This Privacy Policy covers the Closed Alpha service provided by Health Data Avatar. It explains what information we gather, how we use it, and your legal rights regarding your data.

Privacy Policy

Effective Date: 2025-04-29

Introduction

Health Data Avatar (“HDA”, “we”, “our”, “us”) is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.

Definition of Service

“Our Service” refers to the Health Data Avatar App, allowing you to upload, process, and interact with your personal files and medical data.

The “Waiting List” refers to users proactively subscribing for early access to the Health Data Avatar App.

“Marketing Updates” refers to users proactively subscribing for news, features, and other promotional content.

Who We Are

Health Data Avatar Ltd is registered with Companies House in the UK, with company number 16236443

Data Controller: Health Data Avatar

Data Protection Officer: Hex Miller-Bakewell

Email: hex@healthdataavatar.com

What Data We Collect

We collect the following types of personal data:

Service Usage Data

• Files you upload to the service, which may include sensitive medical data protected under Article 9 of the GDPR.
• Data extracted from uploaded files.
• Edits or annotations you make within the service.

Feedback Data

• Feedback or comments you submit voluntarily
• Feedback is immediately anonymised before analysis

Waiting List Data

Collected only with your explicit consent:

• Email address and any additional information you provide when joining the waiting list.

Marketing Updates Data

Collected only with your explicit consent:

• Email address and any additional information you provide when subscribing to marketing updates.

Legal Bases for Processing

We process your personal data under the following legal bases:

• Consent
  • Uploading files and submitting special category (medical) data requires your explicit consent.
  • Subscribing to our waiting list is based on your freely given, separate consent.
  • Subscribing to our marketing updates is based on your freely given, separate consent.
• Legitimate interest
  • Anonymising and using feedback to improve our service without linking it back to individuals.

How We Use Your Data

Service Data

• To provide, maintain, and improve the Health Data Avatar Service.
• To securely store and process uploaded files and extracted medical data.

Feedback Data

• To anonymously assess and improve the functionality and quality of our service.

Waiting List

• To send service notifications (operational emails).

Marketing Updates

• To send marketing communications if you have opted in separately.

You can unsubscribe from marketing emails at any time by using the link provided in each email.

Data Retention

Service Data

• Retained only as long as necessary to provide the service.
• Uploaded files and extracted data are deleted within one week after you request deletion or close your account.

Waiting List Data

Retained until you unsubscribe, or a maximum of 12 months after the public launch of the service, whichever is sooner.

Marketing Data

Retained until you unsubscribe.

Data Security

Your data is stored on servers located within the European Union (EU) or European Economic Area (EEA).

We apply appropriate technical and organizational measures, including:

• Encryption of data at rest and in transit.
• Access controls to restrict access to authorized personnel.
• Regular Security Audits

We use Microsoft Azure services to store and process your service data. For Marketing Updates and Waiting List data we also use Microsoft Azure, Google Cloud and Amazon AWS. The Microsoft, Google, and AWS services we use are all certified under key international standards (e.g. ISO/IEC 27001, 27017, 27018) and provides contractual assurances as a data processor under the GDPR.

Subprocessors

We rely on third-party service providers (subprocessors) to help deliver and maintain our services.
Each subprocessors is contractually obligated to comply with GDPR and provide appropriate safeguards for personal data.

Our primary subprocessors include:

• Microsoft Azure (Microsoft Ireland Operations Ltd.)
  • Purpose: Cloud infrastructure hosting, file storage, user identity (Single Sign-On), and secure data processing.
    
  • Location: European Union
  • Compliance: ISO/IEC 27001, ISO/IEC 27018, GDPR, and EU Standard Contractual Clauses (SCCs).
• Google Cloud Platform (Google Ireland Ltd.)
  • Purpose: Optional analytics, internal tooling, email services, and user identity (Single Sign-On)
  • Location: European Union
  • Compliance: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, GDPR, and EU Standard Contractual Clauses (SCCs).
• Amazon Web Services (AWS EMEA SARL)
  • Purpose: Cloud infrastructure hosting, email services
  • Location: European Union
  • Compliance: ISO/IEC 27001, 27701, GDPR, and EU Standard Contractual Clauses (SCCs).

We ensure all subprocessors process data only under our instructions and with sufficient technical and organizational safeguards in place.

Cookies and Tracking

We do not use cookies or trackers for analytics or advertising.

However, we use your browser’s local storage to store session data for authentication and data cacheing (e.g. keeping you logged in even when you close your browser). This data is not shared with third parties or used for profiling or tracking.

This usage is considered essential to the operation of the service and does not require consent under the ePrivacy Directive.

Automated Decision-Making

We do not use your personal data for automated decision-making, including profiling.

Age Restrictions

You must be at least 16 years old to consent to the processing of your personal data. If you are under 16, consent must be provided by someone with parental responsibility.

Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right of Access: Request a copy of your data.
• Right to Rectification: Correct inaccurate or incomplete data.
• Right to Erasure: Request deletion of your data (“right to be forgotten”).
• Right to Restrict Processing: Request limitation of how your data is processed.
• Right to Data Portability: Request your data in a machine-readable format to transfer to another controller.
• Right to Object: Object to data processing based on our legitimate interests.

You can exercise these rights directly from within the app itself, or by contacting the Data Protection Officer (whose details are at the top of this document).

As we process sensitive health data, we have completed a Data Protection Impact Assessment (DPIA). Any data breaches affecting your data will be reported within 72 hours of discovery.

How to Withdraw Consent

You can withdraw your consent at any time by: - Requesting account deletion via the service settings (for service data). - Clicking the unsubscribe link in marketing emails (for marketing consent). - Contacting the Data Protection Officer (who details are at the top of this document).

Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF https://www.ico.org.uk

If you are an EU resident, you also have the right to lodge a complaint with your local data protection authority. A list of national data protection authorities in the EU is available here: https://edpb.europa.eu/about-edpb/board/members_en

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and provide a prominent notice via our service.

Contact Us

If you have any questions or concerns about this Privacy Policy, please contact the Data Protection Officer.