Privacy Policy
e-Zap Health
Updated: 12th April 2026
1. Introduction
This Privacy Policy explains how personal data is collected, used, and protected when you use the e-Zap Health mobile application (“the App”).
The App is operated by e-Zap Health Ltd (trading as “e-Zap Health”), a company registered in the United Kingdom.
e-Zap Health is a personal health record and tracking tool that allows users to record and organise health-related information such as symptoms, diagnoses, medications, procedures, diet, wellbeing, mood and test results.
The App has been designed in accordance with data minimisation principles, meaning that the collection and processing of personal data is limited to what is strictly necessary for functionality.
This Privacy Policy is provided in accordance with:
The UK General Data Protection Regulation (UK GDPR)
The Data Protection Act 2018
2. Data Controller
The data controller responsible for processing personal data in connection with the App is:
e-Zap Health Ltd
United Kingdom
Email: enquiries@ezaphealth.com
3. Nature of Data Processed
3.1 Personal Data
The App processes limited personal data, specifically:
Email address (for authentication purposes only)
3.1A Optional Username
The App may also allow users to enter an optional username for display within the App.
This username is:
Not required for use of the App
Not verified by e-Zap Health Ltd
Not used for identity verification
Not used as an authentication credential
Not included in generated clinical appointment preparation PDF summaries
Users are strongly discouraged from using their real name or any other directly identifiable personal information as a username.
3.2 Special Category Data (Health Data)
Health information entered into the App may include:
Symptoms and symptom logs
Symptom update history, including ongoing, intermittent, cyclical, recurring, or fluctuating symptoms tracked over time
User-linked references between symptoms, medications, surgeries, and uploaded supporting images stored locally on the device
As well as:
Diagnoses
Medications
Allergies
Procedures and surgeries
Vaccinations
Test results and scans
Lifestyle information (e.g. diet, smoking, alcohol consumption, mood and wellbeing)
Weight and health metrics
Free-text health notes
This constitutes special category data under UK GDPR.
3.3 Image Data (Image Hub)
The App includes an optional Image Hub feature which allows users to select and upload images from their device.
Images are selected manually by the user via the device’s system image selection interface (for example, the device photo library or equivalent system picker). The App does not access, scan, or retrieve images from the device without direct user action.
The App does not:
Access the user’s photo library in bulk
Scan or analyse the contents of the photo library
Access images in the background
Access the device camera in its current version
Only images explicitly selected by the user are made available to the App.
Images uploaded to the Image Hub may include screenshots, letters, prescriptions, referral documents, test results, scans, or other health-related material chosen by the user.
Such images may contain personally identifiable information, including for example a full name, address, NHS number / ID number / insurance ID, date of birth, prescription details, referral information, or other identifiers. e-Zap Health Ltd does not request that users upload identifiable documents and does not require users to include such information.
Users upload image content entirely at their own discretion and remain solely responsible for the content they choose to upload, store, link, retain, share, or delete within the App.
Users are strongly advised to redact, obscure, crop, or otherwise remove unnecessary identifying information before uploading any image to the App.
Uploaded images are stored locally on the user’s device only, are not accessible to e-Zap Health Ltd, are not reviewed or moderated by e-Zap Health Ltd, and are not externally processed, analysed, or used for advertising, profiling, or product training purposes.
4. Legal Basis for Processing
4.1 Email Authentication
Processing of email addresses is necessary for:
Providing secure access to the App
Preventing unauthorised access
This processing is based on:
Article 6(1)(b) – performance of a contract
Article 6(1)(f) – legitimate interests (security and fraud prevention)
4.2 Health Data Processing
Health data is processed:
Solely on the user’s device
Under the user’s control
Where any processing occurs (e.g. optional features), this is based on:
Article 9(2)(a) – explicit consent
5. Data Collection and Use
5.1 Email Address (Authentication)
When accessing the App, users must provide an email address to receive a one-time authentication code.
This is used only to:
Verify access
Enable secure login
Authentication emails (such as one-time login codes) are delivered using a secure third-party email delivery provider (Resend).
This provider processes the user’s email address solely for the purpose of sending authentication emails on behalf of e-Zap Health Ltd.
The App does not create user profiles containing identifiable personal information.
Limited technical diagnostics data may also be processed by third-party infrastructure used in connection with authentication and application stability monitoring, including services such as Firebase Crashlytics, for the sole purposes of identifying crashes, diagnosing software issues, and improving reliability and security.
Such technical diagnostics processing is limited to technical and operational information reasonably necessary for those purposes and is not used by e-Zap Health Ltd for advertising, behavioural profiling, or sale of personal data.
5.2 Health Data
All health data entered into the App is:
Provided voluntarily by the user
Used solely for personal tracking purposes
Not accessible to e-Zap Health Ltd
5.3 Image Data and Local Linking Functionality
Where the user chooses to use the Image Hub, uploaded images remain under the user’s control and are stored only on the user’s device.
The App may allow users to link locally stored images to certain records within the App, including symptoms, medications, and surgery records. This linking function is organisational only and operates solely on-device.
e-Zap Health Ltd does not access, inspect, verify, moderate, or approve uploaded images or the linkages a user creates between images and records.
No uploaded image is processed externally, used by the My AI tool, or included within the clinical appointment preparation PDF generated by the App in its current form.
6. Data Storage
6.1 Local Storage
All health data is stored locally on the user’s device using on-device storage technology.
e-Zap Health Ltd:
Does not store health records on its own servers
Does not have access to user health data
Does not maintain centralised health databases
Users retain full control over their data.
For the avoidance of doubt, this local-only storage model also applies to images uploaded into the Image Hub, together with any on-device links between those images and the user’s records.
Users may delete individual images from within the App at any time, subject to the functionality available in the App interface.
6.2 Authentication Data (Supabase)
Authentication services are provided by Supabase.
Supabase processes:
Email addresses
Authentication tokens
Technical metadata (e.g. IP address, login activity)
This data is processed solely to enable secure authentication.
Supabase acts as a data processor on behalf of e-Zap Health Ltd.
6.3 Email Delivery (Resend)
Transactional emails required for authentication (such as one-time login codes) are delivered using Resend, a third-party email delivery service.
Resend processes:
Email addresses
Limited technical data required for delivery (e.g. delivery status, message metadata)
This processing is carried out solely for the purpose of delivering authentication emails securely and reliably.
e-Zap Health Ltd does not use Resend for:
Marketing communications
User profiling
Storage of health data
Neither Supabase, Firebase, nor Resend is used by e-Zap Health Ltd to publish, sell, profile, or otherwise commercially exploit user email addresses.
Those providers are used only for limited infrastructure purposes such as authentication, secure delivery of authentication emails, and technical stability monitoring.
7. Data Retention
7.1 Email Data
Email addresses are retained:
For as long as the user account remains active
Until deletion is requested
Users may request deletion of their authentication data at any time by contacting:
enquiries@ezaphealth.com
e-Zap Health Ltd will take reasonable steps to ensure deletion requests are actioned, including requesting deletion from third-party processors where applicable.
7.2 Health Data
Health data is:
Stored only on the user’s device
Retained until deleted by the user or the App is uninstalled
7.3 Image Data and Wipe Function
Images stored in the Image Hub are retained locally on the user’s device until deleted by the user, removed by use of the App’s wipe function, or deleted when the App is uninstalled.
The App may include a wipe-all-data function which is intended to remove all locally stored health data and locally stored images from the device and return the App to an initial set-up state.
However, wiping locally stored App data does not necessarily sever or destroy the separate association between the user’s email address and third-party authentication or infrastructure providers used by the App, including Supabase and related services.
As a result, the association between authentication information and third-party processors may not be fractured solely by wiping stored health data from the device. Full disassociation may require use of a new email address for authentication and a fresh installation or new registration process.
8. International Data Transfers
Third-party processors such as Supabase and Resend may process data outside the United Kingdom.
Where this occurs, e-Zap Health Ltd ensures that appropriate safeguards are in place, including:
UK adequacy regulations
Standard Contractual Clauses (SCCs)
9. Data Sharing
e-Zap Health Ltd does not:
Sell personal data
Share personal data for advertising or commercial purposes
Data may be shared only:
With service providers (e.g. Supabase for authentication and Resend for email delivery)
Where required by law
10. Future AI Functionality
The App may introduce optional AI-powered features in future.
If implemented:
- Processing will occur only when actively initiated by the user
- No directly identifiable personal data will be transmitted
- Only user-entered health data may be processed
- Processing will be based on explicit user consent
e-Zap Health Ltd will update this Privacy Policy prior to enabling such functionality.
11. Generated Reports
The App may allow users to generate PDF health summaries.
These reports:
- Are generated locally on the device
- Are not stored by e-Zap Health Ltd
- Are shared solely at the user’s discretion
At present, uploaded images from the Image Hub are not pulled into these generated PDF reports.
At present, optional usernames entered by the user are also not pulled into these generated PDF reports.
12. Device Permissions
The App may request the following permissions:
Photo Library – to allow the user to select and upload images into the Image Hub
Camera – (not currently used, may be introduced in future versions)
Storage – for saving data locally
Notifications – for reminders
Internet Access – for authentication services
Photo library access is used solely to enable the user to manually select images. The App does not access or process the user’s photo library without user interaction and does not retrieve or analyse images beyond those explicitly selected.
Permissions can be managed via device settings.
If future versions of the App enable camera capture, expanded photo library access, image analysis, or any comparable functionality, this Privacy Policy will be updated before those features are made available.
13. Security
The App is designed to minimise risk by avoiding centralised storage of sensitive data.
Security measures include:
- Minimised data collection
- Localised storage of health data
- Secure authentication processes
- Limited technical diagnostics processing for crash reporting, debugging, fraud prevention, quality assurance, and service reliability
Users are responsible for:
- Securing their device
- Maintaining device encryption and updates
Because health data and images are stored locally, users are responsible for making informed decisions about what they store in the App, including whether to upload documents or screenshots that may contain sensitive identifiers.
The App does not request or require users to upload identifiable documents. Where a user chooses to do so, that decision is made solely by the user and at the user’s own discretion.
14. Children
The App is intended for users aged 16 and over.
15. Your Data Protection Rights
Under UK GDPR, users have the right to:
- Access personal data
- Request correction
- Request deletion
- Restrict processing
- Object to processing
- Data portability (where applicable)
Because most data is stored locally, many rights can be exercised directly within the App.
For authentication data or other enquiries, contact:
enquiries@ezaphealth.com
Users also have the right to lodge a complaint with the Information Commissioner's Office:
https://ico.org.uk
16. Changes to This Policy
This Privacy Policy may be updated from time to time.
The latest version will always be published on the e-Zap Health website.
17. Contact
e-Zap Health Ltd
United Kingdom
Email: enquiries@ezaphealth.com
