Privacy Policy
Introduction
Unwritten Health LTD (based in Manchester, UK) is committed to protecting your privacy and handling your personal information in compliance with all relevant laws, including the EU/UK General Data Protection Regulation (GDPR) and the U.S. Health Insurance Portability and Accountability Act (HIPAA). This Privacy Policy explains the types of data we collect through our Equity Engine platform, why we collect it, how we use and share it, and how you can exercise your privacy rights. We recognise that much of the data we handle, such as health information, biometric identifiers, and certain demographics, is highly sensitive. In Europe, such information is considered “special category” personal data that merits specific protection. In the United States, individually identifiable health information is protected as “Protected Health Information (PHI)” under HIPAA. We treat all such data with the utmost care and security.
Data we collect
We collect various types of personal data from patients/participants to support our health equity mission. This includes:
- Health information: Details about your past, present, or future physical or mental health conditions, medical history, diagnoses, treatments, and related health data. This encompasses any information about health care services you’ve received or are receiving.
- Social Determinants of Health: Non-medical factors about your life that can influence health outcomes, for example, the conditions in which you are born, grow, live, work, and age (such as your housing, education, income, employment, community safety, and social support). These contextual details help us understand barriers and drivers of health in your daily life.
- Biometric data: Biological or physiological identifiers. For instance, if applicable, this could include data like heart rate or other sensor readings, or unique identifiers such as facial images or fingerprints (though we generally do not collect these unless explicitly needed and consented to). Any biometric data used for identification purposes is considered sensitive and protected by law.
- Behavioral data: Information on health-related behaviors and lifestyle (e.g. exercise habits, diet, medication adherence, sleep patterns) as well as your engagement with our platform (such as survey responses, interaction logs, or usage patterns). This helps us analyze how behaviors and experiences impact health outcomes.
- Demographic data: Personal characteristics such as age, gender, racial or ethnic background, language, and other relevant details. Understanding demographics is crucial for equity analyses, but since these can reveal sensitive traits (like ethnic origin or religious beliefs), we handle them as special protected data.
- Device and technical information: When you use the Equity Engine web platform, we automatically receive some technical data like your device type, operating system, browser, IP address, and cookie identifiers. We use this information to ensure the platform works correctly on your device and to maintain security. Notably, we do not use any mobile apps or external tracking services that collect additional data; our platform is web-based, and we only gather the technical data necessary for it to function (e.g. basic cookies for session management).
- Identification and contact details: If you sign up or communicate with us, we may collect personal identifiers such as your name, email address, phone number, or organisational affiliation. For example, joining our waitlist or participating in a study may involve providing your contact information so we can reach you with results or further opportunities.
Note: Many of the above categories (health, SDOH, biometric, racial/ethnic data, etc.) are considered sensitive personal data under GDPR and will only be processed subject to strict legal safeguards. Likewise, any individually identifiable health information among these is treated as PHI under HIPAA, meaning it is protected in any form or medium. We will not collect more information than is necessary for our stated purposes, in line with the data minimisation principle.
How we use your data
We use the collected data to serve our mission of improving health equity and to provide our services to you and our client organisations. Specifically, we may use your personal data for the following purposes:
- Service delivery and analysis: To analyze the information you provide (including qualitative “story” data and quantitative measures) and generate insights, reports, or recommendations aimed at improving health outcomes and addressing inequities. For example, our platform’s AI will process your data to uncover patterns or hidden barriers in care, enabling healthcare providers or community organisations to tailor interventions.
- Platform operation: To operate and maintain the Equity Engine platform. This includes using technical information to ensure the website functions properly on your device, troubleshooting issues, and securing the platform against fraud or misuse.
- Communication: To communicate with you about the research or services you are involved in. We may send you reminders, ask follow-up questions, provide feedback or results from our analysis, or notify you of new opportunities to participate. We will only send you marketing or promotional communications if we have your consent or another lawful basis, and you can opt out at any time.
- Improvement and research: To de-identify and aggregate personal data for internal research, product development, and quality improvement. When possible, we remove or pseudonymise personal identifiers so that the data can no longer be linked to you. De-identified data (data that is no longer capable of identifying an individual) is not subject to the same restrictions and may be used to refine our algorithms, generate statistical insights, or publish findings that could benefit public health – but this will never include information that identifies you.
- Compliance and legal obligations: To comply with applicable laws, regulations, and professional obligations. For instance, if we are working with healthcare providers, we may use PHI as needed for treatment or health care operations in accordance with HIPAA’s allowances. We may also use or disclose information where required by law (such as reporting public health information or responding to court orders or government requests).
We will not use your personal data for any wholly new purposes that are incompatible with the above without first obtaining your consent. We do not engage in any automated decision-making that produces legal or similarly significant effects on you; any AI-driven analysis is used to inform human decision-makers in healthcare, not to make medical decisions about your individual care without human oversight.
Legal basis for processing (GDPR)
Under the GDPR (and UK data protection law), we must have a valid legal basis to process your personal data, especially sensitive health-related data. The primary basis we rely on is your explicit consent. We will ask for your clear consent to collect and use your health information and other sensitive data; you have the right to withdraw this consent at any time. GDPR requires a high standard for consent when it comes to sensitive information like health data: it must be freely given, specific, informed, and unambiguous. By providing your information to us (for example, by participating in an Equity Engine survey or interview and agreeing to this Privacy Policy and any consent forms), you are consenting to our use of your data as described.
In some contexts, we may have additional legal bases for processing, such as:
- Healthcare/public health purposes: We might process health data because it is necessary for the provision of health or social care or for public health purposes, under Article 9(2)(h) or (i) GDPR. For example, if we work with an NHS organisation, processing may occur under these provisions with appropriate safeguards (like professional secrecy). In all such cases, we ensure any required consents are obtained as well.
- Legitimate interests: For certain non-sensitive data or where a specific exception applies, we may process personal data as necessary for our legitimate interests in running and improving our platform and services. We always consider your rights and expectations, especially since our work involves vulnerable communities, and will not rely on legitimate interests to process sensitive health data unless we are confident we can do so lawfully and with minimal privacy impact.
- Legal obligation: If we have a legal duty to retain or disclose certain information, we will process it as necessary to comply (e.g. complying with a court order or regulatory requirement).
We will clearly inform you of the legal basis applicable whenever required, and we adhere to all principles of GDPR (lawfulness, transparency, data minimization, etc.). Because we handle special category data, we have conducted Data Protection Impact Assessments and implement safeguards like encryption and access controls to protect your information.
HIPAA note: Separately, for individuals in the United States whose information falls under HIPAA, we will obtain the necessary HIPAA authorisations if any use or disclosure of your PHI falls outside the routine healthcare operations or other permitted uses. Generally, if we are operating as a partner to a healthcare provider (a covered entity), we act as a HIPAA Business Associate and use/disclose PHI only for purposes for which the provider is allowed to use it, for example, helping to improve care quality or manage operations (which HIPAA deems “health care operations”). Any other use of PHI (such as for marketing) would require your specific written authorization, as HIPAA’s rules on consent/authorization are distinct from GDPR’s requirements. We ensure that all HIPAA-regulated data is handled in accordance with the Privacy Rule and that we assist our partner healthcare organisations in fulfilling their HIPAA obligations.
Data sharing and disclosure
We do not sell your personal data. We also do not share it with third-party advertisers or social media platforms. We only share your data in a few limited circumstances, outlined below:
- With service providers (Processors): We may share data with trusted third-party service providers who perform functions on our behalf, strictly for the purposes described in this policy. In particular, OpenAI is a key service provider we use to analyse the qualitative data you provide. Our platform sends portions of your responses (potentially after removing direct identifiers) to OpenAI’s AI system to help identify themes and insights. OpenAI acts under our instructions as a data processor and is contractually bound to protect your information. Importantly, OpenAI does not use our business data for its own purposes or to train its models unless we explicitly opt in. Data sent to OpenAI may be processed by OpenAI’s infrastructure and its approved sub-processors (e.g. cloud computing providers) as necessary to provide the service. We have a Data Processing Agreement in place with OpenAI that incorporates appropriate safeguards (including Standard Contractual Clauses for international transfer) to ensure your data receives a high level of protection even when processed outside the UK/EEA.
- With healthcare/research partners: If you are participating in a project in collaboration with a healthcare provider, public health agency, or other organisation, we may share results and insights (including personal data where necessary) with that partner. For example, if an NHS trust or community health group engaged Unwritten Health to run a study, we will report back findings to them. In such cases, we will have agreements in place to ensure your data is only used for the intended health purposes and is protected. Whenever feasible, we share data in aggregate or de-identified form. Any sharing of identified health information with covered entities in the US will be done in accordance with HIPAA (e.g., as part of treatment, payment, or health care operations), and in the EU/UK in accordance with GDPR requirements for data sharing.
- Legal requirements and safety: We may disclose personal information if we are required to do so by law or legal process, or if we have a good-faith belief that such disclosure is necessary to (i) comply with a legal obligation (for example, to respond to a subpoena or a lawful request by public authorities), (ii) protect and defend our rights or property, (iii) act in urgent circumstances to protect the health or safety of users or the public, or (iv) investigate and address violations of our terms or this policy. If we receive an official request for data (e.g., from law enforcement or a regulatory authority), we will review it carefully and only comply if required and appropriate. Wherever possible, we will inform you of such requests before disclosing your data, unless we are legally prohibited from doing so.
- Corporate transactions: If Unwritten Health is involved in a merger, acquisition, investment, or sale of all or a portion of its business or assets, your data may be transferred to the acquiring entity or its advisors as part of due diligence or the final transaction. In such an event, we would ensure that the new owner continues to be bound by privacy protections at least as stringent as those described in this policy, and we would provide notice to users before any personal data becomes subject to a different privacy policy.
Other than the above scenarios, your information will remain within Unwritten Health’s control. In particular, we do not use any external analytics or tracking services that collect your data through our site, and we do not share your data with any unauthorized third parties. All third parties that process data on our behalf (like OpenAI) are subject to strict agreements and data protection obligations – they can only use your data to provide services to us, and not for their own purposes.
Data security
Unwritten Health takes data security very seriously. We implement a variety of technical and organizational measures to protect your personal data from unauthorised access, loss, or alteration. These measures include:
- Encryption: All data is encrypted both in transit and at rest. We use strong industry-standard protocols (such as TLS 1.3 for data in transit and AES-256 for data at rest) to ensure your information is protected during transmission and storage. In fact, HIPAA’s Security Rule effectively mandates encryption of stored health data, and we meet or exceed those requirements by encrypting all sensitive data wherever it resides.
- Access controls: Access to personal data is restricted to authorised personnel who need it to perform their job (for example, a data analyst working on the project). We follow the principle of least privilege and maintain strict user access controls. All staff and any contractors with potential access to data are bound by confidentiality obligations and receive training on privacy and security.
- Secure infrastructure: Our servers are hosted in secure environments with robust firewall protection, intrusion detection systems, and regular security monitoring. We utilize modern cloud security best practices. If we use third-party hosting services, we ensure they have strong security certifications (such as ISO 27001, SOC 2) and compliance with healthcare data standards. Data processed by OpenAI on our behalf is protected by OpenAI’s security measures and compliance commitments as well.
- Audit and monitoring: We maintain logs of access to personal data and monitor our systems for any suspicious activity. Regular audits, security assessments, and penetration tests are conducted to identify and address potential vulnerabilities. We also comply with any required security risk assessments (for instance, those required under HIPAA).
- Data minimisation: We minimise the data we collect and store to what is truly necessary. We anonymise or delete personal data that is no longer needed for the purposes described. (See Data Retention below for more on how long we keep data.)
- Incident response: We have a breach response plan in place. In the unlikely event of a data breach or security incident, we will promptly notify affected individuals and the relevant authorities as required by law (GDPR’s 72-hour breach notification rule, U.S. state data breach laws, etc.), and we will take immediate steps to mitigate the incident and prevent future occurrences.
While no method of transmission or storage is 100% secure, we strive to use commercially acceptable means and follow industry best practices to protect your personal data. We continuously improve our security measures to keep up with evolving threats.
Data retention
We will retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, or as required by law. In practice, this means:
- Active projects: For participants in a study or program, we retain your data for the duration of that project and for a defined period afterward in order to complete the analysis, report results, and satisfy any research archiving requirements.
- Withdrawal or inactivity: If you withdraw your consent or your participation ends, we will either delete or anonymise your identifiable information upon your request, after fulfilling any obligations (for example, some analyses may require maintaining data integrity). If you simply become inactive, we will review and purge identifiable data after a reasonable period of non-use.
- Legal requirements: We adhere to differing retention requirements in different jurisdictions. For example, under HIPAA, a covered entity’s medical records (PHI) generally must be retained for at least 6 years. If we are acting on behalf of a U.S. healthcare provider, we will retain the data as required for their compliance. On the other hand, GDPR gives data subjects the right to request erasure of their data at any time. We strive to reconcile these rules by honoring deletion requests for EU/UK individuals to the fullest extent possible while still complying with any mandatory record-keeping laws.
- Deletion process: When data no longer needs to be retained, we will securely erase it from our systems. We have internal policies defining specific retention periods for different data types. Personal identifiers will be deleted or irreversibly anonymized once they are no longer required. Any backup copies are also managed with retention limits and are deleted or overwritten in due course.
- OpenAI data: Regarding data we send to OpenAI’s systems for AI analysis, OpenAI’s policy is to retain API processing data for a maximum of 30 days for abuse monitoring, after which it is deleted (unless a longer retention is legally required). We have configured our use of OpenAI such that we do not store those prompts or responses longer than necessary in our own systems either. Any outputs we keep from the AI analysis (e.g. summarized insights) are retained under our general retention rules stated above.
In summary, we do not keep your personal data indefinitely. We periodically review the data we hold and erase or anonymize information that is no longer needed. If at any time you would like us to delete your data, you can contact us to request erasure (see Your Rights below), and we will accommodate the request so long as it does not conflict with our legal obligations.
Your privacy rights
You have rights regarding the personal data we hold about you. We are committed to facilitating your exercise of these rights. This section describes rights under GDPR/UK law and, where applicable, under HIPAA:
Rights under UK/EU Data Protection Law: If you are in the UK, EU, or a similar jurisdiction, you have the following rights (subject to certain legal limitations):
- Right of access: You can request confirmation of whether we are processing your personal data, and if so, request access to that data. This allows you to receive a copy of the personal data we hold about you and information about how we use it.
- Right to rectification: If any of your personal data is inaccurate or incomplete, you have the right to have it corrected or updated.
- Right to erasure: You can ask us to delete your personal data in certain circumstances, for example, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and no other legal basis for processing applies. We will honor valid erasure requests and will also notify any third parties processing your data to do the same, unless an exemption applies (such as if we are required by law to keep certain data).
- Right to restrict processing: You have the right to request that we limit the processing of your data in certain situations. For instance, if you contest the accuracy of the data or object to our use of it, we may restrict processing while your request is being considered.
- Right to data portability: For data you have provided to us, you have the right to request that we provide it to you (or a third party you designate) in a structured, commonly used, machine-readable format. This right applies when the processing is based on your consent or on a contract and is carried out by automated means.
- Right to object: You may object to our processing of your personal data where we are relying on a legitimate interest (or performing a task in the public interest). You also have an unconditional right to object to any processing of your data for direct marketing purposes. In some cases, we may demonstrate compelling legitimate grounds to continue processing (e.g., if the data is needed for legal claims), but we will carefully consider and respond to each such request.
- Right to withdraw consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. Once withdrawn, we will stop the processing that was based on consent. (Note: Withdrawal of consent will not affect the lawfulness of processing that occurred before the withdrawal.)
- Right to lodge a complaint: If you believe we have infringed your data protection rights, you have the right to file a complaint with your national data protection authority (for example, the UK Information Commissioner’s Office, or the supervisory authority in the EU country where you live or work). We ask that you please try to address any concerns with us first, so we can work with you to resolve them.
Your Rights under HIPAA (U.S. Health Information Privacy Law): If you are a patient in the United States and we maintain your personal health information as part of our services (as PHI on behalf of a covered healthcare provider), you have rights under the HIPAA Privacy Rule regarding that information. These include:
- Right to access PHI: You have the right to access and obtain a copy of your health information that we maintain in a designated record set, with only a few exceptions. We will provide you with access to your records in the format you request (electronic or paper) if readily producible, typically within 30 days as required by HIPAA. You may also direct us to send a copy of your records to a third party of your choice.
- Right to request amendment: If you believe that the PHI we have about you is incorrect or incomplete, you have the right to request an amendment. We may ask you to provide a reason for the request. If we accept the amendment, we will update the information and inform you. If we deny the request (for example, if we believe the records are accurate), we will provide you a written denial and you have the right to submit a statement of disagreement that will be kept with your records.
- Right to an accounting of disclosures: You can request a list (an “accounting”) of certain disclosures of your PHI that we have made to third parties, other than those disclosures made for purposes of treatment, payment, or health care operations (and certain other exceptions under HIPAA). The accounting will include disclosures made in the past six years (or a shorter period you specify) and will list the date of each disclosure, the recipient, and the purpose, among other details.
- Right to request restrictions: You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or health care operations. While HIPAA does not require us to agree to most restriction requests, we will consider them. If we do agree to a restriction, we will comply with it (except in an emergency or as otherwise required by law). Additionally, if you pay for a health care item or service out-of-pocket in full and you request that we not disclose information about that service to a health insurer, we must honor that request.
- Right to request confidential communications: You have the right to request that we contact you in a certain way or at a certain location to protect your privacy. For example, you can ask that we only contact you at a specific phone number or send mail to a different address. We will accommodate reasonable requests for confidential communications of PHI.
- Right to a copy of this policy: You have the right to a paper copy of this Privacy Policy (which also serves as our HIPAA Notice of Privacy Practices, when applicable) upon request, even if you have agreed to receive it electronically.
- Right to complain without retaliation: If you believe your privacy rights under HIPAA have been violated, you have the right to file a complaint with us and/or with the Secretary of the U.S. Department of Health and Human Services (Office for Civil Rights). We will not retaliate against you for filing a complaint. To file a complaint with us, you can use the contact information below; to file with HHS, you can visit the OCR website for instructions.
We will facilitate the exercise of your rights to the fullest extent required. To exercise any of these rights or get more information, please contact us (see Contact Us below). For privacy and security, we may need to verify your identity before complying with certain requests.
Please note that some rights may be limited in certain circumstances. For example, a request for deletion under GDPR may not be fulfilled immediately if the data must be retained for legal reasons, or a HIPAA request for access might be denied for a narrow set of reasons (in which case you may have the right to have the denial reviewed). We will inform you of any such limitations in our response to your request.
Updates to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we make material changes, we will notify users by updating the effective date at the top of this policy and, if appropriate, provide a more prominent notice (such as on our website homepage or via email notification). We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
Any changes to this Policy will become effective when posted to our website, unless indicated otherwise. If you continue to use our services after a Privacy Policy update, it constitutes your acceptance of the revised Policy to the extent permitted by law.
Contact us
If you have any questions, concerns, or requests regarding this Privacy Policy or how your data is handled, please contact us:
Unwritten Health Ltd (Privacy Team/DPO)
Email: dpo@unwritten.health
Address: Unwritten Health LTD, First Floor, Swan Buildings, 20 Swan Street, Manchester, M4 5JW, UK.
We will respond to your inquiries as soon as possible, and within any timeframe required by law.
If you are in the UK/EU and believe we have not adequately resolved your privacy concern, you have the right to contact your supervisory data protection authority (for example, the UK Information Commissioner’s Office or your local EU DPA). If you are in the US and have a complaint regarding your health information privacy, you may contact the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.
We welcome your questions and feedback. Your trust is very important to us, and we are always looking for ways to ensure your personal data is safe and your privacy rights are respected.
Last updated: November 12, 2025.
Effective date: November 12, 2025.