Advocate Privacy Statement

At Advocate, we are committed to protecting the privacy and security of your personal data while providing you with a valuable service to assess and support your elderly loved ones’ health. This Privacy Statement explains how we collect, use, store, and protect your data, ensuring transparency and compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Advocate is a service operated by SPA Medical Services Ltd, a company registered in England and Wales with company number 09461686, and our registered address is Monomark House, 27 Old Gloucester Street, London, WC1N 3AX.
1. Who We Are and What We Do
Advocate empowers families to assess the health of elderly relatives through a simple online survey, providing tailored advice and a GP letter to support care. We collect data directly from you to deliver this service, ensuring your loved one’s wellbeing while maintaining the highest standards of privacy. As part of SPA Medical Services Ltd, we operate with a commitment to trust, security, and transparency in all our activities. Our mission is to help you keep your loved ones safe at home, and we take our responsibility to safeguard your data seriously.
2. What Data We Collect
We collect the following types of data when you use Advocate:
Personal Information: Your name, email address, and payment details (processed securely via Stripe) to facilitate the service and communicate with you.
Health Data: Information about your elderly relative, including their name, age, gender, and health-related responses (e.g., frailty indicators like falls, blood pressure readings, and other symptoms such as pain or mood changes). This is collected through our online survey, which you complete on their behalf.
Consent Information: Confirmation that your relative agrees to the assessment, as indicated by you via a consent checkbox on our Carrd website.
Technical Data: IP address, browser type, and device information automatically collected when you visit our Carrd website (https://advocateempower.carrd.co/) or complete the Jotform survey. This helps us improve our service and ensure its functionality.
We only collect data that is necessary to provide the Advocate service, adhering to the principle of data minimization under the UK GDPR (Article 5(1)(c)).
3. How We Use Your Data
We use your data for the following purposes:
Service Delivery: To process your survey responses, generate tailored advice documents, and create a GP letter for your loved one’s NHS doctor. Your data is entered into our proprietary system (operated by SPA Medical Services Ltd) to calculate health risk scores (e.g., frailty score out of 68), which are then used to produce actionable outputs.
AI Processing: A minimal subset of data (age, gender, and a unique PIN) is sent to our AI partner, to generate advice and letters via their premium model. No identifiable health data (e.g., name, specific symptoms) is shared ensuring privacy.
Communication: To email you the survey link (if applicable), confirm payment, and deliver your results securely via Proton Mail with encrypted PDFs. We may also contact you to follow up on your experience or provide support.
Improvement and Analytics: Technical data (e.g., IP address, browser type) is used to monitor website performance, improve user experience, and ensure the security of our service. This data is anonymised and aggregated wherever possible.
Legal Compliance: To comply with legal obligations, such as maintaining records for audits or responding to data subject requests under the UK GDPR.
We will never use your data for purposes beyond those necessary to deliver the Advocate service, nor will we use it for marketing, profiling, or automated decision-making that produces legal effects (Article 22).
4. Our Commitment: We Will Never Share Your Data
At Advocate, we take your privacy seriously and will never share, sell, or disclose your personal or health data to third parties for marketing, advertising, or any other purpose unrelated to the delivery of our service. Your data is used solely to provide the health assessment, advice, and GP letter, and is shared only with the following entities under strict conditions:
We send a minimal, anonymised dataset (age, gender, and a unique PIN) for AI processing to generate advice and letters. No identifiable information (e.g., name, specific health details) is shared, and the AI system deletes the data immediately after processing.
Stripe: Your payment information (e.g., credit card details) is processed securely by Stripe to collect the £30 one-off fee. Stripe does not receive survey responses or health data, and their processing is GDPR-compliant (Stripe Privacy Policy: stripe.com/gb/privacy).
Jotform: Your survey responses are collected via Jotform, which stores data in EU servers (Ireland) to comply with GDPR. Jotform acts as a data processor under a Data Processing Agreement (DPA), ensuring your data is secure and not shared further (Jotform GDPR: jotform.com/gdpr-compliance).
Beyond these processors, your data remains with SPA Medical Services Ltd and is never shared with any other party, including other family members, healthcare providers (beyond the GP letter you choose to share), or external organisations.
5. How We Protect Your Data
We implement robust technical and organizational measures to ensure the security of your data, in compliance with Article 32 of the UK GDPR:
Encryption: All data in transit is encrypted using HTTPS (TLS 1.3), and survey responses are stored on a UK-based server (AWS London) with AES-256 encryption at rest.
Secure Delivery: Advice documents and GP letters are delivered as password-protected PDFs via Proton Mail, which uses end-to-end encryption (E2EE) to prevent unauthorized access.
Minimal AI Processing: We send only anonymised data (age, gender, PIN) to our premium AI, ensuring no identifiable information leaves our control.
Access Controls: Only authorized personnel at SPA Medical Services Ltd can access your data, and access is strictly limited to what is necessary for delivering the service.
Data Deletion: We delete your data (survey responses, PDFs) after 30 days unless you consent to longer retention for repeat assessments. This aligns with the UK GDPR’s storage limitation principle (Article 5(1)(e)).
Third-Party Compliance: Our partners (Jotform, Stripe, xAI) operate under DPAs, ensuring GDPR compliance. Jotform uses EU servers, Stripe processes payment data securely, and xAI deletes data post-processing.
6. Your Rights Under GDPR
As a data subject under the UK GDPR, you have the following rights regarding your personal data:
Right to Access (Article 15): You can request a copy of the data we hold about you.
Right to Rectification (Article 16): You can ask us to correct inaccurate data.
Right to Erasure (Article 17): You can request deletion of your data, subject to legal retention requirements.
Right to Restrict Processing (Article 18): You can limit how we use your data in certain circumstances.
Right to Data Portability (Article 20): You can request your data in a structured, machine-readable format.
Right to Object (Article 21): You can object to processing based on legitimate interests (though our basis is consent).
Right to Withdraw Consent (Article 7): You can withdraw consent at any time, though this may prevent us from delivering the service.
To exercise these rights, contact us at [email protected]. We will respond within one month, as required by law, and there is no fee for most requests unless they are manifestly unfounded or excessive (Article 12).
7. Legal Basis for Processing
We process your data under the following legal bases:
Consent (Article 6(1)(a), Article 9(2)(a)): You provide explicit consent via a checkbox on our Carrd website to process your data, including your relative’s health data, for the purpose of generating advice and a GP letter. You also confirm your relative’s consent to the assessment.
Contract (Article 6(1)(b)): Processing is necessary to fulfill our contract with you (delivering the Advocate service after payment of £30 or a subscription).
Legitimate Interests (Article 6(1)(f)): We process technical data (e.g., IP address) to improve our website and ensure security, balanced against your rights and freedoms.
8. Data Retention and Deletion
We retain your data only as long as necessary to fulfill the purpose for which it was collected:
Survey Responses: Stored for 30 days after submission to allow for processing and delivery of results. After this period, responses are deleted unless you consent to longer retention (e.g., for monthly subscriptions).
Payment Data: Stripe retains payment details per their retention policy (stripe.com/gb/privacy), typically for legal compliance (e.g., 7 years for tax purposes). We do not store payment details ourselves.
Technical Data: Anonymised and retained for up to 12 months to improve our service, then deleted. You can request early deletion of your data by contacting us subject to legal obligations (Article 17).
9. International Data Transfers
Advocate ensures all data processing occurs within the UK or EU to comply with GDPR requirements:
UK Server: Survey responses and PDFs are stored on AWS London (UK), with AES-256 encryption.
EU Processing: Jotform uses Ireland servers for EU data storage, compliant with Article 44.
AI Partner: processes minimal, anonymized data (age, gender, PIN). We have a Data Processing Agreement (DPA) with, and if data is transferred outside the UK/EU (e.g., to the US), Standard Contractual Clauses (SCCs) ensure GDPR compliance (Article 46).
Stripe: Payment data is processed in the EU (Ireland servers), with SCCs for any US transfers (web ID 1).
10. Children’s Data
Advocate is not intended for use by children under 18. We do not knowingly collect data from individuals under 18, and our service is designed for adults assessing elderly relatives. If you believe we have collected data from a child, please contact us immediately at [[email protected]] to request deletion.
11. Third-Party Links
Our Carrd website (https://advocateempower.carrd.co/) and Jotform survey may include links to third-party sites (e.g., Stripe for payments). These sites have their own privacy policies, and we are not responsible for their practices. We encourage you to review their policies before providing any data.
12. Cookies and Tracking
We use minimal cookies on our Carrd website to ensure functionality and improve user experience:
Essential Cookies: Required for site operation (e.g., session management).
Analytics Cookies: Anonymized data (e.g., page views) to monitor performance. You can manage cookie preferences via your browser settings. We do not use cookies for advertising or tracking across sites, ensuring your privacy.
13. Data Breaches
In the unlikely event of a data breach, we will notify the UK Information Commissioner’s Office (ICO) within 72 hours, as required by Article 33, and inform affected users if there is a high risk to their rights and freedoms (Article 34). Our security measures (encryption, E2EE) minimize the likelihood and impact of breaches.
14. Changes to This Privacy Statement
We may update this Privacy Statement to reflect changes in our practices or legal requirements. Updates will be posted on our Carrd website with the revised date. If changes significantly affect your rights, we will notify you via Proton Mail at least 30 days in advance.
You also have the right to lodge a complaint with the ICO if you believe we have not handled your data appropriately: Information Commissioner’s Office
Website: ico.org.uk
Phone: 0303 123 1113
16. Our Commitment to Privacy
At Advocate, we understand the sensitivity of the health data you entrust us with, and we are dedicated to maintaining your trust. As part of SPA Medical Services Ltd, we uphold the highest standards of privacy and security, ensuring your data is used solely to deliver our service and never shared with third parties. We are here to support you in protecting your loved one’s health, and we will always prioritise your privacy in doing so.