Privacy notice
Last updated: 2026-05-08
HeadFlow is a research prototype for tracking migraine attacks and (optionally) sharing a structured summary with a clinician. It is not a medical device, has not been NHS-approved, and is not a substitute for clinical advice.
This notice explains what data we collect about you, why, where it lives, and what rights you have under the UK GDPR.
Who we are
HeadFlow is operated by Cloud Kinetic Solutions Limited (the "Controller"), a company registered in England and Wales with company number 06098383, whose registered office is at:
Cloud Kinetic Solutions Limited
C/O Wim Accountants
37 New North Road
Hainault, Ilford
England, IG6 2UE
United Kingdom
For the purposes of UK GDPR enquiries you can contact the Controller at: hello@headflow.co.uk.
What we collect
- Account identifiers: your email address and (if you sign in via Google, Apple or Microsoft) the unique identifier that provider issues for your HeadFlow account.
- Profile data: display name, country of residence, sex (used to render the head-map anatomy), and (optionally) NHS number. NHS numbers are encrypted at column level and indexed only by a one-way hash.
- Migraine attack records: the date and time of each attack, the head regions affected and severity, phase boundaries (prodrome, aura, headache, postdrome), symptoms, triggers and any medications taken. This is special-category health data under UK GDPR.
- Clinician linkage: if you redeem a clinician invite, we store the link from your profile to that clinician along with the time window the clinician may review.
- Operational metadata: log timestamps, IP-derived rough locations for abuse-prevention, and aggregated request counts. We do not run third-party tracking, advertising pixels, or behavioural analytics.
Lawful basis
- Consent (Article 6(1)(a)) for creating an account and recording your attack history.
- Explicit consent (Article 9(2)(a)) for processing the special-category health data your attack records contain.
- Legitimate interests (Article 6(1)(f)) for the operational metadata that keeps the service secure and reliable.
You can withdraw consent at any time. Withdrawing consent stops further processing and triggers deletion as set out below.
Where your data lives
- Application hosting: Microsoft Azure UK South region (United Kingdom).
- Database and authentication: Supabase EU West (Ireland) for the duration of the prototype phase. Migration to Microsoft Azure (UK only) is planned before any commercial launch.
- Email delivery: Microsoft 365 / Microsoft Graph (UK datacentres).
No HeadFlow data is processed outside the United Kingdom or the European Economic Area. We do not transmit identifiable patient data to any generative AI service.
Who we share data with
- Your linked clinician, if and only if you redeem a clinician invite. The clinician sees only the attacks within the time window you authorised. They can read but not modify your data.
- Sub-processors required to operate the service: Microsoft (hosting + email) and Supabase (database + authentication during the prototype phase). Both organisations have signed Data Processing Agreements.
We do not sell, rent, or share your data with third parties for marketing or profiling.
How long we keep data
- Account and attack records: kept while your account is active and for 30 days after deletion (during which a restore is possible). After 30 days the data is permanently and irrecoverably deleted.
- Audit logs: retained for 12 months for security review, then deleted.
- Backups: rolling encrypted snapshots retained for 35 days.
Your rights
Under the UK GDPR you have the right to:
- access a copy of your data;
- rectify inaccurate data;
- erase your data (right to be forgotten);
- port your data to another service in a structured machine-readable format;
- restrict or object to processing;
- withdraw consent at any time;
- lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email hello@headflow.co.uk. We will respond within one calendar month.
Cookies
HeadFlow uses only strictly-necessary cookies — a session cookie that keeps you signed in, and a small set of theme/preference cookies stored locally in your browser. We do not use analytics, advertising, or tracking cookies. Because all cookies are strictly necessary, we display a notice rather than a consent prompt.
Security
- All traffic is served over TLS 1.3 with HTTP Strict Transport Security.
- Patient data is protected by Postgres row-level security; the database itself enforces that you can only read your own records (and your linked clinician can read yours within the agreed window).
- NHS numbers are encrypted at column level and indexed by hash.
- The application runs in a single-tenant Microsoft Azure subscription with managed identity and Key Vault-backed secrets.
Changes to this notice
We may update this notice from time to time. Material changes will be communicated to your registered email address. The current version is always available at headflow.co.uk/privacy.