
Legal

Privacy Notice

Last updated: 11 April 2026

This Notice explains how Kyma Health Ltd ("Kyma", "we", "us") collects, uses and protects your personal information when you use our preventive-health Services. It is written in plain English so you can see exactly what happens to your data.

Key definitions

Platform
Kyma's web portal at app.kymahealth.co and any related webpages, dashboards, software and APIs.
Member / You / Your
The natural person who purchases or is authorised to use a Membership.
Membership
The 12-month subscription plan for the Services described in the Kyma Terms & Conditions.
Membership Year
The contiguous twelve-month period commencing on the Member's Start Date and each subsequent twelve-month period thereafter.
Services
Collectively, the Screening, AI Assistant, Digital Dashboard, Referral Letters and Marketplace Services plus any other features provided to Members.
Screening
A preventive appointment which may include venous blood and/or urine collection, anthropometric measurements, vital-sign checks or other assessments at a Network Partner Site.
AI Assistant
The asynchronous messaging service (and any related video consultations) with UK-licensed clinicians (not doctors) provided via the Platform.
Marketplace Services
The catalogue of optional, fee-payable services or diagnostic tests (e.g. DEXA, CGM, MRI) curated by Kyma and supplied by Third-Party Providers.
Health Data
Special-category personal data relating to your physical or mental health, including lab results, vital signs and wearable-device metrics.
Member Content
Any data or content you upload or connect to the Platform (e.g. Health Data, Typeform answers, wearable feeds).
UK GDPR
The United Kingdom General Data Protection Regulation.
PECR
The Privacy and Electronic Communications Regulations 2003 (UK).

Who we are & how to contact us

Kyma Health Ltd — Solar House, 282 Chase Road, London, England, N14 6NZ, United Kingdom.

For privacy questions, email help@kymahealth.co.

What data we collect

| Category | Examples | Source |
|---|---|---|
| Account data | Name, email, phone, DOB, address, payment status | You / Stripe |
| Screening data | Lab results, vitals, clinician notes | Network labs, clinicians |
| Wearable data | Steps, heart rate, sleep stage, etc. | Apple Health, Garmin, Oura, etc. (only if you connect) |
| Usage data | Page views, button clicks, error logs | HeapAnalytics (self-hosted, UK) |
| Marketing data | Newsletter opens, UTM codes | Mailchimp, Google Analytics |
| Cookie data | Analytics & marketing cookies (only if you opt-in) | Cookiebot + GA / Meta / LinkedIn pixels |

We do not knowingly collect data from anyone under 18; the Platform blocks under-18 sign-ups.

Lawful bases for processing

| Purpose | Lawful basis | Key notes |
|---|---|---|
| Create & manage your Membership | Contract (Art. 6(1)(b)) | To deliver the Services you request. |
| Provide Screenings & AI assistant | Explicit consent (Art. 9(2)(a)) | You give consent during onboarding & each Screening. |
| Payment processing | Contract; legal obligation | Stripe stores limited card data. |
| Analytics & product improvement | Legitimate interests (Art. 6(1)(f)); Health Data anonymised or aggregated | We use HeapAnalytics; no profiling with legal effect. |
| Marketing emails | Soft opt-in under PECR | Unsubscribe anytime via footer link. |
| Optional ad pixels | Consent via Cookiebot banner | No cookies set until you opt-in. |

How we use Member Content

  • Service delivery: Provide dashboards, trend analysis and clinician advice.
  • Improvement: Train internal algorithms on de-identified aggregates.
  • Research: We may create anonymised statistics (e.g., "25% of Members had low vitamin D") — never identifying you.
  • Clinician access: Kyma clinicians view identifiable Health Data within our own EHR; no external telehealth processors.

Licence you grant us. When you upload or connect Member Content you grant Kyma a worldwide, royalty-free licence to host, use, modify and analyse that data for the purposes above. We will not sell identifiable Health Data to third parties.

Sharing your data

| Recipient | Reason | Safeguard |
|---|---|---|
| UKAS-accredited labs (e.g. Randox) | Process your samples | Contract + UK GDPR DPA |
| Clinicians (employees / consultants) | Review results, issue advice | Employment / contractor NDA |
| Stripe | Card payments | Data stored in EU data centre |
| Microsoft Azure (UK) | Hosting & backups | Data stays in UK |
| Mailchimp | Transactional / marketing email | EU SCCs in place |
| Regulatory authorities | Legal or safety obligations | Only where required by law |

Kyma never shares identifiable Health Data with employers; employer dashboards are aggregate only.

International transfers

We host all data in the United Kingdom. If we must transfer data outside the UK (e.g. to Mailchimp EU servers) we use UK Addendum-SCCs or an adequacy decision.

Cookies & trackers

We use Cookiebot to block non-essential cookies until you choose Accept. Essential cookies (session, CSRF) load regardless. See our Cookie Banner link for the full list.

Retention

| Data set | Retention rule |
|---|---|
| Health records | 10 years from Membership end, then pseudonymised or securely deleted. |
| Chat transcripts | 10 years (clinical record). |
| Analytics logs | 18 months rolling window. |
| Marketing data | Until you opt-out + 24 hrs to suppress. |
| Cookie consents | 5 years. |

Your rights

Under the UK GDPR you can: access, correct, erase, restrict, object, port your data, or withdraw consent at any time. Email help@kymahealth.co. We respond within one month.

Security

We use TLS 1.3, AES-256 encryption at rest, MFA for staff accounts, regular penetration testing and role-based access controls. No system is 100% secure, but we work hard to protect your data.

Accessibility commitment

Kyma aims to meet WCAG 2.1 AA. If any feature is not accessible to you, please email us so we can help and fix the issue.

Changes to this Notice

We may update this Notice. Material changes will be emailed to Members 30 days before they take effect. Continued use after that date means you accept the changes.

Complaints

If you are unhappy with how we handle your data, contact us first. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

© 2026 Kyma Health. All rights reserved.