Privacy Policy & Terms of Service

1. Who we are

NeuroFract LTD ("NeuroFract", "we", "us") operates the platform at neurofract.com. We are the data controller for all personal data processed through this platform.

Principal Investigator: Dr Antonio Valentin, King's College London.

Contact: privacy@neurofract.com

2. Data we collect

Account data

• Email address and password (via Firebase Authentication)
• Full name and display name
• Account role (patient, clinician, or researcher)
• Account creation timestamp

Health data (patients only)

• Therapy type (DBS, VNS, TMS, tDCS, etc.) and medical condition
• Responses to validated clinical instruments: LAEP (Liverpool Adverse Events Profile), SSQ (Seizure Severity Questionnaire), QOLIE-31 (Quality of Life in Epilepsy)
• Cognitive assessment results across 6 domains
• Seizure log entries (date, time, duration, notes)
• Weekly check-in scores and timestamps

Usage data

• Pages visited and features used (not sold or shared with advertisers)
• Device type and browser (via Firebase Analytics, if enabled)

3. How we use your data

• Patients: To display your assessment history, calculate triage scores, and share results with your assigned clinician.
• Clinicians: To show you your assigned patients' scores, triage status, and trend data.
• Researchers: To provide anonymised, aggregated cohort data for academic analysis. Individual identities are never exposed.
• All users: To authenticate your account and secure your data.

We do not use your data for advertising, profiling, or sale to third parties.

4. Legal basis (UK GDPR)

We process your data under the following legal bases:

• Explicit consent (Article 6(1)(a) and Article 9(2)(a)) — for health data collected via assessments. You may withdraw consent at any time.
• Legitimate interests (Article 6(1)(f)) — for platform security, fraud prevention, and service improvement.
• Legal obligation — where required by applicable law.

5. Special category health data

This data is accessible only to: (a) you, (b) your assigned clinician, and (c) researchers viewing anonymised aggregate data. No individual health data is ever exposed to researchers.

6. Data storage & residency

All data is stored in Google Firebase (Firestore and Firebase Authentication), configured to the europe-west2 (London) region. This means your data is stored within the UK/EEA.

Firebase is operated by Google LLC. Google's data processing terms apply: firebase.google.com/terms/data-processing-terms.

Data is retained for the duration of the clinical pilot and for a minimum of 5 years thereafter, as required by clinical research governance standards.

7. Your rights

Under UK GDPR you have the right to:

• Access — request a copy of all data we hold about you
• Rectification — correct inaccurate data
• Restriction — limit processing of your data
• Withdrawal of consent — stop further data collection (your existing data is retained for clinical governance reasons, marked as withdrawn)
• Portability — receive your data in a machine-readable format
• Object — object to processing based on legitimate interests

8. Who we share data with

• Your assigned clinician — can see your name, therapy type, and all assessment scores
• Researchers — see only anonymised aggregate data (patient IDs replaced with codes like P-001)
• Google / Firebase — as our infrastructure provider (data processor)
• No one else — we do not sell, share, or transfer data to any other third party

9. Cookies & third-party services

NeuroFract uses the following third-party services that may process data when you use the platform:

• Google Fonts — loads fonts from Google servers (your IP address is sent to Google). We are working to host fonts locally to eliminate this.
• Firebase Authentication — manages login sessions using a secure cookie/token stored in your browser.
• Chart.js — loaded from cdnjs.cloudflare.com for data visualisation.

We do not use advertising cookies, tracking pixels, or analytics beyond what Firebase provides by default. The consent banner on our platform allows you to decline non-essential data collection.

10. Children

NeuroFract is not intended for use by anyone under the age of 16 without explicit parental consent and clinician oversight. If you believe a child has registered without consent, contact us immediately at privacy@neurofract.com.

11. Terms of Service

Permitted use

NeuroFract is provided for clinical monitoring and research purposes only. You agree to use the platform only for its intended purpose and in compliance with applicable law.

Not a medical device

NeuroFract is a clinical monitoring and communication tool. It is not a regulated medical device, does not provide diagnoses, and does not replace clinical judgement. All clinical decisions remain the responsibility of the treating clinician.

Accuracy of data

You agree to provide accurate information when completing assessments. Deliberate falsification of health data may compromise patient safety.

Account security

You are responsible for keeping your login credentials secure. Notify us immediately if you suspect unauthorised access to your account.

Availability

We aim for high availability but cannot guarantee uninterrupted service. The platform is provided "as is" during the pilot phase.

Intellectual property

All platform content, design, and code is owned by NeuroFract LTD. The clinical instruments (LAEP, SSQ, QOLIE-31) are used under their respective licences (QOLIE-31 is RAND public domain).

12. Changes to this policy

We will notify registered users by email of any material changes to this policy at least 14 days before they take effect. The effective date at the top of this page will be updated with each revision.

13. Contact & complaints