App Privacy Policy
INTRODUCTION
Ampersand Health Limited, a company registered in England and Wales under company registration number 11584266 with registered office at 76 Portland Place, London W1, is committed to protecting and respecting your privacy.
This policy sets out the basis on which any personal data, including (but not limited to) sensitive health, genetic, sex, or biometric data, we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
We abide by the General Data Protection Regulation (GDPR) 2018 and the data controller is Ampersand Health Limited. We are registered as a data controller with the Information Commissioner’s Office under number ZA503696. You can contact the Data Protection Officer, Nader Alaghband, at info@ampersandhealth.co.uk. We will reply to all requests within 15 working days.
BASIS FOR PROCESSING SENSITIVE PERSONAL DATA
Before we process any of your sensitive personal data, we will need to obtain your explicit consent. Please read the information below on how and why we process your sensitive personal data before confirming your consent by ticking the boxes below.
Sensitive personal data is personal data that is related to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health; sex life and sexual orientation; genetic data or biometric data.
WHAT SENSITIVE PERSONAL DATA DO WE HOLD, AND WHAT DO WE DO WITH IT?
We hold patient name, profile photo, hospital number, medication, appointments, patient reported condition information (including physiological and mental wellbeing), lab test and home test data, summaries of interactions, wearable device data and information from your hospital’s Electronic Patient Record where applicable.
- We process the information and make it available on an individual, identifiable basis to your hospital team.
- We process the information and make it available on an aggregate, identifiable basis to your hospital team.
- We will communicate with you and will enable your hospital team to communicate with you on clinical and service matters, through the app and by email.
- We will use data you provide to us to provide customer service and to improve our product and services.
- We may anonymise and use certain information you provide to support carefully selected and reviewed research with our research partners.
- We may anonymise and use certain information you provide, to enable third party processors who support interactive features within the app.
- We may, subject to your consent, contact you from time to time to request feedback, to inform you about research that we think may be relevant and to share updates about Ampersand Health.
We will not contact you for marketing purposes. You can opt out at any time by emailing info@ampersandhealth.co.uk.
HOW WE USE DATA FROM ACCOUNTS YOU CONNECT TO OUR APPS
You can choose to connect certain third-party accounts or wearable devices to Ampersand’s apps in order to share data such as activity, sleep, or other health-related information. This may include connections made via Google Health or Apple HealthKit, as well as direct connections to supported devices or services such as Fitbit or Oura.
If you choose to connect a wearable device, the data you share can provide additional context alongside the symptoms, questionnaires, and other information you enter in the app. This information is intended to support your own understanding and, where applicable, may help provide context for discussions with your clinical team. Ampersand Health does not monitor wearable data in real time and does not use it to provide medical advice, diagnosis, or treatment.
Ampersand Health Limited’s use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
HOW WE SHARE YOUR INFORMATION WITH YOUR HOSPITAL
We may share your personal data (including sensitive personal data) with hospitals, doctors, clinicians and other health care professionals and providers (collectively referred to as “hospital”) who provide treatment to you. We do this so that they can provide you with healthcare services and maintain a complete and accurate record of your health.
Once you have consented to share your data with your hospital, your personal and health data is shared with that hospital for direct care purposes under the lawful basis of UK GDPR Article 6(1)(e) ‘Public Task’; hospitals will usually meet the conditions of Article 9(2)(h) of UK GDPR. This means that the hospital does not need your consent to use, store or process your personal data, including any sensitive personal data.
Personal data which the hospital receives may be included in, and form part of, your medical record. The hospital will be the data controller for all personal data held by it outside of our system and will process your personal data on the lawful basis of Public Task.
Further information about how your hospital uses your personal data can be found in your hospital’s Privacy Policy, which can usually be found on the hospital’s website or obtained from your hospital.
HOW WE SHARE YOUR INFORMATION FOR RESEARCH
Researchers, academics and service improvement professionals benefit from a better understanding of the lived experience of people with long-term conditions. Ampersand Health believes that improving this understanding is in patients’ interests and supports responsible academic research, investigator-sponsored research (ISRs), service evaluation, clinical trials and real-world evidence studies.
With your consent, we may use information you share through the app to support these activities. Any data used for research is anonymised, cannot be used to identify you, and is not used for marketing or promotional purposes. You can withdraw your consent for research use at any time without affecting your access to the app.
HOW WE SAFEGUARD YOUR DATA
We abide by data minimisation principles and only require, store and process the data that you supply, or that your clinician or hospital supply or require to further your care.
Ampersand Health is the controller and processor of your data. If your hospital is signed up to our service, they will be a Joint Data Controller and Joint Data Processor under our terms of business. We carry out a Data Protection Impact Assessment with each hospital to identify the risks to individuals, show how we are going to deal with them and what measures we have in place to meet UK GDPR requirements.
We will not share your personal data with third parties without your consent unless instructed to do so by your hospital as Joint Data Controller.
Should you become aware of any unauthorised person – including children below the age of 18 who do not have parental consent – accessing the app and providing personal data, please let us know immediately at: info@ampersandhealth.co.uk
WHERE WE STORE PERSONAL DATA
We store your personal data in secure data centres in the UK and in the EEA and on your device. Your data is encrypted using 256-bit encryption in transit and at rest. We store your personal data on virtual private servers in a secure data centre in the UK or the EEA and on your device. We take reasonable precautions to ensure that your data does not get processed outside the EEA.
HOW LONG WE STORE YOUR DATA
We keep your personal data for as long as you have an account with us, or until you ask us to delete it, which you can do at any time if you decide to stop using the service.
In some cases, we may be required to retain limited copies of certain data for a period of time after deletion, for example to meet legal, regulatory, contractual, audit, or safety obligations. Where this applies, such data is securely stored, access is restricted, and it is not used for any other purpose.
YOUR RIGHTS UNDER DATA PROTECTION LAWS
Right to object
You have the right to object to us processing your personal data where we are processing your personal data based on our legitimate interests. If you ask us to stop processing your personal data on this basis, we will stop processing your personal data unless we can demonstrate compelling grounds as to why the processing should continue in accordance with data protection laws.
Right of access
You have the right to receive confirmation as to whether your personal data is being processed by us, as well as various other information relating to our use of your personal data. You also have the right to access your personal data which we are processing. We may charge you for exercising this right if we are allowed to do so by applicable law.
Right to rectification
You have the right to require us to rectify any inaccurate personal data we hold about you. You also have the right to have incomplete personal data we hold about you completed, by providing a supplementary statement to us.
Right to restriction
You have the right to restrict our processing of your personal data where:
- the accuracy of the personal data is being contested by you;
- the processing by us of your personal data is unlawful, but you do not want the relevant personal data erased;
- we no longer need to process your personal data for the agreed purposes, but you want to preserve your personal data for the establishment, exercise or defence of legal claims; or
- we are processing your data on the basis of our legitimate interest (as set out above) and you:
  - object to our processing on this basis; and
  - want processing of the relevant personal data to be restricted until it can be determined whether our legitimate interest overrides your legitimate interest.
Where any exercise by you of your right to restriction determines that our processing of particular personal data is to be restricted, we will then only process the relevant personal data in accordance with your consent and, in addition, for storage purposes and for the purpose of legal claims.
Right to data portability
You have the right to receive your personal data in a structured, standard, machine-readable format and the right to transmit such personal data to another controller.
Right to erasure
You have the right to require that we erase your personal data which we are processing where at least one of the following grounds applies:
- the processing is no longer necessary in relation to the purposes for which your personal data were collected or otherwise processed;
- our processing of your personal data is based on your consent, you have subsequently withdrawn your consent and there is no other legal ground we can use to process your personal data;
- you object to the processing as set out in the “right to object” section of this policy and we have no overriding legitimate interest for our processing;
- the personal data have been unlawfully processed; and
- the erasure is required for compliance with a law to which we are subject.
You also have the right to lodge a complaint with the Information Commissioner’s Office, the supervisory authority for data protection issues in England and Wales.
Please note that when we erase your personal data, it will remain part of your health record managed by your hospital on the basis of Public Task.
Exercising your rights
You can exercise such rights by contacting the Caldicott Guardian at your hospital, or by contacting us via the contact form on our website.
Consents
- I confirm that I have read and understood how and why Ampersand Health will collect and process my personal data, both sensitive and non-sensitive.
- I confirm that I have read and understood the contents of this Privacy Policy, including my rights in relation to the sensitive personal data.
- I acknowledge my right to withdraw consent to the processing of sensitive personal data at any time.
- I hereby consent to Ampersand Health processing my sensitive personal data in accordance with this Privacy Policy.
Last Updated January 30th 2026.