
Privacy Notice

Version 1.1

Effective date: June 2026

1. Plain-language summary

Health-Shared is operated by Axiom Medical Ltd. Health-Shared provides an online community platform, hosted infrastructure, community tools, moderation systems, educational content, patient activation resources, social prescribing or community referral support, peer-support spaces, and a curated archive of contributor-led health stories and lived health experience.

Health-Shared is not a medical service. We do not provide emergency care, medical advice, diagnosis, treatment, clinical triage, prescribing, regulated clinical services or a substitute for professional medical care.

Health-Shared communities may be created or supported by Health-Shared, GP practices, hospitals, healthcare providers, patient organisations, community organisations, charities, voluntary sector organisations, local groups, employers, educational organisations or other partners.

Some communities involve an organisation sharing limited information with Health-Shared so that Health-Shared can create a pending account or secure individual access link. Other communities involve no prior data sharing with Health-Shared. In those cases, a GP practice, healthcare provider, patient organisation, community organisation, local group, friend or other referrer may simply share a link, QR code, campaign message, email, SMS, poster, leaflet or invitation, and Health-Shared receives your information only if you choose to sign up, complete first access or provide your information yourself.

This Privacy Notice explains how we collect, use, store, share and protect personal data or personal information when people:

  • are invited to Health-Shared by a GP practice, primary care provider or family doctor;
  • are invited to Health-Shared by a hospital, NHS trust, healthcare provider, social prescribing service, care organisation or similar health or care organisation;
  • are invited by a community organisation, patient organisation, charity, voluntary sector organisation, local group, community partner, employer, educational organisation or other non-healthcare partner;
  • are invited through a link, QR code, campaign, event, email, SMS, social media post, community administrator, local group or friend referral where no personal information has been shared with Health-Shared before sign-up;
  • complete first access to a pending Health-Shared account;
  • sign up directly or self-refer;
  • join through a friend referral link;
  • use Health-Shared communities;
  • complete optional activation surveys or self-assessments;
  • contribute stories, media, interviews or community content;
  • contact us about privacy, moderation, rights, safety, complaints or support;
  • visit or use health-shared.com.

We do not sell personal data or personal information. We do not use personal data or personal information for unrelated advertising. We use personal data or personal information only for the purposes described in this Privacy Notice, our Terms and Conditions, community policies, project-specific notices, consent forms, data sharing agreements or other notices provided to you.

Because Axiom Medical Ltd is based in England and Wales, this Privacy Notice uses UK privacy terms such as “UK GDPR”, “personal data”, “controller”, “processor”, “Article 6” and “Article 9”. If you are outside the UK, similar or additional local privacy, health information, consumer protection or data protection laws may also apply to you.

2. Who we are

Health-Shared is operated by:

Axiom Medical Ltd
5 Saint Andrew's Road
London
NW11 0PH
United Kingdom

For privacy, data protection, moderation, contributor rights, safety, correction, restriction, removal, takedown or hardship requests, contact:

legal@health-shared.com

For general platform queries, contact:

info@health-shared.com

Where required, our Data Protection Officer or privacy lead can be contacted via legal@health-shared.com.

3. Scope of this Privacy Notice

This Privacy Notice applies to personal data or personal information processed by Axiom Medical Ltd in connection with Health-Shared.

It covers:

  • GP, primary care or family doctor invitation and pending account creation;
  • GP, primary care or family doctor invitations where no personal information is shared with Health-Shared before the person chooses to sign up;
  • hospital, NHS trust, healthcare provider, social prescribing service or care-provider invitation and pending account creation;
  • healthcare-provider invitations where no personal information is shared with Health-Shared before the person chooses to sign up;
  • community organisation, patient organisation, charity, voluntary sector organisation, local group, community partner, employer, educational organisation or other non-healthcare partner invitation;
  • direct invitation routes where no personal information is shared with Health-Shared before the person chooses to sign up;
  • link, QR code, event, campaign, social media, email or SMS invitation routes;
  • direct self-referral and self sign-up;
  • friend referral link sign-up;
  • account activation or first-access completion;
  • community membership;
  • community posts, comments, messages and participation;
  • healthcare professional, health worker or community contributor roles;
  • optional activation surveys and self-assessments;
  • patient activation, community activation, social prescribing, community referral or peer-support communities;
  • contributor stories, media and archive content;
  • research-interest capture or research awareness activity;
  • moderation, safety review, safeguarding and complaints;
  • analytics, security, audit logging and platform improvement;
  • supplier and subprocessor use;
  • legal, regulatory and governance records.

Some projects, communities, NHS/GP partner workflows, hospital workflows, healthcare-provider workflows, community organisation projects, patient organisation projects, charity or voluntary sector programmes, local group initiatives, research activities, contributor media activities or healthcare professional roles may have additional privacy information, consent forms, participant information sheets, data sharing agreements, DPIAs, HIPAA-related documents where applicable, business associate terms where applicable, community partner terms or other governance documents. Where those apply, they should be read together with this Privacy Notice.

This Privacy Notice is separate from our Terms and Conditions.

4. Health-Shared is not a medical service

Health-Shared provides educational, community, social prescribing or community referral, peer-support, patient activation and health literacy resources.

Health-Shared is not a healthcare provider, medical advice service, emergency service, diagnostic service, regulated clinical service, clinical triage service or substitute for professional medical care.

You should not rely on Health-Shared content for medical decisions. You should speak to a qualified healthcare professional before making, delaying, stopping or changing any health-related decision. In an emergency, contact emergency services immediately.

Some Health-Shared communities may include healthcare professionals, health workers, community health contributors or people with lived experience. Unless Health-Shared expressly states that a specific pathway is a verified clinical service, community participation remains educational and supportive only and does not create a doctor-patient, clinician-patient, provider-patient or other regulated clinical relationship with Health-Shared.

5. Adult-only participation

Health-Shared is intended for adults aged 18 or over.

You must be at least 18 years old to create an account, complete first access to an account, participate in a community, submit content, complete surveys or contribute stories or media.

We do not knowingly allow children to create accounts or contribute content. If we become aware that an account or contribution belongs to someone under 18, we may suspend or delete the account and remove, restrict or preserve associated records where appropriate for safety, legal, audit or safeguarding reasons.

6. The different ways you may come to Health-Shared

Health-Shared communities may be created or supported by Health-Shared, healthcare providers, GP practices, hospitals, patient organisations, community organisations, charities, voluntary sector organisations, local groups, community partners, employers, educational organisations or other partners.

Not every Health-Shared community involves a GP practice, hospital, healthcare provider or prior sharing of your personal information with Health-Shared.

In some cases, an organisation may share limited information with Health-Shared so that we can create a pending account or secure individual access link. In other cases, no personal information is shared with Health-Shared before you choose to sign up. You may simply receive a link, QR code, email, SMS, event invitation, campaign message, community invitation or friend referral link.

In this Privacy Notice, references to “activate”, “activation”, “account activation”, “first access” or “first-access completion” include completing the first-access pop-up, modal, sign-up confirmation or equivalent first-access step before proceeding into a Health-Shared community.

6.1 GP, primary care or family doctor pending-account route

Participating GP practices, primary care providers or family doctors may share limited information with Health-Shared so that eligible adult patients can be invited to join a Health-Shared Community of Practice.

The information we may receive from your GP practice, primary care provider or family doctor is:

  • your name;
  • your date of birth;
  • your email address;
  • your telephone number;
  • the name or identifier of the GP practice, primary care provider or referral source;
  • a limited eligibility or cohort marker, where needed to send the correct invitation or place you in the correct community.

We use this information to create a pending account record, generate a secure individual sign-up or access link, support the first-access process, and help operate the Health-Shared Community of Practice if you choose to proceed.

Your date of birth is used as a basic security check for your individual access link. Your email address and telephone number may be used for invitation, account setup, sign-up support and service-related patient activation messages.

Your Health-Shared account is not active unless you choose to click the link and complete the first-access step, including accepting the Health-Shared Terms and Conditions and being given access to this Privacy Notice. If you do not want to join, you do not need to take any action and this will not affect your GP, primary care, healthcare or NHS care relationship.

Before first access, Health-Shared processes your information on behalf of your GP practice, primary care provider or family doctor for the purpose of creating the pending account and secure access link, unless a project-specific notice or agreement explains a different role. Once you complete first access and proceed into the community, Health-Shared becomes responsible for operating your account and providing the Health-Shared service to you.

When you first follow the secure link, you may be taken directly to the relevant Health-Shared community, but you will not be able to proceed until you complete the first-access pop-up, modal or equivalent first-access step.

If you do not complete first access within 90 days of the invitation being sent, we will delete or minimise the pending account record, unless we need to retain a limited record for legal, audit, security, suppression or dispute-resolution purposes.

6.2 GP, primary care or healthcare invitation where no personal information has been shared with Health-Shared before sign-up

Some GP practices, primary care providers, family doctors, hospitals, healthcare providers or care organisations may create or support Health-Shared communities without sharing any personal information with Health-Shared before people choose to sign up.

For example, they may send or publish:

  • a public link;
  • a QR code;
  • a website link;
  • an email or SMS from their own system;
  • a poster or leaflet;
  • a waiting-room notice;
  • a social prescribing link;
  • an event invitation;
  • a campaign message.

In these cases, Health-Shared does not create a pending account for you and does not receive your registration details unless you choose to click the link and provide your information yourself.

If you choose to sign up or proceed, we collect information from you directly and use it to create and operate your account, support secure access, provide community access, send service-related communications and operate the Health-Shared platform.

The GP practice, healthcare provider or care organisation that sent or published the invitation is responsible for its own use of your contact details or other information when sending that invitation.

6.3 Hospital, NHS trust, healthcare-provider or care-provider pending-account route

Hospitals, NHS trusts, healthcare providers, care providers, social prescribing services, public health teams, health systems, clinics or other health and care organisations may invite eligible adults to join Health-Shared.

Where such an organisation shares limited information with Health-Shared before you sign up, we use it only for the purposes explained in the relevant invitation, project notice, partner notice or agreement, such as creating a pending account record and generating a secure individual access link.

The information we may receive may include:

  • your name;
  • your date of birth;
  • your email address;
  • your telephone number;
  • the name or identifier of the inviting organisation;
  • a limited eligibility or cohort marker, where needed to send the correct invitation or place you in the correct community.

Your account is not active unless you choose to click the link and complete the first-access step, including accepting the Health-Shared Terms and Conditions and being given access to this Privacy Notice. If you do not want to join, you do not need to take any action. Not joining Health-Shared will not affect your NHS, healthcare or care relationship.

Before first access, Health-Shared processes your information on behalf of the inviting healthcare provider or care organisation for the limited purpose of creating the pending account and secure access link, unless a project-specific notice or agreement explains a different role.

Once you complete first access and proceed into the community, Health-Shared becomes responsible for operating your account and providing the Health-Shared service to you.

When you first follow the secure link, you may be taken directly to the relevant Health-Shared community, but you will not be able to proceed until you complete the first-access pop-up, modal or equivalent first-access step.

If you do not complete first access within 90 days of the invitation being sent, we will delete or minimise the pending account record, unless we need to retain a limited record for legal, audit, security, suppression or dispute-resolution purposes.

6.4 Community organisation, patient organisation, charity, local group or other partner pending-account route

Community organisations, patient organisations, charities, voluntary sector organisations, local groups, community partners, employers, educational organisations or other non-healthcare partners may create or support Health-Shared communities.

In some cases, such an organisation may share limited information with Health-Shared so that we can create a pending account record, generate a secure individual access link, route you to the correct community, or support the invitation process.

The information we may receive may include:

  • your name;
  • your email address;
  • your telephone number;
  • the name or identifier of the inviting organisation;
  • the relevant community, group, programme or eligibility marker;
  • your date of birth, where needed for age assurance, eligibility, security gating or misidentification prevention.

Your account is not active unless you choose to click the link and complete the first-access step, including accepting the Health-Shared Terms and Conditions and being given access to this Privacy Notice.

If you do not want to join, you do not need to take any action.

Before first access, Health-Shared processes your information for the limited purpose explained in the relevant invitation, partner notice, community notice or agreement. Depending on the arrangement, Health-Shared may act on behalf of the inviting organisation for the pending-account stage, or may act as a controller or equivalent responsible organisation where Health-Shared determines the purposes and means of processing.

Once you complete first access and proceed into the community, Health-Shared becomes responsible for operating your account and providing the Health-Shared service to you.

If you do not complete first access within 90 days of the invitation being sent, we will delete or minimise the pending account record, unless we need to retain a limited record for legal, audit, security, suppression or dispute-resolution purposes.

6.5 Direct invitation where no personal information has been shared with Health-Shared before sign-up

Some Health-Shared communities are promoted or shared through direct invitation routes where Health-Shared does not receive your personal information before you choose to sign up.

For example, you may receive or see:

  • a public link;
  • a QR code;
  • an invitation from a GP practice, healthcare provider, community organisation, patient organisation, charity, voluntary sector organisation, local group or community partner;
  • an event invitation;
  • a campaign message;
  • a social media post;
  • a poster, leaflet or website link;
  • an email or SMS sent by an organisation using its own contact list;
  • a link shared by a friend or community member.

In these cases, Health-Shared does not create a pending account for you and does not receive your registration details unless you choose to click the link and provide your information yourself.

If you choose to sign up, we collect information from you directly and use it to create and operate your account, support secure access, provide community access, send service-related communications and operate the Health-Shared platform.

6.6 Direct self-referral or self sign-up route

You may choose to sign up to Health-Shared directly or self-refer into a Health-Shared community.

If you sign up directly, we collect information from you such as:

  • your name;
  • date of birth;
  • email address;
  • telephone number;
  • account credentials;
  • community preferences;
  • eligibility information;
  • any other information you choose to provide.

We use this information to create and operate your account, check eligibility where needed, support secure access, send service-related communications, provide community access, support patient activation activities and operate the Health-Shared platform.

Where direct self sign-up or self-referral relies on consent, we will ask you to take a clear action to confirm that you agree to the relevant processing. Once you complete first access and accept our Terms and Conditions, some processing will also be necessary to provide the Health-Shared service to you.

6.7 Friend referral link sign-up route

A Health-Shared member, community member or other person may share a Health-Shared referral link with you.

The preferred Health-Shared referral model is link-based. This means your friend or referrer shares a link with you, and Health-Shared does not create your account or process your registration details unless you choose to click the link and provide your information yourself.

A friend or referrer cannot consent on your behalf. You decide whether to sign up.

If you use a referral link and choose to sign up, we collect information from you directly and use it to create and operate your account, support secure access, provide community access, send service-related communications and operate the Health-Shared platform.

This is also an example of a direct invitation route where Health-Shared does not receive your personal information before you choose to sign up, unless a separate project-specific notice explains otherwise.

6.8 Project, research-awareness, community or partner route

Some users may come to Health-Shared through a project, public health initiative, research-awareness activity, social prescribing or community referral workflow, healthcare-provider initiative, hospital pathway, charity partner, patient organisation, community organisation, voluntary sector organisation, local group, employer, educational organisation, community programme or other partner arrangement.

Some of these routes may involve a partner sharing limited information with Health-Shared before you sign up. Other routes may involve no prior data sharing, with Health-Shared receiving your information only when you choose to sign up.

Where additional rules apply, you may receive extra privacy information, consent forms, participant information sheets, project information, data sharing notices, partner notices or partner terms.

7. What personal data or personal information we collect

Depending on how you use Health-Shared, we may collect and process the following categories of personal data or personal information.

7.1 Identity and contact data

This may include:

  • name;
  • date of birth;
  • email address;
  • telephone number;
  • account identifiers;
  • username or display name;
  • community membership identifiers;
  • GP practice, primary care provider, hospital, healthcare provider, patient organisation, community organisation, charity, local group or referral source, where relevant;
  • communication preferences;
  • consent and privacy notice acknowledgement records.

7.2 Account and access data

This may include:

  • account status;
  • pending account status;
  • first-access status;
  • login records;
  • authentication data;
  • password reset records;
  • security verification data;
  • role or permission status;
  • community access permissions;
  • user settings.

7.3 Health-Shared community data

This may include:

  • communities you join;
  • posts, comments, replies and reactions;
  • questions submitted;
  • content viewed or interacted with;
  • community roles;
  • peer-support activity;
  • moderation flags;
  • reports made by or about you;
  • community admin actions;
  • safety review records.

You should not post information about another person unless you have a lawful and appropriate basis to do so and it complies with our Terms and community rules.

7.4 Optional health, activation and self-assessment data

If you choose to complete optional activation surveys, self-assessments, health-related questionnaires, feedback forms or patient activation tools, we may collect information about:

  • your health and wellbeing goals;
  • lifestyle behaviours;
  • confidence in managing health;
  • activation score or self-assessment responses;
  • barriers to participation;
  • support needs;
  • community preferences;
  • feedback about the Health-Shared service.

These activities are voluntary unless a specific project notice says otherwise.

7.5 Contributor and media data

If you contribute stories, interviews, videos, audio, written materials, photographs, quotations or other media, we may process:

  • your identity and contact details;
  • biographical details;
  • health story or lived-experience content;
  • audio, video, image or transcript data;
  • contributor release records;
  • consent and permissions records;
  • publication and archive records;
  • editorial and moderation records;
  • rights request and takedown records.

Published archive content may be more widely available than private account information.

7.6 Healthcare professional, health worker or community contributor role data

If you request, self-declare, accept, are awarded or use a healthcare professional, health worker, community health contributor, moderator, community admin or similar role, we may process:

  • role request records;
  • self-declared professional or community status;
  • verification records, if applicable;
  • community admin decisions;
  • role permissions;
  • role-specific terms acceptance;
  • moderation and governance records.

A community-recognised role does not necessarily mean Health-Shared has verified your qualifications, registration, licence, employment, insurance, indemnity or professional status.

7.7 Technical, device and usage data

We may collect:

  • IP address;
  • browser type;
  • device type;
  • operating system;
  • pages visited;
  • time and date of access;
  • referral links;
  • log data;
  • security events;
  • error reports;
  • analytics events;
  • cookie and similar technology data, where applicable.

7.8 Communications and support data

This may include:

  • emails, forms or messages sent to us;
  • support requests;
  • privacy rights requests;
  • complaints;
  • moderation appeals;
  • safety reports;
  • copyright or takedown requests;
  • hardship requests;
  • call notes or meeting notes, where relevant.

7.9 Special category data and sensitive information

Some information processed by Health-Shared may be special category data under UK GDPR, or sensitive information under other privacy laws, especially if it reveals information about health, ethnicity, religion, sex life, sexual orientation, disability, genetic information or other sensitive matters.

Health-Shared communities are health-related, so even contact or account data may be processed in a health and care context. We take extra care with this information and use additional safeguards where required.

8. Where we get personal data or personal information from

We may receive personal data or personal information from:

  • you directly;
  • your GP practice, primary care provider or family doctor;
  • a hospital, NHS trust, healthcare provider, care provider, social prescribing service, public health team, clinic or health system;
  • a community organisation, patient organisation, charity, voluntary sector organisation, local group, community partner, employer, educational organisation or other non-healthcare partner;
  • a partner organisation involved in a social prescribing, patient activation, community health, peer support, public health, community activation or local support project;
  • community administrators or moderators;
  • Health-Shared platform tools;
  • authentication, hosting, analytics or communication systems;
  • people who report content, behaviour or safety concerns;
  • professional or role verification sources, where applicable;
  • public sources, where relevant and lawful;
  • research, partner or contributor workflows, where applicable.

In many invitation routes, Health-Shared does not receive your personal information from the inviting organisation. Health-Shared receives your information only if you choose to sign up, complete first access or provide your information yourself.

9. Why we use personal data or personal information

We use personal data or personal information for the following purposes.

9.1 Pending account creation and secure first access

Where an inviting organisation has shared limited information with us for this purpose, we may use GP-supplied, primary-care-supplied, hospital-supplied, healthcare-provider-supplied, community-partner-supplied or partner-supplied data to create pending accounts, generate secure access links, support first access, perform age or date-of-birth security checks where needed, and prevent misidentification or unauthorised access.

Not all invitations involve pending account creation. Where you join through a public link, QR code, friend referral, direct invitation or self sign-up route, Health-Shared may receive your information only when you choose to provide it.

9.2 Account creation and platform operation

We use personal data or personal information to create, maintain, secure and administer Health-Shared accounts, manage access, provide community tools, deliver service-related communications and support users.

9.3 Social prescribing, community referral, patient activation and community support

We use personal data or personal information to support access to health and wellbeing information, patient activation resources, peer-support communities, healthcare-provider-generated content, community organisation content, patient organisation content, community discussions and health literacy resources.

9.4 Service-related communications

We may use email, SMS, in-app messages or other service communications to send:

  • pending account or first-access links, where Health-Shared is responsible for sending them in a particular workflow;
  • sign-up support;
  • security notices;
  • service updates;
  • community notifications;
  • patient activation messages;
  • reminders about voluntary activities;
  • important changes to our Terms or Privacy Notice.

We do not use your information for unrelated advertising and we do not sell your personal data or personal information.

9.5 Community moderation, safety and governance

We use personal data or personal information to moderate content, review reports, enforce community standards, protect users, manage safeguarding concerns, prevent abuse, investigate misuse, handle appeals and maintain community integrity.

Moderation may involve automated, AI-assisted and human review. AI-assisted tools may help identify harmful, unsafe, unlawful, infringing, privacy-risk, clinical-risk or policy-breaching content. Final handling may involve human review where appropriate.

We do not use solely automated decision-making that has legal or similarly significant effects on you unless we have a lawful basis to do so and provide any required additional information.

9.6 Contributor stories, media and archive

Where you contribute stories, interviews, media or other materials, we use personal data or personal information to record, edit, publish, moderate, archive, display, distribute, preserve and manage the contribution in line with the relevant contributor release, media release, consent form, community rules or project terms.

Published archive content may remain available long term and is not automatically removed just because you later change your mind. We will consider rights requests, correction, restriction, anonymisation, contextualisation, de-indexing, removal and hardship requests case by case.

9.7 Optional activation surveys and self-assessments

We may invite you to complete voluntary activation surveys, self-assessments, feedback forms or community questionnaires.

We use this information to support patient activation, improve the community, evaluate engagement, identify common themes, improve resources and understand community needs.

Where survey responses include health-related or other special category data or sensitive information, we will rely on an appropriate condition or legal basis, such as explicit consent where required, unless a specific project notice explains another basis.

9.8 Analytics and service improvement

We use usage and analytics data to understand how the platform is used, improve features, detect errors, measure engagement, support community development, improve accessibility and maintain service quality.

Where possible, we use aggregated or pseudonymised information for analytics and reporting.

9.9 Security, audit and legal compliance

We use personal data or personal information to secure the platform, prevent misuse, investigate incidents, maintain logs, respond to legal requests, comply with regulatory duties, manage data protection rights, defend legal claims and keep appropriate audit records.

9.10 Aggregated reporting and partner learning

We may produce aggregated or anonymised reports about Health-Shared activity, community engagement, patient activation, service uptake or themes.

We do not provide identifiable user data to commissioners, funders, partners or third parties for unrelated purposes unless we have a lawful basis, appropriate transparency, and any required approvals or consent.

10. Lawful bases for processing

We rely on different lawful bases depending on the purpose and route by which your data is processed.

The UK GDPR lawful bases and Article 9 conditions below apply to UK-regulated processing and are included because Axiom Medical Ltd is based in England and Wales. If you are outside the UK, equivalent local privacy, health information or consumer protection rules may also apply.

10.1 Invitation and pending-account stage where an organisation shares information with Health-Shared

Where an organisation shares limited information with Health-Shared to create a pending account, route you to a community, or generate a secure access link, that organisation is normally responsible for selecting the people to invite and for identifying its own lawful basis or equivalent legal basis for sharing the information.

If the inviting organisation is a GP practice, hospital, NHS trust, healthcare provider, care provider, social prescribing service or other health and care organisation, it may rely on:

  • Article 6(1)(e) UK GDPR — public task; and
  • Article 9(2)(h) UK GDPR — health or social care, where information is processed in a health and care context.

If the inviting organisation is a community organisation, patient organisation, charity, voluntary sector organisation, local group, employer, educational organisation or other non-healthcare partner, it may rely on a different lawful basis, such as consent, legitimate interests, contract, legal obligation or another applicable basis under local law. The relevant partner notice, project notice or invitation should explain this where required.

In the pending-account stage, Health-Shared processes the information only for the limited purpose explained in the relevant invitation, partner notice, project notice or agreement, such as creating the pending account, routing you to the correct community, generating a secure access link, supporting first access and maintaining appropriate audit, security or suppression records.

Depending on the arrangement, Health-Shared may act on behalf of the inviting organisation for this limited stage, or Health-Shared may act as a controller or equivalent responsible organisation where Health-Shared determines the purposes and means of processing. The applicable arrangement may be explained in the project-specific notice, partner notice, data sharing agreement or data processing agreement.

10.2 Account first access and service operation

Once you complete first access to your Health-Shared account or community, Health-Shared processes your account and platform data as a controller or equivalent responsible organisation.

Depending on the processing activity, we may rely on:

  • Article 6(1)(a) — consent, where you have chosen to sign up directly, self-refer, complete first access, join through a referral link, or agree to specific optional processing;
  • Article 6(1)(b) — contract, where processing is necessary to provide the Health-Shared service under our Terms and Conditions;
  • Article 6(1)(c) — legal obligation, where processing is necessary to comply with legal duties;
  • Article 6(1)(f) — legitimate interests, where processing is necessary for platform security, moderation, service improvement, legal protection, audit, fraud prevention, misuse prevention, rights handling, or governance, and your interests and rights do not override those interests.

Where processing is carried out by or for a public-sector healthcare partner, social prescribing partner, healthcare provider or NHS-related project, the relevant healthcare partner may also rely on Article 6(1)(e) public task or an equivalent lawful basis for its own processing.

10.3 Direct self sign-up, self-referral, friend referral and direct invitation routes

Where you sign up directly, self-refer, join through a friend referral link, or join through a direct invitation route where Health-Shared did not receive your personal information before sign-up, we may rely on Article 6(1)(a) consent, or equivalent consent under applicable law, for registration, account setup, service-related onboarding and specific optional activities where consent is the chosen basis.

We may also rely on Article 6(1)(b) contract for processing necessary to provide the Health-Shared service after you accept our Terms and complete first access.

A friend, community member, community organisation, patient organisation, charity, local group or other referrer cannot consent on your behalf. You decide whether to sign up.

10.4 Special category data and sensitive information

Where we process special category data, such as health-related information, under UK GDPR we must identify both an Article 6 lawful basis and an Article 9 condition. Other countries may use different terms, such as sensitive information, health information, protected health information, consumer health data or similar terms.

Depending on the activity, we may rely on:

  • Article 9(2)(a) — explicit consent, for optional health-related surveys, self-assessments, user-provided health information, contributor stories or other sensitive information you choose to provide;
  • Article 9(2)(h) — health or social care, where processing is necessary for preventive health, health or social care, social prescribing or community referral, patient activation or management of health and care services, and the required confidentiality safeguards apply;
  • Article 9(2)(i) — public health, where a specific public health project requires this and appropriate safeguards apply;
  • Article 9(2)(j) — research, archiving or statistical purposes, where applicable and subject to appropriate safeguards;
  • Article 9(2)(f) — legal claims, where processing is necessary to establish, exercise or defend legal claims.

Where explicit consent is used, you can withdraw that consent at any time. Withdrawal does not affect processing carried out before withdrawal, and it may not automatically require removal of already published archive content where other lawful grounds apply.

11. Consent and explicit consent

We may ask for consent or explicit consent for certain activities, including:

  • direct self sign-up where consent is the chosen lawful basis;
  • self-referral where consent is the chosen lawful basis;
  • friend referral link sign-up where consent is the chosen lawful basis;
  • direct invitation routes where consent is the chosen lawful basis;
  • optional activation surveys;
  • optional health-related self-assessments;
  • contributor stories;
  • media publication;
  • research-interest capture;
  • certain community or partner activities;
  • non-essential cookies or analytics, where required.

Where we ask for consent, we will try to make it clear what you are consenting to. Where we ask for explicit consent for special category data or sensitive information, we will ask you to make a clear statement or take a clear action confirming that consent.

You may withdraw consent where consent is our lawful basis. You can contact us at legal@health-shared.com to do this.

Withdrawing consent may mean that some features are no longer available to you. It will not affect the lawfulness of processing carried out before withdrawal.

12. Service-related communications

We may send service-related communications by email, SMS, in-app notification or other appropriate channel.

Service-related communications may include:

  • pending account or first-access links, where Health-Shared is responsible for sending them in a particular workflow;
  • sign-up support;
  • account security messages;
  • password reset messages;
  • community updates;
  • service notices;
  • privacy or terms updates;
  • reminders about voluntary activation activities;
  • support messages;
  • safety or moderation notices.

These are not unrelated marketing messages.

Where we send direct marketing or promotional communications, we will only do so where we have an appropriate lawful basis and comply with applicable electronic communications rules. You can opt out of marketing communications at any time.

13. Optional activation surveys and self-assessments

Health-Shared may invite you to complete activation surveys or self-assessments at intervals.

These are voluntary unless a specific project notice says otherwise.

We may use responses to:

  • help you reflect on your own activation and wellbeing goals;
  • support community resources;
  • understand common themes;
  • improve Health-Shared;
  • support service evaluation;
  • produce aggregated or anonymised reports.

We do not use activation survey data to make automated decisions about your NHS care, healthcare access, insurance eligibility or healthcare-provider relationship.

If identifiable activation survey data is shared with a GP practice, primary care provider, hospital, healthcare provider, patient organisation, community organisation, commissioner, research partner or other third party, this will be explained in the relevant project notice, consent form, data sharing agreement or privacy information.

14. Community posts, comments and peer support

When you post, comment, reply, react or participate in a Health-Shared community, your content may be visible to other members of that community or to a wider audience depending on the community settings.

You are responsible for the content you submit. You should not post another person’s private, confidential, sensitive or health information unless you have a lawful and appropriate basis to do so.

We may moderate, restrict, remove, label, preserve, de-index or escalate content where this is necessary or appropriate for safety, privacy, legality, safeguarding, clinical risk, community governance, copyright, defamation, platform integrity or compliance reasons.

15. Contributor stories, media and archive content

Health-Shared may host and preserve contributor-led health stories, lived-experience materials, interviews, audio, video, written content and archive materials.

If you submit informal community content, you grant us rights to host, store, display, moderate, adapt and use that content for platform operation, community governance, safety and compliance.

If you take part in a formal media, interview, filmed, recorded or archive contribution, you may be asked to sign or accept a separate Media Contributor Release. That release may grant broader and longer-term rights.

Published archive content may be retained long term and may not be automatically removed if you later change your mind. We will consider correction, restriction, anonymisation, contextualisation, de-indexing, removal and hardship requests case by case.

16. Moderation, safety review and AI-assisted tools

Health-Shared may use human moderation, automated tools and AI-assisted tools to support safety, governance and moderation.

These tools may help identify:

  • harmful content;
  • unsafe health claims;
  • privacy risks;
  • safeguarding concerns;
  • self-harm or suicide-related concerns;
  • abuse, harassment or discrimination;
  • copyright or intellectual property concerns;
  • misinformation or clinical-risk content;
  • content that breaches community standards.

AI-assisted tools may support review, but final handling may involve human review where appropriate.

Moderation records, flags, decisions and escalation notes may be retained as restricted-access audit and safety records.

17. Research, patient activation, social prescribing and partner activities

Health-Shared may support:

  • patient activation;
  • social prescribing or community referral;
  • community-based health support;
  • moderated patient communities;
  • research awareness;
  • research-interest capture;
  • stakeholder learning;
  • health-system engagement;
  • public health or community health projects.

Research participation, NHS/GP workflows, hospital workflows, healthcare-provider workflows, community organisation workflows, patient organisation workflows, direct-care-related activities, social prescribing activity, patient activation projects or research recruitment activity may require separate privacy information, consent, data sharing agreements, DPIAs, ethics approval, institutional review board or ethics committee approval, partner governance approval, professional oversight or other safeguards.

Where separate documents apply, they should be read together with this Privacy Notice.

18. Cookies, analytics and similar technologies

Health-Shared may use cookies and similar technologies to operate the website, maintain security, remember preferences, support account access, understand platform use and improve the service.

Some cookies or technologies may be essential for the website or platform to work. Others, such as non-essential analytics, may require your consent.

Where required, we will provide a cookie banner or cookie settings tool so that you can manage non-essential cookies.

We may use analytics tools such as PostHog or similar services to understand usage, product performance and platform improvement needs.

19. Who we share personal data or personal information with

We may share personal data or personal information with the following categories of recipients where necessary and lawful.

19.1 Inviting organisations, community partners, GP practices, hospitals and healthcare providers

Where you were invited through a GP practice, primary care provider, hospital, healthcare provider, care provider, social prescribing service, health system, community organisation, patient organisation, charity, voluntary sector organisation, local group, community partner, employer, educational organisation or other partner, we may communicate with that organisation about matters covered by the relevant agreement, notice or project arrangement.

This may include invitation process, first-access status, objections, suppression requests, errors, data quality, security incidents, safeguarding concerns, community administration, moderation support or other matters needed to operate the relevant community or programme.

We will not routinely share detailed community participation, posts, optional survey responses or activation scores back to an inviting organisation unless this is explained in a project notice, you ask us to, safeguarding requires it, or another lawful basis applies.

Where you joined through a direct invitation route where no data was shared with Health-Shared before sign-up, we will not assume that the inviting organisation is entitled to receive information about your Health-Shared activity unless this is explained in a project notice, you ask us to, safeguarding requires it, or another lawful basis applies.

19.2 Community administrators and moderators

Community administrators, moderators and authorised staff may access relevant information to operate communities, support users, moderate content, manage safety concerns and enforce community rules.

19.3 Suppliers and subprocessors

We use suppliers and subprocessors to support hosting, storage, authentication, communications, analytics, search, moderation, security, support and platform operations.

Current supplier categories include:

  • cloud hosting and infrastructure;
  • database and backend services;
  • authentication services;
  • email and notification delivery;
  • SMS and communication delivery;
  • analytics;
  • search and indexing;
  • AI-assisted tools;
  • security, logging and monitoring;
  • professional advisers and legal support.

A current supplier and subprocessor list is provided in Section 28.

19.4 Commissioners, funders, partners and researchers

Where possible, reports to commissioners, funders, partners or researchers will be aggregated or anonymised.

We do not provide identifiable personal data or personal information to commissioners, funders, partners or researchers for unrelated purposes without a lawful basis, appropriate transparency, and any required approvals or consent.

19.5 Legal, regulatory, safety and professional bodies

We may share information where necessary with regulators, courts, law enforcement, professional advisers, insurers, auditors, safeguarding bodies, emergency services, NHS or healthcare organisations, healthcare systems, or other bodies where required or permitted by law.

20. International access and transfers

Health-Shared is operated by Axiom Medical Ltd in England and Wales, but users may access Health-Shared internationally.

Some suppliers may process or access personal data or personal information outside the United Kingdom. Where we transfer personal data internationally, we use appropriate safeguards where required, such as adequacy regulations, standard contractual clauses, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, transfer risk assessments, processor terms, business associate or service provider terms where applicable, and security measures.

Published content may be viewed, shared, indexed, embedded, quoted, translated or accessed from other countries. We may not be able to control screenshots, downloads, third-party shares, caches, search results, republications or other copies outside our control.

21. How we protect personal data or personal information

We use technical and organisational safeguards designed to protect personal data or personal information.

These may include:

  • access controls;
  • role-based permissions;
  • encryption in transit;
  • encryption at rest where appropriate;
  • authentication controls;
  • audit logs;
  • monitoring and security logs;
  • moderation controls;
  • supplier due diligence;
  • data processing agreements;
  • staff confidentiality obligations;
  • incident response procedures;
  • backup and recovery processes;
  • data protection impact assessments or similar privacy impact assessments where required.

No system can be guaranteed to be completely secure. You are responsible for keeping your login details confidential and for not sharing access to your account.

22. How long we keep personal data or personal information

We keep personal data or personal information only for as long as necessary for the purposes described in this Privacy Notice, unless a longer period is required or permitted for legal, regulatory, safeguarding, security, audit, research, archive, dispute-resolution or rights-handling purposes.

Our standard retention approach is set out below.

22.1 Pending accounts not activated or not accessed

If a pending Health-Shared account has been created for you and you do not complete first access within 90 days of the invitation being sent, we will delete or minimise the pending account record, unless we need to keep a limited record for legal, audit, security, suppression, dispute-resolution or data quality reasons.

This 90-day pending-account rule applies only where a pending account has been created before you sign up. It does not apply to public links, QR codes, campaign links, friend referral links or other direct invitation routes where Health-Shared has not received your personal information before sign-up.

22.2 Active account information

We keep account information while your account remains active.

If you delete your account or ask us to close it, we aim to delete or de-identify account information from live systems within 30 days, unless we need to retain information for legal, safety, moderation, audit, safeguarding, dispute-resolution, archive or compliance reasons.

22.3 Backup records

Deleted information may remain in encrypted backups for up to 90 days before being overwritten or deleted in the normal backup cycle.

22.4 Community posts and comments

Community posts, comments and replies may remain available unless removed, de-indexed, anonymised, restricted or deleted under our moderation, privacy, hardship or rights review process.

If you delete your account, we may anonymise, restrict or retain certain content where necessary for community integrity, safety, legal compliance, audit, archive, research integrity, or the rights of others.

22.5 Contributor and archive content

Published contributor stories, interviews, videos, audio, transcripts and archive materials may be retained long term in accordance with the relevant Media Contributor Release, contributor terms, consent record, publication agreement or archive policy.

Requests for correction, restriction, removal, anonymisation, contextualisation, de-indexing or hardship review will be assessed case by case.

22.6 Activation surveys and self-assessments

Optional activation survey and self-assessment data will normally be retained while your account remains active and for up to 6 years after the relevant programme or account relationship ends, unless anonymised earlier or a project-specific notice states a different period.

Where possible, we will use aggregated or anonymised data for longer-term evaluation and reporting.

22.7 Moderation, safety and safeguarding records

Moderation, safety, safeguarding, abuse, legal, privacy, rights request and complaint records may be retained for up to 6 years after the matter closes, or longer where necessary for serious safeguarding, legal, regulatory, audit or dispute-resolution reasons.

22.8 Security logs and audit records

Security logs, system logs and audit records are retained for periods appropriate to security, incident investigation, legal, audit and operational requirements. Typical retention is between 12 and 24 months unless a longer period is required for investigation, legal or security reasons.

22.9 Consent and privacy records

We keep records of consent, explicit consent, privacy notice versions, terms acceptance and withdrawal for as long as needed to evidence compliance, usually for the life of the account or relevant processing activity plus up to 6 years.

22.10 Suppression records

If you object, unsubscribe, withdraw consent or ask not to be contacted, we may retain a minimal suppression record to make sure we respect your request and do not re-contact you inappropriately.

23. Your rights

Depending on the circumstances and applicable law, you may have the right to:

  • be informed about how your personal data or personal information is used;
  • access your personal data or personal information;
  • ask us to correct inaccurate data;
  • ask us to erase or delete data;
  • ask us to restrict processing;
  • object to processing;
  • receive a copy of your data in a portable format;
  • withdraw consent where consent is the lawful basis;
  • opt out of certain processing where applicable;
  • complain to a supervisory authority, privacy regulator or other relevant authority;
  • challenge certain automated decisions, where applicable.

These rights are not absolute. They may depend on the lawful basis, the type of data, the purpose of processing, legal duties, safety considerations, archive considerations, the rights of others and whether the data has already been published.

To make a request, contact legal@health-shared.com.

We may need to verify your identity before acting on your request.

24. Account deletion, removal and archive requests

You may request account deletion by using the account tools provided on the platform in your account settings page.

Account deletion does not automatically remove:

  • published archive content;
  • media contributions covered by a Media Contributor Release;
  • content needed for safety, legal, moderation, archive, research integrity or community integrity reasons;
  • restricted audit records;
  • records required to handle complaints, rights requests, legal claims or safeguarding concerns.

If you ask us to remove, anonymise, restrict, de-index, correct or contextualise published content, we will review the request case by case.

25. Objections and opt-outs

If you were invited through a GP practice, primary care provider, hospital, healthcare provider, community organisation, patient organisation, charity, voluntary sector organisation, local group, community partner, employer, educational organisation or other partner, and you do not want to join Health-Shared, you do not need to take any action.

If a pending account was created for you and you want to object to further processing of that pending account record or future invitation, contact legal@health-shared.com or the organisation that invited you.

If you received only a public link, QR code, friend referral link, campaign message, community invitation or other direct invitation where no data was shared with Health-Shared before sign-up, Health-Shared will not receive your registration details unless you choose to provide them.

If you have completed first access to your account, you can manage your preferences, withdraw consent where applicable, request account deletion or contact us.

Where we rely on legitimate interests or a similar lawful basis, you may object to processing. We will consider the objection and stop processing unless we have compelling legitimate grounds or need to continue for legal claims or other lawful reasons.

26. Complaints

We hope you will contact us first so that we can try to resolve your concern.

Contact:

legal@health-shared.com

You also have the right to complain to the UK Information Commissioner’s Office if UK data protection law applies to you or to the processing.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
United Kingdom

Website: https://ico.org.uk
Telephone: 0303 123 1113

If you are outside the UK, you may also have rights to complain to a local data protection, privacy, consumer protection or health information regulator.

27. Changes to this Privacy Notice

We may update this Privacy Notice from time to time.

Where changes are material, we will take reasonable steps to notify users or make the updated notice available through Health-Shared.

If changes affect particular communities, roles, partner programmes, research activities, HCP-related permissions, contributor activities or patient activation workflows, we may provide additional notice or ask you to accept updated terms or consent wording before continuing to use those features.

28. Suppliers, subprocessors and data transfers

This section identifies the main suppliers and subprocessors that may support Health-Shared platform operation, hosting, communications, analytics, search, security, development and AI-assisted workflows.

This public list is not a replacement for Health-Shared’s internal supplier register, data processing agreements, data sharing agreements, DPIAs, asset register, risk register or information security records. Those internal records are maintained separately for audit, contract management and governance review.

A supplier is included below where Health-Shared evidence indicates that the supplier may process personal data or personal information or provide infrastructure that supports the Health-Shared service. Some suppliers may act as processors, subprocessors, independent controllers, service providers, business associates or similar roles depending on the service, configuration, country and use case.

Health-Shared does not publish signed contracts, credentials, internal architecture, audit logs, named developer access details, security records, risk assessments or individual workforce records on the public website. Those records are retained as restricted audit evidence.

Current supplier and subprocessor list

Google Cloud / Google LLC
  • Purpose: Cloud hosting, infrastructure, compute, storage, logging, backup, monitoring and security services for Health-Shared platform operation.
  • Personal data or personal information: Account identifiers, email/account data, community content, contributor/media records, moderation records, technical and audit logs, research-interest records and service data depending on the service used.
  • Country / location: UK data residency where configured; Google may process internationally under applicable contractual safeguards.
  • Notice / legal terms: cloud.google.com/terms/cloud-privacy-notice

Google Firebase / Firebase services
  • Purpose: Application backend services, authentication support, Firestore, storage-related application services and service logs.
  • Personal data or personal information: User account identifiers, authentication data, community/platform records, technical logs, service data and other application records depending on configured Firebase services.
  • Country / location: UK/EU data residency where configured; Google/Firebase may process internationally under applicable safeguards.
  • Notice / legal terms: firebase.google.com/support/privacy

PostHog
  • Purpose: Product analytics, usage measurement and platform improvement analytics.
  • Personal data or personal information: Usage events, device/browser data, page and product interaction events, limited account or pseudonymous identifiers, and analytics metadata.
  • Country / location: EU/UK/US or other configured hosting location depending on deployment and account settings.
  • Notice / legal terms: posthog.com/privacy

Algolia
  • Purpose: Search, indexing and retrieval functions within the platform.
  • Personal data or personal information: Indexed content, metadata, search records, object identifiers and limited user/query information depending on what Health-Shared configures for indexing.
  • Country / location: EU/US/global depending on configured data region and Algolia service arrangements.
  • Notice / legal terms: algolia.com/policies/privacy

OpenAI
  • Purpose: AI/API services, including content assistance, safety review, moderation support or AI-assisted workflows where approved.
  • Personal data or personal information: Prompts, content snippets, moderation inputs, outputs and related service metadata submitted through approved Health-Shared workflows.
  • Country / location: US/global processing under applicable contractual safeguards depending on service terms and configuration.
  • Notice / legal terms: openai.com/policies/privacy-policy

Twilio / SendGrid
  • Purpose: Email, notification and communication delivery, including delivery status and communication support.
  • Personal data or personal information: Email addresses, message metadata, delivery events, bounce records and communication content where configured.
  • Country / location: Global/US processing under Twilio contractual safeguards and subprocessor arrangements.
  • Notice / legal terms: twilio.com/legal/privacy

We review this supplier and subprocessor list at least annually, and whenever a new supplier is introduced, a supplier is removed, processing changes materially, data is transferred to a new location, or a DPIA, privacy impact assessment, NHS governance review, healthcare partner governance review or contractual review identifies a required update.

If Health-Shared makes a material change to subprocessors or similar suppliers that affects users, contributors, NHS/GP partners, healthcare partners, community partners or research partners, we will update this public page and, where required by contract or law, notify relevant parties through the appropriate governance route.

Questions about suppliers, subprocessors, privacy, data protection, international transfers or Health-Shared governance should be sent to legal@health-shared.com.

29. Contact details

For privacy, data protection, safety, correction, restriction, removal, account deletion, hardship, moderation, contributor rights, takedown or legal requests:

legal@health-shared.com

For general platform queries:

info@health-shared.com

Axiom Medical Ltd
5 Saint Andrew's Road
London
NW11 0PH
United Kingdom

Version 1.1 — Effective date: June 2026