Privacy

Your health data, on your terms.

This policy explains what we collect, why, and the control you keep over it. Twin connects only the sources you choose, and your consent is explicit, per-source and revocable at any time.

Last updated: 14 July 2026

This policy is an early draft and will evolve — with clearer detail and, where relevant, supporting documentation — before Twin’s public launch. Material changes will be communicated in-app or by email.

Who we are

Auracare Health LTD (“Auracare”, “we”, “us”) is the data controller for the personal data described in this policy. We are a company registered in England & Wales. For any privacy question, or to exercise your rights, contact privacy@auracare.org.uk.

What this policy covers

This policy covers Twin, our consumer product that builds a personal health “digital twin” from the wearables and apps you connect, and checks in with you over iMessage.

Twin is a general-wellness product, not a medical device. It is designed to help you understand your own patterns — it does not diagnose, treat, dose or clinically interpret your data.

The data we process

Account data

When you join, we process the details needed to run your account — such as your name, email address and the mobile identity you use to message Twin — together with basic app and delivery logs that keep the service reliable and secure.

Health & wellness data you connect

When you connect a source, Twin processes the general health and wellness information it provides — such as sleep, activity and recovery trends from the wearables and apps you choose to link. You decide which sources to connect, and you can disconnect any of them at any time.

Health data is special-category personal data under the UK GDPR. We treat it with the heightened protection that classification requires.

Our lawful basis

We rely on your explicit consent (Article 9(2)(a) UK GDPR) to process your health signals. That consent is:

  • Explicit — you actively opt in before any health data is processed.
  • Per-source — you consent to each connector separately, and can connect or disconnect them one at a time.
  • Revocable at any time — withdrawing consent is as easy as giving it, and stops future processing of that source.

How we use your data

We use your data to:

  • build and maintain your personal health digital twin;
  • learn your baselines and notice meaningful changes;
  • send you check-ins — a morning brief, an evening wrap, and nudges when your data warrants one;
  • operate, secure and improve the service.

We do not use your health data for advertising, and we do not sell it.

Wearable connectors

Twin only pulls data from the sources you explicitly connect. Nothing is collected from a source you have not authorised. Connections use each provider’s standard authorisation flow, and the access tokens we hold on your behalf are encrypted at rest. When you disconnect a source, we stop pulling new data from it.

Where your data is processed

We are building Twin to process your data within our own UK/EU cloud tenant. This is a direction of travel, not a guarantee of every processing arrangement today; we will update this section as that infrastructure matures. Where data is processed outside the UK, we put appropriate safeguards in place as required by the UK GDPR.

Sharing your data

We do not sell your data. We do not share your health data with third parties without your consent. We use a small number of service providers (for example, cloud hosting and message delivery) strictly to operate Twin; they act on our instructions under contract and may not use your data for their own purposes. We may disclose data where we are legally required to do so.

Retention & deletion

We keep your personal data only for as long as we need it to provide the service to you, or as required by law. When you delete your account, or ask us to erase your data, we delete or irreversibly anonymise it within a reasonable period, except where we must retain something to meet a legal obligation.

Your rights

Under the UK GDPR you have the right to:

  • access the personal data we hold about you;
  • rectify data that is inaccurate or incomplete;
  • erase your data (“the right to be forgotten”);
  • port your data — receive it in a portable, machine-readable format;
  • withdraw consent at any time, per source, without affecting past processing;
  • complain to the Information Commissioner’s Office (ICO), the UK supervisory authority, at ico.org.uk.

To exercise any of these, email privacy@auracare.org.uk. We would always welcome the chance to resolve a concern directly before you approach the ICO.

Emergencies & safety routing

Twin is not an emergency service and cannot summon help. If Twin surfaces safety information, it routes you to the right lines for your region — for example:

United Kingdom

Emergency
999
Urgent advice
NHS 111
Mental health
Samaritans 116 123

United States

Emergency
911
Mental health
988
Poison control
1-800-222-1222

If you think you or someone else is in danger, contact your local emergency services immediately.

What Twin never does

Twin is a general-wellness product, not a medical device. It does not diagnose, treat, cure or prevent any disease. Always seek professional medical advice for health concerns.

  • Diagnoses, treats or prescribes
  • Interprets a reading as a clinical result
  • Replaces your doctor, pharmacist or 999/111
  • Shares your data without your explicit, per-source consent

Contact

Questions about this policy, or about how we handle your data? Write to us at privacy@auracare.org.uk and we’ll be glad to help.