Important notice
Clearup Health processes health data, which is classified as Special Category personal data under UK GDPR Article 9. We take this responsibility seriously. Please read this policy carefully before using our platform.
1. Who we are
Clearup Health Ltd ("Clearup", "we", "us", "our") operates the Clearup Health platform at clearuphealth.com. We are the data controller for personal data processed through our platform.
ICO Registration Number: ZB[PENDING]
Data protection contact: privacy@clearuphealth.com
2. What data we collect
Account data
- Name and email address (provided at signup)
- Password (stored as a cryptographic hash — we never store your plain-text password)
- Account preferences and language settings
Health data (Special Category — Article 9)
This is the most sensitive data we hold. We collect it only with your explicit consent.
- Blood test marker values and results you enter manually
- Heritage region and biological sex (used to calibrate reference ranges)
- Health goals and dietary preferences
- Daily Morning Pulse check-in responses (mood, energy, clarity, sleep)
- Supplement protocol choices and daily logs
- Meal plan preferences and food culture selections
Usage data
- Pages visited and features used (analytics, with your consent)
- Session recordings (Microsoft Clarity, with your consent — all health data fields are masked)
- Device type and browser (for compatibility)
- IP address (for security purposes, not stored long-term)
Payment data
Payment details are processed by Stripe. We do not store card numbers. We hold your Stripe customer ID and subscription status only.
3. Why we process your data and our legal basis
| Purpose | Legal basis |
|---|---|
| Providing the platform and your account | Contract (Art. 6(1)(b)) |
| Processing health data and producing insights | Explicit consent (Art. 9(2)(a)) |
| Sending service emails (result ready, pulse reminder) | Contract (Art. 6(1)(b)) |
| Analytics and platform improvement | Consent (Art. 6(1)(a)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
4. Your explicit consent for health data
Before entering any health data, you are asked to give explicit consent. You may withdraw this consent at any time by deleting your account from Settings, which will permanently delete all health data we hold about you.
Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal.
5. Who we share your data with
We do not sell, rent, or share your personal data with third parties for marketing. We share data only with the following processors, each bound by a Data Processing Agreement:
| Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database and authentication hosting | EU (Frankfurt) |
| Anthropic PBC | AI interpretation engine (processes anonymised marker data) | United States (Standard Contractual Clauses apply) |
| Vercel Inc. | Platform hosting and edge delivery | EU and global CDN |
| Stripe Inc. | Payment processing | United States (SCCs apply) |
| Microsoft (Clarity) | Session recording analytics (with consent, health fields masked) | United States (SCCs apply) |
| PostHog Inc. | Usage analytics (with consent) | EU (PostHog Cloud EU) |
We may disclose data if required by law, court order, or to protect the safety of users or the public.
6. International data transfers
Some of our processors are based outside the UK/EU. Where data is transferred to countries without an adequacy decision, we rely on UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) to ensure appropriate safeguards are in place.
7. How long we keep your data
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account |
| Health data (markers, results) | Until you delete your account, then permanently deleted within 30 days |
| Morning Pulse check-ins | Until you delete your account |
| Supplement logs | Until you delete your account |
| Payment records | 7 years (legal requirement under UK tax law) |
| Analytics data | 13 months from collection (PostHog / Clarity default) |
| Server logs | 30 days, then automatically purged |
8. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access: Request a copy of all data we hold about you
- Right to rectification: Correct inaccurate data
- Right to erasure: Delete your account and all associated data from Settings
- Right to restrict processing: Ask us to pause processing while a dispute is resolved
- Right to data portability: Receive your data in a machine-readable format
- Right to object: Object to processing based on legitimate interest
- Right to withdraw consent: Withdraw health data consent at any time
- Rights related to automated decision-making: Request human review of any automated AI interpretation
To exercise any right, email privacy@clearuphealth.com. We will respond within 30 days. You also have the right to complain to the ICO at ico.org.uk.
9. Security
We implement appropriate technical and organisational measures to protect your data:
- All data encrypted at rest (AES-256) and in transit (TLS 1.3)
- Row-level security on all database tables — users can only access their own data
- Authentication via Supabase Auth with secure JWT tokens
- Regular security reviews and dependency updates
- Access to production systems restricted to authorised personnel only
Despite these measures, no system is completely secure. If you believe your account has been compromised, contact us immediately at privacy@clearuphealth.com.
10. AI and automated processing
Clearup uses AI (Claude by Anthropic) to interpret your blood test markers and generate personalised insights. This constitutes automated processing under UK GDPR Article 22.
Important:
- AI interpretations are for informational purposes only — they are not medical diagnoses
- Data sent to Anthropic is processed under a Data Processing Agreement
- You have the right to request human review of any AI-generated output by contacting us
- AI outputs are clearly labelled on the platform
11. Cookies
We use cookies and similar technologies. See our Cookie Policy for full details. You can manage your preferences at any time.
12. Children
Clearup is not intended for use by anyone under the age of 18. We do not knowingly collect data from children. If you believe a child has provided us with data, please contact us at privacy@clearuphealth.com and we will delete it immediately.
13. Changes to this policy
We may update this policy from time to time. We will notify you of significant changes by email and by posting a notice on the platform. The "last updated" date at the top of this page always reflects the current version.
14. Contact us
For any privacy-related questions or to exercise your rights: