1. Who We Are
Hea LTD ("Hea", "we", "us", "our") is a private limited company incorporated in England and Wales with its registered office at [Company Address]. We are registered with the UK Information Commissioner's Office (ICO) as a data controller (Registration No. [ICO Number]).
Data Protection Officer Contact:

Post: Data Protection Officer, Hea LTD, [Company Address]

Phone: [Company Phone]
2. Our Service
Hea provides an AI-powered wellbeing service that analyses voice recordings and text messages to detect early markers of systemic health risks and deliver proactive wellness
IMPORTANT MEDICAL DISCLAIMER:
This Service is NOT a medical device, does NOT diagnose disease, and must NOT be used as a substitute for professional medical advice, diagnosis, or treatment. Always consult qualified healthcare professionals before making any medical decisions.
3. Personal Data We Collect
Raw voice recordings, extracted acoustic features (fundamental frequency, jitter, shimmer)
Messages, chat logs, written communications
Self-reported conditions, medications (optional)
Timestamps, session frequency, device metadata, IP address
Email, phone number (optional)
Core analysis, AI model training
Core analysis, user experience improvement
Service personalisation, model performance
Risk modelling, personalised insights
Service delivery, security, analytics
Account management, support
Special Category Data:
Voice biometrics and health information are classified as special category data under UK GDPR Article 9. We process such data only with your explicit consent.
4. How We Use Your Data
4.1 Legal Bases for Processing
Deliver and maintain the Service
Personalise insights & notifications
Improve and train algorithms
Scientific research with anonymised data
Contract (Art. 6(1)(b)); Explicit consent for voice/health data (Art. 9(2)(a))
Consent; Legitimate interests (Art. 6(1)(f))
Legitimate interests; anonymised where possible
Anonymised data; if re-identifiable: consent/Art. 9(2)(j)
Legal obligation (Art. 6(1)(c))
4.2 Data Anonymisation
We implement irreversible anonymisation techniques:

Immediate separation of voice recordings from personal identifiers

Industry-standard de-identification processes

Regular audits to ensure re-identification is not possible
5. Data Sharing and Disclosure
We never sell your personal data. We may share data with:
As necessary for service delivery
Data Processing Agreements, confidentiality
Ethics approval, data sharing agreements
Only when legally obligated
Continued protection under this Policy
6. International Data Transfers
Where data is transferred outside the UK/EEA, we ensure protection through:

UK Addendum to EU Standard Contractual Clauses

ICO-approved adequacy decisions

Additional supplementary measures where required
7. Data Security
Technical Measures:

Encryption: AES-256 at rest; TLS 1.3 in transit

Architecture: Zero-trust model with multi-factor authentication

Testing: Quarterly penetration testing; annual ISO 27001-aligned audits

Access Control: Role-based with annual reviews
Organisational Measures:

Staff training on data protection

Incident response procedures

Business continuity planning

Regular security assessments
8. Data Retention
UK statutory requirements
9. Your Rights
Under UK GDPR, you have the right to:

Access your personal data

Rectify inaccurate data

Erase data ("right to be forgotten")

Restrict or object to processing

Data portability

Withdraw consent at any time
How to Exercise Your Rights:

Response time: Within 30 days

No fee unless requests are excessive
Complaints: If unsatisfied, you may lodge a complaint with the ICO at ico.org.uk
10. Jurisdiction-Specific Rights
California Residents (CCPA)

Right to know what personal information we collect

Right to delete personal information

Right to opt-out of sale (we do not sell data)

Right to non-discrimination
EU Residents
All UK GDPR rights apply, plus the right to lodge complaints with your local supervisory authority.
US Healthcare (HIPAA)
Hea is not a HIPAA-covered entity. Where we handle Protected Health Information for covered providers, we do so under Business Associate Agreements.
11. Cookies and Tracking
We use essential cookies for:

Session management

Security

User preferences
You can control cookies through browser settings. Essential cookies cannot be disabled without affecting Service functionality.
12. Children's Privacy
Our Service is not intended for individuals under 18. We do not knowingly collect data from children. Parents who believe their child has provided data should contact us for immediate deletion.
13. Medical Disclaimer and Limitation of Liability
Hea LTD provides wellbeing insights only. We are NOT liable for:

Medical decisions made without professional consultation

Misinterpretation of Service results

Any health outcomes resulting from Service use

Delays in seeking professional medical care
Users MUST seek professional medical advice for any health concerns.
14. Changes to This Policy
We will notify you of material changes:

Via email to registered users

Through Service notifications

At least 30 days before changes take effect
Continued use after changes constitutes acceptance.
15. Contact Us
Hea LTD
[Company Address]
Email: privacy@hea.ai
Phone: [Company Phone]
Data Protection Officer: dpo@hea.ai
Document Version: 3.0
Review Date: August 2026