Advoca Health Ltd

Privacy Policy

Last updated: March 17, 2026

Your privacy is critically important to us. This Privacy Policy explains how Advoca Health Ltd (“Advoca,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects your personal data when you use our Advoca mobile application and related services (collectively, the “Services”). We are committed to being transparent about our data practices and ensuring you understand how your information is handled.

By using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and use of your information as described herein.

This Privacy Policy applies to users worldwide. If you are located in the United States, please review Section 12 (“Your US State Privacy Rights”) carefully, as additional rights and disclosures apply to you depending on your state of residence. If you are located in the United Kingdom or European Union, your rights under UK GDPR and EU GDPR are set out in Section 7. If you are a Washington State consumer, a separate Consumer Health Data Privacy Policy is also available and applies to you.

1. Who We Are

Advoca Health Ltd is a company registered in London, United Kingdom. We operate the Advoca mobile application, which acts as an appointment assistant for patients. Our Services help you record and summarise health-related appointments, explaining medical terms in simple language and providing links to official, verified information sources.

Advoca is not a medical device and is not regulated by the U.S. Food and Drug Administration (FDA). Advoca is not a covered entity or business associate under the U.S. Health Insurance Portability and Accountability Act (HIPAA). Data stored in Advoca does not constitute a designated record set under HIPAA. The protections described in this Privacy Policy are provided by Advoca directly and under applicable law.

You can contact us at:

Advoca Health Ltd London, United Kingdom Email: [email protected]

Please note that our team is based in the United Kingdom (GMT/BST timezone). We aim to respond to all enquiries within two (2) business days. For US-based users, please be aware that response times may be affected by the time zone difference; however, we commit to acknowledging all requests within one (1) business day and providing a substantive response within two (2) business days.

2. What Information We Collect

We collect different types of information, including personal data and sensitive health data, to provide and improve our Services.

(a) Appointment Data

This is the core data processed by Advoca and includes:

  • Audio Recordings: Live audio from your appointments recorded through the app, or audio from telephone appointments that you choose to upload. Please note, we do not store audio files on our backend servers; they are temporarily cached for processing and immediately deleted (see Section 4 for details). Audio is encrypted and stored locally on your device.
  • Transcripts: Raw and verified text versions of your audio recordings.
  • Summaries: AI-generated summaries of your appointments in simple language, created from the verified transcripts.
  • Associated Metadata: Data related to your appointment recordings and summaries (e.g., date, time).
  • Personal Data: Audio recordings and raw transcripts may contain personal data about you or others, including healthcare professionals present during your appointment. We employ processes to remove personal data from transcripts, but some may remain in verified transcripts and summaries.

(b) User Profile Data

When you register for our Services, we collect:

  • Account Information: Your email address and name, provided by Google or Apple authorisation services upon login. On Apple devices you have the option to remain anonymous and use a relay email address to hide your own — this does not prevent you from using all of Advoca’s features. These details are used for account management and essential communications from Advoca.
  • Attribution Information: When you click certain links and download Advoca we gather data on the link source, such as what social media or charity you were directed from.
  • Optional Health and Personal Data: You can choose to provide additional personal data, including sensitive health data such as your health conditions and ongoing investigations. This information is only used to help us understand our user base, tailor the application to you, and to improve our Services.

(c) Device and App Interaction

We collect certain technical information about your device and how you use the App to ensure the proper functioning, security, and management of our Services. This may include technical information about your mobile device (e.g., operating system, IP address) and data related to your interactions with the App for purposes such as monitoring for managing service performance and identifying violation of our terms. This data is also used to analyse our user engagement so we can improve our services.

(d) Anonymised Data

With your separate and explicit consent, we process certain data in a fully anonymised form. Once anonymised, this data is no longer considered personal data under applicable law, meaning it cannot be used to identify you.

3. How We Use Your Information (Purposes and Legal Basis)

We process your data for the following purposes. For users in the UK and EU, we rely on the specified lawful bases under UK GDPR. For users in the United States, we process data on the basis of your consent and as described in this Privacy Policy and our Terms and Conditions.

(a) To Provide Core Services

  • Purpose: To record, transcribe, and generate patient-friendly summaries of your health-related appointments. This helps you retain information, improves communication with carers, relatives, and healthcare professionals, and enables you to conduct further research.
  • Lawful Basis (UK/EU): Your explicit consent (UK GDPR Article 6(1)(a) and Article 9(2)(a)). This consent is obtained through a clear and accessible process within the App before you can use these features.
  • US Legal Basis: Your explicit, informed consent obtained through the App before you can use these features. This processing is strictly necessary to provide the service you have requested.

(b) For Account Management and Communications

  • Purpose: To manage your Advoca account and send you essential service-related communications. We gather your explicit consent before contacting you by email.
  • Lawful Basis (UK/EU): Your explicit consent for the Services, which includes the creation and management of your account.
  • US Legal Basis: Your explicit consent for the Services. We obtain affirmative consent before sending electronic communications, in accordance with the Electronic Signatures in Global and National Commerce Act (E-SIGN Act).

(c) To Understand Our Users and Improve Services

  • Purpose: To analyse our user cohort based on the data we gather on your interactions with the app, as well as the optional health and personal data you provide (e.g., age range, health conditions) to enhance the Advoca application and tailor our services to you.
  • Lawful Basis (UK/EU): Your explicit consent for the Service and to submit optional personal and health data.
  • US Legal Basis: Your explicit consent for the Service and to submit optional personal and health data.

(d) For Optional Anonymised Data Processing

  • Purpose: If you provide explicit consent (given separately), your data will be fully anonymised and may be used for research, development, and commercial purposes. This includes being shared with trusted partners to promote medical research, foster innovation in healthcare, and improve patient outcomes. It also includes internal use within Advoca to optimise the application.
  • Important: Once data is fully anonymised through our robust anonymisation pipeline, it can no longer be traced back to you or any individual. Anonymised data is not considered personal data under UK GDPR, EU GDPR, the California Consumer Privacy Act (CCPA), the Washington My Health My Data Act (MHMDA), or any other applicable privacy law. The sharing of fully anonymised data does not constitute a sale or sharing of personal information.
  • Lawful Basis (UK/EU): Your separate and explicit consent for this optional purpose.
  • US Legal Basis: Your separate and explicit consent for this optional purpose.

(e) For User-Initiated Sharing

  • Purpose: To enable you to share specific transcripts and summaries with other Advoca users you choose (e.g., carers, relatives).
  • Lawful Basis (UK/EU): Your explicit consent each time you choose to share data within the App.
  • US Legal Basis: Your explicit consent each time you choose to share data within the App.

(f) For Security and Service Management

  • Purpose: To monitor the Services for compliance with our Legal Terms, prevent fraud, troubleshoot technical issues, and ensure the proper functioning and security of the Services. This includes managing excessive data or system burdens.
  • Lawful Basis (UK/EU): Our legitimate interests in maintaining a secure and functional service, and where necessary, compliance with a legal obligation.
  • US Legal Basis: Our legitimate business interest in maintaining a secure and functional service, and compliance with applicable legal obligations.

4. How We Share Your Personal Data

We only share your personal data under specific circumstances and with robust safeguards in place:

(a) With Data Processors for Core Service Delivery

  • We use enterprise-grade cloud service providers to process audio into transcriptions and generate summaries. This processing occurs exclusively in the European Union region.
  • Zero Data Retention: Crucially, we have strict zero data retention policies in place with these processors. This means no audio or transcription data is stored by them; it is only processed and the output (transcription or summary) returned to us.
  • Data Processing Agreements: We have signed Data Processing Agreements (DPAs) with all our processors to ensure they comply with data protection laws and our strict privacy standards. These agreements meet the requirements of UK GDPR, and where applicable, the California Consumer Privacy Act (CCPA) service provider contract requirements, and the Washington My Health My Data Act (MHMDA) processor contract requirements.
  • Processor Contract Obligations: Under our binding processor contracts, processors may only process consumer health data in a manner consistent with the processing instructions we provide. Processors are contractually prohibited from using your data for any purpose other than performing the specific services we have engaged them to provide.

(b) With Data Processors for Analytics and Monitoring

  • We use a third-party service called PostHog to analyse app interactions and the personal data outlined in Section 3(c).
  • This data is stored and processed securely exclusively within the European Union.
  • PostHog cannot access, sell, or use your data for their own business — we simply use their software to understand how our app is being used so we can improve it.
  • We have signed a strict Data Processing Agreement (DPA) with PostHog that ensures they handle your data safely and strictly follow privacy laws.

(c) For Legal Obligations and Enforcement

  • In exceptional circumstances we may disclose your information where legally required to do so in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, or to enforce our Legal Terms.

(d) Third Parties and Affiliates

For transparency, the categories of third parties and specific affiliates with whom we share personal data are:

  • Microsoft Azure (Microsoft Corporation) — audio transcription processing (EU region, zero data retention)
  • Google Cloud Platform (Google LLC) — audio transcription, transcript processing and summary generation (EU region, zero data retention)
  • Supabase (Supabase Inc.) — database hosting and storage (United Kingdom).
  • PostHog (PostHog Inc.) — analytics processing (European Union)
  • Apple Inc. / Google LLC — authentication services (account login only)

We do not share personal data with any other third parties except as described above or as required by law.

We do not sell your personal data to third parties. We do not share your personal data for cross-context behavioural advertising.

5. How We Store and Secure Your Information

We are committed to protecting your personal data through stringent security measures:

(a) Storage Location

  • All your summary, transcript, appointment, and user profile data is permanently stored in a database server located entirely within the United Kingdom.
  • To ensure optimal performance and low latency for users located in the United States, your audio recording data is temporarily uploaded to US servers managed by our database provider, Supabase, then transferred to the UK. All data remains fully encrypted both in transit and at rest.
  • All data processing (audio transcription and summary generation) occurs exclusively in the United Kingdom and European Union.
  • Analytics data is processed and stored exclusively in the European Union by PostHog.

(b) International Data Transfers

Your personal data may transit through or be temporarily cached in multiple jurisdictions as part of normal service delivery. We ensure that all such transfers are protected by appropriate safeguards:

  • US to UK/EU transfers: Data from US-based users is transmitted to our UK and EU infrastructure for permanent storage and primary processing. This transfer is necessary to provide the Services you have requested and is conducted with end-to-end encryption (TLS 1.3) in transit.
  • UK to EU transfers: Conducted in accordance with UK GDPR Chapter V (Articles 44–49), based on appropriate safeguards under Article 46, and pursuant to the UK adequacy decision for the EU.
  • EU to UK transfers: Processing outputs (such as transcripts and summaries) are returned from EU processors to UK storage under the same safeguards described above.

 

By using the Services, you acknowledge and consent to the transfer of your data to the United Kingdom and European Union for storage and processing as described in this Privacy Policy. You understand that the United Kingdom and European Union maintain comprehensive data protection laws, including the UK GDPR and EU GDPR respectively.

(c) Security Measures

  • End-to-End Encryption: Data is encrypted both when it is in transit (between your device, our backend, and processors) and when it is at rest (stored in our database or temporarily cached). We enforce Transport Layer Security (TLS 1.3) for all data in transit.
  • Enterprise Cloud Services: We exclusively use enterprise-grade cloud services (Microsoft Azure, Google Cloud Platform, Supabase) with reputable state-of-the-art security controls.
  • Zero Data Retention: As noted in Section 4(a), our processors for sensitive data (audio, raw transcripts) operate under zero data retention policies.
  • Access Controls:
  • Application Access: The Advoca app enforces multi-factor authentication (MFA) and biometric identification (where supported by your device) for secure login.
  • Internal Access: We implement a Zero Trust architecture, strict Role-Based Access Control (RBAC), and mandate Two-Factor Authentication (2FA) for all developer and administrative access to our infrastructure services. Sensitive production access keys and variables are secured in enterprise cloud services key vaults.
  • Auditing and Monitoring: We implement auditable logging on our database and web console to monitor and audit database access.
  • Personal Data Minimisation: We use AI to greatly minimise your personally identifiable information being present in transcripts and summaries.
  • Anonymisation: When you consent for us to process your data for the purposes described in 3(d) we use a robust process to fully anonymise your transcripts and summaries. After this process it is not possible to trace this data back to you.

6. Important Notice Regarding Recording Laws

The core functionality of Advoca involves recording audio from appointments. It is critically important that you understand and comply with the recording laws that apply in your jurisdiction.

(a) Varying Consent Requirements

Recording laws vary significantly depending on where you are located. 

 

United Kingdom and European Union

Under the UK Data Protection Act 2018 and UK GDPR, individuals may record their own healthcare appointments for personal use under the "domestic purposes" exemption. However, when you use Advoca to record and process your appointment, the recording is handled by our platform — meaning UK GDPR applies to us as a data processor, and we treat your data accordingly, as described in this Privacy Policy.

This exemption covers strictly personal use. Sharing recordings publicly (such as on social media) removes this protection and can breach data protection and privacy law. If your recording captures third parties not involved in your consultation (e.g. other patients), their consent is required.

We still strongly recommend you inform and obtain consent from all parties before recording.

United States

In the United States, recording consent laws differ by state:

  • All-Party (Two-Party) Consent States: The following US states require the consent of all parties to a conversation before it may be recorded: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington. In these states, you must obtain the explicit consent of every person present in the appointment — including your healthcare professional(s) and any other attendees — before using Advoca to record. It is a criminal offense to not consent all involved parties in these states.
  • One-Party Consent States: Most other US states require only one party to the conversation (which may be you, the person recording) to consent. However, best practice is always to inform all parties that a recording is taking place.
  • Federal Law: Under federal law (18 U.S.C. § 2511, the Electronic Communications Privacy Act), one-party consent is sufficient. However, state laws may impose stricter requirements, and the stricter standard applies.

 

(c) Your Responsibility

You are solely and entirely responsible for ensuring that you comply with all applicable recording laws before using Advoca to record any appointment. This includes obtaining the informed consent of all parties to the conversation where required by law. Advoca provides the recording tool but does not and cannot verify that you have obtained the necessary consents. We strongly recommend that you:

  1. Inform your healthcare provider that you wish to record the appointment before the appointment begins.
  2. If any party objects to being recorded, do not use Advoca to record that appointment.
  3. Familiarise yourself with the recording laws in your state. If you are unsure, assume that all-party consent is required.

7. Your Data Rights (UK and EU Users)

If you are located in the United Kingdom or European Union, you have the following rights under UK GDPR and EU GDPR:

  • Right to Be Informed: This Privacy Policy serves to inform you about our data processing activities. We also provide clear information within the App before you consent to processing.
  • Right of Access: You can request a copy of all data associated with your account, including appointment summaries, transcripts, associated metadata, profile health data, personal data, and account data, in a machine-readable format, via the application.
  • Right to Rectification: You can modify your profile health and personal data directly in the app. You can also report any summary or transcript content as inaccurate and request rectification.
  • Right to Erasure (Right to Be Forgotten):
  • You can delete specific appointment data (summaries, transcripts, and associated metadata) from within the app. Access for any secondary users you have shared this data with will also be revoked.
  • You can delete all data associated with your account (appointment data, profile health data, personal data, and account data).
  • We will automatically remove all your information if your account is inactive for a continuous period of two (2) years.
  • Right to Withdraw Consent: You can separately give or revoke consent for Advoca to anonymise your data for the purposes stated in 3(d) at any time through the application. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal.
  • Right to Data Portability: This is covered by your right to request a local copy of your data in a machine-readable format.

To exercise any of these rights, please use the features within the Advoca application or contact us directly using the details provided in Section 15.

8. Data Retention

We retain your data for the following periods:

  • Summaries, Transcripts, and Associated Metadata: Retained for as long as your account is active or as needed to provide you with the Services.
  • User Profile Data (account information, optional health data): Retained for as long as your account is active or as needed to provide you with the Services.
  • Inactive Accounts: If your account remains inactive for a continuous period of two (2) years, we will remove all associated information, including summaries, transcripts, metadata, profile data, and account data.
  • Audio Files: Audio files are only temporarily cached on our backend servers and are immediately deleted once they have been processed. They are not stored on our servers long-term.
  • Device and App Interaction Data: Retained for as long as your account is active or as needed to provide you with the Services, and deleted upon account deletion or after two (2) years of inactivity.
  • Attribution Information: Retained for as long as your account is active or as needed to provide you with the Services, and deleted upon account deletion or after two (2) years of inactivity.
  • Anonymised Data: Once data has been fully anonymised, it is no longer considered personal data and is not subject to personal data retention rules.

9. Children’s Privacy

Advoca is not designed for or marketed to children. Our Terms of Service require that all account holders must be at least 18 years old. Persons under the age of 18 are not permitted to register for or independently use the Services.

(a) Appointments Concerning Children

We recognise that a parent or legal guardian may use Advoca to record and manage appointments that concern a child (a person under 18 years of age). In such cases:

  • The account holder must be an adult (aged 18 or older) with the legal authority to provide explicit consent on the child’s behalf for the processing of any personal data.
  • The parent or legal guardian is responsible for ensuring that the recording of any appointment involving a child complies with applicable recording consent laws (see Section 6).
  • Audio recordings and transcripts of a child’s appointment may contain personal data and sensitive health data about that child. This data is processed and protected in the same manner as all other appointment data described in this Privacy Policy.

(b) Compliance with the Children’s Online Privacy Protection Act (COPPA)

For users in the United States: Advoca does not knowingly collect personal information directly from children under 13 years of age. When a parent or legal guardian uses Advoca to record a child’s appointment, Advoca processes the child’s data solely on the basis of the parent or guardian’s verifiable consent, provided through the account registration and consent mechanisms within the App.

Parents and legal guardians have the right to:

  • Review the personal information collected from their child’s appointments via the App’s data access features.
  • Request deletion of their child’s personal information by deleting the data within the App or by contacting us.
  • Refuse to permit further collection of their child’s personal information by ceasing to use the recording feature for that child’s appointments or by deleting their account.

We maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from or about children, consistent with COPPA requirements. We do not collect more personal information than is reasonably necessary to provide the Services. We do not disclose children’s personal information to third parties except as described in Section 4 for the purpose of providing the Services.

If you believe we have collected personal information from a child under 13 without proper parental consent, please contact us immediately at [email protected] and we will take steps to delete such information.

10. Breach Notification

We take the security of your data extremely seriously. In the event of a breach of security involving your personal data or health information:

(a) US Users — FTC Health Breach Notification Rule

Advoca is subject to the Federal Trade Commission’s Health Breach Notification Rule (16 CFR Part 318), as a vendor of personal health records not covered by HIPAA. In the event of a breach of unsecured personally identifiable health information, we will:

  • Notify affected individuals without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the breach, or within thirty (30) days where required by applicable state law.
  • Notify the Federal Trade Commission contemporaneously with individual notifications where the breach affects 500 or more individuals.
  • Notify prominent media outlets serving the affected state or jurisdiction where the breach affects 500 or more residents of that state or jurisdiction.
  • Provide notifications that include: a brief description of the breach, the types of information involved, steps individuals should take to protect themselves, what we are doing to investigate and mitigate the breach, and contact information for further enquiries.

(b) US Users — State Breach Notification

All fifty US states and the District of Columbia have enacted data breach notification laws. We will comply with the breach notification requirements of every state in which affected individuals reside, including the shortest applicable notification timelines. Where a state requires notification to the state Attorney General or other regulatory body, we will provide such notification within the required timeframe.

(c) UK and EU Users

We will comply with our obligations under UK GDPR and EU GDPR regarding breach notification to supervisory authorities and affected individuals.

11. Your US State Privacy Rights

This section provides additional disclosures and rights for users who are residents of certain US states. These rights are in addition to the rights described elsewhere in this Privacy Policy.

(a) California Residents — CCPA/CPRA Rights

If you are a California resident, the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), provides you with the following rights regarding your personal information:

Right to Know: You have the right to request that we disclose the categories of personal information we have collected about you, the categories of sources from which we collected the information, the business or commercial purposes for collecting the information, the categories of third parties with whom we share the information, and the specific pieces of personal information we have collected about you.

Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.

Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.

Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale or sharing of your personal information. Advoca does not sell your personal information and does not share your personal information for cross-context behavioural advertising. We do not use cookies or other tracking technologies for advertising purposes. Data that has been fully anonymised (as described in Section 3(d)) cannot be traced back to any individual and is therefore not personal information subject to this right.

Right to Limit Use of Sensitive Personal Information: Health data is classified as sensitive personal information under CPRA. You have the right to limit our use of your sensitive personal information to what is necessary to provide the Services. Given that we only process your health data to provide and improve the Services, and with your explicit consent, our current processing is already limited to necessary purposes.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you the Services, charge you different prices, provide you with a different level of quality, or suggest that exercising your rights will result in any of these outcomes.

Notice at Collection: At or before the point of collection, we inform you of the categories of personal information we collect and the purposes for which they are used, as described in Sections 2 and 3 of this Privacy Policy.

Authorised Agents: You may designate an authorised agent to make a privacy request on your behalf. To do so, you must provide the authorised agent with written permission and verify your own identity directly with us, or provide the authorised agent with a power of attorney.

Global Privacy Control: We honour Global Privacy Control (GPC) signals as valid opt-out requests. We do not use cookie-based tracking or behavioural advertising technologies. If we detect a GPC signal from your browser or device, we will treat it as a valid request to opt out of any sale or sharing of personal information.

Response Timing: We will acknowledge your request within ten (10) business days and provide a substantive response within forty-five (45) calendar days of receiving your verifiable request. If we require more time (up to an additional forty-five (45) days), we will inform you of the reason and extension period in writing.

Categories of Personal Information Collected: For the purposes of CCPA, the categories of personal information we collect are: identifiers (name, email address, IP address); health information (audio recordings, transcripts, summaries, optional health profile data); internet or other electronic network activity information (app interaction data, device information); and geolocation data (general location derived from IP address).

Categories of Sensitive Personal Information Collected: Health data contained in audio recordings, transcripts, summaries, and optional health profile data.

(b) Washington State Consumers — MHMDA Rights

If you are a consumer in Washington State, the Washington My Health My Data Act (MHMDA) provides you with additional protections regarding your consumer health data. A separate, standalone Consumer Health Data Privacy Policy is available and applies to you in addition to this Privacy Policy. That policy is accessible via a separate link on our homepage and within the App.

Under MHMDA, you have the following rights:

Right to Confirm and Access: You have the right to confirm whether we are collecting, sharing, or selling consumer health data concerning you, and to access such data, including a list of all third parties and affiliates with whom we have shared your consumer health data and an active email address or other online mechanism to contact those third parties. A current list of our third-party processors and their contact information is provided in Section 4(d) of this Privacy Policy.

Right to Withdraw Consent: You have the right to withdraw your consent to the collection and sharing of your consumer health data at any time. You may withdraw consent by deleting your account through the App or by contacting us at [email protected]. Note that withdrawing consent will mean we can no longer provide the Services to you.

Right to Delete: You have the right to request deletion of your consumer health data. You can exercise this right through the App or by contacting us.

Appeals Process: If we refuse or are unable to act on a request you have made regarding your consumer health data, you may appeal our decision. To submit an appeal, please email [email protected] with the subject line “MHMDA Appeal” and include a description of your original request and the reason for your appeal. We will review your appeal and inform you in writing of our decision within forty-five (45) calendar days of receiving your appeal, including a written explanation of our reasons. If we deny your appeal, we will provide you with information on how to submit a complaint to the Washington State Attorney General, including the online complaint form available at https://www.atg.wa.gov/file-complaint.

(c) Other US State Rights

Several other US states have enacted comprehensive privacy laws that provide residents with rights to access, delete, and correct their personal data, and to opt out of certain processing activities. These states include, but are not limited to, Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Delaware, Iowa, Tennessee, Indiana, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Kentucky, and Rhode Island.

If you are a resident of a state with a comprehensive privacy law, we will honour your applicable rights as required by that law. To exercise your rights, please contact us at [email protected] or use the features within the App. We will respond to verified requests within the timeframe required by your state’s law.

12. Do Not Track and Global Privacy Control

Advoca does not use cookies, pixel trackers, or other tracking technologies for advertising or cross-context behavioural advertising purposes. We honour Global Privacy Control (GPC) browser signals as valid opt-out requests. Because we do not engage in tracking for advertising purposes, a Do Not Track or GPC signal will not change our processing of your data, as our processing is already limited to the purposes described in this Privacy Policy.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will provide you with prior notice of any scheduled changes to the Services you are using. Changes to this Privacy Policy will become effective seven (7) days after the notice is given, except if the changes apply to new functionality, security updates, and bug fixes, in which case the changes will be effective immediately. By continuing to use the Services after the effective date of any changes, you agree to be bound by the modified terms. If you disagree with such changes, you may terminate Services as per our Terms and Conditions.

14. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, or if you wish to exercise your data rights, please contact us at:

Advoca Health Ltd London, United Kingdom Email: [email protected]

Our team is based in the United Kingdom (GMT/BST timezone). We aim to respond to all enquiries within two (2) business days. For US-based users, we commit to acknowledging all requests within one (1) business day and providing a substantive response within two (2) business days during UK business hours (Monday–Friday, 9:00 AM – 5:30 PM GMT/BST).

For California residents: We will acknowledge your CCPA/CPRA request within ten (10) business days and provide a substantive response within forty-five (45) calendar days.

For Washington State consumers: We will respond to MHMDA requests within forty-five (45) calendar days, and to appeals within forty-five (45) calendar days.