Privacy Policy
Last updated: 5 Sept 2025
This Privacy Policy explains how Cellast processes your information in compliance with the UK GDPR, EU GDPR, and applicable US privacy laws (including state-level frameworks where applicable).
What we collect
- Account data: name, email, phone, address.
- Identity and medical logistics data you provide (e.g., date of birth, gender for clinical eligibility, documents you upload).
- Operational data: appointment details, storage metadata, audit logs.
- Technical data: device, IP, and cookie information for security and analytics.
How we use data (lawful bases)
- Contract: create and manage your account; schedule appointments; store Samples; provide support.
- Legitimate interests: security, fraud prevention, service improvement.
- Consent: optional marketing; sharing certain health-related info where required.
- Legal obligation: regulatory/record-keeping requirements.
Special category data
Where we process health-related information (e.g., suitability for a biopsy), we do so under your explicit consent or another GDPR Article 9 condition permitted by law. You may withdraw consent at any time (this does not affect prior lawful processing).
Sharing
We share data with: partner clinics and laboratories (to deliver services), secure infrastructure providers (e.g., cloud hosting, email), payment processors, and professional advisors. We require appropriate data processing agreements and safeguards (including UK/EU standard contractual clauses for international transfers). We do not sell your personal data.
Retention
We keep personal data for as long as needed to provide services, meet regulatory requirements, resolve disputes, and enforce agreements. Account information may be retained for statutory periods even after closure.
Your rights
- Access, rectification, erasure, restriction, and portability (subject to legal limits).
- Right to object to processing based on legitimate interests.
- Withdraw consent where processing relies on consent.
- Complain to a supervisory authority (e.g., the ICO in the UK or your EU DPA).
Security
We use administrative, technical, and physical safeguards appropriate to the risk, including encryption in transit, access controls, audit logs, and least-privilege principles. No system is perfectly secure; please use strong passwords and keep them confidential.
Children
Our services are not directed to children under 18. If we learn that we have processed a child’s data, we will delete it.
Changes
We may update this Policy. If changes are material, we will notify you by email or by a prominent notice in the app.
Contact
Email: privacy@cellast.com
Note: This template is provided for convenience and does not replace independent legal advice.