Their website's privacy policy doesn't say anything about their product. It's also incorrect (they seem to have switched tracking providers without updating their privacy policy). I would quote the sections that are incorrect, but their terms and conditions forbid copying any content from their site. Their T&C also forbids me from linking to their page or terms.
I very much doubt that using this product as advertised is even legal under the GDPR. The company is French and health data, even pseudonymized, is strictly regulated. The "demo" doesn't feature any explicit consent at the very least.
It looks like they're making all privacy risks and concerns the doctors' problems. After all, they're the ones violating the law when they use this product.
Our product is GDPR compliant.
What I don't understand from those, and statements made by your team in this thread, is how some claims can be compatible.
- That the product is GDPR compliant.
- That you don't store the PII or health data.
- Yet all data is stored at Google servers.
- Also, you reserve the right to re-use said data. (Which, since this is for R&D purposes, should probably qualify you for the need to ask the CNIL for an authorization as "health data repository"? [0])
- That none of the data is sent outside the EU or to additional 3rd parties.
- Yet it uses a fine-tuned "GPT-3" (a term that to the best of my knowledge exclusively refers to Microsoft/OpenAI's US-based API service, not to on-prem GPT-like LLMs like GPT-J or GPT-NeoX).
All in all, I can feel the enthusiasm but it does feel like this thread would have been so much more reassuring with some proactive comments about the privacy/health data issues, rather than have everyone voice the obvious concern with no prepared answers.
[0] https://www.cnil.fr/fr/la-cnil-adopte-un-referentiel-sur-les...
I hope this link will clarify our position.
Here are additional answers related to your points.
- We do use Google Cloud to host our backend in the EU or in the US, but also the data for the Care Platform product. For the Copilot product, we don't host any data. It is hosted locally in the practitioner's browser.
- Our T&C reserves the right to re-use data in the event that we store the data in future versions of Nabla Copilot. In any case, the reuse of data, even health data, is allowed by the GDPR for the improvement of the service provided if the data controller (practitioner) authorizes us and if they have informed the patient.
- We did not say that "none of the data is sent outside the EU". Actually, we say the opposite in the Copilot APD Annexe 1. We specifically mention Google and OpenAI, and we comply with the GDPR with a data protection agreement with both these companies.