Privacy

Last updated: 06 12 2025

Pallum Health is a digital health platform designed to help clinicians monitor patient wellbeing between appointments using symptom logs, connected devices, and structured health insights.

Data Controller:
Pallum Health

As we evolve toward NHS-integrated deployments, we may act as either a Data Controller or Data Processor, depending on contractual arrangements with GP practices or NHS organisations.

  1. Personal Identification Data
    • Full name
    • Email address
    • Phone number
    • Date of birth
  2. Health & Clinical Data (Special Category Data)
    • Symptom logs
    • Lifestyle entries (sleep, diet, mood)
    • Vital signs (BP)
    • Notes you choose to share with your clinician
  3. Technical Data
    • IP address
    • Device/browser type
    • Usage logs
    • Cookies (only those essential to platform performance)
  4. Clinician / Pilot Participant Data
    • Professional contact details
    • Usage analytics for service improvement

We process personal data under the following legal bases:

  1. Consent
    1. When you register and actively agree to data sharing
    2. When you choose to connect wearable devices
    3. When you join a pilot or beta programme
  2. Legitimate Interests
    1. To improve platform functionality
    2. To ensure cyber security and fraud prevention
    3. To analyse anonymised usage patterns to enhance service quality
  3. Performance of a Contract
    1. Providing access to your dashboard
    2. Supporting clinician–patient interactions
    3. Maintaining platform availability
  4. Legal Obligations
    1. Where required for regulatory compliance
    2. To respond to data protection rights requests

 

We only process health data with explicit consent or under a formal NHS contract that provides an alternative lawful basis.

We may use your data for the following purposes:

  • To provide personalised health insights
  • To support clinician decision-making
  • To notify clinicians when concerning patterns arise
  • To improve the accuracy and functionality of the Pallum Health platform
  • To continuously improve safety, as required under DCB0129
  • To contact you regarding updates, safety notices, or pilot participation
  • To generate anonymised, aggregated statistics

 

We do not use your data for advertising, profiling unrelated to healthcare, or selling to third parties.

We only share data when necessary, safe, and legally permitted.

This may include:

  1. Clinicians
    Where you have consented for a GP or healthcare professional to view your information.
  2. Technical Providers
    Carefully selected, secure sub-processors:
    • Cloud hosting provider (e.g., Hetzner/Azure/AWS depending on final configuration)
    • Email delivery provider (Brevo)
    • Analytics tools (anonymised only)

      All providers undergo due diligence, meet UK GDPR standards, and sign Data Processing Agreements.
  3. NHS Organisations (for pilots)
    Only where contracted and consented.

    We never share identifiable data with commercial entities for marketing or non-health purposes.

We apply measures aligned to NHS DTAC, DCB0129, and industry best-practice:

  • Encrypted data in transit (TLS 1.2+)
  • Encrypted data at rest
  • Role-based access controls
  • Secure audit logs
  • Regular clinical safety risk assessments
  • Penetration testing and vulnerability management
  • Daily encrypted backups

Data is stored within the UK or EEA.

If any service provider is located outside the UK/EEA, we use:

  • UK IDTA agreements, or
  • Standard Contractual Clauses (SCCs)

 

…to ensure equivalent protection.

We retain personal data only for as long as necessary:

  • Pilot data: usually 12–24 months
  • Clinical data under contract: follows NHS retention schedules
  • Account data: held until you delete your account
  • Backups: retained for disaster recovery purposes for 30–90 days

 

You may request deletion at any time (see Section 10).

Under UK GDPR, you have the right to:

  • Access your data
  • Correct inaccurate data
  • Erase your data (“right to be forgotten”)
  • Restrict processing
  • Object to certain uses
  • Request data portability
  • Withdraw consent at any time
  • Raise concerns with the ICO - Home

 

We will respond to verified requests within 30 days.

You can withdraw consent, change preferences, or request deletion by:

Email: sayonnathan@pallumhealth.uk

 

Once deleted, your data cannot be recovered.

We may update this Privacy Notice to reflect regulatory or operational changes. Updates will be published on the platform with a clear “last updated” date.