Trust Centre Document

Terms of Service

The terms on which clinicians use Cogent Clinic, covering pricing, acceptable use, intellectual property, warranties and disclaimers, and liability.

Effective 24 May 2026.

These Terms and Conditions govern access to and use of Cogent Clinic, a Class I medical device under the UK Medical Devices Regulations 2002 (registered with the MHRA) supplied as a software service by Cogent Clinic Ltd.

1. Parties

These Terms are between:

Provider and Manufacturer: Cogent Clinic Ltd, operating the Cogent Clinic service and acting as the legal manufacturer of the Cogent Clinic medical device under UK MDR 2002 Company number: SC887432 Registered address: Mearns Castle Golf Academy, Waterfoot Road, Glasgow, G77 5RR ICO data-controller registration: ZC132394 Privacy contact: [email protected] Vigilance contact: [email protected], 0141 471 3632 Website: www.cogent.clinic

and

Customer: the individual clinician, practice, or organisation that purchases or uses the Service.

2. The Service

2.1 Cogent Clinic is a documentation tool for UK HCPC-registered practitioner psychologists. It is classified as a Class I medical device under the UK Medical Devices Regulations 2002 (as amended) ("UK MDR 2002") and is registered with the MHRA. Conformity is self-certified by the Provider as manufacturer; registration on the MHRA register does not represent MHRA approval or certification. The Service's full intended purpose is published in the in-product Intended Purpose statement at the Trust Centre and in the Instructions for Use in the in-product Help corpus.

2.2 The Service supports the clinician across a small set of connected surfaces within the registered intended purpose: drafting clinical and administrative documentation, managing per-client folders, maintaining a treatment-plan record, preparing for supervision, capturing a live session transcript in the browser, running a folder-scoped reflective-thinking chat, and running a documentation-completeness review on a finished draft.

2.3 The Service is, by intended purpose and architectural design, a documentation tool only. It does not diagnose, screen for, or rule out any condition. It does not recommend, evaluate, or rank treatment options. It does not predict, score, or stratify clinical risk. It does not interpret psychometric, neuropsychological, or other assessment data. It does not map symptoms or observations onto diagnostic criteria. It does not generate clinical reasoning, formulation, or opinion of its own. It does not alert, notify, or escalate. It does not replace clinical judgement at any point.

2.4 All outputs are drafts. The Customer remains solely responsible for reviewing, editing, validating, and approving any output before clinical, legal, professional, administrative, or other use. The clinician is the author of record on every output produced through the Service. A draft is not part of the clinical record until the responsible clinician has reviewed, edited, and signed it off.

2.5 The Provider may update, improve, modify, or withdraw features from time to time, provided this does not materially deprive the Customer of the core contracted service without reasonable notice. Material changes affecting the intended purpose, the function list, the limits, or the safety profile of the Service trigger a new conformity assessment under UK MDR 2002 and are communicated to the Customer in advance.

2.6 The following features may be reachable in the same product surface but are not part of the registered Class I medical device and are operated under separate arrangements:

  • Neurodevelopmental assessment report drafting (ADHD, autism, and combined types), where offered as a beta or out-of-scope feature
  • Expert witness report drafting (Cogent Witness), supplied as a separate product under medico-legal regulatory arrangements

The Customer's use of any such feature is outside the registered conformity declaration for the Cogent Clinic device.

3. Eligibility and permitted users

3.1 The Service is intended exclusively for HCPC-registered practitioner psychologists in the United Kingdom registered under one of the seven protected practitioner-psychologist titles: clinical, counselling, forensic, health, educational, occupational, and sport and exercise psychologists. The audience scope may be broadened in a future version of these Terms to include adjacent regulated professions, where each such broadening is reflected in an updated intended purpose statement and a re-issued Declaration of Conformity where required. Use by individuals who are not appropriately regulated, or who are not within the current eligible audience, is outside the registered intended purpose of the Service.

3.2 The Customer must ensure that all users of the Service are properly authorised and trained on the intended use of the device, including the requirement to review, edit, and sign off every draft before it becomes part of a clinical record.

3.3 The Customer is responsible for all activity occurring under its accounts.

4. Customer responsibilities

The Customer must:

  • use the Service lawfully, professionally, and within the registered intended purpose
  • ensure it has an appropriate lawful basis for any personal data processed through its use of the Service
  • ensure any special category data is processed under an appropriate Article 9 condition
  • review every output before any clinical use, and personally sign off the output as author of record before it is entered into the clinical record
  • avoid entering unnecessary identifying information
  • follow the product's de-identification and review workflow
  • obtain any client consent required by the Customer's own professional, legal, or ethical framework before using the live session-transcription feature
  • where the Customer shares with a client any material that was prepared with the assistance of the Service (a draft note, a session summary, a formulation diagram, a printed PDF, or similar), disclose to that client that AI was used in preparing the first draft, in line with the Customer's own professional and ethical transparency obligations to clients
  • keep login credentials secure, noting that the Customer's account password also derives the key that protects stored session-transcript ciphertext
  • ensure no user shares accounts inappropriately
  • comply with applicable professional, ethical, confidentiality, and record-keeping obligations
  • promptly report to the Provider any event affecting, or that could have affected, the safety of patient care or the confidentiality of patient data while using the Service, in accordance with clause 18 below

The Customer must not:

  • use the Service as a substitute for professional judgement
  • rely on outputs without human review and personal sign-off
  • use the Service outside its registered intended purpose
  • use the Service in emergency, crisis, or acute-care contexts
  • use the Service for unlawful, harmful, discriminatory, or misleading purposes
  • upload malware or interfere with the Service
  • attempt to reverse engineer the Service except where such restriction is prohibited by law

5. Data protection and confidentiality

5.1 The parties acknowledge that, in relation to clinician-submitted content, the Customer is generally the controller and the Provider is generally the processor.

5.2 The parties agree that the Data Processing Agreement forms part of these Terms where applicable.

5.3 The Provider's handling of personal data is described in the Privacy Policy, retention schedule, incident response plan, and related compliance documents.

5.4 The Customer remains responsible for determining whether use of the Service is appropriate within its own professional and organisational framework.

6. Security

6.1 The Provider will maintain appropriate technical and organisational measures to protect the Service and personal data processed within it, consistent with the cybersecurity requirements applicable to a Class I medical device.

6.2 The Customer must use security features provided by the Service, including mandatory two-factor authentication.

6.3 The Customer must notify the Provider promptly if it becomes aware of any suspected unauthorised access, credential compromise, or misuse.

7. Fees and payment

7.1 The Customer must pay the fees specified in the relevant order, pricing page, or agreed commercial proposal.

7.2 Unless otherwise stated, fees are payable in advance for the billing cycle stated in the order or pricing page (typically monthly or annually) and are non-refundable except where required by law, where this clause 7 expressly provides otherwise, or where the Customer is entitled to a service credit under the Service Level Agreement.

7.3 The Provider issues a statement of charges by email or through the in-product account area each billing cycle. The statement records the charges applied to the payment method on file and is not a request for further payment.

7.4 If a payment is declined or otherwise not received on time, the Provider may charge interest on overdue amounts at the rate set by the Late Payment of Commercial Debts (Interest) Act 1998 where the Customer is a business, or at the maximum rate otherwise permitted by applicable law.

7.5 The Provider may suspend access for non-payment after giving the Customer at least 7 days' written notice and a reasonable opportunity to pay. During a suspension for non-payment the Provider will retain the Customer's data in accordance with the DPA retention provisions and will restore access promptly on payment of the outstanding amount, unless the agreement has by then been terminated under clause 11.

7.6 The Provider may change pricing for future billing periods. Material changes to fees or to the payment terms will be notified to the primary administrative contact on the Customer's account at least 30 days before the change takes effect, and will not apply to a billing period already paid for. The Customer's continued use of the Service after a notified fee change takes effect constitutes acceptance of the revised fee for subsequent billing periods.

7.7 All fees are exclusive of VAT and of any other tax, duty, or levy that may be due. Where VAT or another tax is applicable, the Provider will add it to the invoice or statement at the rate in force on the date of supply.

7A. Cancellation and refunds

7A.1 How to cancel. A Customer may cancel a subscription at any time:

  • through the "Cancel subscription" control in the in-product account area, or
  • by email to [email protected] from the email address on the account, stating the intention to cancel.

The Provider will confirm the cancellation by email and stop further billing at the end of the then-current billing period.

7A.2 Effect of cancellation on access. Unless the parties agree otherwise, the Customer's access to the Service continues until the end of the billing period that the Customer has already paid for. The Service is not suspended on the day of cancellation. This gives the Customer time to export drafts, finalise notes, and download anything they need to keep.

7A.3 Monthly subscriptions. Fees paid for a monthly subscription period are non-refundable. The Customer's monthly subscription will not renew once cancelled.

7A.4 Annual subscriptions. Fees paid for an annual subscription period are non-refundable, save that the Provider may, at its discretion, refund the unused portion of an annual subscription where:

  • the cancellation is for the Provider's material breach of these Terms,
  • the cancellation follows the Customer's objection to a new sub-processor under clause 9.3 of the DPA,
  • the cancellation follows a continuing force majeure event under clause 13A.3,
  • the cancellation follows a material adverse change to the Terms or the Service that the Provider has notified under clause 15, where the Customer objects within the notice period,
  • a service credit under the Service Level Agreement falls due where the cancellation has already taken effect, or
  • the Provider is otherwise required to refund by law (including statutory cancellation rights, where they apply).

Where a refund is due under this clause 7A.4, the Provider will calculate it on a pro-rata basis from the date of cancellation to the end of the then-current annual period and will pay it within 30 days of acknowledging the refund request.

7A.5 Cancellation rights of consumer Customers. Where the Customer is a natural person buying outside the course of a business or profession (a "consumer" within the meaning of the Consumer Rights Act 2015 and the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, "CCRs"), the Customer has a statutory right to cancel within 14 days of the conclusion of the contract, without giving any reason, except as set out in clause 7A.6 below.

7A.6 Consumer's request to begin the Service within the cancellation period. Where a consumer Customer requests, at sign-up, that the Service begins within the 14-day cancellation period:

  • the Customer expressly consents to provision starting before the end of that period and acknowledges that the right to cancel under the CCRs will be lost once the Service has been fully performed;
  • if the Customer cancels within the 14-day period after some but not all of the Service has been performed, the Customer remains liable to pay a reasonable amount in proportion to the Service supplied up to the date of cancellation;
  • in practice, the Provider treats the cancellation as effective on the date of the cancellation notice, retains a pro-rata portion of the fee for the days of Service already provided, and refunds the balance within 14 days of receiving the cancellation notice, using the original payment method, in accordance with regulation 34 CCRs.

7A.7 Method of cancellation by a consumer. A consumer Customer may cancel under clauses 7A.5 or 7A.6 by any clear written statement, including the cancellation method at clause 7A.1, by email to [email protected], or by completing and returning a copy of the model cancellation form set out in Schedule 3 to the CCRs.

7A.8 What happens to data on cancellation. Termination of the subscription does not by itself delete the Customer's data. The Customer's existing data is handled under the Data Processing Agreement and the Retention Schedule, including the Customer's choice of return or deletion within 30 days of the end of the provision of services under clause 7.7 of the DPA. The Customer should export anything they wish to keep before requesting deletion.

7A.9 No reactivation guarantee after deletion. If the Customer requests permanent deletion under the DPA, that action is final. The Provider cannot reinstate deleted folders, drafts, formulations, or session-transcript ciphertext after the deletion has taken effect.

7A.10 Refunds method. Refunds are paid by the original payment method. Where that is no longer available, the parties will agree an alternative method (typically bank transfer to the Customer's nominated account).

8. Intellectual property

8.1 The Provider and its licensors retain all intellectual property rights in the Service, excluding Customer data.

8.2 The Customer retains rights in its own input data and in its own reviewed and adopted outputs, subject to any third-party rights and the limitations of applicable law.

8.3 The Customer grants the Provider a limited right to process Customer data only as necessary to provide the Service, comply with law, maintain security, and enforce these Terms.

8.4 Where the Customer voluntarily provides the Provider with feedback, suggestions, feature requests, or bug reports about the Service ("Feedback"), the Customer grants the Provider a perpetual, irrevocable, worldwide, royalty-free, sub-licensable licence to use, modify, and incorporate that Feedback into the Service and into the Provider's other products. The Provider may act on Feedback without obligation to the Customer and without compensation. This clause does not give the Provider any right to use Customer clinical content, draft bodies, formulation text, chat messages, transcripts, or other operational data for development, training, or product-improvement purposes; those data are governed by the DPA and the Privacy Policy and are not Feedback.

8.5 Any improvement, modification, derivative work, or new functionality the Provider develops in connection with the operation of the Service (including improvements that draw on aggregated, fully de-identified usage metrics, but excluding any use of Customer clinical content) remains the Provider's intellectual property.

9. Availability and support

9.1 The Provider will use reasonable care and skill in providing the Service but does not guarantee uninterrupted or error-free availability.

9.2 Planned maintenance, security actions, supplier failures, and events outside the Provider's reasonable control may affect availability.

9.3 Support is provided through the channels and hours communicated by the Provider.

9.4 The Provider operates a post-market surveillance programme for the device. Material safety events, field safety corrective actions, and field safety notices are communicated to active Customers through the channels described in the in-product Instructions for Use.

9.5 The Provider's commitments on availability, planned-maintenance windows, support response targets, breach-notification timing, and service credits are set out in the Service Level Agreement published on the Trust Centre. The Service Level Agreement forms part of these Terms.

10. Acceptable use and restrictions

This clause is the Acceptable Use Policy that applies to the Service. It works alongside the responsibilities at clause 4 and the registered intended purpose of the device. A longer, clinical-judgment-oriented companion document, "Acceptable Use", is published on the Trust Centre and forms part of these Terms by reference.

10.1 Within-scope use. The Service is supplied for documentation work within the registered intended purpose described at clauses 2.1 to 2.3. Within that scope, the Customer is expected to draft, transform, edit, organise, and review clinical and administrative content; to manage a per-client folder and treatment plan; to use the live-transcription feature with appropriate consent; and to use the reflective-thinking chat to think through cases out loud.

10.2 Out-of-scope use. The Customer must not use the Service:

  • as a substitute for professional clinical judgement;
  • to make, screen for, rule out, score, stratify, or rank a diagnosis or clinical risk;
  • to recommend, evaluate, or rank treatment options;
  • to interpret psychometric, neuropsychological, or other assessment data clinically;
  • in an emergency, crisis, or acute-care context;
  • outside the eligible audience described at clause 3;
  • without reviewing and personally signing off every output before it enters a clinical record.

10.3 Prohibited conduct. The Customer must not:

  • use the Service in a way that infringes another person's rights;
  • use the Service to generate knowingly false, misleading, or fraudulent records;
  • use the Service for spam, harassment, or unlawful surveillance;
  • input the personal data of an individual the Customer has no professional relationship with, except to the minimum extent necessary to draft a document about a client;
  • interfere with the integrity or performance of the Service, including by uploading malware, scraping, automated abuse, or attempting to bypass rate limits or daily caps;
  • attempt to extract, copy, or republish the Provider's prompts, model configuration, identifier-detection rules, or other components of the Service that are not Customer data;
  • use any output of the Service to develop, train, fine-tune, benchmark, evaluate, or improve a competing artificial-intelligence model or product;
  • attempt to manipulate, coerce, or otherwise drive the Service into producing a clinical diagnosis, a differential-diagnosis list, a treatment recommendation, a risk score, a triage decision, or any other clinical reasoning that the Service is by design not built to produce, including by prompt-injection, role-play framing, or instruction overrides;
  • test the Service for vulnerabilities without written permission from the Provider's responsible disclosure address ([email protected]);
  • share user accounts or credentials, or transfer access to a person not on the Customer's account.

10.4 Provider response. The Provider may suspend or terminate access where reasonably necessary to protect the Service, comply with law, investigate misuse, or where continued use would pose a clinical-safety risk inconsistent with the Service's intended purpose. The Provider will give notice and a reasonable opportunity to remedy where it is safe to do so; where it is not safe (for example a confirmed credential compromise), the Provider may act immediately and notify after the fact.

11. Suspension and termination

11.1 Either party may terminate in accordance with the agreed commercial arrangement or any minimum subscription term.

11.2 The Provider may suspend or terminate access immediately where:

  • the Customer materially breaches these Terms
  • non-payment persists after notice
  • use of the Service creates a security, legal, operational, or clinical-safety risk
  • continued provision would likely breach law or third-party obligations
  • the Customer is demonstrably using the Service outside its registered intended purpose in a way that creates a clinical-safety concern

11.3 On termination, the Provider will handle Customer data in accordance with the DPA, Privacy Policy, and retention schedule.

12. Warranties and limitations

12.1 The Provider warrants that it will provide the Service with reasonable care and skill, and that the Service is supplied as a Class I medical device in conformity with UK MDR 2002 within the registered intended purpose.

12.2 Except as expressly stated, the Service is provided on an "as available" basis.

12.3 The Service is supplied as a documentation tool within the meaning of its registered intended purpose. The Provider does not warrant that:

  • outputs will always be accurate, complete, or fit for a particular purpose other than as a draft for the Customer's review and sign-off
  • the Service will meet every Customer requirement
  • the Service is suitable for use outside its registered intended purpose, including (without limitation) use as a diagnostic tool, a treatment recommendation tool, a risk-prediction tool, or a substitute for the clinician's professional judgement

12.4 The Customer acknowledges the inherent limitations of AI-generated text and the requirement, under the Service's intended use, to personally review and sign off every draft before it is entered into a clinical record or otherwise relied upon.

13. Liability

13.1 Nothing in these Terms excludes or limits liability for death or personal injury caused by negligence, fraud, fraudulent misrepresentation, or any liability that cannot lawfully be excluded, including any liability that cannot be excluded under the Consumer Protection Act 1987 in relation to defective products.

13.2 Subject to clause 13.1, the Provider will not be liable for:

  • indirect or consequential loss
  • loss of profit, revenue, goodwill, or anticipated savings
  • loss arising from the Customer's failure to review and sign off outputs as required under clause 4
  • loss arising from Customer use of the Service outside its registered intended purpose
  • loss arising from Customer misuse or unlawful use of the Service
  • loss caused by third-party systems outside the Provider's reasonable control

13.3 Subject to clause 13.1, the Provider's aggregate liability arising out of or in connection with the Service shall be capped at the fees paid by the Customer in the 12 months preceding the event giving rise to the claim, unless a different cap is agreed in writing.

13A. Force majeure

13A.1 Neither party is liable for any delay in performing, or any failure to perform, any obligation under these Terms (other than an obligation to pay money) that is caused by an event beyond that party's reasonable control. Such events include, without limitation:

  • act of government, regulator, or other public authority, including new or amended legislation,
  • act of war, terrorism, civil unrest, or sanctions,
  • failure of a public telecommunications network or of public utility supply,
  • failure of, or significant outage in, a third-party infrastructure provider on which the Service materially depends, including but not limited to AWS regions and availability zones, content delivery networks, DNS resolvers, certificate authorities, payment networks, transactional email providers, and large-language-model inference providers,
  • significant cyber-attack on the Provider's or a sub-processor's infrastructure where the affected party has taken reasonable preventive measures consistent with its security commitments,
  • fire, flood, severe weather, earthquake, or other natural event,
  • pandemic, epidemic, or public-health emergency declared by a competent authority,
  • labour dispute affecting the affected party or a sub-processor, other than one confined to its own workforce.

13A.2 The party affected by a force majeure event will notify the other party as soon as reasonably practicable, describe the nature and likely duration of the event, and take reasonable steps to mitigate its effects and to restore performance.

13A.3 If a force majeure event prevents the Provider from substantially providing the Service for a continuous period of 30 days or more, either party may terminate the affected Service on written notice, and the Provider will refund any fees paid in advance for the unused portion of the then-current billing period. The DPA, the confidentiality obligations, and the Customer's right to the return or deletion of personal data continue to apply on termination.

13A.4 Force majeure does not relieve the Provider of its obligations under UK MDR 2002 in respect of safety-critical events, including the obligation to investigate and where applicable report to the MHRA under clause 18 of these Terms.

14. Confidentiality

14.1 Each party shall keep the other party's confidential information confidential and use it only as necessary to perform or receive the Service.

14.2 This does not apply to information that is already public, lawfully received from another source, independently developed, or required to be disclosed by law.

15. Changes to the Service or Terms

15.1 The Provider may update these Terms from time to time.

15.2 Material adverse changes will be notified with reasonable notice before they take effect, unless immediate changes are required for legal, regulatory, or security reasons. Changes affecting the intended purpose or the safety profile of the device will be communicated in advance, in accordance with the post-market surveillance and vigilance procedures referenced in clause 18.

16. Governing law and jurisdiction

These Terms are governed by the law of Scotland. The courts of Scotland have exclusive jurisdiction, unless mandatory law requires otherwise.

17. Order of precedence

If there is a conflict between these Terms and the Data Processing Agreement on data protection matters, the Data Processing Agreement prevails for those matters.

18. Manufacturer identification, vigilance, and reporting

18.1 The Provider is the legal manufacturer of the Cogent Clinic medical device under UK MDR 2002. Manufacturer identification, including registered office, Companies House number, and the regulatory and vigilance contact, is set out in clause 1.

18.2 The Customer must report to the Provider, without undue delay, any event involving the Service that has caused, or could have caused, the safety of patient care or the confidentiality of patient data to be affected. Reports may be made by email to [email protected] or by telephone to 0141 471 3632, or through the in-product "Report a problem with this device" link.

18.3 The Provider will acknowledge the report, triage it, investigate, and where the event meets the relevant MHRA thresholds, report it to the MHRA in accordance with the manufacturer's vigilance obligations under UK MDR 2002. The Provider's incident response plan and post-market surveillance approach are summarised on the Trust Centre.

18.4 The Customer is independently entitled to report any adverse incident involving any medical device, including the Service, directly to the MHRA through the Yellow Card scheme at https://yellowcard.mhra.gov.uk/. Direct reporting to MHRA does not replace, but supplements, reporting to the Provider.

18.5 Field Safety Notices issued by the Provider in connection with the Service will be sent to active Customer accounts by email and displayed as a persistent in-app notice until acknowledged. The Customer must read and act on any Field Safety Notice received.