Privacy & Data

Privacy Policy

How PACT Health Tech Ltd collects, uses, and protects your personal data when you use PACT.Health, PAX, our Coach Console, and our website. Written plainly, structured around UK GDPR, and specific about what we actually do — not what a template says.

Last updated: 18 May 2026
Effective from: 18 May 2026
Version: 1.0

01 · Who we are

The controller of your data

PACT Health Tech Ltd is the company behind PACT.Health and PAX. We are the "data controller" for the personal data described in this policy — meaning we decide why and how it is processed.

  • Legal name: PACT Health Tech Ltd
  • Registered in: England and Wales
  • Company number: 17222607
  • Registered office: 29 Renard Way, Trumpington, Cambridge CB2 9EW
  • Privacy contact: privacy@pact.healthcare

We are registered with the UK Information Commissioner's Office (ICO) as a data controller. Our ICO registration number will be added here once issued.

02 · Scope

What this policy covers

This policy explains what we do with personal data when you:

  • Visit our website at pact.healthcare
  • Sign up as a coach using our Coach Console
  • Are invited by a coach and onboard as a client (athlete)
  • Chat with PAX, our AI coaching companion, in WhatsApp
  • Connect third-party services (wearables, calendars, nutrition trackers) to your PACT account

Different sections apply depending on whether you are a coach or a client — we've called out which is which where it matters.

03 · Data

Personal data we collect

If you are a coach

  • Identity and contact: name, email, business name, phone number, address
  • Account data: hashed password, login timestamps, session tokens
  • Business data: client roster you create, programmes you build, notes you record
  • Usage data: Coach Console interactions, features used, support requests
  • Billing data: subscription tier, invoices (we do not store full card numbers; payment is handled by our payment processor)

If you are a client (athlete)

  • Identity and contact: name, WhatsApp phone number, optional email
  • Profile data: training goals, lifestyle context, dietary preferences, equipment access, schedule
  • Health and fitness data: see Section 04 — this is treated as a special category
  • Communication: the content of messages you exchange with PAX, including voice notes (transcribed) and images (analysed)
  • Engagement data: read receipts, reply times, response patterns
  • Coach relationship: the identity of the coach who invited you, and what they have shared with you

04 · Special category data

Health and fitness data

PACT.Health processes data about your physical activity, recovery, body, and habits. Under UK GDPR Article 9, some of this counts as "special category" data — meaning it gets stronger protections, and we can only process it with your explicit consent, which we ask for during onboarding.

The categories we process include:

  • Activity and training: workouts, steps, distance, heart rate, perceived effort, lift history
  • Recovery and sleep: sleep duration and stages, HRV, readiness scores, resting heart rate
  • Nutrition: food logs, calorie intake, macronutrient breakdown, photos of meals you share
  • Body data: weight, body composition where you record it, optional progress photos
  • Self-reported state: mood ratings, stress notes, anything you tell PAX about how you feel

Your control over this data

You can withdraw your consent to health-data processing at any time by emailing privacy@pact.healthcare. Withdrawing consent means PAX can no longer coach you meaningfully — so withdrawing usually means ending your use of the service. We will delete the data as set out in Section 10.

05 · Sources

Where we collect it from

  • Directly from you — when you sign up, complete onboarding, message PAX, or log information in the app
  • From your coach — your name and contact phone number when they invite you, plus any programme they assign you
  • From services you connect — Garmin, Apple Health, Oura, MyFitnessPal, Trainerize, Google Calendar, Outlook Calendar, Strava, and any other integration you authorise via OAuth
  • Automatically — limited technical data when you use our website or apps (see Section 15)

You always choose which third-party services to connect. You can disconnect any of them at any time from your client portal — this stops the flow of new data, and we delete the historical data on request.

06 · Purpose & legal basis

How and why we use it

We only process your personal data where we have a lawful basis under UK GDPR Article 6, and where it involves special category data, an additional condition under Article 9.

Performance of a contract — Article 6(1)(b)

For most of what we do — running your account, delivering PAX's coaching, generating your weekly summaries, syncing your data, providing the Coach Console — we are performing the contract you have with us (or that your coach has with us, with you as a named beneficiary).

Explicit consent — Articles 6(1)(a) and 9(2)(a)

For the health and fitness data described in Section 04, we rely on your explicit consent, which we ask for at onboarding and which you can withdraw at any time.

Legitimate interests — Article 6(1)(f)

For security, fraud prevention, improving the service, and limited internal analytics, we rely on our legitimate interests — balanced against your rights. You can object to this processing at any time (see Section 11).

Legal obligation — Article 6(1)(c)

Where we need to keep certain records to comply with UK law (tax, accounting, responding to regulators), we process the minimum data necessary to do so.

07 · WhatsApp

WhatsApp and messaging

PACT.Health delivers PAX's coaching through WhatsApp. When you message PAX or PAX messages you, the following happens:

  • Message content and metadata (your phone number, the message, timestamps, media attachments) are transmitted between WhatsApp's infrastructure (operated by Meta Platforms Ireland Ltd) and our messaging provider 360dialog GmbH, which is a Meta-authorised Business Solution Provider headquartered in Germany.
  • 360dialog forwards the message to our application, where we store it for the purposes set out in this policy.
  • WhatsApp itself is subject to its own privacy practices set by Meta. Whether your messages are end-to-end encrypted in transit, and how they are handled before they reach us, is governed by WhatsApp's terms.
  • You have opted in to receive messages from PACT.Health when you completed onboarding. You can stop receiving messages at any time by replying with STOP, or by emailing us.

We never use WhatsApp messages for marketing to anyone other than the original recipient. We never sell or share your WhatsApp data with advertisers or unrelated third parties.

08 · Sub-processors

The services we use to run PACT

We use a small set of carefully chosen suppliers (sub-processors) to run the service. Each is bound by a written Data Processing Agreement requiring them to handle your data in line with UK GDPR. The current list:

Provider | Purpose | Location
360dialog GmbH | WhatsApp message delivery and inbound receipt | Germany (EU)
Anthropic PBC | AI language model (Claude) for PAX coaching responses | United States
Supabase Inc. | Database and authentication infrastructure | United States (EU region available)
Railway Corp. | Application hosting for the PAX backend | United States
Vercel Inc. | Hosting for the Coach Console web application | United States
OpenAI L.L.C. | Voice note transcription (Whisper), where you send voice notes | United States
Connected data providers | Health and fitness data: Garmin, Apple Health, Oura, MyFitnessPal, Trainerize, Strava, Google, Microsoft — only where you connect them | Various

We will update this list when we add or change suppliers. Material changes will be communicated via PAX and through this page being republished.

09 · Transfers

International transfers

Several of our sub-processors are based in the United States, which the UK does not consider to provide an automatically equivalent level of data protection.

For transfers outside the UK and EEA, we rely on:

  • The UK International Data Transfer Agreement or the EU Standard Contractual Clauses as supplemented by the UK Addendum, signed with each US-based sub-processor
  • The UK Extension to the EU–US Data Privacy Framework, where the relevant US provider is certified under it
  • Documented technical and organisational measures, including encryption in transit and at rest

If you want a copy of the safeguards in place for a specific transfer, email privacy@pact.healthcare and we will provide it.

10 · Retention

How long we keep it

We keep your personal data only as long as we need it for the purpose we collected it. Specifically:

Data | Retention period
Account data (coach or client) | While the account is active, plus 30 days after closure
Message content (PAX conversations) | Up to 24 months rolling, then deleted
Health and fitness data | While the service is active, plus 30 days after closure
Encrypted backups | Up to 90 days for disaster recovery
Billing and tax records | 6 years (UK statutory requirement)
Support and complaint correspondence | 3 years

Where you ask us to delete your data, we delete it from active systems within 30 days and from encrypted backups within 90 days, unless we are required to retain it by law.

11 · Your rights

What you can ask us to do

Under UK GDPR you have the right to:

  • Access — ask for a copy of the personal data we hold about you (Article 15)
  • Rectification — ask us to correct inaccurate or incomplete data (Article 16)
  • Erasure — ask us to delete your data, sometimes called "the right to be forgotten" (Article 17)
  • Restriction — ask us to limit how we use your data while a question is resolved (Article 18)
  • Portability — ask for your data in a portable, machine-readable format (Article 20)
  • Objection — object to processing based on legitimate interests, including any profiling (Article 21)
  • Withdraw consent — at any time, for any processing we do on the basis of consent (Article 7(3))
  • Lodge a complaint — with the UK Information Commissioner's Office (see Section 17)

To exercise any of these, email privacy@pact.healthcare. We respond within one calendar month, as required by Article 12(3) — usually much sooner. We do not charge for these requests.

12 · Automated processing

PAX, AI, and how it makes decisions

PAX is an AI coaching companion. Its responses are generated by a large language model (Anthropic's Claude) based on the data and context we provide. This is "automated processing" under UK GDPR.

However, PAX does not make decisions that have legal effects or similarly significant effects on you within the meaning of Article 22. Specifically:

  • PAX does not make medical diagnoses. It is not a regulated medical device.
  • PAX does not prescribe medication or clinical interventions.
  • PAX does not make decisions about access to insurance, credit, employment, or housing.
  • Your coach — a qualified human — remains responsible for the training, nutrition, and lifestyle programme you follow.

You can request human review of any PAX response by replying to your coach or by emailing us. You can also reduce automated processing by limiting which data sources are connected, or by stopping use of PAX entirely.

13 · Security

How we protect your data

We use industry-standard technical and organisational measures, including:

  • TLS encryption for data in transit
  • Encryption at rest for our database and backups
  • Role-based access controls for the small number of staff who can see personal data
  • Multi-factor authentication on administrative systems
  • Regular review of supplier security practices and DPAs
  • Logging and monitoring of access to sensitive data

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK ICO within 72 hours as required, and we will tell affected individuals without undue delay where the risk is high.

14 · Children's data

PACT is for adults only

PACT.Health is not directed at, intended for, or designed to be used by people under the age of 18. We do not knowingly collect personal data from anyone under 18.

If you are a parent or guardian and believe your child has used PACT.Health, please contact us at privacy@pact.healthcare and we will delete the data.

15 · Cookies

Cookies and similar technologies

Our website and Coach Console use a minimal number of strictly necessary cookies for:

  • Authentication — keeping you signed in to the Coach Console
  • Session management — remembering form state across pages
  • Security — preventing cross-site request forgery

We do not use advertising cookies, third-party tracking pixels, or cross-site behavioural targeting. We do not share cookie data with advertising networks.

Strictly necessary cookies do not require consent under the UK Privacy and Electronic Communications Regulations. If we ever add non-essential cookies (for example, basic analytics), we will introduce a cookie banner and update this section.

16 · Changes

Changes to this policy

We may update this policy from time to time — for example, when we add a new sub-processor or a new feature.

When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify active users by message via PAX
  • Where the changes are significant, give you 30 days' notice before they take effect

Continuing to use PACT.Health after a change takes effect means you accept the updated policy. If you don't accept it, you can stop using the service and ask us to delete your data.

17 · Contact

How to reach us — and the ICO

For privacy questions and requests

privacy@pact.healthcare

Email us about anything in this policy — access requests, deletion requests, withdrawal of consent, questions about how we handle a specific bit of data. We respond within one calendar month and usually much sooner.

By post: PACT Health Tech Ltd, 29 Renard Way, Trumpington, Cambridge CB2 9EW.

You also have the right to complain to the UK Information Commissioner's Office (ICO) at any time if you think we have handled your data unlawfully. You can do this without contacting us first, although we'd appreciate the chance to put things right.

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF