Privacy Policy

Last updated: 11 January 2026

1. Who We Are

TestPlain is operated by Aryash Health. We are the data controller for the personal data processed through this service. Our Clinical Safety Officer is Dr Krishnan Pasupathi (GMC: 6050795).

2. Data Minimisation Approach

TestPlain is designed to collect the minimum data necessary. We deliberately avoid collecting identifiable patient data.

We Collect:

  • Patient first name only
  • Patient age
  • Test type and value
  • Known condition flags
  • Staff/GP user accounts

We Do NOT Collect:

  • NHS numbers
  • Patient surnames
  • Dates of birth
  • Addresses
  • Contact details

3. Lawful Basis for Processing

We process data under:

  • Article 6(1)(f) GDPR — Legitimate interests (supporting healthcare delivery)
  • Article 9(2)(h) GDPR — Healthcare purposes for health data

4. How We Use Your Data

  • Generate personalised patient education content
  • Maintain audit trails for clinical governance
  • Authenticate users and manage access
  • Improve the service based on usage patterns

5. Data Security

  • All data transmitted via HTTPS/TLS encryption
  • Database hosted in EU region (Supabase) with encryption at rest
  • Role-based access control (Staff vs GP permissions)
  • Row Level Security in database
  • Complete audit logging of all actions
  • Individual user accounts — no shared logins

6. Data Retention

Entry data is retained for audit purposes in line with NHS records management guidelines. User accounts remain active until deactivated by the practice. You may request deletion of your account data by contacting us.

7. Data Sharing

We do not sell or share patient data. Limited sharing occurs with:

  • Supabase — Database hosting (EU region, GDPR compliant)
  • Vercel — Application hosting
  • Anthropic — AI processing (no patient data sent to AI)

Note: Our template system means no identifiable patient data is sent to AI services.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure (where applicable)
  • Restrict processing
  • Request data portability
  • Object to processing
  • Lodge a complaint with the ICO

9. Cookies

TestPlain uses essential cookies only for authentication and session management. We do not use tracking or advertising cookies.

10. Contact Us

For privacy queries or to exercise your rights:
Aryash Health
Email: privacy@aryash.health

You may also contact the Information Commissioner's Office (ICO) at ico.org.uk

The full Data Protection Impact Assessment is available on our Governance page.