Privacy Policy
Last updated: 16 May 2026
1. Who we are
MyPKU (“we”, “us”, “our”) is operated at mypku.co.uk. We are the data controller for personal data processed through this platform.
Legal entity: MyPKU Ltd, a company registered in England and Wales (Company No. 17196934). Registered office: International House, 55 Longsmith Street, Gloucester, GL1 2HT, United Kingdom.
For any data protection question, including a request to access, correct, or delete the personal data we hold about you, contact our Data Protection Lead at privacy@mypku.co.uk.
We have not appointed a statutory Data Protection Officer (DPO) under UK GDPR Art. 37 as we have assessed that the conditions requiring one are not currently met. We will review this if the scale of our processing changes.
You may also contact the UK Information Commissioner's Office (ICO): ico.org.uk
2. What data we collect
Account data: When you register we collect your name, email address, username, and password (stored securely via AWS Cognito).
Health data (special category): With your explicit consent, we collect:
- PKU diagnosis date and type
- Daily phenylalanine (Phe) limit and unit
- PKU blood-level test results (date, value, method, notes)
Profile data (optional): date of birth, gender, address, phone number, and profile picture.
Social content: Posts and comments you publish to the MyPKU community.
Subscription and payment data: Subscription tier (processed by Stripe; we do not store card details).
Shop order data: When you purchase a physical product, we store your name, email address, shipping address, order amount, and product purchased in order to fulfil your order and handle any returns or refunds.
Technical data: Session tokens and IP address required to operate the service securely.
3. Why we process your data (lawful basis)
| Purpose | Lawful basis |
|---|---|
| Account management and authentication | Contract (Article 6(1)(b)) |
| Processing your health data (PKU records) | Explicit consent (Article 9(2)(a)) |
| AI analysis of blood test results (special category) | Explicit consent (Article 9(2)(a)) |
| Community social features (posts, comments) | Legitimate interests / Contract |
| AI/LLM training using social content (with in-app notice) | Legitimate interests (Article 6(1)(f)) |
| Payment processing via Stripe | Contract |
| Shop order fulfilment (name, email, shipping address) | Contract (Article 6(1)(b)) |
| Data sharing with nominated recipients | Explicit consent |
| Service improvement and security | Legitimate interests |
4. How long we keep your data
We retain your personal data for as long as your account is active. When you delete your account (via the Data & Privacy section of your profile), the following happens immediately:
- Your profile and all personal data are permanently deleted.
- All PKU test results are permanently deleted.
- Your account is removed from our authentication system (AWS Cognito).
- Your community posts and comments are anonymised. The content is retained to preserve the integrity of community discussions, but your name and identity are replaced with “[deleted]”. No information that identifies you as the author is retained.
In exceptional cases (e.g. a system error during deletion) we will complete the erasure within 30 days and you can contact us at privacy@mypku.co.uk to confirm. Financial transaction records are retained for 6 years as required by law.
5. Who we share your data with
We do not sell your personal data. We share it only with:
- AWS (Amazon Web Services). Cloud infrastructure, authentication (Cognito), storage, and AI processing. All data is stored and processed in the UK (eu-west-2 / London).
- MongoDB Atlas (MongoDB Limited). Managed cloud database used to store your account data, PKU records, blood test results, community posts, and related metadata. Your production data is hosted on a dedicated cluster in the United Kingdom (eu-west-2 / London). MongoDB Atlas processes your data under a Data Processing Addendum and applies encryption at rest and in transit.
- Amazon Bedrock (AWS AI service, eu-west-2 / London). Powers three AI features within the platform:
  - Blood test result summaries: when you request an AI summary of your results, your test dates, Phe values, test method, and any notes you have added are sent to an AI model (Anthropic Claude Sonnet 4.6, accessed via Amazon Bedrock) to generate a plain-language recap of your diary.
  - Community image moderation: images you upload to the social community are sent to the same model to check they are appropriate before being published.
  - Food ingredient analysis: when you use the ingredient analysis feature, the ingredient list text from a food product is sent to the same model to identify ingredients that may be unsuitable for PKU management.
- Stripe. Payment processing for subscriptions and shop purchases. When you buy a physical product, Stripe shares your name, email, and shipping address with us to fulfil your order. Although we contract with Stripe Payments UK Ltd as the UK entity, Stripe processes personal data through its group companies including Stripe, Inc. in the United States. These transfers are made under the safeguards set out in Stripe's Data Processing Agreement (the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, and the UK-US Data Bridge where applicable). See Stripe's Privacy Policy.
- Umami Cloud (Umami Software, Inc.). Cookieless web analytics used to understand which pages and features are most used, so we can improve the service. Umami collects only page URLs, referrer, browser and operating-system type, and country (derived from your IP address, which is hashed and immediately discarded). It also receives the names of feature-usage events we fire from our own code (for example, “barcode-scanned”), together with non-identifying metadata such as the number of items in a list. No account identifier, email address, blood test result, or other health data is ever sent to Umami. Analytics data is hosted in Umami's European Union (Germany) region. Umami Software, Inc. is a US-incorporated company; the operator-level transfer to the United States is made under the safeguards in Umami's Data Processing Agreement (the UK International Data Transfer Addendum to the EU Standard Contractual Clauses). Because Umami sets no cookies and writes nothing to your browser storage, this processing falls outside the consent requirements of PECR.
- Other MyPKU users. Only where you have explicitly granted data-sharing permissions in your profile.
We require all third-party processors to handle your data in accordance with UK GDPR and to implement appropriate security measures.
6. International transfers
Account, health, and community data. All routine processing of your account data, PKU records, blood test results, AI summaries, and community content takes place within the United Kingdom. AWS services (authentication, storage, AI inference via Amazon Bedrock, and email delivery) run in eu-west-2 / London. Your data is held on MongoDB Atlas in eu-west-2 / London. No international transfer safeguards are required for these flows.
Payments and shop checkout (Stripe). Stripe Payments UK Ltd is the UK entity we contract with, but Stripe processes payment and customer data through its group companies, including Stripe, Inc. in the United States. These transfers are subject to the safeguards set out in Stripe's Data Processing Agreement, specifically the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (the “UK IDTA”), and the UK Extension to the EU-US Data Privacy Framework (the “UK-US Data Bridge”) where the recipient is certified. The data transferred is limited to what is required for payment processing: name, email, billing and shipping address, and the transaction details associated with your subscription or shop order. Card data is processed by Stripe directly and is never transmitted to or held by MyPKU.
Sub-processors. AWS, MongoDB Atlas, and Stripe each maintain a published list of their sub-processors and bind them to equivalent contractual protections. Each provider's Data Processing Addendum is on file with us. Links to the current sub-processor lists are available on request from privacy@mypku.co.uk.
7. AI features
MyPKU offers AI-powered features to help you understand your own data. These are optional and require your explicit consent.
Blood test result summary: When you request an AI summary, your blood test records (dates, Phe values, method, and notes) are sent to an AI language model to generate a plain-English recap. This summary is a diary-style overview of your own recorded data; it is not medical advice and does not diagnose, prescribe, or recommend treatment changes. Your metabolic team remains responsible for clinical decisions.
Community image moderation: Images uploaded to the social community are automatically checked by an AI model before publication to ensure they are appropriate for the platform.
Food ingredient analysis: When you use the ingredient analysis feature in food search, the ingredient list text from a food product is sent to an AI model to identify ingredients that may be problematic for PKU management. This is a convenience tool only and is not a substitute for reading labels or seeking professional dietary advice.
All three features use Anthropic Claude Sonnet 4.6, accessed via Amazon Bedrock in eu-west-2 (London). Your data is not retained by Amazon Bedrock after processing and is not used to train AI models.
Withdrawing consent. You can withdraw consent at any time:
- For AI features: stop using the feature, then email us at privacy@mypku.co.uk to confirm the withdrawal. AI features are opt-in per request, so simply not requesting an AI summary or analysis means no further AI processing of your data takes place. This does not affect your ability to use other features of the platform.
- For health data more broadly: you can delete specific records (or your entire profile) via the Data & Privacy section of your profile, or email us at privacy@mypku.co.uk to withdraw consent for ongoing processing without deleting your account. We will action the request within one calendar month and confirm by email.
Withdrawing consent does not affect the lawfulness of processing that took place before withdrawal. Where you have withdrawn consent for ongoing processing of your health data, we will stop processing that data unless we have an alternative lawful basis to retain it (for example, a legal obligation), in which case we will tell you what that basis is.
8. Your rights
Under UK GDPR you have the right to:
- Access. Request a copy of the data we hold about you.
- Rectification. Correct inaccurate data.
- Erasure. Permanently delete your account and associated data (“right to be forgotten”). This can be done immediately via the Data & Privacy section of your profile, or by contacting us. See section 4 for details of what is deleted and what is anonymised.
- Restriction. Ask us to limit how we process your data.
- Portability. Receive your data in a machine-readable format.
- Object. Object to processing based on legitimate interests.
- Withdraw consent. At any time for consent-based processing. See section 7 for how to do this. Withdrawal does not affect processing that has already taken place.
To exercise any of these rights, email privacy@mypku.co.uk or use the Data & Privacy section of your profile.
9. Right to complain
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
10. Cookies
We use cookies to operate the service. See our Cookie Policy for details.
11. Children
MyPKU is not intended for children under 13. Users aged 13–17 must have parental or guardian consent. If you believe a child has provided data without appropriate consent, contact us at privacy@mypku.co.uk.
12. Changes to this policy
We will notify you of material changes by email or in-app notice. The “last updated” date at the top of this page always reflects the current version.