
Privacy Policy

EndoInsight is a health-tracking application. The information you record here is personal, sometimes sensitive, and always yours. This page explains clearly what we collect, how we use it, and what rights you have over it.

Last updated: March 2025

What We Collect

To provide EndoInsight, we collect the following information when you create an account and use the app:

  • Name and email address — to create and manage your account
  • Symptom logs — including pain, fatigue, bleeding, digestive symptoms, and how symptoms affect daily life
  • Treatment logs — medications, therapies, and other interventions you record
  • Cycle data — dates, patterns, and related notes
  • Personal notes — anything you choose to write about your experience
  • Functional impact data — how symptoms affect your work, sleep, movement, and daily activities

We do not collect advertising identifiers, browsing history, or any information unrelated to providing the service. We do not build profiles for advertising purposes.

Under UK GDPR, health and symptom data is classified as special category data. We process this data on the basis of your explicit consent, given when you create an account and use the app.

How We Use Your Data

Your data is used for one purpose only: to provide EndoInsight to you. That means powering your symptom timeline, identifying patterns, generating appointment summaries, and showing you insights about your own tracked experience.

We will never sell your personal health information. We will never share it with third parties for marketing, advertising, or any commercial purpose.

The only time anyone other than you accesses your data is if you contact us with a technical problem and give us permission to investigate, or if we are legally required to do so. We will always tell you if that happens, unless prohibited by law.

Your Data Belongs to You

Everything you enter into EndoInsight belongs to you — not to us, not to advertisers, not to any third party. You can export a copy of your data at any time in a standard format. You can delete your account and all associated data at any time, permanently.

When you delete your account, your personal data is removed from our systems within 30 days. Backups are purged on a rolling schedule within 90 days. We do not retain identifiable data after deletion.

To export or delete your data, use the account settings in the app or contact us at privacy@endoinsight.app.

Your Rights

If you are based in the UK or EU, you have the following rights under data protection law:

  • Right to access: Request a copy of the personal data we hold about you.
  • Right to correction: Ask us to correct inaccurate or incomplete information.
  • Right to deletion: Ask us to delete your account and all associated data.
  • Right to data portability: Receive your data in a structured, commonly used format so you can take it elsewhere.
  • Right to restrict processing: Ask us to pause how we use your data while a concern is being resolved.
  • Right to withdraw consent: You can withdraw consent at any time by deleting your account.

To exercise any of these rights, contact us at privacy@endoinsight.app. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been handled unlawfully.

Security

EndoInsight is built with privacy by design. Security is not an afterthought — it shapes how the product is built at every level.

  • All data is encrypted in transit using TLS
  • Passwords are hashed and never stored in plain text
  • Access to production systems is limited to essential personnel only
  • We collect only the data needed to provide the service
  • Dependencies and infrastructure are reviewed and updated regularly

EndoInsight does not currently hold any formal security certifications such as ISO 27001 or SOC 2. We do not claim HIPAA compliance. If you are in a jurisdiction with specific health data regulations, please contact us to discuss.

Aggregated Insights and Analytics

To understand how EndoInsight is being used and where it can be improved, we may analyse aggregated, anonymised data. For example: understanding whether certain features are useful, or how frequently people log symptoms.

This analysis uses data that cannot be linked back to any individual. It is never shared externally and is used only to make the product better.

We do not use third-party advertising analytics. Any basic usage analytics we collect (such as page load errors or feature interactions) are used solely to operate and improve the service, not to profile you.

Changes and Communication

If we ever need to make meaningful changes to this policy — particularly changes that affect how your data is used — we will notify you by email before those changes take effect. We will not make significant changes without giving you the opportunity to review them.

For questions, requests, or concerns about privacy, contact us directly:

privacy@endoinsight.app

We aim to respond to all privacy enquiries within 30 days and will always communicate in plain language.

A Note on Trust

Building trust takes time, and we know that trust must be earned — especially when it comes to sensitive health information.

EndoInsight was built by Jay after watching his wife Lavern spend years in pain, dismissed by doctors, and struggling to clearly communicate what she was experiencing. He built this because she deserved better tools — and so does everyone whose story sounds like hers. Privacy and security are not features that were added on top of this product. They are part of the reason it exists.
