The quick version. We only collect what we really need. We never sell your details. Your name and email stay private — only big-picture findings go to the organisations we work with. You can leave any time, and we'll delete your information if you ask.
1. Who we are
Equity Engine is a research platform. It helps the NHS, health charities and university researchers hear from people who often get missed.
Equity Engine is run by Unwritten Health Ltd. That's the company that decides how your information gets used. (The law calls this being the "data controller" — it means we're responsible for looking after your details.)
You can write to us at chat@equityengine.health any time. For privacy questions specifically, use privacy@equityengine.health.
Swan Buildings, 20 Swan Street
Manchester, M4 5JW, UK
Phone: +44 (0) 161 524 8800
We're registered with the Information Commissioner's Office (the UK's privacy watchdog) under registration number ZC109542. Our company number is 16561594.
2. What information we collect — and why
Information you give us
| What | Why | Do you have to give it? |
|---|---|---|
| Your first and last name | So we know what to call you in emails. | Yes |
| Your email address | So we can email you about surveys, and so you can log in. | Yes |
| Your password (turned into a scrambled code we can never read) | To keep your account safe. | Yes |
| Things about you — age group, where you live, ethnicity, health conditions, work, housing, and so on | So we can match you with surveys that fit your life, and so research shows experiences across all kinds of communities. | No — share as much or as little as you want |
| Your phone number | So we can send a quick text message to check it's really you, if we need to. | No |
| Your UK postcode | So we can match you to local research. We never share your postcode with the organisations we work with — only the region you live in. | No |
| Your survey answers | This is the whole point — your answers are the research. | No — you pick which surveys to do |
Information we pick up automatically
- Your internet address (called your "IP address") — like a return address for the internet. We use it to spot fake accounts and check you're in the UK.
- A scrambled fingerprint of your web browser — built from things like your screen size, time zone and language. It helps us tell if someone is trying to make lots of accounts on one computer. We don't use this to follow you around the internet or show you adverts.
- What kind of phone or computer you're using — so we know if the website is working properly on your device.
- Which pages of our site you visit — so we can fix bugs and improve things.
Information we get from other companies that help us
- Cloudflare Turnstile — a free service that checks you're a real person and not a robot.
- IPQS — checks if your internet address looks suspicious (like a known fraud network).
- Kickbox — checks your email address is real before we send you anything.
- Twilio — sends you a one-time code by text if we need to check your phone number.
- ORCID — used only by university researchers who apply for special access. It checks their researcher ID is real.
3. The rules we follow when using your data
UK law says we need a clear, fair reason before we can use your information. The reasons we use are:
- You said yes — when you choose to share something (like your ethnicity or a survey answer), that counts as you saying we can use it. (The law calls this "consent".) You can change your mind any time.
- To do what we promised — like give you an account, count your points, and send you your voucher. (The law calls this "performing a contract".)
- To run the platform safely — like spotting fake accounts, keeping our systems secure, and emailing you about important changes. (The law calls this "legitimate interest". We've weighed up what we're doing against your rights, and we think it's fair.)
- Because the law says so — if a court or government body asks us to share something, we have to.
4. Extra-sensitive information — like health and ethnicity
Some of what you can share — your health conditions, ethnicity, religion, sexuality — is more sensitive than other things. UK law gives this kind of information extra protection. The law calls it "special category data".
We only use this kind of information because you chose to share it. You can change your mind, edit your answers, or delete your account whenever you like.
When we use it, it's locked away with extra security, kept apart from your name and email, and never shared in a way that could point back to you.
5. Who we share information with
What the research partners see
The organisations we work with — health charities, the NHS, university researchers — only see big-picture findings, like:
- "35% of people we asked said they felt unheard at their GP."
- A chart showing how trust differs across regions.
- A few anonymous quotes that show a common theme.
They never see:
- Your name
- Your email
- Your phone number
- Your postcode
- Any single answer that could point back to just one person
If a group is too small to be safely anonymous (fewer than 10 people), we hide it from the report.
Companies that help us run the platform
We use some other companies to do specific jobs for us. They've all signed legal agreements that bind them to the same UK rules we follow. Here they are, and what they do:
- MongoDB Atlas — stores your data securely in EU/UK servers.
- Render — hosts the website on EU servers.
- Mailjet — sends our emails.
- Anthropic — an AI service that reads written answers to find common themes. Anything that could identify you is stripped out first.
- Cloudflare — keeps the site safe from attacks.
- IPQS, Kickbox, Twilio — the verification services we mentioned above.
- Sentry — helps us spot bugs. We make sure it never sees your survey answers or sensitive information.
If we send data outside the UK
A few of these companies are based outside the UK (for example, Anthropic and Twilio are in the United States). When we send your data abroad, we use special legal agreements (called "Standard Contractual Clauses" or the "UK International Data Transfer Addendum") that make sure your data stays just as protected as it would be at home.
6. How long we keep your information
- Your account details — while you're a member, plus 12 months after you leave. (We have to keep them a bit longer for tax and audit reasons.)
- Your survey answers — kept forever as part of the research dataset, but only in a form where it's impossible to tell who said what. If you ask us to delete your answers specifically, we will, within 30 days.
- Email confirmation and password-reset links — 24 hours.
- Day-to-day logs — 30 days.
- Security logs — 12 months.
- Backup copies — we keep rolling backups for 30 days. If you ask us to delete something, it disappears from the backups within 35 days too.
7. Your rights — what you can ask us to do
UK law gives you lots of rights over your own information. You can:
- Get a copy of everything we hold about you.
- Correct anything wrong — like a misspelled name.
- Ask us to delete you ("the right to be forgotten"). We do this within 30 days unless we're legally required to keep something.
- Pause us using certain bits of your data while you check something with us.
- Take your data with you in a format you can use elsewhere.
- Say no to some kinds of use.
- Change your mind about anything you previously said yes to. (Past use stays legal, but we stop from then on.)
- Complain to the UK's privacy watchdog (the ICO) at ico.org.uk. We'd love the chance to fix things first if you tell us, but it's your right.
To use any of these rights, email privacy@equityengine.health. We'll reply within a calendar month.
8. How we keep your information safe
- Everything you send to the website is encrypted — that means it travels in a locked, scrambled form so nobody in the middle can read it.
- Your password is stored as a scrambled code (called a "hash") that no-one — including us — can turn back into your real password.
- If you share your phone number, we keep it only as a scrambled code too. Your real number is thrown away as soon as we've checked it.
- Only certain trusted computers are allowed to talk to our database.
- We keep records of what important things happen in the system, so we can investigate if anything looks odd.
- We rotate our security keys regularly and follow standard industry practice.
9. Cookies (small files on your device)
A "cookie" is a tiny file your web browser keeps so a website can remember things — like keeping you logged in.
The Equity Engine app only uses essential cookies. Those are the ones the site can't work without — like the one that keeps you logged in, and the one that remembers your language choice. We don't use any tracking cookies, advertising cookies or analytics cookies on the app itself.
Our marketing website (equityengine.health) may use a few extra cookies. Those are explained in a separate cookie notice on that site.
10. Points and rewards
When you do a survey, you earn points. You can swap points for shopping vouchers (£5, £10, £25 or £50). Points are personal to your account and can't be swapped or sold. They have no cash value on their own. If we find someone has been creating fake accounts or otherwise cheating, we may cancel the points. The full rules are in our Terms.
11. People under 16
Equity Engine isn't designed for children under 16. We don't knowingly let anyone under 16 sign up. If you think a younger person has joined, email us at privacy@equityengine.health and we'll close the account.
12. Changes to this policy
If we change this policy in a meaningful way, we'll email you to let you know, and the new date will appear at the top of this page. For big changes, we'll ask you to agree again.
13. How to get in touch
General contact: chat@equityengine.health
Privacy questions: privacy@equityengine.health
Security worries: security@equityengine.health
By post or phone:
Unwritten Health LtdSwan Buildings, 20 Swan Street
Manchester, M4 5JW, UK
Phone: +44 (0) 161 524 8800
This is version 1.0 — still being reviewed. This is our first published Privacy Policy. We're having it checked by a lawyer and will share an updated version when that's done. If anything here doesn't make sense, please email privacy@equityengine.health and we'll explain.