Privacy Notice
Version 1.0 — last updated 2 May 2026
This notice explains how VestiHeal (operated by Hypatia Clinic, the “data controller”) collects and uses your personal and health information. It is written to align with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the NHS Digital Technology Assessment Criteria (DTAC), and the Data Security and Protection Toolkit (DSPT).
1. Who we are
Hypatia Clinic is the data controller. To exercise your rights or ask questions about this notice, contact dpo@hypatiaclinic.example.
2. What information we collect
- Account details: email, display name, date of birth (optional).
- Health data you log: symptoms, sleep, mood, migraine episodes, therapy sessions.
- If you connect to a clinician via an invite code: the link between your account and theirs.
- Messages you send to your clinician through the in-app chat.
- Technical: device/browser type, approximate session metadata, audit log of access.
3. Why we use it (lawful basis)
- Consent (Article 6(1)(a) and Article 9(2)(a) UK GDPR) for processing your health data to provide self-guided support.
- Contract (Article 6(1)(b)) to provide the service you signed up for.
- Legal obligation (Article 6(1)(c)) for security logging and statutory record-keeping.
You can withdraw consent at any time in Settings → Privacy. Withdrawing consent does not affect processing already carried out.
4. Who we share it with
- Your clinician, only if you redeem an invite code. They can view your tracked data and AI-generated plans, and message you.
- Sub-processors: hosting (Lovable Cloud / Supabase, EU region) and AI inference (Google Gemini via the Lovable AI Gateway). We have data processing agreements in place.
- We do not sell your data, use it for advertising, or share it with insurers or employers.
5. Where it is stored
Data is stored in EU-region cloud infrastructure. Encryption is applied in transit (TLS 1.2+) and at rest (AES-256, managed by the hosting provider).
6. How long we keep it
- Active account data: while your account is open.
- If you delete your account: tracked health data is removed within 30 days. Audit logs and consent records are kept for 6 years for statutory and clinical safety reasons.
7. Your rights
- Access a copy of your data (Settings → Privacy → Download my data).
- Correct inaccurate data.
- Delete your data (Settings → Privacy → Delete my account).
- Restrict or object to processing.
- Withdraw consent for clinician sharing.
- Complain to the UK Information Commissioner’s Office (ico.org.uk).
8. Clinical safety
VestiHeal is a self-guided wellness and education tool. It does not diagnose, prescribe, or replace a qualified clinician, and is not for emergency care. Clinical safety risks are managed under the principles of NHS DCB0129 / DCB0160 by our clinical safety officer.
9. Changes to this notice
If we change this notice, we will record a new version, prompt you to re-consent on next sign-in, and keep the previous versions on file.