Privacy Policy
Ceraluna Health is committed to protecting your personal data in line with UK GDPR and international best practices. We collect only the information necessary to deliver our digital health services and keep your data secure. See below for how we handle your data, your rights, and how to contact us.
We take data protection seriously
Effective Date: 8th September 2025
Last Updated: 23rd November 2025
1. Introduction
Ceraluna Health is committed to protecting your privacy and handling your personal data with care, transparency, and integrity. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our digital health services, website, surveys, or interact with us.
We are an independent digital health provider and are not part of the NHS. However, we align our practices with the highest international and UK standards for privacy, data protection, and healthcare regulation.
Data Controller:
Ceraluna Health
Email: privacy@ceralunahealth.com
ICO Registration Number: C1827607
Company Registration Number: 16701879
Registered Address: 6 St. Peters Street, Censeo House, St. Albans, England, AL1 3LF
2. Regulatory Alignment and Commitment
Ceraluna Health operates in accordance with:
- UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
- Information Commissioner's Office (ICO) guidelines
- UK Medicines and Healthcare products Regulatory Agency (MHRA) standards for digital health technologies and medical devices
- U.S. Food and Drug Administration (FDA) best practices for digital health (where applicable)
- World Health Organization (WHO) health information and privacy guidelines
- European Science Foundation (ESF) best practices for research and innovation
We continuously monitor regulatory developments and update our policies and practices accordingly to ensure your data is protected to the highest standards.
3. What Personal Data We Collect
We are committed to data minimisation and only collect information that is necessary to deliver our services. This may include:
- For our current MVP and pilot phase, this primarily includes: your email address for account access; your responses to wellbeing questionnaires (for example EPDS, PHQ‑9, GAD‑7); and optional wellbeing journaling entries.
- Your data is stored securely in the UK, and we never sell your personal information.
- You are always in control. You can ask us to access, correct, or delete your data at any time.
- MVP and survey data is generally kept for up to 12–24 months unless we have a legal or ethical reason to keep it longer.
- You can contact us anytime at info@ceralunahealth.com if you have questions about your data.
We only collect special category data (such as health information) under strict legal conditions and with appropriate safeguards.
Additional personal information (such as phone number, date of birth, or demographic details) may only be requested in later phases or for specific research or clinical services, where strictly necessary and clearly explained.
4. How We Collect Your Data
We collect data in the following ways:
- Directly from you: when you complete forms, surveys, sign up for services, or contact us
- Automatically: through cookies, analytics tools (e.g., Google Analytics), and usage tracking on our website and apps
- From third parties: with your consent, from healthcare providers, research partners, or NHS services (if applicable)
We will always inform you at the point of collection how your data will be used.
5. Why We Collect and Use Your Data
We process your personal data lawfully, fairly, and transparently on one or more of the following legal grounds:
- Consent: You have given clear, explicit consent for us to process your data for specific purposes (e.g., surveys, newsletters, service delivery)
- Contract: Processing is necessary to deliver services you have requested or agreed to
- Legal Obligation: We are required by law to process your data (e.g., safeguarding, regulatory reporting)
- Vital Interests: Processing is necessary to protect your life or health in emergencies
- Public Task: We are performing a task in the public interest (e.g., public health research)
- Legitimate Interests: Processing is necessary for our legitimate business interests, balanced against your rights (e.g., service improvement, fraud prevention)
Purposes include:
- Delivering digital health services and responding to enquiries
- Managing appointments, consultations, and care
- Conducting surveys, research, and clinical studies (with consent and ethics approval)
- Service evaluation, quality improvement, and safety monitoring
- Complying with legal, regulatory, and contractual obligations
- Communicating with you about services, updates, and opportunities (with consent for marketing).
6. Data Sharing and Third Parties
We do not sell your personal data. We may share your data with trusted third parties only when necessary and under strict legal agreements:
Service Providers and Processors:
- Cloud hosting providers (e.g., AWS, Microsoft Azure)
- Email and communication platforms
- Survey tools (e.g., Qualtrics, SurveyMonkey, Google Forms, Typeform)
- Analytics tools (e.g., Google Analytics)
- Payment processors (if applicable)
Healthcare and Research Partners:
- NHS organisations, private clinicians, or research institutions (only with your consent or as required by law)
- Ethics committees and regulatory bodies (for research approvals and compliance)
Legal Requirements:
- We may disclose data to comply with legal obligations, court orders, or to protect rights, safety, and security
All third-party processors are required to comply with UK GDPR and maintain equivalent security standards. We share only the minimum data necessary and prefer de-identified or pseudonymised data wherever possible.
7. International Data Transfers
Your data is primarily stored and processed in the UK. If we transfer data outside the UK or European Economic Area (EEA), we ensure appropriate safeguards are in place (such as Standard Contractual Clauses or adequacy decisions) to protect your information in line with UK GDPR.
8. Data Security
We implement robust technical and organisational security measures to protect your data, including:
- Encryption of data in transit and at rest
- Access controls and role-based permissions (only authorised personnel can access your data)
- Regular security audits, penetration testing, and vulnerability assessments
- Staff training on data protection and confidentiality
- Incident response and breach notification procedures
In line with NHS guidance, formal clinical health records may be retained for 8 years (adults) or up to 25 years (maternity/children’s records), where applicable.
However, for our current MVP, survey and pilot-stage services, personal data is typically retained for 12–24 months, unless a longer period is required by law or ethical research approval.
In the event of a data breach that affects your rights or freedoms, we will notify you and, where required, the ICO within 72 hours. We will inform affected individuals without undue delay, providing details of the breach, its likely consequences, and the measures we are taking to address it.
9. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by law.
Typical retention periods:
- Health records: 8 years (adults), up to 25 years (maternity/children's records, following NHS guidelines)
- Survey and research data: as specified in ethics approvals and consent forms
- Incomplete or abandoned forms: up to 90 days
- Marketing consent records: until consent is withdrawn
After the retention period, data is securely deleted or anonymised.
10. Cookies and Tracking Technologies
10.1 What Are Cookies?
Cookies are small text files placed on your device (computer, smartphone, or tablet) when you visit our website. They help our website work efficiently, remember your preferences, and provide information about how you use our site. Cookies do not contain viruses and are very small in size.
In addition to cookies, we may use similar technologies such as scripts, web beacons (pixels), and local storage. For simplicity, we refer to all of these as "cookies" in this policy.
10.2 How We Use Cookies
We use cookies to:
- Make our website function securely and efficiently
- Remember your preferences and settings
- Understand how you use our website to improve your experience
- Measure the effectiveness of our services
- Provide relevant content and features
We only use cookies that are strictly necessary for our website to function, or where you have given us explicit consent.
10.3 Types of Cookies We Use
Strictly Necessary Cookies (Essential)
These cookies are essential for our website to function properly and securely. Without them, our website cannot operate correctly. You cannot opt out of these cookies as they are required for basic functionality.
We use the following strictly necessary cookies:
Session Cookie (ceraluna_session): This cookie keeps your session secure and active whilst you browse our website. It is automatically deleted when you close your browser.
Cookie Consent (cookie_consent): This cookie remembers your cookie consent preferences so we don't ask you again every time you visit. It expires after 12 months.
Analytics Cookies (Performance)
Analytics cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. We use this data to improve how our website works, identify which pages are most popular, and see how users navigate the site. We will only use analytics cookies if you consent to them.
We use Google Analytics, which sets the following cookies:
Google Analytics Cookie (_ga): This cookie distinguishes unique users anonymously and helps us understand overall website usage patterns. It expires after 2 years.
Google Analytics Cookie (_gid): This cookie also distinguishes unique users anonymously and provides more detailed short-term analytics. It expires after 24 hours.
Google Analytics Cookie (_gat): This cookie is used to throttle the request rate to prevent overloading our servers. It expires after 1 minute.
For more information about how Google Analytics uses cookies and processes data, please visit Google's Privacy Policy.
Functional Cookies
Functional cookies enable enhanced functionality and personalisation on our website, such as remembering your language preference, region, or accessibility settings. They may be set by us or by third-party providers whose services we have added to our pages. We will only use functional cookies if you consent to them.
We do not currently use functional cookies, but if we do in the future, we will update this policy and obtain your explicit consent.
Marketing Cookies (Advertising Cookies)
Marketing cookies are used to track visitors across websites to display relevant and engaging advertisements. They may be set by us or by third-party advertising partners. We will only use marketing cookies if you consent to them.
We do not currently use marketing cookies. If we introduce marketing cookies in the future, we will update this policy and obtain your explicit consent before setting them.
10.4 Third-Party Cookies
Some cookies on our website are set by third-party services. We do not control these cookies. Third-party services we may use include:
- Google Analytics (for website analytics)
- Survey tools (e.g., SurveyMonkey, Typeform, Qualtrics)
Please refer to their privacy policies for more information.
10.5 Cookie Consent and Your Choices
When you first visit our website, you will see a cookie consent banner. You can choose to:
- Accept all cookies (including analytics and functional)
- Reject non-essential cookies (only strictly necessary cookies)
- Manage your preferences (select which categories you accept)
We will not set non-essential cookies unless you give us explicit consent.
You can change your cookie preferences at any time by:
- Clicking "Cookie Settings" in our website footer
- Adjusting your browser settings (see below)
- Contacting us at privacy@ceralunahealth.com
10.6 How to Control Cookies in Your Browser
Most browsers allow you to control cookies through their settings. You can:
- Block all cookies
- Block third-party cookies only
- Delete cookies when you close your browser
- Get notified when a cookie is being set
How to manage cookies:
- Google Chrome: Chrome Cookie Settings
- Firefox: Firefox Cookie Settings
- Safari: Safari Cookie Settings
- Edge: Edge Cookie Settings
Note: Blocking cookies may affect your experience on our website.
10.7 How Long Do Cookies Last?
Cookies can be:
- Session cookies: Temporary and deleted when you close your browser
- Persistent cookies: Remain on your device for a set period (see tables above) or until manually deleted
10.8 Cookies and Personal Data
Some cookies may collect personal data (such as IP addresses). When this happens, we process that data in accordance with UK GDPR and this Privacy Policy.
Legal basis:
- Consent: For non-essential cookies (analytics, functional, marketing)
- Legitimate interests: For strictly necessary cookies (security, fraud prevention)
10.9 Legal Framework for Cookies
Our use of cookies complies with:
- UK General Data Protection Regulation (UK GDPR)
- Privacy and Electronic Communications Regulations (PECR) 2003
- Data Protection Act 2018
- Data Use and Access Act 2025
10.10 Further Information About Cookies
For more information about cookies, visit:
- Information Commissioner's Office (ICO): https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/
- All About Cookies: https://www.allaboutcookies.org/
11. Your Rights Under UK GDPR
You have the right to ask us to delete your personal data at any time, unless we are legally required to keep it (for example, for safeguarding or regulatory reasons):
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data (subject to legal obligations)
- Right to Restriction: Limit how we use your data
- Right to Data Portability: Receive your data in a machine-readable format and transfer it to another service
- Right to Object: Object to processing based on legitimate interests or for marketing purposes
- Right to Withdraw Consent: Withdraw consent at any time (without affecting the lawfulness of prior processing)
- Right to Lodge a Complaint: Contact the Information Commissioner's Office (ICO) if you believe your rights have been violated
Simply email us at privacy@ceralunahealth.com and we will guide you through the process.
12. MVP and Pilot Stage Notice
Ceraluna Health is currently in the MVP (Minimum Viable Product) and pilot stage. During this phase:
- We are testing and refining our digital health services with early users
- Your participation and feedback are invaluable in helping us improve
- We collect only essential data for service delivery, evaluation, and user research
- All data protection and privacy safeguards apply fully, regardless of our development stage
- We may update our services, features, and this Privacy Policy as we evolve—you will be notified of significant changes
Your participation in our pilot is voluntary, and you may withdraw at any time by contacting us.
13. Research and Ethics Compliance
If you participate in research studies or surveys conducted by Ceraluna Health:
- We will obtain ethics committee approval before commencing any research
- You will be provided with detailed participant information and consent forms
- Your participation is entirely voluntary, and you may withdraw at any time without penalty
- Data will be handled in accordance with research ethics standards, UK GDPR, and NHS research governance (where applicable)
- Where possible, we will use de-identified or pseudonymised data for analysis and reporting.
14. Marketing and Communications
We will only send you marketing communications (newsletters, updates, promotional content) if you have given explicit consent. You can opt out at any time by:
- Clicking "unsubscribe" in any marketing email
- Contacting us at privacy@ceralunahealth.com
- Updating your communication preferences (if available)
We do not sell your data for marketing purposes.
15. Children's Data
If our services are used by individuals under the age of 16, we will obtain parental or guardian consent where required by law. We handle children's data with additional care and in line with UK GDPR requirements for special protection.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. Significant changes will be communicated via:
- A notice on our website
- Email notification to registered users
We encourage you to review this policy periodically. The "Last Updated" date at the top of this page indicates the most recent revision.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
Ceraluna Health
Website: www.ceralunahealth.com
Email: privacy@ceralunahealth.com
ICO Registration Number: C1827607
You also have the right to contact the Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Helpline: 0303 123 1113
All data protection enquiries should be directed to privacy@ceralunahealth.com
18. Commitment to Continuous Improvement
Ceraluna Health is dedicated to maintaining the highest standards of data protection, privacy, and regulatory compliance as we grow. We value your trust and are committed to transparency, accountability, and respect for your rights at every stage of our journey.
Thank you for trusting Ceraluna Health with your care and your data.