Privacy · cookies · data protection

What we know about you, and what we don't.

This notice describes how Averra collects, uses, stores and shares personal data — on this website and across our wider work. It is written to comply with the UK GDPR, the EU GDPR, the UK Privacy and Electronic Communications Regulations (PECR), and — where applicable — HIPAA for protected health information.

Effective · 27 April 2026
Version · 1.2
Controller · Averra Health Ltd

01 — Who we are

Averra Health Ltd ("Averra", "we", "us") is the data controller for personal data processed through this website and through direct correspondence with our team. We are registered in England & Wales, with our registered office at 1 Finsbury Avenue, London EC2M 2PF, and registered with the UK Information Commissioner's Office under registration number ZB000000.

For clinical and research deployments, the relevant healthcare institution is typically the controller of patient data and Averra acts as a processor under a written data-processing agreement.

02 — What we collect

We try to collect as little as possible. The categories below describe the data we may handle on this site and in correspondence; clinical-grade data is governed by separate agreements with the relevant institution.

Category | Examples | Source
Identity & contact | Name, email, organisation, role. | You — when you write to us.
Correspondence | The content of your message and our reply. | You.
Technical | Truncated IP address, browser, device class, referrer. | Your browser, only with consent for analytics.
Usage | Pages visited, time on page, anonymised events. | Privacy-respecting analytics, with consent.
Cookie choices | Your consent record and preferences. | Stored locally on your device.

03 — Why we use it

  • To answer your message and continue a conversation you started.
  • To assess whether a partnership, investment or research collaboration is appropriate.
  • To keep this website secure, available and free of abuse.
  • To understand — in aggregate, never individually — how the site is used, so we can improve it.
  • To meet our legal, accounting and regulatory obligations.

We do not sell personal data. We do not use it for automated decision-making or profiling that produces legal or similarly significant effects.

04 — Lawful basis

Under the UK GDPR and EU GDPR we rely on the following bases:

  • Consent — for analytics, preferences and any future marketing cookies. Withdraw any time at cookie settings.
  • Legitimate interests — for replying to messages you initiate, keeping the site secure, and basic operations. We have completed a balancing test; you can request a summary.
  • Legal obligation — where we must process data to comply with law (for example, retaining records for tax purposes).
  • Contract — where processing is necessary to enter into or perform a contract with you or your organisation.

Where we process special-category data (for example, in clinical deployments), we additionally rely on Article 9 grounds — typically explicit consent of the data subject, the provision of health or social care, or scientific research subject to appropriate safeguards.

05 — Who we share with

We share personal data only with vetted processors under written contracts, and only to the extent necessary. Current processors:

Processor | Purpose | Region
Email host | Receiving and sending the team's email. | EU/UK.
Cloud infrastructure | Site hosting, backups, security. | EU/UK.
Analytics | Aggregated, anonymised site analytics — only with consent. | EU.
Professional advisors | Legal, accounting, audit. | UK.

A current list, with subprocessors and DPAs, is available on request. We do not share personal data with advertising networks and we do not embed third-party trackers on this site.

06 — International transfers

Where personal data leaves the UK or EEA, we rely on adequacy decisions where they exist (for example, the UK–EU adequacy decision and the UK Extension to the EU–US Data Privacy Framework). Where adequacy is not available, we use the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, supplemented by a transfer impact assessment and additional technical measures (encryption in transit and at rest, pseudonymisation where feasible, region locking).

07 — Retention

Category | Retention
Correspondence | Up to 24 months from last contact, unless an active relationship exists.
Server & security logs | Up to 90 days.
Analytics events | 14 months, aggregated.
Cookie consent record | 12 months, then we ask again.
Accounting records | 6 years (UK statutory).

Data is deleted or irreversibly anonymised at the end of its retention window unless a longer period is required by law.

08 — Security

  • End-to-end TLS in transit; AES-256 at rest.
  • Role-based access; principle of least privilege; quarterly access reviews.
  • Single sign-on with hardware second factor for staff.
  • Encrypted, region-locked backups with point-in-time recovery.
  • Independent penetration testing on each release; SOC 2 Type II controls in progress.
  • Documented incident response with a 72-hour breach notification workflow.

09 — Your rights

Under the UK GDPR and EU GDPR you have the right to:

  • Be informed about how your data is used (this notice).
  • Access a copy of the personal data we hold about you.
  • Rectify data that is inaccurate or incomplete.
  • Erasure ("the right to be forgotten") in defined circumstances.
  • Restriction of processing where you contest accuracy or lawfulness.
  • Data portability — receive your data in a structured, commonly used, machine-readable format.
  • Object to processing based on legitimate interests, including profiling.
  • Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Not be subject to a decision based solely on automated processing that has legal or similarly significant effects.
  • Lodge a complaint with a supervisory authority (see section 13).

To exercise any of these rights, write to privacy@averra.health. We respond within one calendar month.

10 — Cookies

A cookie is a small text file stored on your device. Some are essential to make the site work; others are optional and only set with your explicit consent (UK PECR & ePrivacy Directive). You can review and change your choices any time at cookie settings.

Categories

Category | Purpose | Default
Strictly necessary | Theme, security, remembering your cookie choices. | Always on
Preferences | Small UI choices you make. | Off — opt-in
Analytics | Aggregate, anonymised usage with IP truncation. | Off — opt-in
Marketing | Reserved. Not currently used. | Off — opt-in

What's set today

Name | Purpose | Lifetime | Category
averra.theme | Remembers day/night mode. | 12 months | Necessary
averra.consent.v1 | Stores your cookie choices and timestamp. | 12 months | Necessary

Analytics and marketing cookies are listed when, and only when, they are enabled by your consent. We honour the Global Privacy Control (GPC) signal: if your browser sends GPC, we treat it as a request to opt out of any sale or sharing of personal data.

11 — Children

This website is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12 — Changes

We update this notice when our practices change. The current version and effective date are shown at the top. Material changes — for example, a new processor or a new processing purpose — are notified to people who have given us their contact details, and the consent banner is shown again so you can review your choices.

13 — Contact & complaints

For any privacy question, request, or complaint, write to our Data Protection Officer at privacy@averra.health or by post to: Data Protection, Averra Health Ltd, 1 Finsbury Avenue, London EC2M 2PF, United Kingdom.

You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office. In the EU, this is the data protection authority of the member state where you live, work, or where the alleged infringement took place.