Privacy Policy for Patiento

Last updated: 20 March 2026

Patiento Innovations Ltd (“Patiento”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data.

This Privacy Policy explains how we collect, use, store and protect personal data when you visit www.patiento.io, contact us, join a waitlist or pilot, or otherwise interact with us online.

It also explains, at a high level, how we intend to handle personal data in connection with the Patiento product and related pilot or research activities where applicable. Additional privacy information may be provided at the point of collection for specific activities.

1. Who we are

Controller
Patiento Innovations Ltd
2b Lyndhurst Grove, Derby DE21 6RX
Email: ewa.lobato@patiento.io
Website: www.patiento.io

Patiento is developing a patient-owned digital health wallet designed to help people securely store, organise and access important medical documents. Current project materials describe the product as privacy-by-design, offline-first, patient-controlled, and intended to support secure storage and organisation of medical documents.

2. What this policy covers

This policy applies to personal data collected through:

  • our website;

  • contact forms, email enquiries, partnership enquiries and demo requests;

  • pilot or waitlist expressions of interest;

  • limited website analytics and cookies, where used;

  • related communications with patients, carers, clinics, hospices, partners or researchers.

This policy does not replace any more specific privacy notice we may provide for:

  • a product pilot;

  • user testing or academic evaluation;

  • app account creation and app use;

  • health-document upload and storage;

  • research participation.

Where those apply, we will provide a separate or supplementary notice.

3. The personal data we may collect

Depending on how you interact with us, we may collect:

A. Identity and contact data

  • name;

  • email address;

  • phone number;

  • organisation name;

  • job title.

B. Enquiry and communications data

  • the contents of messages you send us;

  • information you provide through contact forms;

  • records of correspondence with you.

C. Website usage and technical data

  • IP address;

  • browser type and version;

  • device type;

  • operating system;

  • referral source;

  • pages viewed;

  • dates, times and duration of visits;

  • cookie identifiers and similar online identifiers, where used.

D. Marketing and preferences data

  • your communication preferences;

  • whether you want updates, pilot information or partnership contact.

E. Health or other sensitive data

If you contact us about the product, pilot, accessibility needs, or provide details about medical conditions or care circumstances, this may include health data, which is special category data under UK GDPR. The ICO states that health information is special category data and needs extra protection, with both an Article 6 lawful basis and an Article 9 condition identified for lawful processing.

We ask that you do not send full medical records or highly sensitive clinical documents through the website contact form or ordinary email unless we have specifically asked you to do so through an appropriate process.

4. How we collect personal data

We collect data:

  • directly from you when you fill in forms, email us, book a call, join a waitlist, or otherwise contact us;

  • automatically through cookies and similar technologies when you browse our website, where enabled;

  • from trusted service providers that support website hosting, forms, analytics, scheduling, email communications or CRM tools;

  • occasionally from publicly available sources such as company websites or professional profiles where you contact us in a business capacity.

5. How we use your personal data

We may use your personal data to:

  • respond to your enquiries;

  • provide information about Patiento, our services, pilots or partnerships;

  • assess expressions of interest in pilots, partnerships or collaborations;

  • manage communications with patients, carers, clinicians, providers, investors, researchers or partners;

  • improve our website, content, usability and user experience;

  • maintain website security and prevent misuse;

  • comply with legal, regulatory and governance obligations;

  • establish, exercise or defend legal claims;

  • plan, deliver or evaluate product development, pilot readiness, compliance readiness or research participation where appropriate.

Current Patiento project materials also describe planned compliance, data protection, clinical safety and evaluation work, including DPIA, lawful basis documentation, privacy notices, RoPA, and academic evaluation support.

6. Our lawful bases

UK privacy notices should state the lawful basis relied on for processing.

We generally rely on one or more of the following lawful bases under Article 6 UK GDPR:

A. Legitimate interests

We may process your data where necessary for our legitimate interests, including:

  • operating and improving our website;

  • responding to business, partnership or general enquiries;

  • managing our communications;

  • improving our product, content and services;

  • protecting our business, systems and users.

When we rely on legitimate interests, we consider your rights and interests and make sure our use is proportionate.

B. Consent

We may rely on consent where:

  • you opt in to receive marketing or updates;

  • you voluntarily provide certain information;

  • we use non-essential cookies or similar technologies, where consent is required.

You can withdraw consent at any time.

C. Contract

Where relevant, we may process your data because it is necessary to take steps at your request before entering into a contract, or to perform a contract with you or your organisation.

D. Legal obligation

We may process personal data where necessary to comply with legal or regulatory obligations.

7. Special category data, including health data

If we process health information or other special category data, we will only do so where we have both:

  • a lawful basis under Article 6 UK GDPR; and

  • a valid condition under Article 9 UK GDPR.

Depending on the context, the Article 9 condition may include:

  • your explicit consent;

  • processing necessary for the establishment, exercise or defence of legal claims;

  • another condition permitted by applicable data protection law.

For website enquiries, we usually aim to avoid collecting unnecessary health data. If special category data is collected unexpectedly through an enquiry, we will handle it carefully, minimise use, and retain it only where necessary.

8. Cookies and similar technologies

We may use cookies and similar technologies on our website.

The ICO explains that cookies and similar technologies are regulated by PECR, and non-essential uses generally require consent.

We may use:

  • Strictly necessary cookies to make the website function properly.

  • Analytics cookies to understand how visitors use the website and improve performance.

  • Preference cookies to remember settings, where relevant.

Where required, we will ask for your consent before placing non-essential cookies on your device.

You can also manage cookies through your browser settings. Blocking some cookies may affect website functionality.

9. Marketing communications

We may send updates about Patiento, our pilots, partnerships, product developments or events where:

  • you have asked to receive them;

  • you have consented; or

  • we are otherwise permitted by law.

You can opt out of marketing communications at any time by:

  • clicking “unsubscribe” in emails, where available; or

  • contacting us at ewa.lobato@patiento.io.

10. Sharing your personal data

We do not sell your personal data.

We may share your data with trusted service providers and professional advisers where necessary, such as:

  • website hosting providers;

  • email and communications platforms;

  • form and CRM providers;

  • analytics providers;

  • scheduling providers;

  • IT, development, compliance, legal, security or regulatory advisers;

  • academic or research partners, where relevant and appropriately governed;

  • regulators, authorities or courts where required.

Patiento’s current project documents also describe the involvement of software, compliance/cybersecurity, and academic evaluation partners in development and governance.

All third parties are expected to process personal data only on appropriate instructions and with suitable confidentiality and security safeguards.

11. International transfers

We aim to use providers that store and process data in the UK or EEA where possible. Project materials currently describe UK-based suppliers for the proposed project delivery.

If personal data is transferred outside the UK, we will ensure appropriate safeguards are in place, such as:

  • adequacy regulations;

  • the UK International Data Transfer Agreement;

  • the UK Addendum to EU Standard Contractual Clauses; or

  • another lawful transfer mechanism.

12. Data security

We take appropriate technical and organisational measures to protect personal data.

Patiento’s materials describe a privacy-by-design, secure, offline-first architecture, with encrypted local storage, biometric security, cybersecurity testing, and planned Cyber Essentials and governance workstreams.

Website and organisational measures may include:

  • access controls;

  • secure hosting;

  • encryption in transit where appropriate;

  • password protection and authentication controls;

  • monitoring and vulnerability management;

  • restricted access to personal data;

  • confidentiality obligations for staff and contractors.

No online transmission or storage method is completely secure, but we work to reduce risk appropriately.

13. Data retention

We keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including to satisfy legal, regulatory, tax, accounting, security or reporting requirements.

Typical retention periods may include:

  • general enquiries: up to 12–24 months after the last meaningful contact;

  • business development / partnership communications: up to 24 months after the last contact;

  • marketing records: until you unsubscribe or ask us to stop, plus a limited suppression record to respect your preference;

  • website analytics data: according to the settings of the relevant analytics tool;

  • pilot, testing or research data: according to the specific notice provided for that activity.

We may keep data longer where required by law, for legal claims, or for legitimate governance and audit purposes.

14. Your data protection rights

Depending on the circumstances, you may have the right to:

  • be informed about how your data is used;

  • access your personal data;

  • have inaccurate data corrected;

  • have your data erased;

  • restrict processing;

  • object to processing;

  • data portability;

  • withdraw consent where processing is based on consent;

  • complain to the Information Commissioner’s Office (ICO).

The ICO is the UK regulator for data protection and privacy law.

To exercise your rights, contact us at: ewa.lobato@patiento.io

We may need to verify your identity before responding.

15. Complaints

If you have concerns about how we use your personal data, please contact us first and we will try to resolve the issue.

You also have the right to complain to the Information Commissioner’s Office (ICO).

16. Children

Our website is not directed at children, and we do not knowingly collect personal data from children through the website without an appropriate lawful basis and safeguards.

If you believe a child has provided personal data to us through the website inappropriately, please contact us.

17. Third-party links

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. Please read their privacy policies separately.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our website, technology, services, legal obligations or data processing practices.

We encourage you to review this page periodically.

19. Contact us

If you have any questions about this Privacy Policy or how we handle personal data, please contact:

Patiento Innovations Ltd
2a Lyndhurst Grove, Derby DE21 6RX
Email: ewa.lobato@patiento.io