Privacy Policy
Last updated: 9 April 2026
1. Introduction
Yekta Health Ltd (“Yekta”, “we”, “us”, or “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website (yekta.health), mobile applications, and related services (collectively, the “Services”).
By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Services.
2. Data Controller and Data Processor
The identity of the Data Controller for your personal data depends on how you use our Services:
- Healthcare provider deployments: If you access the Yekta Health platform through a healthcare organisation, clinic, or care provider (your “Care Provider”), that Care Provider is the Data Controller for your health and personal data. Yekta Health Ltd acts as the Data Processor on their behalf, processing your data only in accordance with their instructions and this policy. Your Care Provider is responsible for their own privacy notice and for ensuring the lawful basis for processing your data.
- Direct (D2C) access: If you access the Services directly through Yekta Health Ltd without an intermediary Care Provider, Yekta Health Ltd is the Data Controller.
- Website visitors: For visitors to yekta.health who are not platform users, Yekta Health Ltd is the Data Controller.
Yekta Health Ltd
Registered in England & Wales
Email: privacy@yekta.health
3. Information We Collect
Information you provide directly:
- Contact information (name, email address) when you submit a contact form or subscribe to our newsletter
- Message content when you reach out to us
- Account registration details when you create an account on our platform
- Health and medical data that you voluntarily input into the platform, including vital signs (heart rate, blood pressure, oxygen saturation, respiratory rate, temperature), symptoms, medications, and appointments
- Biometric data captured by the contactless measurement feature on supported devices
- Profile photograph, if you choose to provide one
Special Category Data (GDPR Article 9): Health, biometric, and related medical data constitutes special category personal data under GDPR. We process this data only where you have given explicit consent and/or where processing is necessary for healthcare purposes (Article 9(2)(a) and 9(2)(h)).
Information collected automatically:
- Device information (device type, operating system, app version)
- Usage data (features used, navigation patterns, session duration)
- IP address (anonymised where possible)
- Cookies and similar technologies on the website (see our Cookie Policy)
4. How We Use Your Information
We use your information for the following purposes:
- To provide, maintain, and improve our Services
- To respond to your enquiries and provide customer support
- To send you service-related communications
- To send marketing communications (only with your explicit consent)
- To generate health insights and support clinical decision-making for your care team (platform users only)
- To ensure the security and integrity of our Services
- To comply with legal and regulatory obligations
5. Legal Basis for Processing (UK GDPR / GDPR)
We process your personal data based on the following legal grounds:
- Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)): For health and biometric data, newsletter subscriptions, and marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Contractual necessity (Art. 6(1)(b)): To fulfil our obligations to you under our Terms of Service.
- Legal obligation (Art. 6(1)(c)): To comply with applicable laws and regulations.
- Legitimate interests (Art. 6(1)(f)): To improve our Services, maintain security, and communicate with you in ways you would reasonably expect.
- Healthcare purposes (Art. 9(2)(h)): Where processing of special category health data is necessary for the provision of healthcare or treatment under a professional obligation of confidentiality.
6. Data Sharing
We do not sell your personal data. We may share data with:
- Your Care Provider: Clinicians, nurses, and administrative staff within your care team who are authorised by your Care Provider to access your data for the purposes of your care
- Sub-processors: Third-party vendors who help us operate our Services (e.g., cloud hosting, email delivery) under strict Data Processing Agreements (DPAs). A list of sub-processors is available on request.
- Legal authorities: When required by law, court order, or to protect the rights and safety of our users
- Business transfers: In connection with a merger, acquisition, or sale of assets, subject to confidentiality obligations
We never share your health data with third parties for advertising, marketing, or commercial profiling purposes.
7. Data Retention
We retain your personal data only for as long as necessary for the purposes outlined in this policy:
- Contact form submissions: Up to 2 years
- Newsletter subscriptions: Until you unsubscribe
- Platform health data: For the duration of your active care relationship and as required by applicable healthcare regulations, after which data is securely deleted or anonymised
- Account data after deletion: Up to 30 days to allow recovery, then permanently deleted
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption at rest: AES-256 encryption for all stored personal and health data
- Encryption in transit: TLS 1.2 or higher for all data transmitted between your device and our servers
- Access controls: Role-based access, least privilege principles, and multi-factor authentication for administrative access
- Audit logging: All access to health records is logged and monitored
- Security reviews: Regular vulnerability assessments and penetration testing
- Infrastructure: Hosted in ISO 27001-certified cloud infrastructure
Despite these measures, no transmission over the internet is completely secure. If you believe your data has been compromised, please contact us immediately at privacy@yekta.health.
9. Data Residency and International Transfers
Your health and personal data is stored and processed in the region where your Care Provider operates, in accordance with the data protection laws applicable in that jurisdiction. We do not transfer your health data outside your region without your knowledge and appropriate safeguards in place.
Where data is processed by third-party sub-processors located in another jurisdiction, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent mechanisms recognised by the applicable local data protection authority.
10. Your Rights
Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your data where there is no compelling reason for continued processing
- Restriction: Request that we limit how we process your data
- Portability: Receive your data in a machine-readable format and transfer it to another provider
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time, without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at privacy@yekta.health. We will respond within 30 days. If your data is processed by a Care Provider acting as Data Controller, please contact your Care Provider directly in the first instance.
You also have the right to lodge a complaint with your national data protection supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO) at ico.org.uk.
11. Account and Data Deletion
You can request deletion of your Yekta account and associated personal data in any of the following ways:
- In the app: Use Account -> Request Account Deletion.
- On the web: yekta.health/privacy-centre/delete-data
- By email: privacy@yekta.health
We may ask you to verify your identity before acting on a deletion request. Once verified, we will delete or anonymise the relevant data within 30 days unless retention is required by law, for patient safety, or because your Care Provider is the Data Controller and must direct the deletion process.
12. Children's Privacy
Our Services are not intended for children under 16. We do not knowingly collect personal data from children under 16 without verified parental or guardian consent. Where the platform is used in a paediatric care context, the Care Provider is responsible for obtaining appropriate consent. If you believe we have collected data from a child without proper consent, please contact us immediately at privacy@yekta.health.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website and, for platform users, through the application. The date at the top of this page indicates when the policy was last updated. Your continued use of our Services after changes constitutes acceptance of the updated policy.
14. Contact
For any questions about this Privacy Policy, to exercise your rights, or to request a Data Processing Agreement (for enterprise customers), please contact:
Yekta Health Ltd
Registered in England & Wales
Email: privacy@yekta.health