Privacy Policy

Last updated: [DATE — TO BE SET ON PUBLICATION]

1. Controller

The data controller is Aevique Ltd, registered in England & Wales under [Company No. XXXXXXXX], with registered office at [Registered office address]. Data Protection contact: [DPO contact or Data Protection representative — REVIEW: required if processing special category data at scale]. General contact: info@aevique.io.

2. Data we collect

To deliver the service we collect and process:

• Account data — name, contact details, date of birth, address, sex/gender at birth where clinically relevant.
• Order data — tests ordered, panels selected, payment metadata (Stripe holds card data; we do not).
• Biological samples and results — biomarker results, genetic markers, microbiome composition, hormonal profiles, and other test outputs. This is special category data under Article 9 UK GDPR (data concerning health and, where applicable, genetic data).
• Clinical communications — messages exchanged between you and your assigned clinician via the app.
• App analytics & device data — usage events, device identifiers, IP address, language. [REVIEW: align with actual analytics stack].
• Wearable integrations — Oura, Whoop, Apple Watch, Garmin or similar — data shared with us only with your explicit consent.

3. Lawful basis

We rely on the following lawful bases under UK GDPR:

• Article 6(1)(b) — performance of a contract: to deliver the service you have purchased.
• Article 6(1)(f) — legitimate interests: for service improvement, analytics, and fraud prevention, balanced against your rights and freedoms.
• Article 9(2)(a) — explicit consent: for processing your health and genetic data, requested at sign-up and at order.
• Article 9(2)(h) — provision of healthcare: where the processing is for the management of healthcare systems and services by a regulated health professional. [REVIEW: solicitor to confirm which Article 9 conditions apply, including any need for a Data Protection Impact Assessment under Article 35].

4. How we use your data

To register your account, accept and process orders, collect samples, deliver lab results, provide clinician review and consultation, send service communications, comply with legal obligations (including clinical record-keeping), and improve the service.

5. Sharing & processors

We share data only with the following categories of recipients, each acting as a processor or independent controller as appropriate:

• Nationwide Pathology — laboratory analysis. UKAS 15189:2022 accredited.
• Stripe — payment processing.
• Phlebotomy partners — at-home or partner-site sample collection.
• Hosting, email, analytics, and app vendors — [REVIEW: full processor list to be added].
• Regulators and law enforcement — where required by law.

International transfers, where they occur, are protected by appropriate safeguards including the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses with the UK Addendum. [REVIEW: solicitor to confirm specific transfers and safeguards].

6. Retention

Health records are retained in line with NHS / CQC guidance, typically [REVIEW: 8 years for adult records is the standard default]. Account data is retained for the life of the account plus a reasonable closure period. Payment records are retained as required by tax law (typically 6 years). On request we will delete data where there is no overriding legal retention requirement.

7. Your rights

Under UK GDPR you have the right to: access your personal data; have inaccurate data corrected; have data erased (subject to legal holds); restrict processing; receive your data in a portable format; object to processing based on legitimate interests; and withdraw consent at any time without affecting the lawfulness of prior processing. To exercise any of these rights, email info@aevique.io. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We use encryption in transit and at rest, role-based access controls, audit logs, and supplier due diligence. Access to clinical records is limited to your assigned clinician and authorised support staff with a need-to-know. [REVIEW: align this section with your actual technical stack and security controls].

9. Cookies

We use a minimal set of cookies for session management and basic analytics. [REVIEW: produce a separate Cookie Policy if analytics or marketing cookies are added; cookie consent banner required if non-essential cookies are used].

10. Children

The service is for adults aged 18 and over. We do not knowingly collect data from children.

11. Changes

We will notify you by email and in-app if we make material changes to this policy. [REVIEW: notice period].

12. Contact

For any privacy question or to exercise your rights, contact info@aevique.io.