Platform Privacy Policy

How Luca Health uses your data on our app, dashboard and platform.

Effective date: June 2026

Summary (Too Long; Didn’t Read)

  • Two controllers. Your school or club controls the account, contact and injury data on the platform, and we process it for them. We control the clinical record created during a consultation — that is covered by our separate Clinical Privacy Notice.
  • Where data comes from. School or club systems, parents, clinicians, and users themselves.
  • Cookies and analytics. On the staff dashboard and app we use PostHog (EU cloud) for anonymised usage analytics — no patient or personal data is sent to PostHog, and analytics require your explicit consent.
  • Recording. Consultations are video calls and are recorded (audio and video) with your permission; you can decline. The clinical record from a consultation is covered by our Clinical Privacy Notice.
  • Deletion. If you ask us to delete your data, your school’s platform data follows a 30-day window, but we may keep the clinical record where the law allows (for example, for health care or to defend legal claims). See our Clinical Privacy Notice.
  • Where it lives. Your data is hosted in the UK and the EEA and is not transferred outside the UK/EEA.
  • Your rights. We follow the UK GDPR (and the EU GDPR where it applies) and support your rights to access, correct, delete or limit your data.

This summary does not replace the full policy — please read on for complete details.

1. Who we are

Luca Health Ltd (company number 14060836) is a concussion-management platform for schools, sports clubs and related organisations. We help monitor and manage injuries — particularly head injuries — through data tracking, neurocognitive assessments, and access to clinical support. Our operations are based in the United Kingdom. We comply with the UK GDPR (and the EU GDPR where it applies).

2. Our role — who controls your data

The data on the platform falls into three groups, and who is responsible differs:

  • Platform data your school or club controls — account, contact, role and injury/incident data, and the neurocognitive assessment data administered through the platform. Your school or club is the controller of this data and decides how it is used; Luca Health processes it on their behalf, on their instructions. Where a clinician reviews this data as part of a consultation, the clinician’s resulting assessment and decisions form part of the clinical record (see our Clinical Privacy Notice). For questions about this data, contact your school or club, or us, and we will work together.
  • Clinical records Luca Health controls — the record created when a clinician provides a consultation, including the consultation recording, transcript, clinician notes, diagnoses and decisions. Luca Health is the controller of this clinical record. It is covered by our separate Clinical Privacy Notice, which explains how we hold it, how long we keep it, and your rights.
  • Technical data Luca Health controls — device, log, security and (consented) analytics data we need to operate and secure the platform. Luca Health is the controller of this data.

3. What data we collect

  • Basic personal information: name, address, phone number, email.
  • Demographic details: age, year/group/team, role (student, coach, parent, clinician).
  • Health data: injury and concussion records, and medical history related to injuries.
  • Neurocognitive data: results of cognitive tasks and baseline assessments.
  • Assessment videos: videos recorded by users in the app as part of baseline or assessment tasks.
  • Consultation recordings: where a consultation takes place, it is recorded (audio and video) with permission. This forms part of the clinical record and is covered by our Clinical Privacy Notice.
  • Technical data: device type, operating system, usage information, and cookies.

4. How we collect your data

  • Integration with school or club systems: synchronising names, email addresses and roles (for a school, via Wonde; for a club, from the club’s game-management system).
  • Direct input by authorised people: parents, coaches, school nurses, clinicians.
  • Self-reported data: entered by users during baseline and neurocognitive tasks.
  • Cookies and tracking tools: on the app and dashboard, necessary and functional cookies to ensure the platform operates correctly. On the staff dashboard (and shortly within the app), we use PostHog (EU cloud) to collect anonymised usage analytics. No personal data, patient data or identifiable information is sent to PostHog; users are identified by a one-way cryptographic hash that cannot be reversed; analytics are only initialised following explicit cookie consent. On the public website, analytics cookies are used as described in our Website Privacy Policy and Cookie Policy.

5. Legal basis for processing

Personal data is processed under the following legal grounds:

  • Legitimate interests: for operational and safety purposes, such as injury tracking and providing and recording health care (Article 6(1)(f)).
  • Performance of the school’s or club’s responsibilities: to deliver the platform and the concussion-management service.
  • Legal obligation: where required under child-protection or healthcare regulations.
  • Consent: for non-essential cookies, and any processing that specifically requires it.

Health data is special category data. In addition to a lawful basis above, we rely on the condition for the provision of health care by, or under the responsibility of, a health professional (Article 9(2)(h) UK GDPR). For platform data, your school or club, as controller, is responsible for establishing the lawful basis; we process that data on their behalf.

6. Data sharing

We do not sell or share your data with third parties for marketing purposes. We may share data only with:

  • authorised clinicians within the Luca Health platform;
  • schools and organisations with direct responsibility for the user; and
  • essential service providers (for example, secure cloud hosting).

All data sharing is governed by written contracts and protective measures.

7. Data deletion and retention

You can ask us to delete your account and the personal information we hold about you or your child. How this works depends on who controls the data:

  • Platform data (controlled by your school or club). When you request deletion, we apply a 30-day window during which your school or club is notified and can export any platform data they are legally required to keep (for safeguarding or risk management). After that window, we delete the platform data we hold, unless the law requires us to keep it. Your school or club may continue to hold its own records under its legal obligations — for those, contact your school’s data protection officer.
  • Clinical records (controlled by Luca Health). We do not automatically delete clinical records after 30 days. As the controller of the clinical record, we retain it in line with recognised standards for health records: for a child, until their 25th birthday (or 26th if they were 17 at the last consultation); for an adult, 8 years from the last consultation. We may keep the clinical record even if you ask us to delete it, where the law allows — for example, where it is needed for the provision of health care or to defend legal claims (Article 17(3) UK GDPR). Our Clinical Privacy Notice explains this in full.

8. Children’s data

Most of the people whose data we hold are children. We apply heightened safeguards to all data about under-18s. The legal basis for processing children’s health and safeguarding data is not parental consent — it is the school’s or club’s lawful basis for the platform data, and the provision of health care for the clinical record. Consent is relevant only for non-essential cookies, where (for younger children) it is given by a parent, guardian or the authorised institution.

9. Your rights

If you make a request, we will need to verify your identity before we act, by matching information you give us with information we already hold (or by contacting you through a method you have previously provided). We will only use information provided for a request to verify your identity or authority, and we will delete any additional information provided for verification once we have finished.

Under the UK GDPR (and the EU GDPR where it applies), you have the right to:

  • access your personal data;
  • rectify inaccurate or incomplete data;
  • request erasure of your data. For clinical records this right is limited, because we are required to retain those records — see section 7 and our Clinical Privacy Notice;
  • object to or restrict certain processing;
  • withdraw consent at any time (where we rely on consent); and
  • lodge a complaint with a supervisory authority, such as the Information Commissioner’s Office (ICO) in the UK.

To exercise your rights, contact us at privacy@luca.health.

10. Where your data is held

Your data is hosted on secure infrastructure in the UK and the European Economic Area (in Ireland). We do not transfer personal data outside the UK or the EEA. Where we use AI to assist clinicians (see our Clinical Privacy Notice), that processing is also carried out within the EEA.

11. Mobile and device information

Device access. We may request access or permission to certain features on your mobile device — including the camera, microphone, storage, notifications and (where relevant) location — so that the app can function (for example, to record a consultation or complete an assessment). You can change these permissions in your device settings.

Device and usage data. We automatically collect technical information when you use the app or platform, such as device ID, model and manufacturer, operating system and version, browser type, IP address, and information about how and when you use our services (including log and error data). This information is used mainly to maintain the security and operation of the platform, for troubleshooting, and for internal analytics and reporting. Much of it does not identify you directly.

Push notifications. We may request to send you push notifications about your account or features of the app. You can opt out in your device settings.

12. Data security

We apply strong technical and organisational measures to protect your data, including encryption in transit and at rest, secure hosting within the UK/EEA, role-based access controls on a need-to-know basis, multi-factor authentication for privileged access, and an ISO 27001 certified information security management system.

13. Changes to this policy

We may update this Privacy Policy from time to time. The effective date above reflects the latest version, and material changes will be communicated via the app or dashboard.

14. Contact us

If you have any questions or concerns about this policy or your data, please contact us at privacy@luca.health. Luca Health Ltd is registered in England and Wales (company number 14060836).

For data we collect on our public website, see our Website Privacy Policy. For cookies, see our Cookie Policy. For the clinical record from consultations, see our Clinical Privacy Notice.