Privacy Policy
Last updated: 5 May 2026
1. Controller
The controller responsible for data processing on this website is:
Healicus Ltd
Flat 2101, 5 New Drum Street
London E1 7BU
England, United Kingdom
Registered in England and Wales under company number 17182573.
Contact: healicus.support@gmail.com
1.5 International data transfers (UK ↔ EEA)
The European Commission adopted a renewed adequacy decision for the United Kingdom on 19 December 2024 (Commission Implementing Decision (EU) 2024/3204), valid until 27 December 2030. Personal data may therefore be transferred between Healicus Ltd in the UK and its EEA-based processors (notably Hetzner in Germany, where the application database is hosted) without additional safeguards under Art. 46 GDPR.
Where personal data is transferred to a processor outside the EEA and the UK, we rely on the UK International Data Transfer Agreement (IDTA) or the Standard Contractual Clauses adopted by the European Commission under Art. 46(2)(c) GDPR plus the UK Addendum, as incorporated into our written contract with that processor. Currently this applies to Anthropic (United States; chat AI) and to Google Analytics (Google LLC, United States; opt-in usage analytics only). For Google Analytics the transfer mechanism is incorporated via Google’s standard Ads Data Processing Terms, which apply by default to our UK-based account.
2. What data we collect
When you use Healicus, we may process the following data:
- Account data: Email address and password (managed by Supabase authentication)
- Editorial preferences: The five-pillar focus you select, intention tags per pillar, age band, dietary pattern, and an optional self-note. These are lifestyle interests, not health data
- Saved practices (My Focus): Practices you bookmark from the editorial catalogue, with optional notes and pause/resume status
- Chat & search history: Messages you send and AI responses, stored to maintain conversation context. Free-text content you type may include health information you choose to disclose — see Section 3 for the legal basis
- Wellness logs: Mood, energy, and sleep ratings you voluntarily submit at /wellness. These are health data (Art. 9 GDPR) — see Section 3
- Usage data: IP address, browser type, and pages visited (server logs)
- Email subscriptions: If you subscribe to our newsletter, we store your email address, the subscription date, and the page you subscribed from
What we no longer collect: Healicus used to ask users to maintain a stored health record (conditions, medications, allergies). That feature has been removed. You can use the Interaction Reference for one-shot supplement ↔ medication checks — the medications you enter there are processed in-session and never stored on your account.
3. Purpose and legal basis
- Providing the service: Account data, editorial preferences, saved practices, and chat history are processed to deliver the service you signed up for — Art. 6(1)(b) GDPR (contract performance).
- Wellness logs (Art. 9 special-category data): Mood, energy, and sleep ratings you choose to submit at /wellness are health data. Legal basis: Art. 9(2)(a) GDPR (explicit consent), given by you when you submit a log. You can stop logging at any time and delete past entries from your account.
- Free-text content you type into chat or search: If you choose to disclose health information in a message (for example, “I’m on warfarin, is X safe?”), processing that single message is necessary to give you an answer. Legal basis: Art. 9(2)(a) GDPR (explicit consent through voluntary disclosure for a specific request). When the model detects a question about a medical condition, it routes you to a physician rather than answering. We do not aggregate, profile, or train models on this content.
- Server logs: IP addresses are processed for security and abuse prevention — Art. 6(1)(f) GDPR (legitimate interest).
We do not maintain a stored health record on your profile. Conditions, medications, and allergies are no longer collected as a structured dataset.
4. Third-party services we use or plan to use
The services below are listed for transparency. Where a service processes personal data on our behalf, we enter into a written contract under Art. 28(3) GDPR — including, where the service is outside the EEA and the UK, the appropriate transfer mechanism (IDTA or Standard Contractual Clauses) — before any user data is transferred to them. Services marked “currently active” have a written processor agreement in place; services marked “planned” do not yet receive any user data.
- Anthropic PBC (United States) — currently active. AI model provider. Chat messages are sent to Claude for response generation. Processor agreement and Standard Contractual Clauses are in place via Anthropic’s commercial terms. Anthropic does not use your data for training. See Anthropic’s privacy policy.
- Hetzner Online GmbH (Germany) — currently active. Hosting provider for the application server and the primary PostgreSQL database. Auftragsverarbeitungsvertrag (DPA) accepted in the Hetzner customer area. EEA processor — no third-country transfer.
- Supabase Inc. (United States) — currently active. Authentication service. Healicus Ltd is the customer of record and the project is hosted under our organisation. Data Processing Addendum signed on 3 May 2026, incorporating the EU Standard Contractual Clauses (Module Two) and the UK International Data Transfer Addendum for the UK → US transfer. Only authentication-token data (email + session token) is sent — no health profile data.
- Brevo / Sendinblue SAS (France) — planned. Will be engaged for transactional email (subscription confirmations, unsubscribe links) once the email-subscription feature is enabled. EU processor — no third-country transfer.
- Google LLC / Google Analytics (United States) — currently active. Anonymised usage analytics, loaded only after the visitor opts in via the cookie consent banner. IP anonymisation is enabled. The Google Ads Data Processing Terms (which incorporate the EU SCCs and the UK IDTA Addendum) apply by default to our UK-based Google account, providing the Art. 28(3) GDPR processor agreement and the appropriate transfer mechanism for the UK→US transfer. See Google’s processor terms.
- ElevenLabs Inc. (United States) — paused. Previously used for voice synthesis. Voice output is currently disabled in production while we finalise the processor agreement and the appropriate transfer mechanism. No data is currently flowing to ElevenLabs.
4.5 Outbound referrals to lab partners and other third parties
Some pages on Healicus link to independent laboratories, supplement vendors, or programmes operated by third parties. Where Healicus has an affiliate agreement with one of those third parties, the link is labelled Sponsored and we may receive a commission if you transact with them. Links without that label are plain editorial references and earn us nothing. The full policy is on the disclosure page.
- What we send on the outbound click: UTM tags identifying Healicus as the source of the click (utm_source=healicus, utm_medium=referral or utm_medium=affiliate, and a campaign label identifying the marker page you came from). These tags let the partner’s analytics attribute the visit; they do not identify you personally.
- What happens once you arrive at the partner: You leave Healicus. The partner becomes the data controller. Their privacy policy, terms of use, and consent flows apply. Any account you create, sample you send, payment you make, or result you receive is between you and the partner.
- What we never see: Healicus does not receive your lab order, your sample, your payment information, or your lab values. We do not have results-sharing integrations with any partner. If a partner flags one of your results as needing attention, they will contact you directly — Healicus will not.
- What partners may share back with us: Aggregated, anonymised conversion counts (“X clicks from Healicus this month resulted in Y orders”) for commission reconciliation. No identifiable user data.
5. Data retention
Your account data, editorial preferences, saved practices, and wellness logs are retained as long as your account is active. Chat and search history is retained to provide conversation continuity; you can delete individual conversations at any time. Deleting your account from the Profile page erases all associated data. Server logs are retained for 30 days.
6. Your rights
Under GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with a supervisory authority
To exercise any of these rights, contact us at healicus.support@gmail.com.
6.5 Email subscriptions
If you subscribe to our newsletter, we store your email address, subscription date, and source page. We use a double opt-in process: you’ll receive a confirmation email after subscribing, and your subscription only becomes active once you click the confirmation link.
- Legal basis: Art. 6(1)(a) GDPR — your consent
- Retention: Until you unsubscribe. Every email includes an unsubscribe link
- Withdrawal: You can unsubscribe at any time using the link in any of our emails, or by emailing us at the address in Section 1
- No third parties: We do not share subscriber emails with advertisers or data brokers
7. Cookies
Healicus uses the following types of cookies:
- Essential cookies: Required for authentication and session management. These cannot be disabled.
- Analytics cookies (Google Analytics): We use Google Analytics with IP anonymisation to understand how visitors use our site. These cookies are only set after you opt in via the consent banner. You may decline analytics cookies, and the site will function normally without them.
We do not use advertising cookies, retargeting, or third-party tracking for marketing purposes.
8. Data security
All data is transmitted over HTTPS. User data (preferences, saved practices, wellness logs, chat history) is stored in a PostgreSQL database hosted at Hetzner in Germany, with row-level access scoping by user id and LUKS2 at-rest encryption on the data volume. Passwords are managed by Supabase Authentication and are never stored on Healicus servers.
9. California residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:
- Right to know: You can request what personal information we collect, use, and disclose
- Right to delete: You can request deletion of your personal information
- Right to opt out: We do not sell your personal information to third parties
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise these rights, contact us at healicus.support@gmail.com.
10. FDA disclaimer
The information provided by Healicus has not been evaluated by the Food and Drug Administration. This product is not intended to diagnose, treat, cure, or prevent any disease. The content is for educational and informational purposes only and should not be considered medical advice.