1. Who we are
MAXine ("the App") is provided by Gnosis Health Limited, a company registered in England and Wales (company number 11635640), with its registered office at The Catalyst, 3 Science Square, Newcastle Helix, Newcastle upon Tyne, NE4 5TG, United Kingdom ("Gnosis", "we", "us"). For the purposes of UK data-protection law, Gnosis Health Limited is the data controller for personal data processed through the App.
You can reach our data-protection contact at support@gnosishealth.ai.
2. What this policy covers
This policy explains what personal data the MAXine mobile app collects, how it is used, who it is shared with, how long it is kept, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
3. What data we collect
- Account information — email address, name, date of birth, gender, phone number, user type (patient or care partner) and any profile fields you choose to provide.
- Authentication identifiers — identifiers issued by Firebase Authentication and session tokens stored securely on your device.
- Health and wellbeing data — symptoms you log, medications you record, questionnaire responses, and voice messages you choose to send to the in-app AI assistant.
- Health Connect data (Android, optional, only if you grant permission) — steps, heart rate, active calories burned, sleep, distance, and exercise sessions.
- Apple Health data (iOS, optional, only if you grant permission) — equivalent metrics where available.
- Chat content — messages you send to and receive from the in-app AI assistant.
- Care-partner linking data — if you link a care partner, we exchange the partner's name, email, and the link relationship between accounts.
- App diagnostics — anonymous usage analytics, crash reports, and performance traces collected via Firebase Analytics, Crashlytics and Performance Monitoring.
- Push-notification identifiers — Firebase Cloud Messaging registration tokens used to deliver medication and symptom reminders.
- Photos and audio — profile photos you upload and voice recordings you send to the AI assistant.
The App does not collect device location, contacts, calendar, files stored elsewhere on your device, financial information, or any data not listed above.
4. Why we use this data (lawful bases)
- To provide the App and its features — lawful basis: performance of a contract / provision of a service.
- To deliver the clinical pilot study you have agreed to participate in — lawful basis: explicit consent and, where applicable, scientific research in the public interest.
- To diagnose and fix faults and improve the product — lawful basis: legitimate interests, balanced against your right to expect minimal data collection.
- To detect and prevent abuse — lawful basis: legitimate interests in protecting the platform.
5. Who we share data with
We share personal data only with the following processors, all of whom act on our written instructions:
- Google LLC / Google Ireland Limited — Firebase Authentication, Cloud Messaging, Analytics, Crashlytics, and Performance Monitoring.
- Microsoft Corporation / Microsoft Ireland Operations Limited — Azure cloud hosting and Azure OpenAI, used to power the AI assistant.
- Expo (650 Industries, Inc.) — mobile-app build and over-the-air update infrastructure.
- Apple Inc. — if you use the iOS version, Apple HealthKit and Apple's notification services.
We do not sell your data, share it with advertisers, or use it for marketing purposes outside the pilot study.
6. International transfers
Some processors operate outside the UK and the European Economic Area. Where this happens we rely on UK adequacy decisions, the UK International Data Transfer Agreement, and / or Standard Contractual Clauses to safeguard your data. A list of current sub-processors and the safeguards in place is available on request.
7. How long we keep data
- Account data and clinical-pilot data, including health data: kept for the duration of the pilot and for up to 7 years after account deletion, in line with healthcare retention norms, unless you ask us to delete it sooner.
- Crash reports and diagnostics: 90 days.
- Push-notification tokens: until you uninstall the App or change device.
8. Your rights
You have the right to access, correct, delete, restrict, or export your personal data, to object to certain processing, and to withdraw consent at any time. To exercise any of these rights, please email support@gnosishealth.ai. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
9. Security
Data is encrypted in transit using HTTPS / TLS. Tokens and other credentials on your device are stored using the operating system's secure storage (Keychain on iOS, Keystore-backed Encrypted Shared Preferences on Android). Backend data is stored on access-controlled cloud infrastructure with encryption at rest.
10. Children
MAXine is for adults aged 18 or over. We do not knowingly collect data from children.
11. Changes to this policy
We will publish updates to this policy on this page and, where the change is material, notify you in the App.
12. Contact
For questions about this policy, please email support@gnosishealth.ai.