Privacy Notice
This Notice explains how Kyma Health Ltd ("Kyma", "we", "us") collects, uses and protects your personal information when you use our preventive-health Services. It is written in plain English so you can see exactly what happens to your data.
Key definitions
Term — Meaning
- Platform — Kyma’s web portal at app.kymahealth.ai and any related webpages, dashboards, software and APIs.
- Member / You / Your — The natural person who purchases or is authorised to use a Membership.
- Membership — The 12-month subscription plan for the Services described in the Kyma Terms & Conditions.
- Membership Year — The contiguous twelve-month period commencing on the Member’s Start Date and each subsequent twelve-month period thereafter.
- Services — Collectively, the Screening, AI Assistant, Digital Dashboard, Referral Letters and Marketplace Services plus any other features provided to Members.
- Screening — A preventive appointment which may include venous blood and/or urine collection, anthropometric measurements, vital-sign checks or other assessments at a Network Partner Site.
- AI Assistant — The asynchronous messaging service (and any related video consultations) with UK-licensed clinicians (not doctors) provided via the Platform.
- Marketplace Services — The catalogue of optional, fee-payable services or diagnostic tests (e.g. DEXA, CGM, MRI) curated by Kyma and supplied by Third-Party Providers.
- Health Data — Special-category personal data relating to your physical or mental health, including lab results, vital signs and wearable-device metrics.
- Member Content — Any data or content you upload or connect to the Platform (e.g. Health Data, Typeform answers, wearable feeds).
- UK GDPR — The United Kingdom General Data Protection Regulation.
- PECR — The Privacy and Electronic Communications Regulations 2003 (UK).
Who we are & how to contact us
Kyma Health Ltd – Solar House, 282 Chase Road, London, England, N14 6NZ, United Kingdom.
For privacy questions, email help@kymahealth.ai.
What data we collect
Category — Examples — Source
- Account data — Name, email, phone, DOB, address, payment status — You / Stripe
- Screening data — Lab results, vitals, clinician notes — Network labs, clinicians
- Wearable data — Steps, heart rate, sleep stage, etc. — Apple Health, Garmin, Oura, etc. (only if you connect them)
- Usage data — Page views, button clicks, error logs — HeapAnalytics (self-hosted, UK)
- Marketing data — Newsletter opens, UTM codes — Mailchimp, Google Analytics
- Cookie data — Analytics & marketing cookies (only if you opt-in) — Cookiebot + GA / Meta / LinkedIn pixels
We do not knowingly collect data from anyone under 18; the Platform blocks under-18 sign-ups.
Lawful bases for processing
Purpose — Lawful basis — Key notes
- Create & manage your Membership — Contract (Article 6 (1)(b)) — To deliver the Services you request.
- Provide Screenings & AI Assistant — Explicit consent (Article 9 (2)(a)) — You give consent during onboarding and at each Screening.
- Payment processing — Contract; legal obligation — Stripe stores limited card data.
- Analytics & product improvement — Legitimate interests (Article 6 (1)(f)); Health Data anonymised or aggregated — We use HeapAnalytics; no profiling with legal effect.
- Marketing emails — Soft opt-in under PECR — Unsubscribe anytime via footer link.
- Optional ad pixels — Consent via Cookiebot banner — No cookies set until you opt-in.
How we use Member Content
- Service delivery: Provide dashboards, trend analysis and clinician advice.
- Improvement: Train internal algorithms on de-identified aggregates.
- Research: We may create anonymised statistics (e.g., “25 % of Members had low vitamin D”)—never identifying you.
- Clinician access: Kyma clinicians view identifiable Health Data within our own EHR; no external telehealth processors.
Licence you grant us: When you upload or connect Member Content you grant Kyma a worldwide, royalty-free licence to host, use, modify and analyse that data for the purposes above. We will not sell identifiable Health Data to third parties.
Sharing your data
Recipient — Reason — Safeguard
- UKAS-accredited labs (e.g. Randox) — Process your samples — Contract + UK GDPR DPA
- Clinicians (employees/consultants) — Review results, issue advice — Employment / contractor NDA
- Stripe — Card payments — Data stored in EU data centre
- Microsoft Azure (UK) — Hosting & backups — Data stays in UK
- Mailchimp — Transactional/marketing email — EU SCCs in place
- Regulatory authorities — Legal or safety obligations — Only where required by law
Kyma never shares identifiable Health Data with employers; employer dashboards are aggregate only.
International transfers
We host all data in the United Kingdom. If we must transfer data outside the UK (e.g. to Mailchimp EU servers) we use UK Addendum-SCCs or an adequacy decision.
Cookies & trackers
We use Cookiebot to block non-essential cookies until you choose Accept. Essential cookies (session, CSRF) load regardless. See our Cookie Banner link for the full list.
Retention
Data set — Retention rule
- Health records — 10 years from Membership end then pseudonymised or securely deleted.
- Chat transcripts — 10 years (clinical record).
- Analytics logs — 18 months rolling window.
- Marketing data — Until you opt out, plus 24 hours to apply the suppression.
- Cookie consents — 5 years.
Your rights
Under the UK GDPR you can: access, correct, erase, restrict, object, port your data, or withdraw consent at any time. Email help@kymahealth.ai. We respond within one month.
Security
We use TLS 1.3, AES-256 encryption at rest, MFA for staff accounts, regular penetration testing and role-based access controls. No system is 100 % secure, but we work hard to protect your data.
Accessibility commitment
Kyma aims to meet WCAG 2.1 AA. If any feature is not accessible to you, please email us so we can help and fix the issue.
Changes to this Notice
We may update this Notice. Material changes will be emailed to Members 30 days before they take effect. Continued use after that date means you accept the changes.
Complaints
If you are unhappy with how we handle your data, contact us first. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.