Privacy Policy

Autonomyx Privacy Policy

Effective date: 18/06/26
Last updated: 18/06/26

1. About this policy

This policy explains how your personal information is collected, used, stored and protected when you use the Autonomyx mobile application ("the App") and the connected wearable monitoring service ("the Service"). It applies to everyone who takes part in the Autonomyx research programme and uses the App.

Autonomyx is currently a research and product-development tool. It is used to collect heart-rate and related physiological signals, together with information you log about your day, so that we can develop and validate algorithms that detect changes in the activity of the autonomic nervous system (ANS). The App is not a medical device, does not provide a diagnosis, and must not be used to make any decision about your health, treatment or medication. If you have a health concern, contact a qualified healthcare professional.

Please read this policy alongside any participant information sheet and consent form you are given when you join the programme. Where those documents and this policy differ, the study consent documents take precedence for matters relating to the research.

2. Who we are (the data controller)

The data controller responsible for your personal information is:

Reset Health Clinics Ltd [CONFIRM correct legal entity — Reset group / Autonomyx]
One Fleet Place, London EC4M 7WS, United Kingdom
Company number: [INSERT]
ICO registration number: [INSERT]

If you have any questions about this policy or about how your data is handled, contact us at [INSERT PRIVACY CONTACT EMAIL]. Our Data Protection point of contact is [INSERT NAME / ROLE — e.g. Data Protection Officer or Caldicott Guardian].

3. What information we collect

Physiological data from your wearable device. When you wear the Polar 360 device, the App collects heart rate, heart-rate variability (HRV), and inter-beat interval (IBI) data, along with the time each measurement was taken.

Information you log yourself. Through in-app prompts and linked forms, you tell us about events during your day — for example exercise, periods of stress or rest, food and drink, substance use (such as alcohol, caffeine or nicotine), and contextual health events (such as illness, travel or medication changes). You also provide the time each event occurred.

Account and contact details. Information needed to enrol you and pay any agreed compensation, such as a participant identifier, and contact details held by the recruitment platform.

Device and technical data. Basic information about your phone and the App needed to deliver the Service and reminders, such as device type, operating-system version, app version, and a push-notification token.

We use a participant identifier to label your data. We do not store your name alongside your physiological data — your data is pseudonymised.

4. Health data and why we ask for your explicit consent

Heart-rate, HRV and the events you log are information about your health, which is a special category of personal data under data protection law. We only process it where you have given your explicit consent, and you can withdraw that consent at any time (see section 11).

5. How we use your information and our lawful bases

Purpose | Lawful basis (UK GDPR)
Collecting and analysing your physiological and logged data to develop and validate the Autonomyx ANS algorithms | Consent — Article 6(1)(a); explicit consent for health data — Article 9(2)(a)
Sending you reminders and operating the App | Consent — Article 6(1)(a)
Administering your participation and any compensation | Consent — Article 6(1)(a); our legitimate interests in running the programme — Article 6(1)(f)
Keeping records we are legally required to keep | Compliance with a legal obligation — Article 6(1)(c)

We do not use your data for advertising, and we do not sell your data. Results shared outside the team — for example in investor or partner materials — use only anonymised, aggregated information that cannot identify you.

6. Who we share your information with

We share data only with service providers ("processors") who help us run the Service, and only under contracts that require them to protect it. These include:

  • Supabase — secure, UK-hosted database where your data is stored.

  • Google (Workspace / Forms) — used to collect the events you log, before they are transferred into our database. [Confirm region/retention of Google-held responses]

  • Polar — the wearable device and its software interface.

  • Apple (TestFlight / App Store) — distribution of the App.

  • Firebase Cloud Messaging (Google) — delivery of reminder notifications.

  • [Recruitment platform — e.g. Prolific] — participant recruitment and payment.

Access within our own team is restricted to the named study personnel who need it. We will also disclose information if required to do so by law, or to protect the safety of a participant or others.

7. Where your data is stored and international transfers

Your data is stored in the United Kingdom. Some of our service providers may process limited data outside the UK. Where that happens, we ensure an appropriate safeguard is in place — such as a UK adequacy decision or the International Data Transfer Agreement / Addendum — so your data receives equivalent protection. [Confirm which providers transfer data and which safeguard applies.]

8. How long we keep your information

We keep your research data for 24 months after the end of the study. After that, we will either securely delete it or fully anonymise it so it can no longer be linked to you. Where you ask us to delete your data earlier, we will do so unless we are required to keep certain records by law.

9. How we protect your information

  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256).

  • Database access controls (row-level security) mean records are accessible only to authorised study personnel.

  • Connections between our data-collection forms and our database are authenticated using a secret credential held securely.

  • Access is limited to a small, named study team.

No system is completely secure, but we take appropriate technical and organisational measures to protect your data and to detect and respond to any breach.

10. Your rights

Under UK data protection law you have the right to:

  • Access the personal data we hold about you.

  • Rectify inaccurate or incomplete data.

  • Erase your data ("right to be forgotten").

  • Restrict or object to our processing in certain circumstances.

  • Data portability — receive your data in a structured, machine-readable format.

  • Withdraw consent at any time (see section 11).

  • Complain to the regulator (see section 13).

To exercise any of these rights, contact us at [INSERT PRIVACY CONTACT EMAIL]. We will respond within one month. Exercising your rights is free and will not disadvantage you in the programme.

11. Withdrawing your consent

Because we rely on your consent, you can withdraw it at any time, without giving a reason and without penalty. You can stop using the App and ask us to stop collecting your data by contacting [INSERT PRIVACY CONTACT EMAIL]. Withdrawing consent does not affect the lawfulness of processing carried out before you withdrew. Any compensation already earned for completed days is unaffected.

12. Children

The App and Service are intended for adults aged 18 and over. We do not knowingly collect data from anyone under 18.

13. How to contact us and how to complain

If you have a question or a concern about how we handle your data, please contact us first at [INSERT PRIVACY CONTACT EMAIL] so we can try to resolve it.

You also have the right to complain to the UK supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113 — ico.org.uk

14. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you through the App or by email, and update the "Last updated" date above.

[DRAFT — for legal/DPO review before publication. Placeholders in square brackets must be completed and the data-controller entity confirmed.]