1. Who we are
Finally Seen ("Finally Seen", "we", "us") is the data controller for the personal data described in this notice. You can contact us at hi@finallyseen.org.uk.
2. What data we collect
- Identity & contact, your name, email address, postcode.
- Health information (special category data under Article 9 UK GDPR), the conditions you tick, the symptoms you describe, the impact on your life, what your GP has said and done, and what outcome you want. You choose what to share.
- GP details, your GP surgery name and (optionally) the GP's name.
- Payment data, handled by Stripe Payments UK Ltd. We receive a confirmation and a transaction ID; we never see your full card number.
- Technical data, server logs needed to keep the service running and secure. We use cookieless, anonymised analytics, no tracking cookies.
We do not collect your NHS number, date of birth, or medical records. If you choose to add your NHS number to the letter yourself before sending it to your GP, that copy is between you and your GP.
3. Our lawful bases
We rely on a separate lawful basis for each thing we do with your data, so you can see exactly what is covered by what.
- Contract (Art. 6(1)(b)), for taking your payment, drafting the letter you have ordered, emailing it to you, and the day-14 / day-21 / day-45 follow-up emails that ask whether your GP replied. These are part of the service you bought; we cannot deliver it without them.
- Explicit consent (Art. 9(2)(a)), and only that, for processing the health information you type into the assessment (symptoms, GP responses, condition details, free-text notes). You give this consent by ticking the box on the assessment that says you understand we will use your answers to draft a letter. It is separate from payment and from the follow-up emails, so you can withdraw it without affecting anything else. To withdraw, email support@finallyseen.org.uk and we will delete your health information within 7 days. Withdrawal does not affect the lawfulness of processing carried out before you withdrew, and it does not undo a letter we have already drafted or sent to you.
- Establishment or exercise of legal claims (Art. 9(2)(f)), for keeping the letter text and a minimal audit trail (Stripe IDs, consent flags, send timestamps) for as long as it might be needed to defend a complaint, a chargeback or a regulatory enquiry. See §5 for exact retention periods.
- Legal obligation (Art. 6(1)(c)), for the payment records we are required by HMRC and the Consumer Rights Act to keep for 6 years.
- Legitimate interests (Art. 6(1)(f)), for the rate-limiting, IP-hash logging and abuse detection that keep the service from being overwhelmed by automated traffic. Balanced against the minimal data involved (an IP hash, not your identity), we consider this proportionate. You can object: see §7.
4. Who we share it with (processors)
The full list of sub-processors below is canonical. We will update this page before introducing a new sub-processor; material changes are reflected in the "Last updated" date at the top.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase Inc. (via Lovable Cloud) | Database, file storage, server hosting for the app itself. | EU (Frankfurt) |
| Lovable AB | Hosting and edge compute for the website. | EU |
| Cloudflare, Inc. | CDN and DDoS protection in front of the app. | Global edge; UK / EU PoPs preferred. |
| Stripe Payments UK Ltd | Card processing and refunds. | UK |
| OpenAI Ireland Ltd | AI drafting of your letter. Inputs and outputs are excluded from training under the API zero-retention agreement. | EU / US (SCCs) |
| Google Ireland Ltd | Backup AI drafting (Gemini) when OpenAI is degraded. Same zero-retention terms. | EU / US (SCCs) |
| Perplexity AI, Inc. | Retrieval-only lookups of public NHS / NICE guidance during drafting. Health information you provide is not sent. | US (SCCs) |
| Resend, Inc. | Delivery of your letter PDF and the day-14 / 21 / 45 follow-ups. | EU / US (SCCs) |
| Sendinblue SAS (Brevo) | Marketing-list management for people who explicitly opt in (waitlist, newsletter). Not used for the letter itself. | EU |
| PostHog Inc. | Product analytics and session replay. Health information is scrubbed from inputs before capture; replays mask form fields. | EU (Frankfurt) |
| HMRC, ICO, NHS England, courts | Where required by law or by a binding order. | UK |
We do not sell your data and we do not share it with advertisers. Any transfer outside the UK / EEA is covered by UK International Data Transfer Addendum or EU Standard Contractual Clauses, plus the zero-retention terms noted above for the AI providers.
5. How long we keep it
- NHS number, postcode, GP name and surgery, removed within 24 hours of your letter being delivered.
- Assessment answers (symptoms, GP responses, notes, condition details), removed after 60 days.
- Your email address and full name, removed after 60 days. We keep an irreversible hash of your email so we can recognise you as a returning customer and honour unsubscribe requests, but the address itself is gone.
- Generated letter text, up to 24 months, so we can reissue it if you ask. Then removed.
- Payment records (amount, Stripe session, consent flags), 6 years, as required by HMRC and the Consumer Rights Act.
- Email-suppression records, kept indefinitely to honour unsubscribe requests.
The redaction runs as a scheduled job every day. You can also ask us to wipe your record immediately at any point, see Section 7.
6. Security
Data is encrypted in transit (TLS) and at rest (AES-256 disk encryption at our database provider). On top of disk encryption, your name, email, GP details, postcode and the generated letter bodies are individually encrypted at the column level with a key held outside the database, so a leaked backup or stolen database copy returns ciphertext for those fields rather than readable text. Access is restricted to authorised personnel and audited. Row-level security is enabled on every table holding personal data, so only systems acting on your behalf can reach your record. We will notify the ICO within 72 hours of becoming aware of any breach that is likely to result in a risk to your rights and freedoms, and we will tell you directly if the risk is high.
7. Your rights
You have the right to:
- access a copy of your data;
- have it corrected or erased;
- restrict or object to processing;
- data portability;
- withdraw consent at any time (this does not affect anything already done lawfully).
To exercise any of these, email hi@finallyseen.org.uk. We will respond within one month.
You can also complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.
8. Children
The service is for adults aged 18 and over. We do not knowingly collect data from anyone under 18.
9. Changes
We may update this notice. When we make material changes, we will revise the "last updated" date at the top and, where appropriate, notify you by email.