Privacy Policy

Last updated: 7 May 2026

Who we are

The Somatic Tinnitus Project is operated by Oliver (sole trader, United Kingdom). For privacy questions or to exercise any of the rights listed below, email oliver@somatictinnitusproject.com.

We are registered with the UK Information Commissioner's Office (ICO).

What data we collect

When you create an account and use the platform, we collect:

Account information

  • Email address
  • Username (chosen by you)
  • Password (stored encrypted; we never see it)
  • Account creation date

Health and assessment data

  • Your test classification result (A, B, or C from the somatic tinnitus screening test)
  • Phase 1 self-assessment responses (jaw, neck, postural, and nervous system findings)
  • Daily progress logs (perceived tinnitus loudness, jaw tension, neck tension, stress, sleep quality, optional notes)
  • Tinnitus Functional Index (TFI) questionnaire responses at intake and Phase 5 completion
  • Your generated profile (e.g. dual driver, primary cervical with secondary jaw)
  • Phase and session progression dates

Consent records

  • Whether you have given consent for health data processing (required to use the platform)
  • Whether you have given optional consent for anonymised research use of your data
  • Date and time consents were given or withdrawn

Communications

  • Community posts and replies you choose to publish
  • Email correspondence with us

Technical information

  • Standard server logs (IP address, request timestamps, browser type) collected by our hosting providers for security and performance purposes
  • Email engagement (open and click events) collected by our email provider

Legal basis for processing

Under UK GDPR, we rely on the following legal bases:

For account information and platform functionality

Contract: processing is necessary to provide the platform service you have signed up for.

For health and assessment data

Explicit consent (UK GDPR Article 9(2)(a)): you provide explicit consent during onboarding to process this special category data to deliver and personalise your rehabilitation framework. You can withdraw this consent at any time, which will result in deletion of your account and associated data.

For research data (optional, only with separate consent)

Explicit consent (UK GDPR Article 9(2)(a)): you may separately consent to your anonymised data being used to improve understanding of somatic tinnitus. You can withdraw this consent at any time in your account settings without affecting your platform access.

For communications about your account

Legitimate interest: we send essential service emails (account verification, password resets, framework completion). You cannot opt out of these while you have an active account.

How we use your data

Account information

  • To provide you access to the platform
  • To send essential service communications
  • To respond to support requests

Health and assessment data

  • To generate your personalised somatic profile and protocol recommendations
  • To track your progress through the 12-week framework
  • To display your analytics, trends, and insights
  • To deliver content tailored to your profile

Research data (optional, with separate consent)

  • Anonymised data may be used to improve the framework, identify patterns across members, and inform future development
  • Anonymised aggregated data may be shared in publications, conference presentations, or research collaborations
  • Anonymisation means removing your email, username, and any free-text responses that could identify you. Aggregated patterns cannot be linked back to you.

Communications

  • To send you platform updates, new content notifications, and service announcements
  • To send marketing communications about new features (you can opt out at any time using the unsubscribe link)

Who has access to your data

Only Oliver, the sole operator of the platform, has access to your data. We do not employ staff, contractors, or third parties who can access member health data.

Your data is stored with the following service providers, who process it on our behalf as data processors:

Supabase (database and authentication)

Hosted in the European Union. Supabase processes your account data, health data, and progress logs. Their privacy policy: supabase.com/privacy

Vercel (web hosting)

Vercel hosts the platform and processes standard server logs. Their privacy policy: vercel.com/legal/privacy-policy

Cloudflare Stream (video content)

Cloudflare hosts our exercise demonstration videos. They process basic playback metrics (no personal identification). Their privacy policy: cloudflare.com/privacypolicy

EmailOctopus (email delivery)

EmailOctopus processes your email address and engagement data for marketing communications. Their privacy policy: emailoctopus.com/legal/privacy

Brevo (transactional email)

Brevo sends account verification and password reset emails. Their privacy policy: brevo.com/legal/privacypolicy

Stripe (payments)

Stripe processes subscription payments. We do not store payment card details. Their privacy policy: stripe.com/gb/privacy

All processors have appropriate data protection agreements in place and are GDPR-compliant.

International transfers

Some of our processors are based outside the United Kingdom, including in the United States. Where data is transferred internationally, transfers are protected by appropriate safeguards including UK adequacy decisions or Standard Contractual Clauses.

How long we keep your data

Active accounts

We retain your data for as long as your account is active.

Closed accounts

If you delete your account, all personal data is deleted within 30 days. Anonymised research data, if you consented to its use, is retained indefinitely as it can no longer be linked to you.

Inactive accounts

If your account has had no login activity for 24 months, we will email you to confirm whether you want to continue. If we receive no response within 60 days, the account is deleted.

Email correspondence

We retain support emails for up to 3 years for service improvement and dispute resolution.

Your rights

Under UK GDPR, you have the right to:

Access

Request a copy of the data we hold about you. We will respond within 30 days.

Rectification

Correct any inaccurate data we hold. You can update most of your data directly in your profile settings.

Erasure

Delete your account and all associated personal data. You can do this from your account settings or by emailing us. Account deletion is permanent and cannot be undone.

Restriction

Ask us to limit how we use your data while a complaint or correction is being resolved.

Data portability

Request your data in a machine-readable format to transfer to another service.

Object

Object to processing based on legitimate interests. You can opt out of marketing communications at any time using the unsubscribe link.

Withdraw consent

Withdraw consent for health data processing (which results in account deletion) or for research use (which leaves your account active). Both can be done in your account settings.

Complain

Lodge a complaint with the UK Information Commissioner's Office at ico.org.uk if you are unhappy with how we handle your data.

To exercise any of these rights, email oliver@somatictinnitusproject.com.

Data security

We protect your data through:

  • Encryption in transit (HTTPS for all platform interactions)
  • Encryption at rest (database and backups)
  • Row-level security ensuring members can only access their own data
  • Strong password requirements
  • No shared accounts or staff access

In the unlikely event of a data breach affecting your personal data, we will notify you and the ICO within 72 hours.

Children

The platform is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete the account.

Changes to this policy

We may update this policy occasionally. Material changes will be notified to active members by email at least 14 days before they take effect. The "last updated" date at the top of this page reflects when the policy was last revised.

Contact

For any privacy-related questions or to exercise your rights:

Email: oliver@somatictinnitusproject.com

The data controller is Oliver, sole operator of the Somatic Tinnitus Project.