Privacy Policy
Last updated: 24 March 2026
Introduction
EILEEN ("we", "our", "us") is a trauma-informed mental health support application developed by CTRL Ltd. We take the privacy and security of your personal data extremely seriously, particularly given the sensitive nature of mental health information.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the EILEEN mobile application ("the App"). It applies to all users of our iOS and Android applications.
We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable healthcare data protection requirements.
Data Controller
CTRL Ltd
United Kingdom
Email: privacy@eileen.app
Data Protection Officer: dpo@eileen.app
What Data We Collect
Account Information
- Name, email address, and phone number
- Password (encrypted, never stored in plain text)
- Preferred language and accessibility settings
Health and Wellbeing Data (Special Category Data)
- Appointment records: dates, times, locations, appointment types, care coordinator details, and notes you provide
- Mood tracking entries: mood levels, contributing factors, and personal notes
- Medication records: medication names, dosages, frequencies, schedules, and dose logs
- Crisis support data: safety plan entries, emergency contacts
- Care coordination data: interactions with your care team
Technical Data
- Device type and operating system version
- App version
- Push notification tokens (for sending reminders)
- Crash reports and performance metrics (anonymised)
Location Data (Optional)
- Appointment locations (if you choose to add them)
- Your location during emergency alerts (only when you explicitly trigger an alert)
We do not collect location data in the background.
How We Use Your Data
We process your data for the following purposes:
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing the App's core features (appointments, mood tracking, medications) | Performance of contract (Article 6(1)(b)) |
| Processing health data | Explicit consent (Article 9(2)(a)) |
| Sending appointment reminders and notifications | Legitimate interest (Article 6(1)(f)) |
| Emergency alert functionality | Vital interests (Article 6(1)(d)) |
| AI-powered appointment letter scanning | Explicit consent (Article 9(2)(a)) |
| App improvement and bug fixing | Legitimate interest (Article 6(1)(f)) |
| Legal compliance | Legal obligation (Article 6(1)(c)) |
AI Data Processing
EILEEN uses artificial intelligence to extract appointment details from scanned letters. When you use this feature:
- Your scanned image is sent to an external AI provider for processing
- We require your explicit consent before any AI processing occurs
- You can enable or disable AI features at any time in Privacy Settings
- AI providers do not retain your data after processing
- All AI interactions are logged for your records (viewable in Data Management)
You can withdraw consent for AI processing at any time without affecting other App functionality.
Data Sharing
We do not sell your personal data. We share data only with:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Your assigned care coordinator | Care coordination (with your consent) | End-to-end encryption, access controls |
| Cloud infrastructure providers | Hosting and data storage | UK/EU data centres, Data Processing Agreements |
| AI processing providers | Appointment letter scanning (with your consent) | Data minimisation, no retention by provider |
| Emergency services | When you trigger an emergency alert | Only location + contact data, only on your action |
We never share your data with advertisers, marketing companies, or social media platforms.
Data Security
We implement comprehensive security measures to protect your data:
- Encryption at rest: AES-256-GCM encryption for all sensitive fields in the database
- Encryption in transit: TLS 1.3 for all network communications
- Authentication: Token-based authentication with secure session management
- Audit logging: All access to personal data is logged and monitored
- Access controls: Role-based access — only your care team can see your data
- Regular security assessments: Quarterly penetration testing and security audits
Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion + 30-day cooling-off period | Service provision |
| Health records | 7 years from last update | UK healthcare records retention guidance |
| Audit logs | 7 years | HIPAA/GDPR compliance requirements |
| Crash reports | 90 days | Bug fixing and app improvement |
| AI interaction logs | 3 years | Accountability and your right of access |
After retention periods expire, data is securely deleted using industry-standard methods.
Your Rights
Under UK GDPR, you have the following rights:
- Right of access — Request a copy of all your personal data (available in-app via Data Management)
- Right to rectification — Correct inaccurate personal data
- Right to erasure — Request deletion of your account and data (available in-app with a 30-day cooling-off period)
- Right to restrict processing — Limit how we use your data
- Right to data portability — Export your data in a machine-readable format (available in-app)
- Right to object — Object to processing based on legitimate interest
- Right to withdraw consent — Withdraw consent for AI processing or data sharing at any time
- Rights related to automated decision-making — EILEEN does not make automated decisions that significantly affect you
To exercise any of these rights, use the in-app Data Management screen or contact us at privacy@eileen.app.
Children's Privacy
EILEEN is designed for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a child has provided us with personal data, please contact us immediately.
International Data Transfers
Your data is stored on servers within the United Kingdom and European Economic Area. If any data processing requires transfer outside the UK/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the Information Commissioner's Office (ICO).
Cookies and Tracking
The EILEEN mobile app does not use cookies or third-party tracking. We do not use advertising identifiers. Anonymous crash reporting is used solely for app stability improvements.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via:
- In-app notification
- Push notification (if enabled)
- Email (for material changes)
The "Last Updated" date at the top of this policy indicates when changes were last made.
Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
Contact Us
For any questions about this Privacy Policy or your personal data:
- Email: privacy@eileen.app
- Data Protection Officer: dpo@eileen.app
- In-app: Settings → Data Management → Contact Us