Privacy policy.
This privacy notice explains how Elin Health ("Elin", "we", "us") collects, uses and protects your personal information when you visit elin.health, complete our symptom quiz, contact us, or otherwise interact with our services.
1. Who we are
The data controller is Elin Health. For privacy questions, contact us at elin.health@proton.me.
2. Information we collect
You give us directly
- Quiz responses — your answers about age, symptoms (rage, sleep, brain fog, anxiety, cycle changes), symptom duration, and prior doctor experience.
- Contact details — name and email when you submit the quiz or our contact form.
- Messages — anything you write in the contact form.
Collected automatically
- Technical data — IP address, country (derived from IP), browser user agent, referring URL.
- Submission metadata — timestamp, application ID.
3. Why we use it (lawful basis)
Health-related quiz responses are special category data under UK GDPR Article 9. We rely on:
- Article 6(1)(b) — performance of a contract: to assess your eligibility and provide our services.
- Article 6(1)(f) — legitimate interests: to operate, secure and improve our service, and to detect and prevent abuse.
- Article 9(2)(a) — explicit consent: for processing special category (health) data, which you provide by submitting the quiz.
You may withdraw consent at any time by emailing elin.health@proton.me. Withdrawal does not affect lawfulness of processing prior to withdrawal.
4. Who we share it with
We do not sell your personal data. We share it only with service providers strictly necessary to operate Elin:
- Vercel Inc. — website hosting and edge functions.
- Upstash, Inc. — encrypted data storage (Redis).
- Resend — transactional email delivery.
- Our clinical team — board-certified clinicians who review applications.
Each processor is contractually bound to handle your data in line with UK GDPR and only on our instructions.
5. International transfers
Some processors are based in the United States. Where personal data is transferred outside the UK, we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK addendum, plus appropriate supplementary measures.
6. How long we keep it
- Quiz applications: 2 years from your last interaction with us, after which records are deleted or anonymised.
- Contact form submissions: 12 months from receipt.
- Account and clinical records (once active): for the period required by applicable clinical record-keeping rules.
7. Your rights
Under UK GDPR, you have the right to:
- Access the data we hold about you.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict or object to processing.
- Data portability.
- Withdraw consent.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email elin.health@proton.me. We will respond within one month.
8. Cookies and analytics
We do not currently set non-essential cookies or use third-party analytics on elin.health. Only strictly necessary cookies (for example, to keep you signed in when an account is created) may be used.
9. Security
We take appropriate technical and organisational measures to protect your data, including TLS encryption in transit, encrypted storage at rest, restricted access controls, and a strict-transport-security policy on our domain. No system is perfectly secure; we encourage you to use a strong, unique password if you create an account.
10. Changes to this policy
We may update this notice from time to time. Material changes will be highlighted on this page with an updated effective date. Continued use of Elin after changes constitutes acceptance.
11. Contact
Questions or complaints: elin.health@proton.me or via our contact form.