Privacy Policy

This Privacy Policy covers the Closed Alpha service provided by Health Data Avatar. It explains what information we gather, how we use it, and your legal rights regarding your data.

Effective Date: 2025-04-29

Introduction

Health Data Avatar (“HDA”, “we”, “our”, “us”) is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services.

Definition of Service

“Our Service” refers to the Health Data Avatar App, allowing you to upload, process, and interact with your personal files and medical data.

The “Waiting List” refers to users proactively subscribing for early access to the Health Data Avatar App.

“Marketing Updates” refers to users proactively subscribing for news, features, and other promotional content.

Who We Are

Health Data Avatar Ltd is registered with Companies House in the UK, with company number 16236443.

Data Controller: Health Data Avatar

Data Protection Officer: Hex Miller-Bakewell

Email: hex@healthdataavatar.com

What Data We Collect

We collect the following types of personal data:

Service Usage Data

Feedback Data

Waiting List Data

Collected only with your explicit consent:

Marketing Updates Data

Collected only with your explicit consent:

We process your personal data under the following legal bases:

How We Use Your Data

Service Data

Feedback Data

Waiting List

Marketing Updates

You can unsubscribe from marketing emails at any time by using the link provided in each email.

Data Retention

Service Data

Waiting List Data

Retained until you unsubscribe, or a maximum of 12 months after the public launch of the service, whichever is sooner.

Marketing Data

Retained until you unsubscribe.

Data Security

Your data is stored on servers located within the European Union (EU) or European Economic Area (EEA).

We apply appropriate technical and organizational measures, including:

We use Microsoft Azure services to store and process your service data. For Marketing Updates and Waiting List data we also use Microsoft Azure, Google Cloud and Amazon AWS. The Microsoft, Google, and AWS services we use are all certified under key international standards (e.g. ISO/IEC 27001, 27017, 27018) and provide contractual assurances as data processors under the GDPR.

Subprocessors

We rely on third-party service providers (subprocessors) to help deliver and maintain our services.
Each subprocessor is contractually obligated to comply with GDPR and provide appropriate safeguards for personal data.

Our primary subprocessors include:

We ensure all subprocessors process data only under our instructions and with sufficient technical and organizational safeguards in place.

Cookies and Tracking

We do not use cookies or trackers for analytics or advertising.

However, we use your browser’s local storage to store session data for authentication and data caching (e.g. keeping you logged in even when you close your browser). This data is not shared with third parties or used for profiling or tracking.

This usage is considered essential to the operation of the service and does not require consent under the ePrivacy Directive.

Automated Decision-Making

We do not use your personal data for automated decision-making, including profiling.

Age Restrictions

You must be at least 16 years old to consent to the processing of your personal data. If you are under 16, consent must be provided by someone with parental responsibility.

Your Rights Under GDPR

You have the following rights regarding your personal data:

You can exercise these rights directly from within the app itself, or by contacting the Data Protection Officer (whose details are at the top of this document).

As we process sensitive health data, we have completed a Data Protection Impact Assessment (DPIA). Any data breaches affecting your data will be reported within 72 hours of discovery.

You can withdraw your consent at any time by:

- Requesting account deletion via the service settings (for service data).
- Clicking the unsubscribe link in marketing emails (for marketing consent).
- Contacting the Data Protection Officer (whose details are at the top of this document).

Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
https://www.ico.org.uk

If you are an EU resident, you also have the right to lodge a complaint with your local data protection authority. A list of national data protection authorities in the EU is available here: https://edpb.europa.eu/about-edpb/board/members_en

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and provide a prominent notice via our service.

Contact Us

If you have any questions or concerns about this Privacy Policy, please contact the Data Protection Officer.