Where is patient data hosted?
All data is hosted on European infrastructure. PappAI is GDPR-native by design, not adapted after the fact.
Security & Privacy
PappAI is built on data minimisation, role-based access control, and a strict separation between AI-generated suggestions and the clinical decisions that are always yours to make.
Data minimisation
We collect only what the clinical workflow actually requires. Each practice's data is scoped to that practice alone and is never shared across tenants or used for any purpose outside the service.
Role-based access
Nutritionists and patients operate in separate authentication contexts. Each role is permitted to see and act only on what it needs. The system is designed to keep sessions isolated and to prevent cross-role data exposure.
Human decision always wins
AI generates a proposal. The clinician reads it, adjusts it if needed, and approves it. No AI output is applied to a patient record without an explicit professional action.
Access control
Each nutrition practice operates inside its own isolated context. The boundaries are enforced at the database level, not just in application logic.
Tenant isolation
One studio cannot access the patients, records, or settings of another. Data is logically partitioned and scoped by practice at the database layer.
Role separation
Nutritionist accounts and patient accounts are distinct authentication identities with different permissions. A patient cannot see clinical notes; a nutritionist cannot impersonate a patient.
Endpoint-level enforcement
Authenticated clinical-data endpoints are designed to verify role and tenant membership on every request. The architecture is built to make these checks unavoidable for protected routes.
Explicit patient association
A patient is linked to a practice only after redeeming a one-time association code issued by the professional. No implicit or automatic linking occurs.
Data & GDPR
Patients' clinical information is health data within the meaning of Article 9 GDPR. We treat it accordingly.
Controller / Processor split
The nutrition professional is the data controller for their patients' data. PappAI acts as data processor on their behalf, under the terms of our Data Processing Agreement.
Informed consent in the workflow
PappAI supports collecting patient consent as part of the workflow and stores attributable consent records (who consented, when, and to what version of the notice). It is the professional's responsibility to obtain consent in line with their applicable obligations.
No training on patient data
Patient clinical data is never used to train, fine-tune, or evaluate AI models — by PappAI or by any of our sub-processors.
Data Processing Agreement available
A standard DPA is available for download. If your organisation needs a custom DPA, contact us at support@pappai.it.
AI role & limits
PappAI uses AI to accelerate professional workflows. The system is designed so that clinical responsibility always remains with the licensed professional.
Suggestions only
AI generates diet plans and clinical observations as draft proposals. The professional must review and explicitly approve each one before it is saved or shown to the patient.
Audit trail of AI operations
Relevant AI interactions are logged: the request context, the generated output, and the outcome — accepted as-is, modified, or rejected. The logs are designed to be accessible to the professional for review.
No autonomous actions
AI never sends messages to patients, never modifies a saved plan, and never acts without an explicit user action. There are no background AI operations that the professional has not triggered.
AI outputs are informational drafting support for the licensed professional's review. PappAI is not a medical device, does not perform diagnosis or treatment, and is not intended to replace clinical judgement. Clinical and dietary responsibility remains with the licensed professional at all times.
FAQ
All data is hosted on European infrastructure. PappAI is GDPR-native by design, not adapted after the fact.
Yes. PappAI acts as data processor for the nutritionist, with a Data Processing Agreement available directly from the platform, granular patient consent tracking, and data subject rights (export, erasure) built into the product.
No. Personal identifiers are pseudonymised before any AI processing, and patient data is never used to train third-party AI models.
Only the assigned nutritionist and, where explicitly configured, their studio team. Row-level tenant isolation prevents any cross-account data access.
Both the nutritionist and the patient can request a full data export or account erasure at any time from within the platform, in line with GDPR Articles 15, 17 and 20.
Start your free trial and explore the platform with your real workflow. No credit card required.
Quick setup · No contractual commitment
We value your privacy
We use cookies to improve your experience, analyse site traffic, and enable personalised features. You can accept all cookies, reject non-essential ones, or manage your preferences. Cookie Policy