1. INTRODUCTION

1.1 About This Policy

This Privacy Policy explains how TorabiSignals Ltd (“TorabiSignals”, “we”, “us”, or “our”) collects, uses, shares, and protects your personal data when you use our AI-powered cardiovascular signal analysis platform, including our website, mobile applications, smartwatch applications, and web dashboards (collectively, the “Service”).

We are committed to protecting your privacy and handling your data openly and transparently. This Policy should be read together with our Terms of Service, which are available on our website.

1.2 Data Controller

TorabiSignals Ltd is the data controller responsible for your personal data. We are a company registered in England and Wales (Company Number: 14652669) with our registered office at Kingston upon Hull, United Kingdom.

For any questions about this Privacy Policy or our data practices, please contact us at: info@torabisignals.com

1.3 Regulatory Framework

We process personal data in accordance with: the UK General Data Protection Regulation (UK GDPR); the Data Protection Act 2018 (DPA 2018); the EU General Data Protection Regulation (EU GDPR) for users in the European Economic Area; the Privacy and Electronic Communications Regulations 2003 (PECR); and other applicable data protection laws.

We are registered with the Information Commissioner’s Office (ICO) under registration number 14652669.

2. OUR PRIVACY-FIRST APPROACH

2.1 Signal Analysis Service Only

IMPORTANT: TorabiSignals operates fundamentally differently from traditional health data platforms. We are a signal analysis service only. When you submit ECG or PPG signals for analysis, we process them in real time, return the analysis results, and immediately discard the raw signal data. We do not build databases of your health signals. Apart from analysis results you explicitly choose to save (see section 3.3), we do not retain sensitive health information.

2.2 Data Minimisation Principles

Our approach is built on strict data minimisation:

• Cryptographic Hashing: All signal data processed through our systems is cryptographically hashed using industry-standard algorithms. Raw signal data cannot be reconstructed from these hashed values.

• No Permanent Storage of Raw Signals: We do not permanently store your raw ECG or PPG signal data. Signal data exists in our system only for the duration necessary to perform the analysis (typically seconds).

• Minimal Account Information: We collect only the minimum account information required to provide the Service — primarily your email address for authentication and essential communications.

• Analysis Results Are Yours: You control whether to save your analysis results. If you choose to save them, they are stored securely. If you don’t, they are not retained.

• No Sensitive Health Database: We do not maintain a database of sensitive health information. We cannot sell, share, or exploit health data we don’t have.

2.3 Privacy by Design

Our technical architecture implements privacy by design principles as required by Article 25 of the UK GDPR. Privacy protection is built into the foundation of our systems, not added as an afterthought. This includes: end-to-end encryption; automatic data deletion after processing; anonymisation techniques; access controls and audit logging; and regular privacy impact assessments.

3. WHAT PERSONAL DATA WE COLLECT

3.1 Data You Provide Directly

Account Registration Data: When you create an account, we collect your email address (required for authentication and communication), password (stored only as a secure hash — we never store plain text passwords), and optionally your name if you choose to provide it.

Profile Information (Optional): You may optionally provide additional profile information such as age range, general health goals, or device preferences. This information is used solely to improve your experience and is not required.

Payment Information: For paid subscriptions, payment processing is handled by our third-party payment provider, Stripe. We do not store your full credit card numbers, bank account details, or other sensitive payment information on our servers. We receive only a tokenised reference and basic transaction records.

Communications: If you contact us for support or other enquiries, we retain your communication and our responses to provide better service and maintain records as required.

3.2 Signal Data (Processed, Not Stored)

CRITICAL DISTINCTION: When you submit ECG or PPG signals for analysis, this data is processed in real-time to generate analysis results. The raw signal data is NOT permanently stored. It exists in our processing systems only for the brief period required to complete the analysis (typically a few seconds), after which it is automatically and irreversibly deleted. We retain only the analysis results if you choose to save them.

3.3 Analysis Results (User-Controlled)

Analysis results (such as heart rate data, rhythm classifications, and AI-generated insights) may be saved at your election. You control: whether to save results; how long to retain them; whether to share them (e.g., with healthcare providers); and when to delete them. Saved analysis results are stored securely with encryption at rest and are associated with your account.

3.4 Automatically Collected Data

Device and Technical Information: We automatically collect certain technical information when you use the Service, including: device type and operating system; browser type and version; IP address (anonymised after processing); general location (country/region level only, derived from IP); app version; and connection type.

Usage Information: We collect anonymised, aggregated usage statistics to improve the Service, including: feature usage patterns; analysis completion rates; app performance metrics; and error logs (anonymised). This data is used in aggregate form and is not linked to individual users.

3.5 Data We Do NOT Collect

To be absolutely clear, we do NOT collect or store:

• Your raw ECG or PPG signal data (processed in real time and immediately discarded; never stored)

• Your medical records or diagnoses

• Information about your healthcare providers

• Your precise GPS location

• Your contacts or address book

• Your photos, messages, or other personal content

• Biometric data for identification purposes

4. HOW WE USE YOUR PERSONAL DATA

4.1 Purposes of Processing

We use your personal data for the following purposes:

Purpose | Data Used | Lawful Basis
Provide signal analysis service | Signal data (processed, not stored), account data | Contract performance
Account management | Email, password hash, profile | Contract performance
Process payments | Payment tokens (via Stripe) | Contract performance
Store analysis results (if elected) | Analysis results only | Explicit consent
Send service communications | Email address | Contract / Legitimate interests
Improve service quality | Anonymised usage data | Legitimate interests
Security and fraud prevention | Technical data, IP (anonymised) | Legitimate interests
Legal compliance | As required by law | Legal obligation

4.2 Lawful Bases Explained

Contract Performance (Article 6(1)(b)): Processing necessary to provide the signal analysis service you have requested and to manage your account.

Explicit Consent (Article 6(1)(a) and Article 9(2)(a)): Saved analysis results are health-related data, which is a special category of personal data. Where we store such results at your election, we rely on your explicit consent. You can withdraw this consent at any time.

Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests in improving the Service, ensuring security, and preventing fraud, provided your rights do not override these interests.

Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal requirements, such as tax laws, anti-money laundering regulations, or lawful requests from authorities.

4.3 What We Do NOT Do With Your Data

We will NEVER:

• Sell your personal data to third parties

• Share your data with advertisers

• Use your health data for marketing purposes

• Create profiles for targeted advertising

• Share your data with insurance companies

• Share your data with employers

• Use your data in ways incompatible with this Policy

5. WHO WE SHARE YOUR DATA WITH

5.1 Service Providers

We share limited personal data with trusted service providers who assist us in operating the Service. These providers are contractually bound to protect your data and use it only for specified purposes:

• Cloud Infrastructure: We use secure cloud hosting services with data centres in the UK/EEA to store account data and analysis results.

• Payment Processing: Stripe processes payment transactions. They receive only payment information necessary to process your subscription.

• Email Services: We use email service providers to send transactional emails (password resets, receipts, etc.).

• Analytics (Anonymised Only): We use privacy-focused analytics tools that process only anonymised, aggregated data.

5.2 Healthcare Providers (Only With Your Consent)

If you choose to share your analysis results with a healthcare provider, we will facilitate this sharing only with your explicit consent. You control which results are shared, with whom, and for how long they can access them.

5.3 Legal Requirements

We may disclose your personal data if required to do so by law or in response to valid legal process (such as a court order or lawful subpoena). We will notify you of such requests where legally permitted to do so.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

5.5 No Sale of Personal Data

WE DO NOT SELL YOUR PERSONAL DATA. We have never sold personal data and have no plans to do so. This is a fundamental principle of our business.

6. INTERNATIONAL DATA TRANSFERS

6.1 Where Your Data Is Processed

We primarily store and process data in the United Kingdom and the European Economic Area (EEA). Our main data centres are located in the UK.

6.2 Transfers Outside UK/EEA

Where we transfer personal data outside the UK or EEA (for example, to service providers), we ensure appropriate safeguards are in place in accordance with Chapter V of the UK GDPR and EU GDPR. These safeguards include: Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO; adequacy decisions where the destination country ensures an adequate level of data protection; and binding corporate rules where applicable.

6.3 Your Rights Regarding Transfers

You have the right to obtain a copy of the safeguards we use for international transfers by contacting us at info@torabisignals.com.

7. DATA RETENTION

7.1 Retention Periods

We retain personal data only for as long as necessary for the purposes set out in this Policy:

• Raw Signal Data: NOT RETAINED. Processed in real-time and immediately deleted (within seconds).

• Account Data: Retained while your account is active, plus 30 days after account deletion to allow for reactivation.

• Analysis Results (if saved): Retained until you delete them or close your account. You control retention.

• Payment Records: Retained for 7 years after the transaction as required by UK tax law.

• Support Communications: Retained for 2 years to provide ongoing support and maintain service quality.

• Anonymised Analytics: May be retained indefinitely as it cannot be linked to individuals.

7.2 Account Deletion

When you delete your account: your profile information is deleted within 30 days; your saved analysis results are permanently deleted; your email address is removed from our live systems (copies may remain in backup archives for up to 90 days before they are purged); and payment records are retained only as required by law.

8. YOUR DATA PROTECTION RIGHTS

8.1 Rights Under UK GDPR and EU GDPR

You have the following rights regarding your personal data:

• Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to access a copy of that data.

• Right to Rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete data completed.

• Right to Erasure (Article 17): You have the right to have your personal data deleted in certain circumstances (“right to be forgotten”).

• Right to Restriction (Article 18): You have the right to restrict the processing of your personal data in certain circumstances.

• Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format.

• Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing.

• Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that significantly affect you.

8.2 Right to Withdraw Consent

Where we process your data based on consent (such as storing analysis results), you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal.

8.3 How to Exercise Your Rights

To exercise any of your rights, please contact us at info@torabisignals.com. We will respond to your request within one month. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension.

8.4 Right to Complain

If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO): Website: www.ico.org.uk; Telephone: 0303 123 1113. For EU users, you may also complain to your local Data Protection Authority.

9. DATA SECURITY

9.1 Technical Measures

We implement robust technical security measures to protect your data:

• Encryption at Rest: All stored data is encrypted using AES-256 encryption.

• Encryption in Transit: All data transmitted to and from our servers uses TLS 1.3 encryption.

• Cryptographic Hashing: Passwords and signal data are hashed using secure algorithms.

• Access Controls: Strict role-based access controls limit who can access data.

• Audit Logging: All access to sensitive systems is logged and monitored.

• Regular Security Testing: We conduct regular vulnerability assessments and penetration testing.

9.2 Organisational Measures

We also implement organisational security measures, including staff training on data protection, confidentiality agreements for all personnel, security incident response procedures, regular policy reviews, and vendor security assessments.

9.3 Data Breach Procedures

In the unlikely event of a personal data breach, we will: notify the ICO within 72 hours of becoming aware of the breach, where required; notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms; document the breach and our response; and take steps to contain the breach and mitigate any harm.

10. COOKIES AND SIMILAR TECHNOLOGIES

10.1 What Are Cookies

Cookies are small text files placed on your device when you visit our website or use our apps. They help us provide you with a better experience and understand how you use our Service.

10.2 Cookies We Use

• Essential Cookies: Required for the Service to function (e.g., authentication, security). These cannot be disabled.

• Functional Cookies: Remember your preferences (e.g., language, display settings). Optional.

• Analytics Cookies: Help us understand how users interact with the Service (anonymised). Optional.

10.3 Your Cookie Choices

You can manage your cookie preferences through: our cookie consent banner when you first visit; your browser settings; and your account settings within the app. Note that disabling certain cookies may affect functionality.

11. CHILDREN’S PRIVACY

The Service is intended for users aged 18 and over. Users aged 13-17 may use the Service only with verified parental or guardian consent. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13, we will take immediate steps to delete such data. If you believe we have collected data from a child under 13, please contact us at info@torabisignals.com.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any material changes by: posting the updated Policy on our website; sending an email to your registered address; or displaying a notice within the Service. The “Last Updated” date at the top indicates when the Policy was last revised. We encourage you to review this Policy periodically.

13. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please get in touch with us:

TorabiSignals Ltd

Kingston upon Hull, United Kingdom

Email: info@torabisignals.com

Company Number: 14652669