Last updated: 11/05/2026
This policy explains what personal information The Hybrid Layer Ltd collects when you use our website and services, why we collect it, and what your rights are.
Our contact details
The Hybrid Layer Ltd
Registered Office Address: Office 2/3, 48 West George Street, Glasgow, Scotland, G2 1BP.
Company number: SC703922.
We are a Private Limited Company registered in Scotland.
Website: https://thehybridlayer.com
Email: info@thehybridlayer.com
ICO registration number: ZB249595
The personal information we collect
When you register an account on The Hybrid Layer, we collect:
- First Name
- Last Name
- Username/Nickname
- Email address
When you take part in an online learning course on our website, we store information about the courses you are enrolled in, your progress, and points you have earned. This allows us to issue certificates and improve your experience on our learning platform.
When you make a purchase (for example, joining as a member or buying access to a course), we collect the following billing information:
- First Name and Last Name
- Company Name (optional)
- Dental Regulatory Body Registration ID/Number, for example a GDC number in the UK (optional, and stored only so it can be displayed on your course certificates for verification with your regulatory body)
- Country/region
- Street address, flat/suite/unit, town/city, state/county, postcode/ZIP
- Phone
- Email address
Card and bank details are handled directly by our payment processor (Stripe) and are not stored on our servers.
If you request a password reset, your IP address is included in the reset email so you can verify whether the request was made by you.
How we use your information and the lawful bases
Most of the personal information we process is provided directly by you, so that we can:
- Set up and manage your account on The Hybrid Layer.
- Give you access to our online learning platform, courses, and certificates of completion.
- Process membership purchases and renewals.
- Send you service-related emails about your subscription, and (if you have opted in) our newsletter.
- Provide Hybrid Notes (our AI-assisted clinical note drafting tool) to members. See the Hybrid Notes section below for full detail.
- Improve your experience on the website and keep the platform secure.
Under UK GDPR, the lawful bases we rely on are:
- Contract: providing your membership, course access, certificates, subscription emails about your account, and Hybrid Notes.
- Consent: sending you our newsletter (opt-in at checkout).
- Legal obligation: keeping financial and tax records for the periods required by UK law.
- Legitimate interests: keeping the platform secure, preventing fraud, and improving the service.
You can withdraw your consent for marketing at any time by clicking the unsubscribe link in any email or by contacting info@thehybridlayer.com.
Marketing and subscription emails
The Hybrid Layer newsletter (sent via MailerLite). You can opt in at checkout when you join, or at any time afterwards. We use the newsletter to share educational content, lecture announcements, and platform updates. You can unsubscribe at any time using the link at the bottom of any newsletter email.
Subscription emails (sent via Metorik). If you are a member, we send a small number of emails about your subscription, for example onboarding tips during your first months of membership, renewal reminders, and re-engagement messages if your subscription lapses. You can opt out of these at any time using the unsubscribe link in any email or by contacting info@thehybridlayer.com.
Who we share your data with
We do not sell your personal information, and we do not share it for advertising or marketing by third parties.
We do use trusted service providers (sub-processors) to operate the platform. Each one only processes your data under a written agreement and only as needed to deliver our service:
| Sub-processor | Role | Location | Safeguards |
|---|---|---|---|
| Kinsta | Managed WordPress hosting (Google Cloud Platform) | United Kingdom (London) | Standard hosting DPA. UK GDPR compliant. |
| Cloudflare | Edge CDN, bot protection, and DDoS mitigation (via our hosting provider) | United Kingdom and United States | Standard DPA. UK IDTA and EU SCCs in place. |
| Stripe | Payment processing | UK and US | Standard payments DPA. UK IDTA and EU SCCs in place. Card details stored by Stripe, not on our servers. |
| MailerLite | Newsletter delivery | EU | Standard email service DPA. |
| Metorik | Subscription and onboarding emails | International | Standard DPA. UK IDTA and EU SCCs in place for transfers outside the UK or EU. |
| Vimeo | Video hosting and playback for lectures and previews | United States | Standard DPA. UK IDTA and EU SCCs in place. Sets cookies when videos are played; see our Cookie Policy for full detail. |
| OpenAI, Inc. | Hybrid Notes (AI note generation and dictation transcription) | United States | Standard API DPA. UK IDTA and EU SCCs in place. Inputs and outputs not used for training. Up to 30-day abuse-monitoring retention. |
Embedded content and external services
Pages on this site may include embedded content (for example, videos, images, or articles from other websites). Embedded content from other websites behaves in the same way as if you had visited those websites directly. They may collect data about you, set their own cookies, embed additional third-party tracking, and monitor your interaction with the embedded content.
Where a profile picture is displayed on the site, we use the Gravatar service (provided by Automattic) to load an image associated with your email address. This only happens if your email already has a Gravatar account; otherwise no image is loaded. The Gravatar privacy policy is available at https://automattic.com/privacy/.
Cookies
We use cookies for site functionality, analytics, and advertising. You can review and manage your preferences at any time on our Cookie Policy page, which lists every cookie we set and lets you change your consent.
How long we keep your information
We keep your personal information while you have an active account or membership with us.
After you close your account, we keep billing and financial records for the period required by UK tax and accounting law (typically six years), and delete the rest. If you ask us to erase your information sooner, we will do so unless we are legally required to retain it.
Your data is held on Kinsta’s managed WordPress hosting in London, United Kingdom.
Hybrid Notes
Hybrid Notes is the AI-assisted clinical note drafting tool included with The Hybrid Layer membership. It is designed so that we do not store your chatbot inputs, dictation audio, transcripts, or AI-drafted outputs anywhere on our infrastructure. Everything you type or dictate into Hybrid Notes is processed in transit only and is not retained on our side.
What is sent and where
When you use Hybrid Notes, the text you type or the audio you dictate is transmitted to OpenAI for processing. OpenAI operates in the United States.
Text inputs and the drafts that Hybrid Notes produces are routed to OpenAI’s API so the AI can generate your note. We send only what you type into the chatbot, together with the Profile and Library entries you have saved to shape your house style.
Dictation audio is routed to OpenAI’s transcription API over a secure WebSocket connection. The audio is converted to a transcript on OpenAI’s side. Both the audio stream and the resulting transcript flow back through Hybrid Notes only to be displayed to you on screen. Neither is stored by us.
OpenAI processes this data under their standard API terms:
- API inputs and outputs are not used to train OpenAI’s models.
- OpenAI may retain API content for up to 30 days for abuse-monitoring purposes, with restricted internal access. The content is otherwise not retained.
- The transfer to the United States is covered by OpenAI’s Data Processing Agreement, which incorporates the UK International Data Transfer Agreement and EU Standard Contractual Clauses.
Your responsibilities
Hybrid Notes is built around one rule: do not submit patient-identifying information. No names, dates of birth, addresses, contact details, NHS numbers, insurance numbers, photographs, or anything else that identifies or could reasonably identify a specific patient.
If you follow that rule, the only personal data flowing through OpenAI is yours: your case description, your library content, your draft notes. That is the design intent of the tool and the reason it can operate without storing chatbot content.
This rule is set out in the Hybrid Notes Terms of Use, in the on-screen guidance in the workspace, and in the system prompt that governs the AI itself.
What we do store on our side
The information we hold on our own infrastructure for Hybrid Notes sits on UK-hosted servers and is never transmitted to OpenAI beyond a single generation request. It is:
- Your member account details (name, email, billing information), held in line with your membership and any statutory retention rules.
- Your Hybrid Notes Profile (region, note style, opening and closing text), held until you change or delete it.
- Your Hybrid Notes Library (Protocols and Templates), held until you delete entries.
- A daily counter of transcription sessions, used to enforce rate limits.
- A rolling audit log of your library actions: timestamps and action types only, no content.
Your rights for Hybrid Notes data
You can delete individual Library entries and your Profile at any time directly in the Hybrid Notes workspace. Your other rights under UK GDPR (access, rectification, erasure, portability, restriction of processing, objection) are the same as for the rest of your member data and are set out in the “Your data protection rights” section below.
Updates to this section
If we change the way Hybrid Notes processes data, for example by adding a new sub-processor or switching models, we will update this section and let members know via an in-product banner.
Your data protection rights
Under UK GDPR, you have rights including:
- Right of access: you can ask us for a copy of your personal information.
- Right to rectification: you can ask us to correct information you think is inaccurate, or complete information you think is incomplete.
- Right to erasure: you can ask us to erase your personal information in certain circumstances.
- Right to restriction of processing: you can ask us to restrict how we use your information in certain circumstances.
- Right to object to processing: you can object to the way we process your information in certain circumstances.
- Right to data portability: you can ask us to transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we will respond within one month. To make a request, contact us at info@thehybridlayer.com.
How to complain
If you have any concerns about how we use your personal information, please contact us first at info@thehybridlayer.com.
You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have used your data.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline: 0303 123 1113
Website: https://www.ico.org.uk
Updates to this policy
If we make a material change to how we handle your personal information, we will update this policy and refresh the “Last updated” date at the top of the page. For changes that affect Hybrid Notes specifically, we will also let members know via an in-product banner.
Contact us
If you have any questions about this policy, please contact us by email at info@thehybridlayer.com.
