Privacy Policy
Last updated: 1 May 2026
Document version: 2026.05.01.2
TriageMethod Ltd, trading as TriageHealth, (“we”, “us”, “our”) is committed to protecting your privacy, especially given the sensitive nature of health data. This policy explains what data we collect, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR. TriageMethod Ltd is a company registered in Ireland; our lead supervisory authority is the Irish Data Protection Commission.
1. Data Controller
TriageMethod Ltd (trading as TriageHealth) is the data controller for the personal data processed through this platform. The company is registered in Dublin, Ireland; full registered-office details are on the public Irish Companies Registration Office record at core.cro.ie. For data protection enquiries, contact our Data Protection Officer, Patrick Farrell, at info@triagemethod.com. Our lead supervisory authority under the one-stop-shop mechanism of GDPR Article 56 is the Irish Data Protection Commission (dataprotection.ie). Users in the UK and elsewhere in the EEA may also complain to their local supervisory authority — see section 7 below.
2. Data We Collect
2.1 Account Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account authentication, transactional emails | Contract performance |
| Name (optional) | Personalisation | Legitimate interest |
| OAuth provider data | Social login authentication | Contract performance |
2.2 Health Data (Special Category — Article 9)
| Data Category | Examples | Legal Basis |
|---|---|---|
| Blood work results | Cholesterol, glucose, vitamin D, ferritin, etc. | Explicit consent |
| Dietary data | Food frequency responses, food diary entries, nutrient intake | Explicit consent |
| Body measurements | Height, weight, waist circumference, body fat % | Explicit consent |
| Exercise data | Type, frequency, duration, intensity | Explicit consent |
| Sleep data | Hours, quality, consistency, disorders | Explicit consent |
| Stress data | PSS-10 scores, perceived stress levels | Explicit consent |
| Medical history | Conditions, family history, allergies | Explicit consent |
| Medications | Names, doses, frequencies | Explicit consent |
| Supplements | Names, doses, frequencies | Explicit consent |
| Symptoms | Free-text + structured symptom catalogue entries (e.g., fatigue, brain fog), severity, frequency, duration, syndrome-cluster matches | Explicit consent |
| Mental-health screening | PHQ-9 (depression, 9 items), GAD-7 (anxiety, 7 items), PC-PTSD-5 (PTSD primary-care screen, 5 items), ICD-11 QD85 burnout cluster — raw item responses + computed scores | Separate explicit consent (MENTAL_HEALTH purpose) — captured at intake, declinable without losing access to the rest of the assessment |
| Reproductive health | Cycle dates, cycle length, contraception, pregnancy / postpartum status, perimenopause / menopause symptoms (where the user opts in to the reproductive module) | Explicit consent |
| Apple Health imports | Steps, heart rate, HRV, sleep stages, workout sessions and similar Apple Health metrics imported on the user’s explicit action via Sign in with Apple + HealthKit | Separate explicit consent (APPLE_HEALTH_IMPORT purpose) — re-confirmed each time the import flow runs |
| Genetic data (sub-special category) | Raw genome upload (23andMe, AncestryDNA, MyHeritage formats) — parsed and immediately discarded after SNP extraction. Persisted: ~120 catalogued SNPs (rsId, gene, genotype call, computed risk level). APOE rs429358 (Alzheimer’s risk) is gated behind a separate disclosure consent and is suppressed from the genetics page and reports unless that disclosure consent is also granted. | Separate explicit consent (GENETIC_DATA purpose) — required at upload time, withdrawable at any moment via Settings; APOE Alzheimer’s-risk disclosure has its own additional consent (APOE_ALZHEIMERS_DISCLOSURE) |
All health data processing is based on your explicit consent (GDPR Article 9(2)(a)). You may withdraw consent at any time by deleting your data via Settings or contacting us. Withdrawing genetic, mental health, or Apple Health consent stops further processing immediately (Art. 7(3)); existing records stay on disk until you trigger erasure separately, so you can re-grant consent later without losing your data.
2.3 Payment Data
Payment processing is handled entirely by Stripe. We do not store your credit card number. We receive: last 4 digits (for display), card brand, billing country, and transaction records.
2.4 Technical Data
IP address, browser type, device type, and page views — collected for security (rate limiting, abuse prevention) and service improvement. Legal basis: legitimate interest.
3. How We Use Your Data
- Assessment generation: Your health data is processed locally on our servers to generate personalised health reports.
- AI features: If you use AI chat features, relevant health context may be sent to Google Cloud (Vertex AI, Gemini model) for response generation. See “AI Data Processing” below for full details.
- Cross-referencing: Your data across health domains (blood work, diet, exercise, etc.) is cross-referenced to identify connected patterns. This processing occurs entirely on our servers.
- Communication: We send transactional emails (password reset, assessment ready) to your registered email address.
4. Data Sharing
We do not sell your data. We share data only with:
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Database provider | Data storage | All user data (encrypted at rest) | EU/UK |
| Stripe | Payment processing | Payment details, email | US (SCCs in place) |
| Google Cloud (Vertex AI) | AI-powered health chat and lab report OCR | Health-data summaries sent as context for personalised responses. Google Cloud’s Vertex AI terms state that prompts and responses submitted via Vertex AI are not used to train Google’s foundation models, are not retained for any purpose other than abuse monitoring (24-hour cache), and are not made available to other customers. | EU (europe-west4 region — Eemshaven, Netherlands). Region selection is enforced at runtime by an EU-allowlist guard that refuses to start the application if GOOGLE_CLOUD_LOCATION is set outside the europe-* prefix. Covered by Google Cloud’s Data Processing Addendum (which incorporates the EU Standard Contractual Clauses and the UK International Data Transfer Addendum) and our DPIA. |
| Resend | Transactional email delivery | Email address, email content | US (Standard Contractual Clauses + UK IDTA in place) |
| Vercel | Application hosting | All requests pass through | EU — compute pinned to the fra1 region (Frankfurt, Germany) via vercel.json. Vercel’s control plane is operated from the United States; all data processing under our DPA is governed by the EU Standard Contractual Clauses and the UK IDTA. |
| Google LLC (Google Analytics 4) | Website usage analytics (opt-in only) | Page views, session duration, device type, approximate location. No health data, blood work results, assessment findings, or personal health information is sent to Google Analytics. | US (SCCs in place) |
| Sentry (Functional Software, Inc.) | Application error monitoring and performance telemetry | Stack traces, request URL/path, anonymised user ID, browser type. PII filters strip email addresses, auth tokens, and request bodies before transmission. No health data is captured. | EU (de.sentry.io region, Frankfurt) — SCCs in place for the US-based controller |
| Upstash (Redis) | Rate-limit counters and short-lived caches (e.g. CSRF tokens, login throttles) | Anonymised request fingerprints (hashed IP + endpoint), counters, ephemeral session keys. Health data is never written to Upstash. | EU (Frankfurt) — SCCs in place |
| Vercel Blob (Vercel Inc.) | Object storage for user-uploaded lab report PDFs/images pending OCR | The uploaded file itself, retained only until OCR completes (then deleted). Encrypted at rest. Access is restricted to the uploading user’s session. | EU (fra1 region, Frankfurt) — covered by Vercel’s DPA, SCCs and UK IDTA |
| Vercel Analytics & Speed Insights (Vercel Inc.) | Real-user performance metrics (Core Web Vitals) and page-view counts | Aggregated, anonymised page-view + Web Vitals data. No personal identifiers; no health data. Used to identify slow pages and regressions. | EU — covered by Vercel’s DPA, SCCs and UK IDTA |
| GitHub Inc. (OAuth sign-in only) | Optional third-party sign-in for users who choose “Continue with GitHub” | Email address and public profile fields returned by GitHub at sign-in. Only used to provision/identify the user account; no health data is shared with GitHub. | US (SCCs in place via GitHub’s DPA) |
| Google LLC (OAuth sign-in) | Optional “Continue with Google” authentication | Email address, display name, and profile photo returned by Google at sign-in. Only used to provision/identify the user account; no health data is shared with Google via OAuth. | US (SCCs via Google Cloud DPA) |
| Anthropic | Admin-only AI house-rules suggestions | System prompt and anonymised rule context. No user health data is sent to Anthropic. | US (EU SCCs + Anthropic DPA) |
5. AI Data Processing
When you use AI chat features, summaries of your health assessment data are sent to Google Cloud Vertex AI (Gemini model family) to generate personalised responses. This includes blood-work interpretations, nutrient analysis, exercise and sleep summaries, and other assessment findings relevant to your query.
- This processing is covered by the AI_RECOMMENDATIONS consent purpose. You must grant this consent before using AI chat features, and you may withdraw it at any time via Settings > Consent. If you withdraw AI_RECOMMENDATIONS consent, AI chat is disabled until you re-enable it; existing chat history remains accessible until you delete it via Settings.
- Requests are served from the EU region europe-west4 (Eemshaven, Netherlands). Region selection is enforced at runtime — the application refuses to start if the configured Vertex AI region is outside the europe-* prefix, so health-data inference cannot accidentally be routed to a non-EU region.
- Vertex AI is covered by Google Cloud’s Data Processing Addendum, which incorporates the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Prompts and responses submitted via Vertex AI are not used to train Google’s foundation models, are not retained beyond a 24-hour abuse-detection cache, and are not made available to other customers. See Google Cloud’s Data Processing Addendum for details.
- No raw personal identifiers (name, email, date of birth) are included in the data sent to the API — only health-metric summaries and assessment findings.
- Records of processing (Article 30): for each AI chat round-trip we write one immutable audit-log row capturing the user ID, conversation ID, timestamp, prompt-template version, message and output character counts, and guardrail status. We do not store the message content or the AI response in this audit row — only the structured metadata needed to reconstruct what happened, when, and under whose authority. The chat history itself is stored separately and is subject to your erasure rights (section 7).
- Automated decision-making (Article 22): AI chat does not produce decisions that have legal effects or similarly significant effects on you. Outputs are educational interpretations of the health data you provided; they are not diagnoses, prescriptions, or eligibility determinations. You always retain the ability to review, ignore, or act on the output as you see fit, and any decision to seek or change medical care should be made with a qualified clinician.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Retained indefinitely while account is active |
| Deleted account data | All personal data hard-deleted immediately upon confirmed deletion request (within the same HTTP request); audit log retained for 2 years per Article 5(2) accountability |
| Individually deleted records (while account active) | When you delete a single bloodwork, diet, weight, exercise, sleep, stress, or assessment entry, the row is soft-deleted for 90 days (letting you undo accidental deletions), then permanently hard-deleted by our daily retention job. This 90-day window does not apply to full-account deletion, which is immediate. |
| AI chat conversations | Retained for 12 months, then auto-deleted |
| Email logs | Retained for 6 months |
| Payment records | 7 years (Irish Companies Act 2014 s.281 — accounting records retention) |
| Audit logs | Retained for 2 years (GDPR accountability) |
| Unverified accounts | Purged after 7 days |
7. Your Rights (EU / UK GDPR)
You have the right to:
- Access your personal data (Article 15) — available via Settings > Export Data, including a portable FHIR R4 export of your longitudinal health records.
- Rectification (Article 16) — edit any data via the dashboard forms. Editing your raw health data (blood work, weight, symptoms, exercise, sleep, stress, etc.) is always free of charge; regenerating an interpretation report from corrected data is a paid action.
- Erasure (Article 17) — consumer users delete all data via Settings > Data & Privacy > Delete Account; professional users via Pro Settings > Data & Privacy > Delete Account. You can also delete individual records from any health-data dashboard.
- Data portability (Article 20) — export in JSON or FHIR R4 format via Settings > Data & Privacy (Pro Settings > Data & Privacy for professional accounts).
- Withdraw consent (Article 7(3)) — at any time via Settings > Consent, without affecting the lawfulness of processing carried out before withdrawal.
- Object to processing (Article 21) — for processing based on legitimate interest (e.g. security telemetry).
- Restrict processing (Article 18) — while accuracy is verified or objections are considered.
- Not be subject to solely automated decisions (Article 22) — AI chat outputs are educational interpretations, not legally significant decisions; see section 5.
- Lodge a complaint with our lead supervisory authority, the Irish Data Protection Commission at dataprotection.ie, or with your local EEA / UK supervisory authority. UK residents may complain to the UK Information Commissioner’s Office at ico.org.uk.
7a. Response Times (Data Subject Request SLA)
Our commitment to responding to requests made under section 7:
- Self-service rights (Access, Rectification, Erasure, Portability): available 24/7 via Settings. Exports and deletions complete within the same HTTP request, so there is no wait.
- Emailed requests (to info@triagemethod.com): acknowledged within 72 hours and resolved within 30 calendar days of receipt, as required by Article 12(3). Where a request is complex or we have received multiple requests from the same person, we may extend this by a further two months and will tell you why within the initial 30-day window.
- Fee: free of charge, except where requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse to act — Article 12(5)).
- Identity verification: for emailed requests we will ask you to confirm the request from the email address associated with your account, or provide other reasonable evidence that you are the data subject. We cannot action a request until we have verified who is asking.
- If we cannot act on your request: we will tell you why within 30 days and explain your right to complain to our lead supervisory authority (the Irish Data Protection Commission) or your local supervisory authority, and your right to a judicial remedy.
8. International Transfers
Health data and AI inference are processed inside the EEA — Vercel compute is pinned to fra1 (Frankfurt) and Vertex AI inference is pinned to europe-west4 (Eemshaven, Netherlands), with a runtime allowlist that refuses to start the application if either is misconfigured.
Some sub-processors operate from the United States (Stripe, Resend, Vercel’s control plane, Google Analytics where you have opted in). For those transfers we rely on the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by technical and organisational measures (encryption in transit and at rest, access controls, pseudonymisation where possible, and minimisation of payload contents to non-health metadata for the analytics path).
8a. For US Residents — State-Specific Rights
In addition to the rights set out in section 7, TriageHealth honours the following rights for US residents under applicable state privacy laws. These rights mirror — and are served by the same mechanisms as — the GDPR rights above. To exercise any of them, email info@triagemethod.com or use the in-app data export and deletion tools in your account settings.
8a.1 California (CCPA / CPRA)
California residents have the right to know what personal information we collect, to request access to and copies of that information, to request correction of inaccurate information, and to request deletion. You also have the right to limit the use of “sensitive personal information” (which includes health data under California law) to purposes necessary to provide the service you requested.
We do not sell or share your personal information for cross-context behavioural advertising (as those terms are defined in the CPRA). We do not discriminate against users who exercise their CCPA/CPRA rights.
8a.2 Washington (My Health My Data Act — MHMDA)
Washington residents (and any user whose “consumer health data” we process about activities in Washington) have the right to: (a) confirm whether we are processing their consumer health data, (b) access that data, (c) withdraw consent for its collection and processing, (d) request deletion of that data, and (e) appeal a refusal of any of the above. The health data you provide to TriageHealth (blood work, diet, symptoms, genetic variants, etc.) is “consumer health data” under MHMDA.
We do not sell consumer health data. All collection and processing is based on your explicit consent given at registration and in in-app consent flows, which you may withdraw at any time from your account settings.
8a.3 Nevada (SB 370) and other US states
Nevada residents have the right to opt out of the sale of their personal information. We do not sell any personal information.
Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Delaware, and other US states with comprehensive privacy laws have substantively similar rights (access, correction, deletion, portability, opt-out of targeted advertising and sale). We honour all of them through the same mechanisms described above.
8a.4 Appeals and complaints
If we decline a rights request and you believe we did so in error, you may appeal by replying to our denial email. If you remain dissatisfied with our response to your appeal, you may complain to your state Attorney General’s office. California residents may contact the California Privacy Protection Agency; Washington residents may contact the Washington State Attorney General.
8a.5 Not a HIPAA Covered Entity
TriageHealth is a consumer health education tool, not a medical device or healthcare provider, and is not acting as a HIPAA Business Associate for its direct users. The US health professionals who use TriageHealth (nutritional therapists, health coaches, functional medicine practitioners, personal trainers) are not typically HIPAA Covered Entities. If you are a licensed medical provider subject to HIPAA and wish to use TriageHealth with your patients, contact us at info@triagemethod.com before doing so.
9. Security
We implement the following security measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Strict access controls — health data is only accessible by the data subject and, where applicable, their designated healthcare professional.
- Audit logging of all health data access.
- Rate limiting and brute-force protection on authentication endpoints.
- Security headers (CSP, HSTS, X-Frame-Options).
- Regular security assessments.
9a. Incident Response & Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Irish Data Protection Commission within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach affects users in other EEA member states or in the UK, we will also notify the relevant supervisory authorities through the lead-authority mechanism.
- Notify affected users directly within 48 hours of identifying the scope of the breach, where the breach is likely to result in a high risk to your rights and freedoms (Article 34). This 48-hour commitment is tighter than the legal minimum (“without undue delay”) and reflects our judgement that users of a health-data service need fast notice to take protective action.
- Provide the nature of the breach, the categories of data affected, the likely consequences, the mitigation measures we are taking, and concrete steps you can take to protect yourself.
- Record every breach in an internal register per Article 33(5), regardless of whether notification was required, so our response can be audited by the supervisory authority on request.
10. Cookies & Analytics
We use essential cookies for authentication and session management. With your explicit consent, we also use Google Analytics 4 to understand how people use our service. No health data is ever shared with Google Analytics. You can opt out at any time via the cookie preferences banner or by visiting our Cookie Policy for details.
11. Children
TriageHealth is not intended for use by anyone under 18 years of age. The digital age of consent under Irish law (Data Protection Act 2018, section 31) is 16; the 18+ floor we apply is stricter than that minimum and reflects a deliberate product choice given the sensitivity of clinical-grade health data and the need for capacity to engage with educational interpretations of laboratory results. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us immediately at info@triagemethod.com and we will erase it.
12. Changes to This Policy
We will notify registered users of material changes via email at least 30 days before they take effect. Minor clarifications may be made without notice.
13. Contact
Data Protection Officer: Patrick Farrell — info@triagemethod.com
General enquiries: info@triagemethod.com
Registered office: Dublin, Ireland (full address on the public CRO record at core.cro.ie)