Last updated: February 2026
1. Introduction
4Cori Ltd ("4Cori", "we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, and protect personal data when you use our services, visit our website, or interact with us.
4Cori Ltd is registered in England and Wales (company number 16030827) with its registered office at 40 Woodcote Park Road, Epsom, England, KT18 7EX. We are registered with the Information Commissioner's Office (ICO) under registration number ZB817257. We are the data controller for the processing activities described in this policy, except where stated otherwise.
2. Who This Policy Applies To
This policy applies to:
• Clinician customers who purchase our video library services
• Patients and viewers who watch videos hosted on our platform
• Website visitors who browse our website or Portal
3. Data We Collect
3.1 Clinician Customers
When you become a customer, we collect:
• Identity and contact information: name, email address, telephone number, professional qualifications, regulatory body registration details, and practice details
• Billing information: billing address and payment details (processed securely by our payment provider)
• Biometric data: your likeness and voice recordings used to create your AI avatar for video production. This includes a consent video verified using facial recognition technology to match your identity
• Content you provide: scripts, clinical information, evidence sources, branding materials, and feedback submitted through our Portal
• Conflict of interest declarations: information about any commercial or financial interests related to your video content
• Communications: correspondence with our support team and timestamped feedback on video drafts
3.2 Patients and Video Viewers
We do not collect any personal data from patients or individuals who view videos on our platform. Video viewing is completely anonymous. We collect only aggregated, anonymised analytics (such as total view counts, average watch duration, and general geographic regions) which cannot identify individual viewers.
3.3 Website Visitors
When you visit our website or Portal, we collect only the technical data necessary to deliver our services, such as session information required for account access and security.
4. How We Use Your Data
We use personal data for the following purposes:
• Service delivery: to create your video library, including producing AI avatars using your likeness and voice, and generating multilingual versions of your content
• Account management: to manage your customer account and provide access to our Portal
• Payment processing: to process setup fees and hosting subscriptions
• Support and review: to respond to your enquiries, manage the production approval process, and facilitate clinical peer review
• Service improvement: to analyse anonymised usage data and improve our platform
• Compliance and audit: to maintain records for regulatory compliance, including PIF TICK accreditation standards
• Legal compliance: to meet our legal and regulatory obligations
5. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR:
• Contract: processing necessary to perform our contract with you (service delivery, account management, payment processing)
• Consent: for the creation of AI avatars using your biometric data (likeness and voice). Consent is obtained through a recorded statement and verified using facial recognition technology
• Legitimate interests: for service improvement and portfolio management (where this does not override your rights)
• Legal obligation: where required to comply with applicable laws
6. Who We Share Data With
We share personal data with the following categories of recipients:
• Synthesia: our AI video platform provider, who processes your likeness and voice data to create avatars. Synthesia is certified to ISO/IEC 42001:2023 and operates under appropriate data protection standards. All videos pass through Synthesia's content moderation framework.
• SuiteDash: our HIPAA-compliant portal platform provider, who hosts the secure customer portal where files, approvals, and communications are managed.
• Supabase: our database and authentication provider, who securely stores customer account data and manages user authentication.
• Stripe: our payment processor, who handles payment card data securely. We do not store your full payment card details.
• Amazon Web Services (AWS): our cloud hosting provider, operating in UK/EU regions, who hosts our infrastructure.
• Vercel: our web application deployment platform, who hosts and serves our website and Portal.
• Vimeo: our video hosting platform, used for video review during production (allowing clients and clinical advisors to provide timestamped feedback) and for permanently hosting completed video libraries for customer access.
• Dropbox: used for secure backup storage of documents and video files.
• Professional advisers: such as lawyers and accountants, where necessary for legal or regulatory purposes.
We do not sell your personal data to third parties. We do not use your content to train public AI models. No personal or patient-identifiable data is entered into AI tools during content production.
7. International Data Transfers
Your data is primarily stored and processed within the UK and European Economic Area. Where data is transferred outside these regions (for example, where a service provider uses infrastructure in other countries), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office.
8. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
• Customer account data: for the duration of your contract plus 3 years
• Payment and invoice records: 7 years (as required for tax and accounting purposes)
• Support correspondence and production records: 2 years from the date of the last communication
• Hosted video content and avatars: 6 months after hosting ends, unless reactivation is agreed
• Version history and approval records: permanently retained within our production systems for compliance and audit purposes
9. Your Rights
Under UK data protection law, you have the following rights:
• Access: request a copy of the personal data we hold about you
• Rectification: request correction of inaccurate or incomplete data
• Erasure: request deletion of your data in certain circumstances
• Restriction: request that we limit how we use your data
• Portability: receive your data in a structured, commonly used format
• Objection: object to processing based on legitimate interests
• Withdraw consent: where processing is based on consent (such as avatar creation), you may withdraw it at any time
To exercise any of these rights, please contact us at privacy@4cori.com. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk if you believe your data protection rights have been infringed.
10. Cookies
Our website and Portal use only essential cookies necessary to enable core functionality, including security, account access, and session management. We do not use cookies for advertising or third-party tracking purposes.
11. Security
We apply appropriate technical and organisational measures to protect your personal data, including access controls, encryption in transit, secure hosting environments, and vetted subprocessors. Our platform is hosted on secure UK/EU infrastructure. We are certified to Cyber Essentials standards and comply with ICO and GDPR requirements. Our portal platform is HIPAA-compliant.
12. Use of AI and Data Protection
We use AI tools, primarily Synthesia, for video creation. We take the following measures to protect your data:
• No personal or patient-identifiable data is entered into AI tools
• All AI-generated content is reviewed by qualified medical professionals before release
• Avatar creation requires explicit recorded consent, verified using facial recognition technology
• All videos pass through Synthesia's AI-driven content moderation framework
• We do not use your content to train public AI models
13. Data Controller and Processor Roles
For clarity regarding our data protection roles:
• Clinician video content: you (the clinician customer) are the data controller for the video content you create and its use with patients. We act as a data processor when hosting this content on your behalf.
• Platform operations: we are the data controller for customer account management, platform analytics, and security logs.
14. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by email or through our Portal. The date of the last update is shown at the top of this policy.
15. Contact Us
If you have any questions about this policy or our data practices, please contact us:
Email: privacy@4cori.com
Post: 4Cori Ltd, 40 Woodcote Park Road, Epsom, England, KT18 7EX
ICO Registration: ZB817257