Privacy policy.
This privacy notice explains how [Elin Health, Inc. / registered company name] ("Elin", "we", "us") collects, uses and protects your personal information when you visit elin.health, complete our symptom quiz, contact us, or otherwise interact with our services.
1. Who we are
The data controller is [Elin Health, Inc. / registered company name], registered in [England & Wales / state], company number [number]. Registered address: [address].
For privacy questions, contact us at privacy@elin.health.
2. Information we collect
You give us directly
- Quiz responses — your answers about age, symptoms (rage, sleep, brain fog, anxiety, cycle changes), symptom duration, and prior doctor experience.
- Contact details — name and email when you submit the quiz or our contact form.
- Messages — anything you write in the contact form.
Collected automatically
- Technical data — IP address, country (derived from IP), browser user agent, referring URL.
- Submission metadata — timestamp, application ID.
3. Why we use it (lawful basis)
Health-related quiz responses are special category data under UK GDPR Article 9. We rely on:
- Article 6(1)(b) — performance of a contract: to assess your eligibility and provide our services.
- Article 6(1)(f) — legitimate interests: to operate, secure and improve our service, and to detect and prevent abuse.
- Article 9(2)(a) — explicit consent: for processing special category (health) data, which you provide by submitting the quiz.
You may withdraw consent at any time by emailing privacy@elin.health. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
4. Who we share it with
We do not sell your personal data. We share it only with service providers strictly necessary to operate Elin:
- Vercel Inc. — website hosting and edge functions.
- Upstash, Inc. — encrypted data storage (Redis).
- Resend — transactional email delivery.
- Our clinical team — board-certified clinicians who review applications.
- [Add: analytics, payment processor, EHR, etc. once decided]
Each processor is contractually bound to handle your data in line with UK GDPR and only on our instructions.
5. International transfers
Some processors are based in the United States. Where personal data is transferred outside the UK, we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK addendum, plus appropriate supplementary measures.
6. How long we keep it
- Quiz applications: [retention period — TBD, e.g. 2 years from last interaction]
- Contact form submissions: [retention period — TBD, e.g. 12 months]
- Account/clinical records (once active): [retention period — typically governed by clinical record-keeping rules]
7. Your rights
Under UK GDPR, you have the right to:
- Access the data we hold about you.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict or object to processing.
- Request data portability.
- Withdraw consent.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email privacy@elin.health. We will respond within one month.
8. Cookies and analytics
[TBD: list any cookies / analytics tools in use, their purpose, and how to opt out. If none currently, state "We do not currently set non-essential cookies or use third-party analytics."]
9. Security
We take appropriate technical and organisational measures to protect your data, including TLS encryption in transit, encrypted storage at rest, restricted access controls, and an HTTP Strict Transport Security (HSTS) policy on our domain. No system is perfectly secure; we encourage you to use a strong, unique password if you create an account.
10. Changes to this policy
We may update this notice from time to time. Material changes will be highlighted on this page with an updated effective date. Continued use of Elin after changes constitutes acceptance.
11. Contact
Questions or complaints: privacy@elin.health or via our contact form.