UK GDPR
Privacy Policy — United Kingdom
Last updated: 21 March 2026 · Effective date: 21 March 2026
1. Who We Are
The Fractal Resonance Model platform ("FRM", "we", "us", "our") is operated by Neuro-Medtech UK Ltd, a company registered in England and Wales.
We are the data controller for the personal data processed through this platform, as defined under UK GDPR (the retained EU law version of the General Data Protection Regulation) and the Data Protection Act 2018.
Data Controller: Neuro-Medtech UK Ltd
3 Janson Court, Reading, RG1 6NA
Phone: +44 7402 802288
2. What Data We Collect
We collect and process the following categories of personal data depending on your role and use of the platform:
Account and Identity Data
- Full name, email address, and login credentials (hashed with bcrypt)
- Role assignment (super_admin, admin, technician, or patient)
- Clinic association and organisational identifiers
Patient Clinical Data
- Date of birth, age, sex, and clinical identifiers
- Medical history and medication records relevant to neurological assessment
- Session recordings and condition metadata (eyes-closed, eyes-open, activity)
Neurological and qEEG Data
- Quantitative electroencephalography (qEEG) recordings across 19 standard 10-20 electrodes
- Spectral analysis results: power spectral density, band power, and alpha peak frequency
- Fractal analysis metrics: DFA, Hurst exponent, Higuchi fractal dimension, entropy, and correlation dimension
- Resonance model outputs: i-APF, i-FAI, CDI, BDWS scores, and Better Frequencies
Usage and Technical Data
- IP address, browser type, and device information
- Session timestamps and platform interaction logs
- Audit trail records (immutable, append-only)
3. Special Category Health Data
EEG recordings and neurological analysis results constitute special category data under UK GDPR Article 9. We process this data under the following conditions:
- UK GDPR Article 9(2)(h) — processing is necessary for the provision of health care or treatment, or the management of health care systems and services
- Data Protection Act 2018, Schedule 1, Part 1, Paragraph 2 — health or social care purposes condition
- UK GDPR Article 9(2)(a) — explicit consent of the data subject, where applicable
- UK GDPR Article 9(2)(j) — processing for scientific research purposes in accordance with Article 89(1), where applicable
All processing of special category health data adheres to the Caldicott Principles, which govern the use and transfer of patient-identifiable information within the NHS and partner organisations.
The Seven Caldicott Principles
- Justify the purpose(s) for using confidential information
- Don't use personal confidential data unless it is absolutely necessary
- Use the minimum necessary personal confidential data
- Access to personal confidential data should be on a strict need-to-know basis
- Everyone with access to personal confidential data should be aware of their responsibilities
- Comply with the law
- The duty to share information can be as important as the duty to protect patient confidentiality
4. Legal Basis for Processing
Under UK GDPR Article 6, we rely on the following lawful bases for processing personal data:
| Processing Activity | Legal Basis | UK GDPR Article |
|---|---|---|
| User account creation and authentication | Performance of a contract | Art. 6(1)(b) |
| qEEG analysis and clinical reporting | Provision of health care (special category) | Art. 9(2)(h) |
| Platform security and audit logging | Legitimate interests | Art. 6(1)(f) |
| Fractal resonance research (Research Mode) | Scientific research with safeguards | Art. 9(2)(j) / Art. 89 |
| Compliance with legal and regulatory obligations | Legal obligation | Art. 6(1)(c) |
| Optional marketing and service communications | Consent | Art. 6(1)(a) |
5. How We Use Your Data
We process your personal data for the following purposes:
- Clinical analysis: Processing qEEG recordings through our spectral and fractal analysis pipeline to generate individual Alpha Peak Frequency (i-APF), Fibonacci Alpha Index (i-FAI), Cognitive Decline Index (CDI), and Brain Dynamic Wellness Scores (BDWS)
- Report generation: Producing clinical reports with fractal resonance metrics, Better Frequencies, and neuromodulation protocol recommendations
- Protocol computation: Calculating personalised fractal neuromodulation protocol adjustments using our proprietary formula
- Longitudinal monitoring: Tracking changes in neurological metrics across sessions to assess treatment efficacy
- Platform security: Maintaining audit trails, enforcing role-based access control, and detecting unauthorised access
- Scientific research: When Research Mode is enabled, processing anonymised data for academic and clinical research purposes in compliance with IRB/ethics committee approvals
6. Data Storage and Security
We implement comprehensive technical and organisational measures to protect your personal data in accordance with UK GDPR Article 32.
Where Data Is Stored
All personal data is stored on servers located within the United Kingdom or the European Economic Area (EEA). Where data is transferred outside the UK, we ensure appropriate safeguards are in place under UK GDPR Chapter V, including adequacy decisions or Standard Contractual Clauses (International Data Transfer Agreement).
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. API communications use HTTPS exclusively.
Encryption at Rest
Patient data is protected by two layers of encryption at rest:
- Application layer: Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) applied to sensitive fields before database storage
- Volume layer: AES-256 full-disk encryption on all storage volumes
Key Management
Encryption keys are stored separately from encrypted data, rotated periodically, and never committed to version control. Environment variables and secrets management services are used for key storage.
Authentication and Access Control
- JWT-based authentication: Access tokens (30 minutes) and refresh tokens (7 days) with automatic expiry
- Password security: All passwords hashed with bcrypt (cost factor 12)
- Role-Based Access Control (RBAC): Four-tier permission model (super_admin, admin, technician, patient) enforced server-side on every request
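The token lifetimes and server-side role check described above, as an added example that is not the platform's own code: it assumes HS256 (HMAC-SHA256) signing with a server-held secret, a `kind` claim to separate access from refresh tokens, and the four role names listed in this policy.

```python
import base64
import hashlib
import hmac
import json
import time

# Token lifetimes and role tiers as stated in the policy
ACCESS_TTL = 30 * 60          # access tokens: 30 minutes
REFRESH_TTL = 7 * 24 * 3600   # refresh tokens: 7 days
ROLES = ("super_admin", "admin", "technician", "patient")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(secret: bytes, sub: str, role: str, kind: str, now: int = None) -> str:
    """Issue an HS256 JWT of kind 'access' or 'refresh' for a user in one of the four roles."""
    if role not in ROLES or kind not in ("access", "refresh"):
        raise ValueError("unknown role or token kind")
    now = int(time.time()) if now is None else now
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "role": role, "kind": kind, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(secret: bytes, token: str, kind: str, now: int = None):
    """Return the claims if signature, algorithm, token kind and expiry all check out, else None."""
    try:
        h, c, s = token.split(".")
        expected = hmac.new(secret, (h + "." + c).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except (ValueError, UnicodeDecodeError):
        return None
    now = int(time.time()) if now is None else now
    # Pin the algorithm (a header claiming "none" or another alg is rejected) and refuse a
    # refresh token presented where an access token is required; expiry is checked last.
    if header.get("alg") != "HS256" or claims.get("kind") != kind:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

def authorise(secret: bytes, token: str, allowed_roles: tuple, now: int = None) -> bool:
    """The server-side RBAC check run on every request: valid access token AND a permitted role."""
    claims = verify_token(secret, token, "access", now)
    return claims is not None and claims.get("role") in allowed_roles
```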
Organisational Safeguards
- Staff data protection training and awareness programmes
- Non-disclosure agreements for all personnel with data access
- Regular security assessments and vulnerability testing
- Documented incident response procedures
Breach Notification
In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay under Article 34.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with the NHS Records Management Code of Practice 2021 and applicable legal requirements.
| Data Type | Retention Period | Basis |
|---|---|---|
| Clinical EEG records (adults) | 8 years after last treatment | NHS Records Management Code |
| Clinical EEG records (children) | Until 25th birthday or 8 years after last treatment, whichever is longer | NHS Records Management Code |
| User account data | Duration of account plus 2 years | Contract performance / Legitimate interest |
| Audit trail logs | 10 years (immutable) | Regulatory compliance / Legal obligation |
| Anonymised research data | Indefinite (no longer personal data) | UK GDPR Art. 89 / Scientific research |
| Technical and usage logs | 12 months | Legitimate interest / Security |
8. Third Parties and Data Sharing
We do not sell your personal data. We may share data with the following categories of recipients, under appropriate safeguards:
- Clinical team members: Authorised technicians and administrators within your clinic, governed by RBAC permissions and the Caldicott Principles
- AI processing services: Where AI-assisted analysis is used (Ollama for local inference, or Claude API for cloud-based analysis), data is processed under strict data processing agreements. Local AI processing (Ollama) keeps all data on-premises.
- Legal and regulatory authorities: Where required by law, court order, or regulatory investigation
- Service providers: Hosting, database, and infrastructure providers operating under data processing agreements compliant with UK GDPR Article 28
9. AI Processing and Automated Analysis
The FRM platform uses algorithmic and AI-assisted processing to analyse qEEG data. Under UK GDPR Article 22, we confirm the following:
- Decision-support only: All AI and algorithmic outputs (i-APF, i-FAI, CDI, BDWS, Better Frequencies, neuromodulation protocols) are presented as decision-support tools. No solely automated decisions with legal or similarly significant effects are made.
- Clinician oversight: A qualified clinician must review, interpret, and approve all analysis results before any clinical action is taken. The platform is a tool, not a substitute for professional clinical judgement.
- Transparency: You have the right to request meaningful information about the logic involved in any automated processing, as well as the significance and envisaged consequences of such processing.
- Right to contest: You have the right to contest any automated decision, obtain human intervention, and express your point of view.
10. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you, free of charge.
- Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): You may request deletion of your personal data where there is no compelling reason for its continued processing, subject to legal retention obligations.
- Right to restriction of processing (Art. 18): You may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decisions (Art. 22): You have the right not to be subject to a decision based solely on automated processing which produces legal effects or similarly significantly affects you.
- Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please contact us using the details provided in Section 14. We will respond to your request within one month, as required by UK GDPR Article 12(3).
11. Cookies and Local Storage
The FRM platform minimises the use of client-side storage and does not use tracking cookies or third-party analytics.
- No tracking cookies: We do not set any cookies for advertising, analytics, or cross-site tracking purposes.
- JWT in memory: Authentication tokens are stored in JavaScript memory (not cookies or localStorage) and are discarded when the browser tab is closed.
- sessionStorage for UI state: Temporary UI preferences are stored in sessionStorage and cleared when the session ends.
- localStorage for language: Your selected language preference is stored in localStorage to persist across visits. This contains no personal data.
12. Children's Data
Where the FRM platform processes data relating to children (under 18 years of age), the following additional safeguards apply:
- Parental or guardian consent: Processing of a child's health data requires explicit consent from a parent or legal guardian, in addition to any other lawful basis.
- Extended retention: Clinical records for children are retained until the patient's 25th birthday or for 8 years after last treatment, whichever is longer, in accordance with the NHS Records Management Code.
- Age-appropriate communication: Privacy notices and consent requests are provided in age-appropriate language where the child is competent to understand them (Gillick competence).
13. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- The "Last updated" date at the top of this policy will be revised.
- We will notify registered users via the platform or by other appropriate means.
- Where changes affect the lawful basis for processing or introduce new categories of data processing, we will seek fresh consent where required.
We encourage you to review this policy periodically to stay informed about how we protect your data.
14. Contact and Complaints
Data Protection Contact
Neuro-Medtech UK Ltd
3 Janson Court, Reading, RG1 6NA
Phone: +44 7402 802288
Complaints to the ICO
If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113
Website: ico.org.uk
15. EEG Data Collection Access Controls
The FRM platform enforces strict access controls on EEG data collection to ensure data integrity and prevent unauthorised access.
Write-Only Collection Poles
EEG data collection endpoints operate on a write-only principle. Technicians who capture qEEG recordings can submit data to the platform but cannot retrospectively modify or delete raw recordings once submitted. This ensures an immutable chain of custody for clinical data.
Data Routing Architecture
| Data Route | Access Level | Description |
|---|---|---|
| Private clinical route | Clinic-internal only | Patient-identifiable EEG data remains within the clinic's organisational boundary. Accessible only by authorised clinicians and technicians. |
| Government/regulatory route | Anonymised / Pseudonymised | Where data is shared with regulatory or public health bodies, it is anonymised or pseudonymised in accordance with the ICO Anonymisation Code of Practice. |
16. Technician Admission and Credential Verification
Access to patient data on the FRM platform is contingent upon successful completion of a multi-gate credentialing process.
Gate 1: Non-Disclosure Agreement (NDA)
All prospective technicians must execute a non-disclosure agreement covering patient data, proprietary algorithms, and platform intellectual property before any account is provisioned.
Gate 2: Continuing Professional Development (CPD)
Technicians must provide evidence of current professional registration and relevant CPD in qEEG data acquisition and analysis. Credentials are verified before the account is activated.
Account Lifecycle States
| State | Description | Data Access |
|---|---|---|
| Pending | Application submitted, credentials under review | None |
| Active | Credentials verified, NDA signed | Full role-based access |
| Suspended | Temporarily restricted (e.g., CPD lapse) | Read-only, no patient data |
| Revoked | Permanently removed | None (account disabled) |
17. Research Mode and Academic Anonymisation
When Research Mode is enabled at the clinic level, the following safeguards ensure compliance with academic research ethics and UK GDPR Article 89:
- Opaque identifiers: Patient creation automatically generates a random anonymised identifier (e.g., P-7F3A2C). The real identity is never stored in the system. This identifier cannot be changed by any user, including administrators.
- IRB/Ethics Committee compliance: Research Mode is intended for use in conjunction with institutional review board (IRB) or NHS Research Ethics Committee (REC) approval. The platform's anonymisation mechanisms are designed to satisfy the requirements of these bodies.
- Immutable audit trail: All access to research data is logged in the append-only audit trail with timestamps, user identifiers, and action types. PHI access is flagged with phi_accessed=True.
- No re-identification: The system is designed so that anonymised research data cannot be linked back to individual patients. No lookup table or mapping between opaque identifiers and real identities exists within the platform.
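The opaque identifiers and the append-only, PHI-flagged audit trail described in this section, as an added illustration that is not the platform's own code. The record fields, and the use of hash chaining to make alterations detectable, are this example's assumptions; the policy states only that the trail is append-only and immutable.

```python
import hashlib
import json
import secrets
from typing import List

def new_opaque_id() -> str:
    """Random anonymised patient identifier in the policy's P-XXXXXX form (6 hex digits),
    drawn from the OS CSPRNG with nothing about the patient as input."""
    return "P-" + secrets.token_hex(3).upper()

def is_opaque_id(value: str) -> bool:
    return (len(value) == 8 and value.startswith("P-")
            and all(ch in "0123456789ABCDEF" for ch in value[2:]))

class AuditTrail:
    """Append-only log of research-data access. Each record carries the SHA-256 digest of the
    previous record (hash chaining is this example's assumption, not a mechanism the policy names)."""

    def __init__(self) -> None:
        self._records: List[dict] = []

    @staticmethod
    def digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, ts: int, user_id: str, action: str, patient_ref: str, phi_accessed: bool) -> str:
        # Records may only reference the opaque identifier, never a real name or number
        if not is_opaque_id(patient_ref):
            raise ValueError("audit records must reference an opaque patient identifier")
        record = {
            "ts": ts, "user_id": user_id, "action": action, "patient_ref": patient_ref,
            "phi_accessed": phi_accessed,
            "prev": self._records[-1]["digest"] if self._records else "0" * 64,
        }
        record["digest"] = self.digest(record)
        self._records.append(record)
        return record["digest"]

    def records(self) -> List[dict]:
        return [dict(r) for r in self._records]   # copies: callers cannot mutate the log

    def phi_access_events(self) -> List[dict]:
        return [dict(r) for r in self._records if r["phi_accessed"]]

def verify_chain(records: List[dict]) -> bool:
    """Recompute every digest and back-link; False if a record was altered, dropped from the
    middle or reordered. Tail truncation is only caught if the latest digest is kept elsewhere."""
    prev = "0" * 64
    for r in records:
        if r.get("prev") != prev or AuditTrail.digest(r) != r.get("digest"):
            return False
        prev = r["digest"]
    return True
```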
18. International Compliance (HIPAA / LGPD)
The FRM platform is designed to support international deployment. While this policy addresses UK law, our technical architecture also satisfies the requirements of other jurisdictions:
HIPAA (United States)
- HIPAA §164.312 Technical Safeguards: Our encryption (TLS 1.2+ in transit, AES-256 at rest), access controls (RBAC with JWT), and audit logging satisfy the technical safeguard requirements of the HIPAA Security Rule.
- Minimum necessary standard: Role-based access ensures that each user can only access the minimum data necessary for their function.
LGPD (Brazil)
- LGPD Art. 46 (Security): Technical and organisational measures are implemented to protect personal data from unauthorised access, accidental or unlawful destruction, loss, alteration, or disclosure.
- LGPD Art. 37 (Records): The controller and processor maintain records of personal data processing activities, including purposes, data categories, and retention periods.
International Research Board Alignment
| Requirement | UK (NHS REC) | US (IRB) | Brazil (CEP/CONEP) |
|---|---|---|---|
| Informed consent | Required | Required (45 CFR 46) | Required (Res. 466/12) |
| Data anonymisation | ICO Anonymisation Code | HIPAA Safe Harbor / Expert | LGPD Art. 12 |
| Audit trail | Required | 21 CFR Part 11 | Required |
| Breach notification | 72 hours (ICO) | 60 days (HHS) | Reasonable time (ANPD) |