDPR.
Step 1: Prevention. Heidi runs on best-in-class infrastructure - think ISO 27001, SOC 2 and Cyber Essentials compliant - and is penetration tested every year. Our data storage architecture also ensures that your protected health information (PHI) is de-identified and processed separately from the rest of the transcript. The reality is, though, that we have to be prepared for anything, so all of our users, free or paid, are insured and receive the same high standard of compliance.
First, you might be wondering what AI scribe hallucinations are. Put simply, AI sometimes generates content that is nonsensical or incorrect - think hearing things that weren’t said. While we’re continually improving the technology to prevent this, here is how we tackle it today:
- Our experienced Medical Knowledge team regularly reviews our models and templates and checks their outputs for accuracy.
- Your feedback and input is invaluable. We encourage you to review all notes before transferring them to your EHR system.
Short answer: yes. If your notes are stored in Heidi at the time they are subpoenaed, we are legally required to comply and may need to provide access upon request.
If, however, you have already deleted your notes, they are permanently wiped from our systems and we are unable to retrieve them.
In short, the data handled by Heidi and your clinic is highly sensitive (special category) data, and completing a DPIA is both a practical and legal measure to identify, assess, and mitigate data protection risks - ultimately ensuring compliance and preserving patient trust. We can absolutely guide you through the process, making sure you’re set up for confident and compliant use of Heidi.
To find out whether Heidi’s been vetted by your local ICB, you can explore this map.
- The bright pink areas have been confirmed
- The dark purple areas are in process
- The light purple are yet to be approached
Even if your ICB is not pink yet, it’s not a barrier for your practice. Our compliance team is here to guide you through all the necessary compliance requirements independently. If you’ve already established contact with your DPO or ICB, you’re welcome to introduce our compliance team, who’d be delighted to help you through the process.
You say you’re compliant. But how do you prove it?
Have any more questions?