Last updated
05.04.2026
Privacy Policy: General
1. Introduction
Connectome GmbH ("Connectome," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, disclose, and safeguard your personal data when you visit our website https://www.connectome.health/ ("Website") and interact with our services, including your use of our website, platform, and related services (together, the “Services”).
This Privacy Policy applies to individuals who access or use our Services, including users, customers, and research participants where applicable.
We comply with applicable data protection regulations, including the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
2. Data Controller
Connectome GmbH is the data controller for personal data processed in connection with the Services, except where we process personal data on behalf of our customers. Where Connectome processes personal data on behalf of a customer (for example, a clinic, research organisation, or employer), Connectome acts as a data processor and the relevant customer is the data controller.
3. Information We Collect and Store
3.1 Users and research participants
We collect the following personal data to provide and operate the Services, including delivering insights, improving functionality, and ensuring compliance with applicable obligations. Please note that where appropriate, personal data may be pseudonymised or aggregated to reduce identifiability.
Category | Examples |
Demographics | Age range, gender |
Contact details | e.g. e-mail address, contact number |
Health & lifestyle questionnaires | Information provided by you e.g. medical history |
Brain imaging (fNIRS) | Brain and physiological data (e.g. imaging outputs) |
Wearable metrics | Device and wearable data (e.g. heart rate, sleep, activity) |
Cognitive task performance | Cognitive and behavioural performance data |
Hair image & type | Biometric or physical characteristics data (where relevant) |
Bank details | Payment and billing information (where applicable) |
Account and service administration | Account information, consent records, and records of interactions with the Services |
3.2 Mail-list subscribers and marketing preferences
Name (optional)
E-mail address
Subscription preferences (topics, language)
4. Why do we use your data and what is the legal basis?
Purpose | Data categories (see section 3) | Legal basis (UK/EU GDPR) |
Providing and operating the Services | All relevant user data, including account, contact, health, and usage data | Art 6(1)(a) - consent; Art 6(1)(b) - contract; Art 6(1)(f) - legitimate interests; Art 9(2)(a) or (h) - special category data (as applicable) |
Providing insights, analytics, and improving the Services | All relevant user data, including health data, device and wearable data, cognitive and behavioural data, and usage data | Art 6(1)(f) - legitimate interests; Art 9(2)(a) or (j) where applicable |
Paying participant honoraria | Bank details, contact details | Art 6(1)(b) - contract |
Providing and maintaining the platform | Contact details, account data, imaging & wearable outputs | Art 6(1)(b) - contract |
Operating mailing list | Name, e-mail | Art 6(1)(a) - consent |
Safety & quality monitoring | Pseudonymised research data | Art 6(1)(c) - legal basis; Art 6(1)(f) - legitimate interests |
Compliance with legal and regulatory obligations | Relevant personal data as required to comply with legal obligations | Art 6(1)(c) - legal basis |
Where we rely on legitimate interests, we have carried out a balancing test and believe our interests do not override your fundamental rights and freedoms. You can obtain a copy on request.
5. How long do we keep your data?
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
Dataset | Retention period | Rationale |
Service and analytical data (including health and usage data) | For as long as necessary to provide the Services and for a reasonable period thereafter to improve and develop the Services | Service delivery and product improvement |
Account and profile data | After a defined period of inactivity (as determined by our internal retention policies) | To provide ongoing access to the Services |
Consent records and key account information | For as long as required to demonstrate compliance with legal obligations | Legal and regulatory compliance |
Mailing-list record | Until you unsubscribe | Direct marketing rules |
Bank details & payment records | 6-7 years | Accounting & tax obligations |
Aggregated, fully anonymised datasets | Indefinitely | No longer personal data |
We automatically and irreversibly anonymise data when the retention period expires. Users will receive an e-mail reminder 30 days before deletion of their Webapp account data.
6. How do we secure your information?
Connectome GmbH stored data
Primary Database: Hosted on Cloud SQL (Google Cloud’s managed relational database service) with automated daily backups and point-in-time recovery capabilities.
Storage of Files & Media: Other files, documents, and media are securely stored in Google Cloud Storage.
Encryption: All data is encrypted at rest using Google Cloud Key Management Service (Cloud KMS).
Access Control: Strictly managed through standard identity and access management policies to ensure only authorised personnel can access sensitive data.
User Dashboard: Users will be able to view their results through the Connectome Data Dashboard.
Personal Details: Kept on the Connectome platform unless explicitly requested for deletion by users. This allows users to view personalized data results.
7. Who do we share your data with?
7.1 Service providers and partners
We may share personal data with trusted partners where necessary to provide, improve, or support the Services, subject to appropriate contractual safeguards.
7.2 Authorised third-party processors
We share personal data with the following trusted service providers, who process data on our behalf:
Processor | Service | Link to privacy notice |
Kernel | Processing fNIRS brain-activity data | https://docs.kernel.com/docs/services-privacy-policy |
H2 Cognitive Design | Cognitive-task platform | https://www.cognitron.co.uk/static/privacy.html |
Terra API | Wearable-device analytics | |
Sahha | Wearable-device data integration and analytics (legacy provider) | https://www.sahha.ai/privacy |
Mailchimp | Mailing-list management | https://mailchimp.com/legal/privacy |
Stripe | Payment processing for participant fees | https://stripe.com/privacy |
Where Connectome provides services to organisational customers (e.g. clinics or employers), personal data may be shared with those customers in accordance with their instructions and applicable agreements.
All processors act on our written instructions and are bound by data‑processing agreements that satisfy Art 28 UK/EU GDPR.
Transitional use of wearable data providers
As part of an ongoing infrastructure upgrade, we are transitioning our wearable data services from Sahha to Terra API. During this transition period, both providers may be used in parallel to support testing, validation, and continuity of service.
Where both providers are active:
Data will be processed by only one provider per integration wherever possible
In limited cases, parallel processing may occur strictly for validation and comparison purposes
This processing is conducted under our legitimate interests in ensuring service reliability and data accuracy
Once validation is complete, Sahha will be fully deprecated and removed as a processor of personal data.
7.3 International transfers
Where data leaves the UK/EEA we rely on:
UK and/or EU adequacy regulations, or
Standard Contractual Clauses (SCCs) with additional safeguards (e.g. encryption at rest, data‑minimisation).
8. Future Use
We may use personal data to improve and develop our Services, including through research and analysis. Where personal data is used for research or product development, this will typically be in aggregated or pseudonymised form. Where required by law, we will obtain your consent before using your data for specific research purposes.
9. Your Rights Under GDPR
You have the following rights concerning your data:
Right to Access: Request a copy of your personal data.
Right to Rectification: Correct inaccurate or incomplete data.
Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent).
Right to Erasure: Request data deletion where legally applicable.
Right to Data Portability: Receive a copy of your data in a structured format.
Right to Restrict Processing: Limit how we use your data.
Right to Object: Object to processing based on legitimate interests or direct marketing.
10. Complaints and Contact Information
If you have concerns about how your data is processed, you may contact the Connectome team on hello@connectome.health.
You also have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK).
Contact Us
If you need to contact us for any reason specified above, or if you have any questions or concerns about our Privacy Policy, please contact us at hello@connectome.health.