Privacy Policy

Last updated

29 May 2026.

Lirena Limited is an Irish private company limited by shares. Public Companies Registration Office records list Lirena Limited under company number 781851. In this policy, "Lirena", "we", "us" and "our" mean Lirena Limited.

You can contact Lirena through the contact routes published on the Lirena website, including demo@lirena.ie. Lirena has not published a named Data Protection Officer on this site. If Lirena appoints or publishes a Data Protection Officer, the relevant contact details will be made available through Lirena's legal pages or customer communications.

What Lirena provides

Lirena provides psychometric assessment workflow software for clinics. The service is designed to help authorised clinic users create practice-scoped workspaces, create or manage client records, issue patient assessment links, collect submitted responses, apply structured deterministic scoring where supported, review results, and export records.

Lirena is not an emergency service, does not replace professional clinical judgement, and does not provide autonomous diagnosis or treatment recommendations. Human clinicians and clinics remain responsible for clinical interpretation, diagnosis, care planning, consent, instrument governance, record retention, and any action taken in response to assessment information.

Our roles under data protection law

For website visitors, demo enquiries, marketing contacts, customer account administration, product security, service improvement, legal compliance, and Lirena's own business records, Lirena is normally the controller of the relevant personal data.

For client, patient, assessment, response, score, export, review-note, and assessment workflow data that a clinic or its authorised users submit to or generate in the Lirena service, Lirena normally acts as a processor on behalf of the clinic customer. The clinic customer is normally the controller and is responsible for telling patients and service users how their data will be used, for selecting lawful bases and special-category conditions, and for deciding how Lirena should process the data under the Data Processing Agreement.

In limited cases, Lirena may also process customer-controlled data as an independent controller where necessary for its own legal obligations, security, abuse prevention, legal claims, or compliance records. Lirena does not use patient-level data for advertising, data-broker enrichment, insurance pricing, employment screening, or automated clinical decision systems.

Personal data we may handle

The categories of personal data depend on how the service is used. They may include clinic and workspace information, authorised user names, professional contact details, organisation membership, role and permission information, authentication and session information, support and demo communications, and audit records.

Where a clinic uses Lirena for assessment workflows, the service may handle client or patient profile information, assessment assignments, schedule tokens, submitted assessment responses, score outputs, scoring provenance, completion metadata, exports, clinician-entered review notes, consent records, deletion or retention workflow records, and integration metadata.

Lirena may also handle technical information such as device, browser, IP address, request metadata, cookie or similar technology identifiers, product analytics events, API keys or integration credentials by reference, webhook metadata, security logs, and diagnostic information. Lirena's integration design stores secret references rather than raw Semble tokens or webhook secrets in the application database.

Assessment responses, mental-health information, health-related history, clinical notes, and psychometric result information may be special-category data under GDPR. Lirena treats that data as high sensitivity. Where Lirena processes it for a clinic as processor, the clinic is responsible for the Article 9 condition and patient-facing transparency; Lirena processes it under the clinic's documented instructions and the Data Processing Agreement.

How we collect data

We collect data directly from website visitors, clinic customers, authorised users, and people who complete patient assessment links. We also receive data from clinic customers and authorised users when they create workspaces, client records, assessment schedules, exports, integrations, or support requests.

Where a customer configures an integration, Lirena may receive limited metadata from that integration in accordance with the customer's instructions and the configured integration scope. The current Semble integration foundation supports connection testing and verified webhook metadata handling, and is intentionally limited in the repo to avoid storing raw webhook payloads or performing patient or booking imports unless reviewed product work adds that capability.

Why we process personal data

We process personal data to provide, secure, maintain, and improve the Lirena service; authenticate users; scope workspaces to clinics; create and manage assessment workflows; collect and score responses where supported; prepare exports; maintain audit records; provide support; communicate about demos and service administration; investigate errors or abuse; comply with legal obligations; and establish, exercise, or defend legal claims.

For Lirena-controlled processing, our lawful bases may include contract performance or steps before contract, legitimate interests in operating and securing an assessment workflow service, legal obligation, consent where required for marketing or non-essential cookies, and legal claims where relevant. For customer-controlled assessment workflow data, the customer determines the lawful basis and any special-category condition, and Lirena acts on documented instructions unless law requires otherwise.

Scoring and automated decisions

Lirena's current scoring path is deterministic and designed to preserve scoring provenance.

Lirena must not be used to make solely automated clinical decisions, autonomous diagnoses, treatment recommendations, or clinical risk stratification. Lirena does not use patient-level data to build automated clinical decision systems.

Sharing and recipients

We share personal data only where necessary for the purposes described in this policy, where instructed by a clinic customer, where required by law, or where needed to protect rights, safety, security, or the integrity of the service.

Recipients may include authorised clinic users, the customer that controls the relevant workspace, Lirena personnel and contractors with a need to know, hosting and infrastructure providers, authentication providers, product analytics providers where enabled, customer-configured integration providers, professional advisers, insurers if applicable, regulators, courts, law enforcement, and counterparties in a corporate transaction.

Verified public and repository sources identify Google Cloud infrastructure, identity authentication, PostHog analytics when configured, and an optional Semble integration foundation. Lirena provides subprocessor information through its published legal pages, contract materials, or other reasonable customer notice channels.

Cookies and analytics

Lirena uses cookies and similar technologies that are necessary for website operation, authentication, session handling, security, and requested service functionality. These technologies are required for the service to work.

Where PostHog or another analytics technology is enabled, Lirena uses it to understand product usage and improve service reliability and usability. Product analytics should avoid patient-identifying data, clinical free text, licensed assessment content, raw responses, secrets, and note contents. Non-essential analytics cookies or similar technologies should only be used where a valid legal basis and any required consent are in place.

International transfers

Lirena is based in Ireland, but the service and its providers may process personal data outside Ireland, the EEA, and the United Kingdom. Repository documentation identifies Google Cloud production targets in the United States, and third-party providers may operate internationally.

Where GDPR or UK GDPR requires transfer safeguards, Lirena relies on mechanisms such as adequacy decisions, standard contractual clauses, the UK international data transfer addendum or equivalent safeguards, and supplementary measures where appropriate. Clinic customers should assess international transfer risk for their own use of Lirena before using the service with live clinical data.

Retention

Lirena keeps personal data for as long as necessary for the purposes described in this policy, to provide the service, comply with legal obligations, resolve disputes, maintain audit and security records, and follow customer instructions. Exact retention periods may depend on the customer contract, workspace configuration, legal hold, clinical record obligations, and whether Lirena acts as controller or processor.

Clinical records and assessment data may be subject to professional, legal, safety, and local clinic retention duties. Deletion requests involving clinical data may therefore require human review before data is deleted, retained, redacted, exported, or anonymised after review.

Security

Lirena uses technical and organisational measures intended to protect personal data, including authenticated clinician workspaces, practice-scoped access, role-aware product surfaces, audit-log foundations, secret-management boundaries, and internal-only posture for worker services by default.

No online service can guarantee absolute security. Customers and authorised users must protect credentials, configure integrations carefully, avoid uploading unnecessary data, and notify Lirena promptly if they suspect unauthorised access or a security incident involving the service.

Your rights

Where Lirena is controller, you may have rights to access, rectify, erase, restrict, port, or object to the processing of your personal data, and to withdraw consent where processing is based on consent. You may also have the right not to be subject to certain solely automated decisions.

Where Lirena processes assessment workflow data as processor for a clinic, Lirena may need to refer your request to that clinic because the clinic controls the data and decides how to respond. Lirena will assist customers with data subject requests in accordance with the Data Processing Agreement.

You may complain to the Irish Data Protection Commission or another competent supervisory authority. The Data Protection Commission's website is dataprotection.ie.

Children and vulnerable users

Lirena is designed for use by clinics and authorised clinical teams. Patients or service users may access Lirena only through workflows made available by their clinic, such as an invited assessment link. Lirena is not intended for children to create their own accounts or self-direct clinical assessment outside a clinic's governance process.

Where a clinic uses Lirena with minors or vulnerable service users, the clinic is responsible for consent, capacity, guardian involvement, safeguarding, professional review, and local clinical governance.

Changes to this policy

Lirena may update this Privacy Policy as the service, law, or production configuration changes. Material changes should be made visible on the public site and, where appropriate, notified to affected customers through service or contract channels.