Privacy Policy
Last Updated: 17 May 2026
Your privacy is fundamental to us. This comprehensive privacy policy explains how Verivis Health Ltd collects, uses, protects, and shares your information in compliance with UK GDPR. We are committed to transparency and giving you control over your data.
🔒 Your UK GDPR Rights
Under UK GDPR, you have the following rights regarding your personal data. We will respond to requests within one month:
Individual Rights
📋 Right of Access (Article 15)
- Subject Access Request: Obtain a copy of your personal data
- Processing information: Details of how we use your data
- Data sources: Where we obtained your information
- Retention periods: How long we keep your data
- Recipients: Who we share your data with
✏️ Right to Rectification (Article 16)
- Correct inaccurate data: Update incorrect information
- Complete incomplete data: Add missing information
- Update health information: Modify medical conditions or medications
- Account details: Change contact information
- Automatic updates: We'll inform third parties of corrections
🗑️ Right to Erasure (Article 17)
- Delete personal data: "Right to be forgotten"
- Withdraw consent: Remove data processed on consent basis
- Account closure: Permanent deletion of all data
- Exceptions: Legal obligations may require retention
- Third party notification: We'll inform others of deletion
⏸️ Right to Restrict Processing (Article 18)
- Suspend processing: While disputing data accuracy
- Limit use: Restrict processing for specific purposes
- Storage only: Keep data but not process it
- Pending legal claims: Preserve data for legal proceedings
- Notification: We'll inform you before lifting restrictions
📤 Right to Data Portability (Article 20)
- Export your data: Machine-readable format (JSON, CSV)
- Transfer to another service: Move data to competitors
- Health profile export: Complete health data download
- Supplement history: All recommendations and interactions
- Direct transfer: We can send data directly to new provider
🚫 Right to Object (Article 21)
- Object to processing: Based on legitimate interests
- Direct marketing: Opt-out of all marketing communications
- Profiling: Object to automated decision-making
- Research: Opt-out of scientific research
- Compelling grounds: We must stop unless we have overriding interests
How to Exercise Your Rights
Account Settings
Most privacy controls are available in your account settings:
- Profile and privacy settings
- Communication preferences
- Data export and deletion
- Third-party app connections
Contact Us
For requests that can't be handled through settings:
- Email: privacy@herbaladvisor.ai
- Contact form
- Response time: Within 30 days
✅ Verification Process
To protect your privacy, we verify your identity before processing requests:
- Email verification for account-related requests
- Additional verification for sensitive data requests
- Government ID may be required for certain requests
- We never charge fees for privacy requests
Policy Updates & Legal Information
Policy Updates
We may update this privacy policy to reflect changes in our practices, legal requirements, or regulatory guidance.
Update Notification
- Material changes: 30 days advance notice by email
- Minor updates: In-app notification
- Version history: See the Version History expander at the bottom of this page.
- Continued use: Constitutes acceptance of changes
Legal Framework
This privacy policy is governed by UK data protection law and regulations.
Applicable Laws
- UK GDPR: Primary data protection regulation
- Data Protection Act 2018: UK implementation
- PECR: Privacy and Electronic Communications Regulations
- Consumer Rights Act 2015: Consumer protections
Effective Date: 17 May 2026 | Version: 3.0 (UK GDPR Compliant) | ICO Registration: ZC031096
Version History (Privacy Policy, current: v3.0)
v3.0 (current)
PR T9 (§2.T.2): removed aspirational "Healthcare providers" and "Social media platforms" claims from the third-party integrations block; moved them to a clearly labelled "Future integrations" sub-card with explicit consent-before-activation language. Tightened "Service Providers → Analytics services" wording to match the Cookie Policy hedge.
PR T11 (§2.T.4): rewrote the Section 2 Account Information bullet to distinguish identifier storage (email — plaintext, unique-lookup) from credential storage (password — bcrypt hash); replaced the Section 6 Encryption chip with the byte-for-byte "TLS in transit · AES-256 at rest" wording used on the About page; deleted the Multi-factor-authentication chip (no MFA in code today); added the Article 32(1)(a) paragraph naming the precise scope of column-level encryption.
v2.0
PR T4 (§1.T.5): replaced the FDA-only legal-disclosure clause with MHRA + ICO + FDA, restoring UK regulatory primacy.
PR T5 (§1.T.6): added the "How We Improve Our Recommendations" sub-card disclosing aggregate recommendation-weight learning, lawful basis Art. 6(1)(f), with a Settings → Privacy opt-out enforced server-side.
v1.0
Initial UK GDPR-compliant publication.