Privacy Policy
Introduction
Vert Neo Limited ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Health Vault application, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller: Vert Neo Limited (Company No. 09321333), Redlands, St. Marys Road, Worcester Park, KT4 7JL, England.
Contact: privacy@healthvault-ai.com
Lawful Basis for Processing
We process your personal data on the following lawful bases under Article 6 UK GDPR:
- Consent (Article 6(1)(a)): You have given explicit consent for processing your health data (special category data under Article 9).
- Contract (Article 6(1)(b)): Processing is necessary for the performance of our service agreement with you.
- Legitimate Interests (Article 6(1)(f)): For service improvement, security, and fraud prevention.
Special Category Data
Health data is classified as special category data under Article 9 UK GDPR. We process this data only with your explicit consent (Article 9(2)(a)). You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Data We Collect
- Account Data: Name, email address, date of birth, gender.
- Health Data: Medical records, test results, diagnoses, prescriptions, and health observations you upload or enter.
- Device Data: Information from connected health devices and activity trackers (with your permission).
- Technical Data: IP address, browser type, device identifiers, usage logs for security and service improvement.
How We Use Your Data
- Service Delivery: To provide personalised health insights, record management, and AI-assisted analysis.
- Communication: To send service notifications, health-related updates, and respond to your enquiries.
- Improvement: To analyse anonymised, aggregated data for improving our services.
- Legal Compliance: To meet our obligations under applicable laws and regulations.
AI Processing and Automated Decision-Making
We use artificial intelligence (including large language models) to assist with health data analysis, text extraction from documents, and generating health insights. These AI features:
- Are designed to assist, not replace, professional medical advice.
- Do not make decisions that produce legal or similarly significant effects on you without human review.
- Process data using encrypted connections to our AI service providers.
Under Article 22 UK GDPR, you have the right not to be subject to solely automated decisions. You may request human review of any AI-generated output by contacting us.
Data Storage and Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256).
- Regular security assessments and penetration testing.
- Strict access controls and audit logging.
- Data stored on servers within the European Economic Area (EEA) or countries with UK adequacy decisions.
International Data Transfers
Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place as required by Chapter V UK GDPR, including:
- Transfers to countries with a UK adequacy decision.
- Standard Contractual Clauses (International Data Transfer Agreement or Addendum) approved by the ICO.
- Additional technical measures where necessary (encryption, pseudonymisation).
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data: For the duration of your account, plus 30 days after a deletion request.
- Health records: Until you delete them or close your account.
- Technical logs: Up to 12 months for security purposes.
Your Rights
Under UK GDPR, you have the following rights:
- Right of Access (Article 15): Request a copy of your personal data.
- Right to Rectification (Article 16): Correct inaccurate or incomplete data.
- Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten").
- Right to Restriction (Article 18): Restrict processing in certain circumstances.
- Right to Data Portability (Article 20): Receive your data in a structured, commonly used format.
- Right to Object (Article 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent at any time via your account settings.
To exercise any of these rights, contact us at privacy@healthvault-ai.com. We will respond within one month.
Cookies and Similar Technologies
We use essential cookies required for the application to function. We do not use advertising or tracking cookies. For details, see our Cookie Notice within the application settings.
Children's Data
Our service is not intended for children under 16. We do not knowingly collect personal data from children under 16 without parental consent.
Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification. The latest version is always available within the application.
Last updated: March 2026