ARIA: PRIVACY POLICY
Latest Revised Date: 01/11/2025
This Privacy Policy outlines the scope of processed data and the ways we treat your data received through our mobile app. Together with the Terms of Use, this Policy stands for the foundation of our binding relationship.
‘Medstars’, ‘Aria’, 'we', 'our', 'us' means Medstars Limited, a company registered in England and Wales company number 08982663, with registered address The Oakley, Kidderminster Road, Droitwich, Worcestershire, WR9 9AY. Email contact: feedback@medstars.co.uk
For the purpose of the Data Protection Act 1998 and the General Data Protection Regulation 16/679, the data controller is Medstars, which has ICO registration number ZB047428.
The General Data Protection Regulation 16/679
In this statement We have used certain terms which are set out in the EU’s General Data Protection Regulation (GDPR or the Regulation):
-
personal data means: any information relating to an identified or identifiable natural person (data subject)
-
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
-
controller means: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
-
processor means: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
-
processing means: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Our status: How We use personal data
-
We may act a processor of personal data for our clients, with whom we have signed a data processing agreement, which is compliant with the Regulation under which Medstars is bound by the terms of this agreement.
-
Medstars may act as a controller; where Medstars acts as a controller, any personal data We collect is treated and managed according to the approach We have set out in this privacy statement.
However, there are different situations when you may decide to share more data, or we are requesting some information from you. Find the data types, the justification, and the ways of such processing cases below:
Type of data | Processing reasons | Lawful Basis | Notes to Processing |
|---|---|---|---|
Email address | To set up an account | Execution of the contract | Occurs during registration |
User ID | User IDs are used to perform A/B testing | Controller interest | We do not tie your email to our internal processes. We generate a unique identifier for you, as such use enhances your email privacy |
Information related to your mood, general well-being, feelings, or any other thoughts | To process inbound messages, analyse them and deliver personalised content | Execution of the contract | Occurs during conversations with the AI chatbot while we deliver conversation output or personalised content to you |
Sensitive personal information, or personal health information, including about mental health | To process inbound messages, analyse them and deliver personalised content | Consent | Occurs during conversations with the AI chatbot while we deliver conversation output or personalised content to you |
Email address, full name or nickname, the content of the email | To process feedback, or feature suggestion, received from you via email | Execution of the contract | We process this data if you are reaching out to us via email for solution suggestion, complaints, or claims |
Email address, results of the interviews | To run in-depth interviews, questionaries | Controller interest (when we make a list of users whom to question), consent (when we directly ask you to participate in the interview/fill in questionary) | We may use such data to improve our Services. If you agree to such an interview, we may offer you discounts or other benefits |
Postal code, address, signature, full name. or nickname | To enable refunds or any inquiries received at our physical address | Execution of the contract | We may process it either for refund purposes or any Services-related mail if you decide to send it by post |
Email address | To inform you about technical updates and new features | Controller interest | Once we launch new features, significantly update our Services, or solve technical inaccuracies |
Log data of your usage of the Services | To analyse how you interact with our Services | Controller interest | We may analyse how you tap, for how long and how often you interact with the content, and your usage frequency and preferences |
Email address | To send you newsletters to promote our products and services | Consent | Once you opt in to the newsletter in the Settings section of the Services |
(Only anonymised to the maximum extent possible) conversational data about your mood, preferences, worries, reflections, or symptoms alongside language preferences, time of the conversation | To train our model for improving existing models, delivering more tailored result | We do not need a legal basis for processing the anonymised data | We run the AI trainings once we delete all possible identifiers of your personal data. Please note, that once anonymised, data that cannot be attributed to the user is no longer “personal” |
Will Medstars share my personal data with anyone else?
Medstars may pass your personal data on to third-party service providers contracted to Medstars. In these circumstances, the third party may be another controller, processor or sub-processor.
Where the third party is a processor or a sub-processor, they are obliged to keep your details securely, and to use them only to fulfil their contractual obligations to Medstars. When they no longer need your personal data to fulfil this service, they will dispose of the details in line with Medstars’ data retention policy.
We follow the principle of data minimisation. This means we only share the absolute minimum data required for each service to work properly. For example:
-
error reporting service provider is only able to process technical information needed for the quality assurance, it does not receive the gist of your conversation or your email address;
-
analytic service providers receive aggregated, often anonymised usage data; and
-
AI service providers receive the content necessary to generate your personalised responses only.
Please note, if you contact us through third party providers, such as other messengers or our social media, you are subject to their Terms of Use. We do not control how these providers process your data.
Data Retention Periods
For active users, If you decide to delete your account, we maintain a 30-day freezing period for your convenience. This allows you to restore your account if you change your mind. After 30 days, all associated data will be permanently deleted.
You have full control over your conversational data. When you delete your account, all related messages and communications will also be permanently erased.
Please keep in mind that we may still process anonymised data even after your data is deleted. Once anonymised, the data no longer qualifies as personal data under privacy regulations. We may use such anonymised data for system improvement and training, ensuring identifying information is removed before processing.
Your rights as a data subject
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
-
Right of access – you have the right to request a copy of the information that we hold about you.
-
Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
-
Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
-
Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
-
Right of portability – you have the right to have the data we hold about you transferred to another organisation.
-
Right to object – you have the right to object to certain types of processing such as direct marketing.
-
Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
How to Exercise Your Rights
Some rights can be exercised directly through our Services. Simply navigate to Settings to manage your preferences, adjust privacy controls, or delete your data.
For additional requests or inquiries, please contact us at feedback@medstars.co.uk This might include, but is not limited to:
-
changing the email associated with your registration;
-
requesting access to all data we retain about you;
-
seeking further clarification on security, data retention, or AI processing features toward data processing; or
-
any other privacy-related concerns.
The Response Standard
We acknowledge receipt of your request within 10 business days and reserve 45 calendar days to respond. We may also extend the response time, adding 15 more calendar days, notifying you promptly.
Regardless of your location, if your request does not require additional information or is not complex, we typically aim to provide a response in less than 5 days.[11]
To process your request efficiently, we may require additional information to verify your identity and the nature of your request. If needed, we will reach out to request further details.
Please note that using VPN services may impact our ability to timely process your request.
Sometimes your request might be unenforceable. In some cases, we may refuse to fulfill your request. This can happen if:
-
the request is unclear or not directly related to your own data;
-
it may be restricted due to legal requirements or specific case-by-case limitations;
-
your data has already been permanently deleted.
If we are unable to process your request, we will inform you promptly and provide further details where applicable.