Privacy Policy – Luca Health

TL;DR (Too Long; Didn’t Read)

Here’s a quick summary of our privacy practices:

  • We collect health and personal data to help schools and sports organisations track injuries, especially head injuries.

  • Data comes from school systems, parents, clinicians, and users themselves.

  • We use cookies on our app, dashboard, and public website.

  • We do not sell your data. Only authorised professionals and schools can access it.

  • If you request deletion of your data, your associated school may still retain some records, and you might lose access to certain school-related activities.

  • We follow both UK and EU GDPR and support your rights to access, correct, delete, or limit your data.

  • We collect device data and may ask for permissions like access to your camera or location.

  • Your data is secured with strong protection measures.

This summary doesn’t replace the full policy—please read on for complete details.



Effective Date: June 2025

Luca Health (“we”, “us”, or “our”) is committed to safeguarding your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services via our mobile app, web app, or dashboard.


 

1. Who We Are

Luca Health is a health tracking platform designed for schools, sports organisations, and related institutions. We assist in monitoring and managing injuries—particularly head injuries—through data tracking, neurocognitive assessments, and professional clinical support.

Our operations are based in the United Kingdom and may extend to Greece. We comply with the UK GDPR and EU GDPR.


 

2. What Data We Collect

We collect the following types of personal and health-related information:

  • Basic personal information: Name, address, phone number, email

  • Demographic details: Age, gender, role (e.g., student, coach, parent, clinician)

  • Health data: Injury records, medical history related to injuries

  • Neurocognitive data: Results of cognitive tasks and assessments

  • Multimedia data: Videos recorded by users via the app

  • Technical data: Device type, operating system, usage information, and cookies

 

3. How We Collect Your Data

We collect personal and health data through the following means:

  • Integration with school systems: Synchronising data such as names, email addresses, and roles

  • Direct input by authorised stakeholders: Parents, coaches, school nurses, clinicians

  • Self-reported data: Entered by users during neurocognitive tasks

  • Cookies and tracking tools:

    • On the app and dashboard: Necessary and functional cookies to ensure the platform operates correctly

    • On the public website: Analytics cookies to understand user behaviour and improve our services

 

 

4. Why We Collect Your Data

We collect and process this data for the following purposes:

  • To create and manage user accounts (e.g., for schools and their students)

  • To monitor and track injury incidents

  • To assess neurocognitive performance and build user baselines

  • To facilitate communication between users and clinicians

  • To maintain and improve the quality, functionality, and security of our services


 

5. Legal Basis for Processing

We process personal data under the following legal grounds:

  • Consent: For non-essential cookies and any processing requiring guardian approval for minors

  • Legitimate interest: For operational and safety purposes, such as injury tracking

  • Performance of a contract: To deliver our health monitoring services

  • Legal obligation: Where required under child protection or healthcare regulations


 

6. Data Sharing

We do not sell or share your data with third parties for marketing purposes.

We may share data only with:

  • Authorised clinicians within the Luca Health platform

  • Schools and organisations with direct responsibility for the user

  • Essential service providers (e.g., secure cloud hosting)

All data sharing is governed by strict contracts and protective measures.


 

7. Data Deletion and Retention

You have the right to delete your account and request the erasure of personal information we hold about you or your child. Please note that requesting deletion of your or your child’s personal data may result in loss of access to certain services or activities provided by institutions (e.g., schools or sports organisations) that rely on this data to fulfil their safeguarding, health monitoring, or operational responsibilities.

Upon receiving a deletion request, we implement a 30-day delay period to allow your child’s school to review and export any important medical or injury-related information they are legally obligated to retain for safeguarding or risk management purposes.

During this period, your child’s school will be notified and provided with tools to securely export any necessary data. After this window, all personal and health-related data will be permanently deleted from our systems, and cannot be recovered.

Certain records may continue to be stored by the school under their legal obligations. For questions regarding this, please contact your school’s data protection officer.


 

8. Children’s Data

We process data for users under 13 only with verifiable consent from a parent, guardian, or authorised institution. We apply heightened safeguards to protect all children’s data.


 

9. Your Rights Under the UK GDPR and EU GDPR

Verification Process

Upon receiving your request, we will need to verify your identity to confirm that you are the same person about whom we hold information in our system. These verification efforts require us to ask you to provide information so that we can match it with information you have previously provided us. For instance, depending on the type of request you submit, we may ask you to provide certain information so that we can match the information you provide with the information we already have on file, or we may contact you through a communication method (e.g. phone or email) that you have previously provided to us. We may also use other verification methods as the circumstances dictate.

We will only use personal information provided in your request to verify your identity or authority to make the request. To the extent possible, we will avoid requesting additional information from you for the purposes of verification. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes. We will delete such additionally provided information as soon as we finish verifying you.

Under both the UK GDPR and EU GDPR, you have the right to:

  • Access your personal data

  • Rectify inaccurate or incomplete data

  • Request erasure of your data (where applicable)

  • Object to or restrict certain types of processing

  • Withdraw consent at any time

  • Lodge a complaint with a supervisory authority such as the Information Commissioner’s Office (ICO) in the UK or the relevant Data Protection Authority in your EU member state

To exercise your rights, contact us at: info@luca.health


 

10. Mobile and Device Information

Mobile Device Access. We may request access or permission to certain features from your mobile device, including your mobile device’s reminders, storage, social media accounts, SMS messages, Bluetooth, contacts, sensors, microphone, camera, calendar, and other features. If you wish to change our access or permissions, you may do so in your device’s settings.

Mobile Device Data. We automatically collect device information (such as your mobile device ID, model, and manufacturer), operating system, version information and system configuration information, device and application identification numbers, browser type and version, hardware model, Internet service provider and/or mobile carrier, and Internet Protocol (IP) address (or proxy server). If you are using our application(s), we may also collect information about the phone network associated with your mobile device, your mobile device’s operating system or platform, the type of mobile device you use, your mobile device’s unique device ID, and information about the features of our application(s) you accessed.

Push Notifications. We may request to send you push notifications regarding your account or certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device’s settings.

This information is primarily needed to maintain the security and operation of our application(s), for troubleshooting, and for our internal analytics and reporting purposes.

Information Automatically Collected

In short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

The information we collect includes:

Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information that our servers automatically collect when you access or use our Services and that we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type and settings, information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take, such as which features you use), and device event information (such as system activity, error reports (sometimes called ‘crash dumps’), and hardware settings).

Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.

Location Data. We collect location data such as information about your device’s location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the Services. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. However, if you choose to opt out, you may not be able to use certain aspects of the Services.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.


 

11. Data Security

We apply strong technical and organisational measures to protect your data, including encryption, secure hosting, and role-based access controls.


 

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the app or dashboard.


 

13. Contact Us

If you have any questions or concerns about this policy or your data, please contact:

Luca Health
Missionworks, 41 Iffley Road, London W0 6PB, United Kingdom

Email: info@luca.health