Privacy Policy

Last updated: April 2026

1. Who We Are

BrainSynex is a product of APTENOX Ltd, registered in England and Wales. We act as the data controller for all personal data processed through the BrainSynex platform. For the purposes of UK data protection law, this includes the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Protection Officer: You can contact our DPO at dpo@aptenox.com.

2. What Data We Collect

We collect the following categories of personal data:

• Account data: name, email address, role, organisation membership
• Health data (special category under UK GDPR Article 9): mood scores, anxiety levels, sleep patterns, body weight, journal entries, medication records, therapy session notes, assessment results, and wearable device data
• Audio biomarkers (if voice recording is enabled): voice recordings analysed for vocal biomarkers — this is biometric data requiring explicit consent
• Usage data: login activity, feature usage, crash logs (via cookies and localStorage)
• Communications: messages between patients and their assigned clinical providers

3. Legal Basis for Processing

We process your personal data on the following legal bases:

• Article 6(1)(b) UK GDPR: Performance of contract — to provide the BrainSynex service
• Article 6(1)(c) UK GDPR: Legal obligation — to comply with regulatory requirements
• Article 6(1)(f) UK GDPR: Legitimate interests — service improvement, fraud prevention
• Article 9(2)(a) UK GDPR: Explicit consent — for processing special category health data
• Article 9(2)(h) UK GDPR: Healthcare purposes — processing for preventive or occupational medicine, medical diagnosis, and management of healthcare systems

4. AI Processing & Automated Insights

BrainSynex uses Google's Gemini AI to analyse journal entries and health data in order to generate personalised insights and recommendations. This involves sending your data to Google's servers.

• Google processes your data under a Data Processing Agreement with Aptenox Ltd
• Google does not use your data to train its own models
• AI-generated insights are for informational purposes only and do not constitute a clinical diagnosis
• You can opt out of AI processing at any time in your account settings

This constitutes automated decision-making under UK GDPR Article 22. You have the right not to be subject to a decision based solely on automated processing. All AI insights are advisory — clinical decisions are made by your human therapist.

5. Body Weight Data

Body weight is collected as part of your general health profile because body weight can be an indicator of certain mental health conditions (including eating disorders, medication side effects, and depressive episodes). This data is stored encrypted and shared only with your assigned clinical provider. You can request removal of this data at any time.

6. Data Sharing

We do not sell your data. Your health data is shared only with your assigned clinical provider and organisation administrators, as strictly necessary for your care. Data may also be shared with Google (Gemini AI) for insight generation as described above. We do not share health data with advertising providers or any third parties not directly involved in your care.

7. Data Retention

We retain your data in accordance with NHS guidance on health records management:

• Health records: Retained for 7 years from the date of last entry, per NHS Records Management Code of Practice (HC(20)003)
• Account data: Retained for 2 years from your last activity, after which it is anonymised or deleted
• Deleted account data: When you exercise your right to erasure, all data is soft-deleted and retained for 7 years to comply with healthcare regulatory obligations, after which it is permanently destroyed
• Therapeutic relationship records: If you are assigned to a therapist, your data is retained for the duration of the therapeutic relationship and then 7 years after the relationship ends

8. Your Rights Under UK GDPR

You have the following rights:

• Right of access (Article 15) — Request a copy of all your data
• Right to rectification (Article 16) — Correct inaccurate data
• Right to erasure (Article 17) — Request deletion of your data
• Right to data portability (Article 20) — Export your data in a machine-readable format
• Right to restrict processing (Article 18) — Request we stop processing your data
• Right to object (Article 21) — Object to processing based on legitimate interests
• Rights relating to automated decision-making (Article 22) — Opt out of AI processing

To exercise any of these rights, go to your Profile settings or email dpo@aptenox.com. We will respond within 30 days.

9. Data Security

Your data is encrypted in transit (TLS) and at rest. We use Firebase Authentication and MongoDB with full-disk encryption. Access to your data is restricted to you and your assigned clinical provider. An audit trail records every access to your health records.

10. International Transfers

Your data may be processed outside the UK (including by Google in the US). We rely on UK adequacy regulations and Standard Contractual Clauses to ensure adequate protection.

11. Complaints

If you are unhappy with how your data is handled, please contact us at dpo@aptenox.com. You also have the right to complain to the Information Commissioner's Office (ICO).

12. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated via email and a banner in the application.