Privacy policy.

Last updated: November 18, 2025

1. Security and compliance 

Security and compliance are top priorities for Quench because they are fundamental to your experience with the Quench product. Quench is committed to securing your application data, eliminating system vulnerabilities, and ensuring continuity of access. 

Quench uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. All Quench employees undergo background checks before employment and are trained on security practices during company onboarding and annually. 

Security is directed by Quench’s Privacy Officer. 

2. Infrastructure and network security 

2.1 Physical access control 

Quench is hosted on Amazon Web Services (AWS). AWS data centers use a layered physical security model and only grant data-center access to approved personnel following the principle of least privilege and time-bound access controls, as described in AWS’s own data-center control documentation. Quench employees do not have physical access to AWS data centers, servers, network equipment, or storage. 

2.2 Logical access control 

Quench is the administrator of its infrastructure on AWS. Only designated, authorized Quench operations team members can configure the infrastructure, using a two-factor authenticated virtual private network. Access to individual servers requires specific private keys, stored securely in encrypted form. 

2.3 Third-party audit 

AWS undergoes regular independent audits and holds certifications such as SOC 2 and ISO 27001 for its data centers, infrastructure, and operations. 

3. Data security and privacy 

3.1 Data encryption 

All data stored in Quench servers is encrypted at rest. AWS stores and manages cryptographic keys in its redundant Key Management Service (KMS). If an intruder were ever able to access physical storage media, Quench data would remain encrypted and unreadable without the keys. 

Encryption at rest also enables secure backup and infrastructure management without compromising data privacy. 

All data sent to and from Quench is transmitted over HTTPS with TLS encryption. 

3.2 Data removal

All customer data stored on Quench servers is deleted upon account termination after a 24-hour waiting period to prevent accidental cancellation. Data can also be deleted earlier upon request, subject to any legal retention obligations. 

4. Application security 

4.1 Secure development lifecycle 

Quench uses a continuous delivery methodology. All code changes are committed, tested, reviewed, and deployed via a controlled build pipeline. Pull requests, continuous integration (CI), automated error tracking, and logging help reduce the likelihood of security issues and enable rapid remediation of vulnerabilities. 

5. Corporate security and risk management 

All product changes must pass code review and CI before reaching production. Only designated operations staff have secure shell (SSH) access to production systems. 

Quench performs ongoing testing and risk management on systems and applications. New security methods are reviewed and deployed via internal processes and documented in internal knowledge bases. 

6. Contingency planning 

The Quench operations team maintains contingency plans for unforeseen events, including risk management, disaster recovery, and customer communication. These plans are tested and updated on an ongoing basis and formally reviewed at least annually. 

7. Security policies and training 

Quench maintains an internal knowledge base of security policies, reviewed annually and updated as needed. An overview of specific security policies is available to enterprise customers upon request and covers areas including: 

• Information Security 

• Risk Management 

• Security Incident Response 

• Vulnerability Management 

• Change Management 

• System Access 

All engineers review security policies during onboarding and are expected to stay current via internal documentation. Policy changes that affect the product are implemented via pull requests that all engineers can review. Major updates are communicated to all employees by email. 

8. Incident response and disclosure 

Quench follows an incident handling and response process modeled on industry standards for identifying, containing, eradicating, recovering from, and documenting security events. 

Quench will notify affected customers of any data breach as soon as reasonably possible via email, followed by periodic updates on progress and impact until remediation is complete. 

9. Vulnerability disclosure

Anyone may report security vulnerabilities or concerns by contacting dev@projectquench.ai and including a proof of concept, list of tools used (with versions), and relevant output. Quench takes all disclosures seriously, verifies each reported issue, and then applies appropriate fixes, providing periodic status updates where appropriate. 

10. HIPAA 

Quench and its affiliates support HIPAA compliance through technical and organizational measures designed to protect Protected Health Information (PHI). These measures include encrypted transmission and storage, strict access controls, and role-based permissions to ensure only authorized personnel can access PHI. 

Quench personnel who may encounter PHI undergo internal privacy and security training, and Quench conducts periodic audits and vulnerability assessments to maintain an appropriate security posture. 

11. Use of AI and large language models (LLMs) 

11.1 Purpose and role of AI 

Quench uses AI and LLMs to assist with tasks such as structuring and formatting medico-legal reports, summarising large bodies of clinical and legal text, and suggesting language for drafts. 

AI outputs are used as drafting aids only. They do not replace the clinical judgment or medico-legal expertise of the clinician, nor do they constitute legal or medical advice by Quench. The clinician remains the expert and the sole author of any opinions expressed in a report. 

11.2 Use of external LLM providers (OpenAI and Google Gemini) 

For these AI features, Quench uses enterprise-grade LLM application programming interfaces (APIs), including services provided by OpenAI and Google (Gemini and related services). Case materials that you choose to process with Quench may be sent, in encrypted form, to these providers as data processors so they can generate the requested outputs. 

These providers’ business and API offerings are designed so that customer API data is not used to train or improve their foundation models by default, and they support customers’ compliance with GDPR and other privacy laws. Quench configures these services as processors under appropriate data-protection terms and does not allow them to use your case material to train or fine-tune any general-purpose models. 

11.3 No use of public chatbots for case material 

Quench does not send your case material to public consumer chatbots or browser-based tools where prompts may be used to train models or be exposed to third parties. This design is aligned with judicial guidance in England and Wales, which warns that public AI chatbots do not provide answers from authoritative databases and may generate information that is inaccurate, incomplete, misleading or out of date, and advises users not to enter private or confidential information into such tools. 

11.4 No automated decision-making with legal effect 

Quench provides augmented drafting and workflow support. It does not perform automated decision-making that produces legal or similarly significant effects for data subjects. AI outputs are always subject to human review and correction. This approach is consistent with UK GDPR principles and NHS guidance, which emphasise that AI systems in health and care should support, not replace, professional judgment and that the final decision about care remains with the clinician. 

11.5 Alignment with professional standards

Quench’s design is intended to support, not undermine, professional standards for clinicians. Guidance from the General Medical Council (GMC) on confidentiality and digital technologies makes clear that patients have a right to expect that their personal information will be treated as confidential and that doctors remain responsible for the decisions they take when using technologies such as AI. NHS information-governance guidance similarly requires that AI implementations use data lawfully, complete a data protection impact assessment where required, and ensure that health and care professionals remain the decision-makers. 

12. GDPR / UK GDPR information for UK and EU users 

12.1 Roles and responsibilities 

For medico-legal case material, the instructing organisation (for example, the clinician’s practice, hospital trust, insurer, law firm, or medico-legal agency) will usually act as the data controller under UK GDPR or EU GDPR. Quench typically acts as a data processor on their behalf, under a written data-processing agreement. 

For account, billing, and product-analytics data relating to your use of Quench, Quench may act as an independent data controller. 

12.2 Legal bases for processing 

Depending on context, and where Quench is acting as controller, the main legal bases we rely on are: 

• Performance of a contract with you (Article 6(1)(b) UK GDPR / GDPR). 

• Legitimate interests (Article 6(1)(f)), such as securing and improving the service. 

• Compliance with legal obligations (Article 6(1)(c)). 

Special-category health data in medico-legal records is typically processed under Article 9(2)(f) (establishment, exercise or defence of legal claims) and/or Article 9(2)(h) (health or social care), with the instructing organisation as controller. 

12.3 International transfers 

Where data is processed or stored outside the UK or EU (for example, in AWS, OpenAI or Google cloud regions), Quench uses appropriate transfer mechanisms such as the UK International Data Transfer Agreement or EU standard contractual clauses, as applicable, along with technical and organisational measures such as encryption. 

12.4 Data subject rights 

Under UK GDPR and EU GDPR, data subjects have rights including: 

• Access to their personal data. 

• Rectification of inaccurate data. 

• Erasure (in certain circumstances). 

• Restriction or objection to processing. 

• Data portability (where applicable). 

• The right not to be subject to automated decision-making with legal or similarly significant effects (Article 22). 

Where Quench acts as processor, individuals should normally exercise these rights via the relevant data controller; Quench will support controllers in responding to such requests. 

12.5 Contact and complaints

Data-protection queries can be directed to: [insert privacy contact email]. UK data subjects also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) or, in the EU, with their local supervisory authority. 

13. LLM security and retention 

• All transmissions between Quench and LLM providers use TLS encryption. 

• Quench configures LLM providers so that case data is not used to train foundation models or improve services, except where a customer has explicitly elected such use in a separate agreement. 

• LLM prompts and outputs are stored within Quench’s own environment for as long as the customer account is active or as required by law or contract; customers may request deletion or shorter retention, subject to legal obligations. 

• Quench does not sell personal data or conversation histories. 

A more detailed assurance statement for clinicians and instructing parties is available on request.