Back

Privacy Notice — Cadence Health

Effective date: July 2026

This notice was updated in June 2026 to reflect how Cadence Health actually operates: a segmented data-protection model (we are a data processor for patients who join through a healthcare provider, and a controller only for patients who sign up independently and for optional research), the real third parties we use, our international transfers, and our current data-retention periods. It was updated again in July 2026 to add one new, optional data category: progress / journal photos (see Section 3). It supersedes all earlier versions.

1. Who we are

Cadence Health Ltd is a company registered in England and Wales (Company No. 17043196), registered office 3rd Floor, 86-90 Paul Street, London, EC2A 4NE. We are registered with the Information Commissioner's Office (ICO Registration No. ZC095403) and with the Medicines and Healthcare products Regulatory Agency (MHRA) as a medical device manufacturer (DORS Ref: 2026031601473996). Our app is a UK MHRA Class I Software as a Medical Device (SaMD), provided to patients as nudge or under a healthcare provider's own brand.

For any question about how we handle your data, contact our privacy lead, Bradley Phelps (CEO), at hello@cadencehealth.uk. We are not currently required to appoint a Data Protection Officer under Article 37 of UK GDPR given the nature and scale of our processing; we keep this under review.

2. How your data is managed

How your data is managed depends on how you joined the platform. There are three distinct roles, and we are explicit about which one applies.

If you joined through a healthcare provider (partner pathway)

Your healthcare provider is the Data Controller for the clinical data you share through the platform (your symptoms, medication, doses, weight, and injection logs). Cadence Health acts as a Data Processor on your provider's behalf, under a written Data Processing Agreement, processing this data only to support your treatment. This is part of the healthcare service your provider offers, managed under the responsibility of a registered health professional (e.g. a GPhC pharmacist or GMC doctor) bound by a duty of confidentiality. You do not need to "consent" to this processing — it is part of your care — and your provider cannot use this data for marketing or profiling.

If you joined independently (standalone pathway)

Cadence Health Ltd is the sole Data Controller for your data. We process your health data on the basis of your explicit consent (UK GDPR Article 6(1)(a) and Article 9(2)(a)), which you give when you sign up. You can withdraw it at any time in Profile > Privacy Settings; if you do, we stop processing your health data and delete your account, because we have no other lawful basis to continue.

Research (all users, optional)

Cadence Health is an independent Data Controller for health-outcomes research, but only if you give separate, explicit consent (UK GDPR Article 6(1)(a) and Article 9(2)(a)). This is a live, optional opt-in during onboarding or in your Privacy Settings. It is never a condition of using the platform, and you can withdraw at any time. We do not operate this as a joint controllership with any provider.

Platform operation (all users)

We process limited non-health data (login timestamps, IP addresses, device type) to keep the service secure and working. The lawful basis is our legitimate interests (UK GDPR Article 6(1)(f)). We do not rely on legitimate interests for any health data — it is not a valid basis for Special Category data.

3. What data we collect

  • Identity data: your name, email address, and date of birth.
  • Health data (Special Category under UK GDPR Article 9): the GLP-1 medication you are prescribed (e.g. Mounjaro, Wegovy), your dose, injection dates and site, weight, height and BMI, the symptoms you log, refill requests, pen-supply state, and your responses to validated quality-of-life questionnaires (currently EQ-5D-5L). We collect only what is needed to personalise your content, support clinical oversight, and maintain the regulatory audit trail required of a Class I medical device.
  • Apple Health / Google Health Connect data (only if you connect them): weight, meals, exercise, and mood sync both ways under your clinical-care basis; steps, sleep, resting heart rate, heart-rate variability, and active energy are read for research only, and only if you have given research consent. Values you typed by hand into Apple Health or Google Health Connect are excluded at the point of sync.
  • Progress / journal photos (Special Category, opt-in only): If you choose to start a photo journal in the app, the progress photos you take are images of you, which are Special Category health data under UK GDPR. We store them encrypted, and they are visible only to you — they are never shared with your care team or prescriber, never seen by Cadence staff, and never used for research. We strip location and device metadata (such as GPS) from each photo on your phone before it is uploaded, so that information is never stored. The app does not analyse, measure, or interpret your photos — it is a private record you keep for yourself, not a clinical check. You can delete any photo at any time, and all your photos are permanently deleted when your account is closed (they are personal motivation aids, not clinical records, so the 8-year clinical retention in Section 11 does not apply to them).
  • Technical data: device type, browser, IP address, and login timestamps, used only for security and reliability.
  • Derived data: an "active treatment period" status we compute from your app activity. This is algorithmically inferred, not clinically determined, is never shared with your prescriber as a clinical status, and is included in research only if you have opted in.

4. Legal basis for processing

Your health data is Special Category data under UK GDPR Article 9, so we rely on both an Article 6 basis and an Article 9 condition.

Processing purpose Article 6 basis Article 9 condition
Clinical care (partner pathway) Art 6(1)(b) — contractual necessity (or Art 6(1)(e) for an NHS body) Art 9(2)(h) — provision of healthcare under a registered health professional
Clinical care (standalone pathway) Art 6(1)(a) — your explicit consent Art 9(2)(a) — your explicit consent
Health-outcomes research (optional) Art 6(1)(a) — your explicit consent Art 9(2)(a) — your explicit consent
Platform security and operation Art 6(1)(f) — legitimate interests N/A (non-health data only)

5. How we use your data

  • To deliver personalised GLP-1 guidance and daily content relevant to your treatment stage, based on information you provide.
  • To enable clinical oversight by your healthcare provider, so they can review your progress and flag concerns.
  • To maintain an audit trail for regulatory compliance with MHRA and GPhC requirements.
  • If you opt in: to contribute to health-outcomes research and real-world evidence. While we analyse it internally, your data is pseudonymised (your name and email replaced with a code); before any external sharing it is irreversibly anonymised so no one, including us, can identify you.

6. Who we share data with

Clinical data is shared only with your healthcare provider (as the Data Controller) and with the sub-processors listed in Section 14, who help us run the platform. Where your provider uses an integrated clinical record system (EHR, such as Semble), we sync a defined minimum set of clinical data with that system on your provider's behalf to keep the same record current in both places. We do not share demographic details (name, NHS number, address, postcode) with the EHR — your prescriber already holds those. The EHR is operated by your provider as their own data controller; to have your data removed from it you must contact your provider directly — closing your account removes your platform-side record only.

Research data (only if you opt in) is irreversibly anonymised before sharing — your name, contact details, exact date of birth, and full postcode are removed and replaced with a code that cannot be linked back to you. What remains is your treatment journey combined into a dataset alongside thousands of other anonymised patients. It may be shared at an individual-record level with pharmaceutical companies (for real-world evidence studies), academic and clinical researchers, health-system bodies (such as NICE and NHS England), and regulators (such as the MHRA, on lawful request) — but never in a form that identifies you.

7. What we don't do

  • No automated clinical decisions. The platform provides information only. No algorithm makes decisions about your treatment; all clinical decisions are made by your healthcare professional. We are registered with the MHRA as an information and behaviour-support tool.
  • No profiling with legal or significant effects. Content personalisation is based on information you provide directly, not on profiling, and produces no legal or similarly significant effects (UK GDPR Article 22).
  • We never sell your identifying personal data. Your name, email, date of birth, and postcode are never sold or shared beyond your provider and the technical sub-processors we use. Anonymised research data is a separate, opt-in matter — if you give research consent, your treatment data, with all identifying details irreversibly removed, may form part of datasets we share commercially with research partners. Your decision has no effect on your use of the platform.
  • No AI-generated clinical content. Where we use AI (see Section 8), it never makes clinical decisions, recommends treatment, or replaces medical advice. Q&A answers are written by clinical professionals; coaching responses go through a multi-layer safety review.
  • No third-party advertising trackers on patient pages. We do not load advertising or tracking pixels (e.g. Google Analytics, Meta Pixel) on any page where you enter or view health data. Our product analytics use an anonymised device identifier only.
  • No data shared with insurers, employers, or marketers — under any pathway.

8. How we use artificial intelligence

We use AI in two places, and in both the AI supports — never replaces — clinical judgement. For Q&A search, an AI classifier reads your question and selects the most relevant pre-written, clinician-reviewed answer; it does not write the answer. For in-app coaching, AI generates lifestyle and wellbeing guidance (not medical advice) that passes a multi-layer safety review before it reaches you, and which you can disable. The AI never makes clinical decisions, recommends doses, diagnoses, or accesses your full health record. We minimise what is sent: a question or message and limited treatment context only — never your surname, email address, or date of birth. Our AI provider is Anthropic (contracting entity: Anthropic Ireland, Limited); under our agreement your data is not used to train their models and inputs are not retained beyond the request.

9. International data transfers

Your clinical records are stored in the United Kingdom (London, AWS eu-west-2). Two limited, safeguarded transfers leave the UK — your email address to Resend (US), and, only when you use the in-app coach, your message text plus limited treatment context to Anthropic (US):

  • Your email address only (never health data) is transferred to the United States to send sign-in emails, via our provider Resend, under the UK-US Data Bridge (UK Adequacy Regulations 2023).
  • For AI features, your question or message text and limited treatment context are processed by Anthropic in the United States. The contracting entity is Anthropic Ireland, Limited, and the transfer is covered by our Data Processing Agreement including standard contractual safeguards recognised by the UK Information Commissioner. Your email, surname, and date of birth are never transferred.

10. Research consent

During onboarding you may opt in to health-outcomes research. This is a separate, optional consent — never a condition of using the platform — and you can change your mind at any time in Profile > Privacy Settings without affecting your care. While we analyse your data internally it is pseudonymised; before any external sharing it is irreversibly anonymised. When you withdraw, new syncing of research data stops immediately, and the link between any already-collected research data and your identity is severed — once severed, that data can no longer be linked back to you (UK GDPR Article 11(2)).

11. How long we keep your data

If you joined through a pharmacy, GP, or clinic (partner pathway)

Your healthcare provider is the data controller for your clinical records. Under the NHS Records Management Code of Practice 2021, your provider is required to keep them for at least 8 years from your last clinical contact. We hold these records on your provider's behalf and on their instruction, and your provider can instruct us to return or delete them at any time, subject to that legal retention requirement. This is why a partner-pathway record is not removed by an erasure request to us alone (UK GDPR Article 17(3)(c)).

If you joined independently (standalone pathway)

Your health data is retained only for as long as you have an active account. When you delete your account, a 14-day grace period begins (so you can change your mind); at the end of it, your account and all associated clinical data are permanently and irrecoverably deleted. There is no further retention period — your data was processed under your consent, and once that consent is withdrawn we have no lawful basis to keep it.

All users

  • Support query text: automatically redacted after 90 days.
  • Consent and acknowledgement records: kept for the duration of your account plus 6 years (regulatory evidence).
  • Security logs: login timestamps retained for up to 12 months; rate-limiting IP data deleted within 24 hours.
  • Progress / journal photos (if you use the photo journal): hard-deleted the moment you delete a photo, and all photos are permanently deleted when your account closes — on both pathways. Photos are personal motivation aids, not clinical records, so the 8-year clinical retention above does not apply to them.

12. Your rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your account and personal data. For standalone users, your profile and all clinical data are permanently deleted after the 14-day grace period. For partner users, your profile is removed and your clinical records are pseudonymised; your provider, as their controller, is required by the NHS Records Management Code of Practice 2021 to keep them for at least 8 years, and can instruct us to return or delete them at any time (UK GDPR Article 17(3)(c)).
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Portability — receive your data in a machine-readable format.
  • Object — object to processing based on legitimate interests (platform operation).
  • Withdraw consent — at any time, without affecting anything we did before. For standalone users, withdrawing platform consent closes your account.
  • Complain to the ICO — at ico.org.uk or on 0303 123 1113.

To exercise any of these rights, email hello@cadencehealth.uk.

13. Data security

  • All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Database access uses Row Level Security — you can only see your own data, and staff access is limited and audited.
  • Authentication is passwordless (magic-link sign-in) — we do not store passwords.
  • Cadence Health is Cyber Essentials certified.

14. Sub-processors

We use the following third-party services to operate the platform. Each is bound by a Data Processing Agreement and may use your data only for the purpose listed.

Provider Location Purpose Data processed
Supabase London, UK Database, authentication, server functions All patient data stored here
Anthropic (via Anthropic Ireland, Limited) US (UK Addendum + EU SCCs) AI language model for Q&A search and coaching Question / message text and limited treatment context. No email, surname, or DOB. Not used for model training; not retained beyond the request
Vercel Global CDN, EU origin Website hosting No personal data stored
Resend US (UK-US Data Bridge) Sign-in email delivery Email addresses only; no health data
Amplitude EU Anonymised product analytics Device identifier only; no names, emails, or health data
Upstash London, EU Rate limiting (security) IP addresses only; no health data

15. Changes to this notice

We may update this Privacy Notice from time to time. If we make significant changes, we will notify you through the app or by email. The effective date at the top of this page always reflects the most recent version.

16. Contact

Cadence Health Ltd
3rd Floor, 86-90 Paul Street, London, EC2A 4NE
Company No. 17043196 | ICO Registration ZC095403
MHRA DORS Ref: 2026031601473996
Privacy contact: Bradley Phelps, CEO
hello@cadencehealth.uk