Privacy Policy
Version 4.0 Date : 10 June 2026
Introduction
WellQ Ltd (“WellQ”, “we”, “us”, “our”) is committed to protecting personal data and respecting the privacy of all individuals whose data we process.
This Privacy Policy explains how personal information may be collected, used, protected and shared when you use the WellQ Platform and related services. It applies to:
- healthcare providers and clinical staff accessing the WellQ Platform;
- patients accessing the Platform through a participating clinic; and
- visitors to WellQ’s website and communications.
WellQ processes personal data in accordance with applicable data protection laws, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
Product Classification
WellQ is a digital health software platform designed to support patient engagement, rehabilitation tracking and recovery monitoring. The WellQ Platform enables clinicians to monitor patient rehabilitation progress and supports patients in engaging with their own recovery pathways.
WellQ Ltd has assessed the WellQ Platform against the UK Medical Devices Regulations 2002 (as amended). The Platform is currently operated as a digital wellness and rehabilitation engagement tool. WellQ does not make diagnostic or prescriptive clinical decisions — all clinical judgement and patient care decisions remain with the responsible healthcare provider. WellQ continues to monitor its regulatory obligations and will update this policy accordingly as its regulatory position develops.
Clinical Safety Governance
WellQ operates a Clinical Safety Framework in accordance with DCB0129, the NHS Digital clinical safety standard for health IT software. WellQ maintains a Clinical Safety Case and hazard register as part of its ongoing clinical governance obligations.
WellQ’s Clinical Safety Officer is Anna Aydınç, who is responsible for overseeing clinical safety governance, hazard management and the escalation of any patient safety concerns arising from use of the Platform. Clinical safety incidents or concerns may be reported to WellQ at info@wellq.co.uk.
Where WellQ collects personal data directly (for example, from healthcare providers for account and contractual purposes), WellQ acts as the Data Controller for that specific processing.
Patients should direct any questions relating to their clinical records or medical information to their healthcare provider in the first instance.
1. About WellQ
WellQ Ltd is a company registered in England and Wales (Company No. 16517552), whose registered office is at Suite A, 82 James Carter Road, Mildenhall, IP28 7DE. WellQ provides digital software tools designed to support healthcare providers in delivering direct patient care, monitoring patient engagement, rehabilitation activity, and recovery progress between clinical visits.
The Platform may include tools for:
- patient engagement and rehabilitation tracking;
- digital exercise and recovery pathways;
- progress monitoring and clinical reporting;
- recovery score generation and analytics to support clinicians in delivering patient care;
- integrations with wearable devices, Apple HealthKit and Google Health Connect; and
- patient-reported outcomes capture.
WellQ provides technology infrastructure only. WellQ does not provide medical advice, diagnosis, or treatment. Healthcare providers remain responsible for all clinical decisions and patient care.
The WellQ Platform is hosted on Microsoft Azure cloud infrastructure, operated within the United Kingdom. Microsoft Azure acts as a sub-processor on behalf of WellQ in respect of data hosted on that infrastructure. A current list of sub-processors is available on request by contacting info@wellq.co.uk.
2. Data Controller and Processor Roles
The role WellQ plays in respect of personal data depends on the context in which data is processed:
2.1 WellQ as Data Processor
Where WellQ processes personal data on behalf of a healthcare provider or clinic, the healthcare provider acts as the Data Controller and WellQ acts as the Data Processor. In this context, WellQ processes personal data only on behalf of, and under the documented instructions of, the healthcare provider. The healthcare provider determines the purposes and means of processing patient data and is responsible for establishing the appropriate lawful basis for that processing.
2.2 WellQ as Data Controller
Where WellQ collects and processes personal data for its own purposes — including clinic onboarding, contract administration, customer support, payment management, platform security and system improvement — WellQ acts as the Data Controller for that processing. WellQ determines the purposes and means of such processing and is responsible for establishing the appropriate lawful basis.
Patients should direct any questions relating to their clinical records or medical information to their healthcare provider in the first instance. Where a query relates to data processed by WellQ as Controller, patients and clinicians may contact WellQ directly at info@wellq.co.uk.
3. Personal Information We May Process
3.1 Identity and Contact Information
This may include:
- name, job title and professional registration details;
- email address and telephone number;
- account login and authentication information; and
- organisation or clinic affiliation.
3.2 Health and Rehabilitation Information
When the Platform is used within a clinical environment, the following categories of information may be processed:
- rehabilitation activity and exercise data;
- patient-reported outcomes and feedback;
- recovery progress indicators and engagement metrics;
- health or wellbeing information entered by the user or their clinician;
- algorithmically-generated recovery scores derived from patient-reported data and rehabilitation activity; and
- patient-reported outcome measures (PROMs) and patient-reported experience measures (PREMs).
Where patients have provided consent, the Platform may also process health data accessed through connected wearable devices, Apple HealthKit or Google Health Connect, including activity, movement and recovery-related metrics. This information constitutes special category health data under the UK GDPR and is processed only with the explicit consent of the patient.
All special category health data processed within a clinical context is processed only on behalf of and as instructed by the relevant healthcare provider.
3.2 Health and Rehabilitation Information
Limited technical information may be collected automatically to support system functionality, such as:
- device type and operating system;
- browser type and version;
- platform usage data and session information; and
- system performance and diagnostic information.
This information helps ensure the Platform operates securely and efficiently. It is not used to identify individual users for marketing purposes.
4. How We Use Personal Information
4.1 Processing as Data Processor (on behalf of healthcare providers)
Where WellQ acts as Data Processor on behalf of a healthcare provider, personal data may be processed for the following purposes:
- supporting healthcare providers in delivering direct patient care;
- enabling clinicians to track patient rehabilitation progress, review engagement and monitor recovery outcomes;
- processing patient-reported outcomes and rehabilitation activity data as instructed by the clinic;
- providing rehabilitation pathway tools and patient engagement features; and
- generating recovery scores and progress indicators for clinical review.
WellQ does not use patient health data for advertising, marketing profiling, or sale to third parties.
4.2 Processing as Data Controller (WellQ’s own processing)
Where WellQ acts as Data Controller, personal data may be processed for the following purposes:
- clinic onboarding and contract management;
- payment administration and invoicing;
- customer support and account management;
- audit logging, system security and fraud prevention; and
- platform performance monitoring and improvement.
4.3 Algorithmically-Generated Recovery Scores
The WellQ Platform generates recovery scores using algorithmic processing of patient-reported data and rehabilitation activity. These scores are presented to both patients and clinicians as informational support tools to assist in monitoring rehabilitation progress and engagement.
WellQ provides clinicians with a clear explanation of the methodology used to generate recovery scores within the clinician dashboard. No algorithmically-generated score constitutes a clinical decision. Healthcare providers retain full clinical responsibility and judgement at all times. Patients and clinicians retain the right not to have any significant clinical decision made solely on the basis of automated processing, in accordance with Article 22 of the UK GDPR.
5. Legal Basis for Processing
5.1 Processing as Data Processor
Where WellQ acts as Data Processor on behalf of a healthcare provider, the healthcare provider is responsible for establishing the lawful basis for processing patient personal data. The relevant condition for processing special category health data in a clinical context is:
- Article 9(2)(h) UK GDPR — processing necessary for the purposes of preventive or occupational medicine, the provision of health or social care or treatment, or the management of health or social care systems and services. This applies to rehabilitation monitoring, patient engagement tracking and recovery progress data processed on behalf of healthcare providers.
Where patients have provided explicit consent for integration with wearable devices, Apple HealthKit or Google Health Connect, or for the receipt of push notifications through the application, the lawful basis is:
- Article 9(2)(a) / Article 6(1)(a) UK GDPR — explicit consent of the data subject. Patients may withdraw consent at any time through the application settings, by disabling individual integrations, turning off notifications, or by deleting their account. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
5.2 Processing as Data Controller
Where WellQ acts as Data Controller for its own processing activities, the applicable lawful bases are:
- Article 6(1)(b) — performance of a contract: processing necessary to provide the Platform services to healthcare providers, including clinic onboarding, account management and service delivery.
- Article 6(1)(c) — compliance with a legal obligation: processing required to comply with applicable law, including financial record-keeping obligations, regulatory reporting and audit requirements.
- Article 6(1)(f) — legitimate interests: processing necessary for WellQ’s legitimate interests in operating, securing and improving the Platform, including platform performance monitoring, fraud prevention and audit logging, where these interests are not overridden by the rights of data subjects.
6. Data Sharing
Personal data may be shared only where necessary to operate the WellQ Platform, support direct patient care, or comply with legal obligations.
This may include sharing data with:
- authorised healthcare providers using the Platform to support the delivery of patient care;
- Microsoft Azure, WellQ’s cloud infrastructure and hosting provider, acting as a sub-processor; and
- regulatory authorities or law enforcement where required by applicable law.
All sub-processors and service providers are required to maintain appropriate technical and organisational security measures and are bound by data processing obligations consistent with this Privacy Policy and UK GDPR requirements.
WellQ does not sell personal data to third parties and does not use personal health data for advertising purposes.
7. Data Retention
Personal data is retained only for as long as necessary to provide services and fulfil applicable legal obligations. The following retention periods apply:
7.1 Data Processed as Controller
- Account and contract data: retained for six (6) years from the end of the contract. This period is required to comply with HMRC financial record-keeping obligations and to protect WellQ’s legitimate interests in respect of potential legal claims under the Limitation Act 1980.
- Technical and system logs: retained for twelve (12) months from creation, consistent with operational security monitoring purposes.
- Staff and personnel data: retained for six (6) years following the end of employment or engagement, in line with UK employment law obligations.
7.2 Data Processed as Processor
- Patient rehabilitation and engagement data: retained in accordance with the healthcare provider’s instructions and applicable healthcare record-keeping standards. WellQ will act on the documented instructions of the healthcare provider in respect of retention and deletion of patient data.
- Wearable, Apple HealthKit and Google Health Connect data: retained until consent is withdrawn, the patient’s account is deleted, or as otherwise directed by the healthcare provider, whichever is earliest.
- Patient account deletion: when a patient deletes their account, personal data is scheduled for permanent deletion within thirty (30) days. During this period the data is inaccessible to the patient but is retained solely to allow recovery from accidental deletion. After thirty (30) days the data is permanently and irreversibly deleted.
7.3 Anonymised and Aggregated Data
WellQ may retain anonymised or aggregated data derived from platform usage indefinitely for the purposes of platform improvement, product development, analytics and algorithm refinement. Truly anonymised data does not constitute personal data under the UK GDPR and is not subject to retention limits. WellQ ensures that anonymisation is robust and that re-identification is not reasonably possible before applying this approach.
8. Data Security
8.1 Technical and Organisational Measures
WellQ implements technical and organisational measures designed to protect personal data against unauthorised access, loss, disclosure or destruction. These currently include:
- encryption of data in transit and at rest within Microsoft Azure infrastructure;
- multi-factor authentication (MFA) for patient application access;
- credential-based authentication with audit logging for clinician dashboard access;
- role-based access controls limiting data access to authorised personnel;
- audit logging of all user access events within the Platform;
- secure cloud infrastructure with built-in redundancy and failover provided by Microsoft Azure; and
- staff awareness of data protection and information security obligations.
WellQ commits to conducting penetration testing and implementing a formal vulnerability management programme as the Platform moves beyond its current beta phase. This policy will be updated to reflect those controls when introduced.
8.2 Patient Safety Incidents
WellQ operates a Clinical Safety Framework under DCB0129. In the event of a patient safety concern arising from use of the Platform — including platform failures, missed alerts or clinical workflow issues — concerns should be reported to WellQ’s Clinical Safety Officer, Anna Aydınç, via info@wellq.co.uk. WellQ will investigate and respond to patient safety concerns in accordance with its Clinical Safety Case and incident management procedures.
8.3 Business Continuity and Disaster Recovery
The WellQ Platform is hosted on Microsoft Azure infrastructure, which provides built-in redundancy, failover capability and data backup in accordance with Microsoft’s enterprise service commitments. WellQ relies on Azure’s resilience architecture to support platform continuity and data recovery in the event of a service disruption.
8.4 Access Governance and Offboarding
Clinic administrators are responsible for managing and disabling staff access to the WellQ Platform through their administrator account. Where a clinician leaves a practice or should have their access removed, the clinic administrator should disable that account promptly. WellQ can action access removal upon written request to info@wellq.co.uk.
8.5 Security Incidents and Breach Notification
WellQ maintains an internal incident response procedure covering data security events. In the event of a personal data breach, WellQ will notify affected Data Controllers without undue delay and within 48 hours of becoming aware of the breach, in accordance with the obligations set out in the applicable Data Processing Agreement. WellQ will provide sufficient information to enable the Data Controller to meet its own notification obligations to the ICO and affected data subjects where required.
While these safeguards are designed to protect personal data, no digital system can guarantee absolute security. WellQ will take all reasonable steps to contain and remediate any security incident promptly.
9. Sub-Processors
WellQ currently uses the following authorised sub-processor in connection with the delivery of the Platform:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Microsoft Azure (Microsoft Corporation) | Cloud infrastructure, data hosting and storage | United Kingdom |
WellQ will notify healthcare providers of any intended changes to its sub-processor arrangements in accordance with the terms of the applicable Data Processing Agreement. An up-to-date list of sub-processors is available on request by contacting info@wellq.co.uk.
10. Aggregated Data and Analytics
WellQ may analyse data generated through use of the Platform to:
- improve Platform functionality and user experience;
- develop analytics and insights tools to support healthcare providers in delivering patient care;
- enhance rehabilitation engagement pathways;
- improve system performance and reliability;
- refine recovery scoring algorithms; and
- support product development, research and service improvement.
Where possible, this analysis is conducted using aggregated or de-identified data that does not directly identify individuals. Such aggregated data may be used by WellQ for its own product development and analytics without restriction, as it does not constitute personal data. WellQ ensures that anonymisation processes are robust and that re-identification is not reasonably possible.
Any algorithmic outputs derived from aggregated data are used at a population or cohort level only. No algorithmic model output is applied to individual patient clinical decisions without clinician review and oversight.
11. Clinical Use of Platform Insights
The WellQ Platform generates recovery scores and engagement summaries designed to support healthcare providers in monitoring patient rehabilitation progress and delivering direct patient care.
Recovery scores are generated using algorithmic processing of patient-reported data and activity metrics. The methodology used to generate recovery scores is explained to clinicians within the clinician dashboard. These scores are informational in nature and are designed to assist healthcare professionals — they are not intended to replace professional clinical judgement or constitute a clinical diagnosis or recommendation.
In accordance with Article 22 of the UK GDPR, no significant decision affecting a patient is made solely on the basis of automated processing. Healthcare providers retain full clinical responsibility and judgement at all times. Patients who have concerns about how recovery scores or platform outputs may affect their care should raise these directly with their healthcare provider.
12. Data Ownership
Healthcare providers and patients retain all rights to personal data submitted to the WellQ Platform. WellQ processes such data only for the purpose of providing the Platform services and in accordance with instructions from the relevant healthcare provider.
WellQ may generate aggregated, anonymised or de-identified data derived from platform usage. Such data does not identify individual users and may be used by WellQ to improve the Platform, develop new features, conduct analytics, refine algorithms and support research and product development.
13. Your Data Protection Rights
Under applicable data protection laws, individuals may have the following rights:
- Right of access: to obtain a copy of personal data held about them.
- Right to rectification: to request correction of inaccurate or incomplete personal data.
- Right to erasure: to request deletion of personal data in certain circumstances.
- Right to restriction: to request that processing be restricted in certain circumstances.
- Right to object: to object to processing based on legitimate interests or for direct marketing.
- Right to data portability: to receive personal data in a structured, machine-readable format where processing is based on consent or contract.
- Rights related to automated decision-making: to not be subject to solely automated decisions that produce significant legal or similar effects, in accordance with Article 22 UK GDPR.
- Right to withdraw consent: where processing is based on consent (including wearable device integrations, Apple HealthKit, Google Health Connect and notifications), consent may be withdrawn at any time through the application settings or by deleting your account, without affecting the lawfulness of prior processing.
Where personal data is processed on behalf of a healthcare provider, requests relating to patient data may need to be directed to the relevant healthcare provider as Data Controller. WellQ will assist the Controller in responding to such requests where required.
To exercise rights in relation to data for which WellQ acts as Controller, please contact us at info@wellq.co.uk.
14. Cookies and Website Technologies
WellQ’s website uses cookies and similar technologies in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR. Cookies are used on the WellQ website only — the WellQ Platform application does not use cookies.
Cookies used on the WellQ website are limited to those strictly necessary for the operation and security of the website, including:
- maintaining secure sessions for authenticated users;
- enabling core website functionality and navigation; and
- supporting website security and integrity.
WellQ does not use advertising cookies, tracking cookies or any cookies for marketing profiling purposes. No non-essential cookies are placed without user consent. Users may manage cookie preferences through their browser settings at any time.
15. International Data Transfers
WellQ stores and processes personal data on Microsoft Azure infrastructure located within the United Kingdom. WellQ does not routinely transfer personal data outside the United Kingdom.
In the event that any transfer of personal data outside the United Kingdom is required — for example through a sub-processor operating internationally — WellQ will ensure that appropriate safeguards are implemented in accordance with UK GDPR requirements, which may include:
- transfers to countries with an adequacy decision recognised under UK law;
- use of UK International Data Transfer Agreements (IDTAs) or equivalent standard contractual clauses; or
- other appropriate safeguards as permitted by applicable data protection law.
WellQ will not transfer personal data to a third country without appropriate safeguards in place and, where required, without the prior written consent of the relevant Data Controller. Microsoft’s data processing terms include appropriate safeguards for any international transfers made in connection with Azure’s infrastructure operations.
16. Changes to This Privacy Policy
WellQ may update this Privacy Policy periodically to reflect changes to services, technology, legal requirements or regulatory guidance. Updated versions will be published on the WellQ website or made available through the Platform. Where changes are material, WellQ will provide reasonable notice to healthcare providers.
17. Complaints
If you have concerns about how WellQ handles personal data, WellQ operates the following structured escalation process:
- Step 1 — Contact WellQ directly: Please raise your concern in writing to info@wellq.co.uk, describing the nature of the complaint. WellQ will acknowledge your complaint within five (5) working days.
- Step 2 — Internal resolution: WellQ will investigate the complaint and aim to provide a substantive response and resolution within thirty (30) calendar days of acknowledgement. Where the matter is complex, WellQ will keep you informed of progress.
- Step 3 — ICO escalation: If your complaint is not resolved to your satisfaction, or if you prefer to escalate directly, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection: Website: www.ico.org.uk | Telephone: 0303 123 1113.
WellQ welcomes the opportunity to address concerns directly and is committed to resolving data protection queries promptly and fairly.
18. Contact and Data Governance
For questions regarding this Privacy Policy, the handling of personal data, to exercise your data subject rights, or to raise a data protection concern, please contact WellQ’s designated Data Governance contact:
| Company | WellQ Ltd |
|---|---|
| Address | Suite A, 82 James Carter Road, Mildenhall, IP28 7DE |
| Role | Data Controller (for direct data collection) / Data Processor (in healthcare settings) |
| Data Governance Contact | info@wellq.co.uk |
| Clinical Safety Officer | Anna Aydınç — contact via info@wellq.co.uk |
| ICO Registration | ZB953651 |
Where your query relates to patient safety or clinical governance, please direct your concern to Anna Aydınç, Clinical Safety Officer, via info@wellq.co.uk.