Privacy Policy
Effective Date: 2025-04-29
Introduction
Health Data Avatar (“HDA”, “we”, “our”, “us”) is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.
Definition of Service
“Our Service” refers to the Health Data Avatar App, allowing you to upload, process, and interact with your personal files and medical data.
The “Waiting List” refers to users proactively subscribing for early access to the Health Data Avatar App.
“Marketing Updates” refers to users proactively subscribing for news, features, and other promotional content.
Who We Are
Health Data Avatar Ltd is registered with Companies House in the UK, with company number 16236443.
Data Controller: Health Data Avatar
Data Protection Officer: Hex Miller-Bakewell
Email: hex@healthdataavatar.com
What Data We Collect
We collect the following types of personal data:
Service Usage Data
- Files you upload to the service, which may include sensitive medical data protected under Article 9 of the GDPR.
- Data extracted from uploaded files.
- Edits or annotations you make within the service.
Feedback Data
- Feedback or comments you submit voluntarily.
- Feedback is immediately anonymised before analysis.
Waiting List Data
Collected only with your explicit consent:
- Email address and any additional information you provide when joining the waiting list.
Marketing Updates Data
Collected only with your explicit consent:
- Email address and any additional information you provide when subscribing to marketing updates.
Legal Bases for Processing
We process your personal data under the following legal bases:
- Consent
  - Uploading files and submitting special category (medical) data requires your explicit consent.
  - Subscribing to our waiting list is based on your freely given, separate consent.
  - Subscribing to our marketing updates is based on your freely given, separate consent.
- Legitimate interest
  - Anonymising and using feedback to improve our service without linking it back to individuals.
How We Use Your Data
Service Data
- To provide, maintain, and improve the Health Data Avatar Service.
- To securely store and process uploaded files and extracted medical data.
Feedback Data
- To anonymously assess and improve the functionality and quality of our service.
Waiting List
- To send service notifications (operational emails).
Marketing Updates
- To send marketing communications if you have opted in separately.
You can unsubscribe from marketing emails at any time by using the link provided in each email.
Data Retention
Service Data
- Retained only as long as necessary to provide the service.
- Uploaded files and extracted data are deleted within one week after you request deletion or close your account.
Waiting List Data
Retained until you unsubscribe, or a maximum of 12 months after the public launch of the service, whichever is sooner.
Marketing Data
Retained until you unsubscribe.
Data Security
Your data is stored on servers located within the European Union (EU) or European Economic Area (EEA).
We apply appropriate technical and organizational measures, including:
- Encryption of data at rest and in transit.
- Access controls to restrict access to authorized personnel.
- Regular security audits.
We use Microsoft Azure services to store and process your service data. For Marketing Updates and Waiting List data we also use Microsoft Azure, Google Cloud and Amazon AWS. The Microsoft, Google, and AWS services we use are all certified under key international standards (e.g. ISO/IEC 27001, 27017, 27018) and provide contractual assurances as a data processor under the GDPR.
Subprocessors
We rely on third-party service providers (subprocessors) to help deliver and maintain our services.
Each subprocessor is contractually obligated to comply with GDPR and provide appropriate safeguards for personal data.
Our primary subprocessors include:
- Microsoft Azure (Microsoft Ireland Operations Ltd.)
  - Purpose: Cloud infrastructure hosting, file storage, user identity (Single Sign-On), and secure data processing.
  - Location: European Union
  - Compliance: ISO/IEC 27001, ISO/IEC 27018, GDPR, and EU Standard Contractual Clauses (SCCs).
- Google Cloud Platform (Google Ireland Ltd.)
  - Purpose: Optional analytics, internal tooling, email services, and user identity (Single Sign-On).
  - Location: European Union
  - Compliance: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, GDPR, and EU Standard Contractual Clauses (SCCs).
- Amazon Web Services (AWS EMEA SARL)
  - Purpose: Cloud infrastructure hosting, email services.
  - Location: European Union
  - Compliance: ISO/IEC 27001, 27701, GDPR, and EU Standard Contractual Clauses (SCCs).
We ensure all subprocessors process data only under our instructions and with sufficient technical and organizational safeguards in place.
Cookies and Tracking
We do not use cookies or trackers for analytics or advertising.
However, we use your browser’s local storage to store session data for authentication and data caching (e.g. keeping you logged in even when you close your browser). This data is not shared with third parties or used for profiling or tracking.
This usage is considered essential to the operation of the service and does not require consent under the ePrivacy Directive.
Automated Decision-Making
We do not use your personal data for automated decision-making, including profiling.
Age Restrictions
You must be at least 16 years old to consent to the processing of your personal data. If you are under 16, consent must be provided by someone with parental responsibility.
Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access: Request a copy of your data.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure: Request deletion of your data (“right to be forgotten”).
- Right to Restrict Processing: Request limitation of how your data is processed.
- Right to Data Portability: Request your data in a machine-readable format to transfer to another controller.
- Right to Object: Object to data processing based on our legitimate interests.
You can exercise these rights directly from within the app itself, or by contacting the Data Protection Officer (whose details are at the top of this document).
As we process sensitive health data, we have completed a Data Protection Impact Assessment (DPIA). Any data breaches affecting your data will be reported within 72 hours of discovery.
How to Withdraw Consent
You can withdraw your consent at any time by:
- Requesting account deletion via the service settings (for service data).
- Clicking the unsubscribe link in marketing emails (for marketing consent).
- Contacting the Data Protection Officer (whose details are at the top of this document).
Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF https://www.ico.org.uk
If you are an EU resident, you also have the right to lodge a complaint with your local data protection authority. A list of national data protection authorities in the EU is available here: https://edpb.europa.eu/about-edpb/board/members_en
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and provide a prominent notice via our service.
Contact Us
If you have any questions or concerns about this Privacy Policy, please contact the Data Protection Officer.