Privacy Policy
Last Updated: October 23, 2025
1. Introduction
Connectome GmbH ("Connectome," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, disclose, and safeguard your personal data when you visit our website https://www.connectome.health/ ("Website") and interact with our services, including participation in the LUCID: Understanding the Connection Between Lifestyle and fNIRS-Defined Brain States research study ("the Study").
We comply with applicable data protection regulations, including the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
2. Data Controller
| Role | Organisation | Contact | Key responsibilities |
|---|---|---|---|
| Joint Controllers (Art 26 UK/EU GDPR) | Connectome GmbH Imperial College London | Connectome DPO: hello@connectome.health Imperial DPO: dpo@imperial.ac.uk | Determining the purposes and means of processing Study data. |
| Sole Controller (mailing list & Webapp outside Study) | Connectome GmbH | hello@connectome.health | Operating mailing lists, marketing communications and analytics for the Website & Webapp. |
3. Information We Collect and Store
3.1 Study participants
We collect the following personal data to facilitate study administration, participant tracking, and compliance with research ethics. Please note that all data collected except for your account data will be pseudonymized (i.e. decoupled from any personal identifying descriptors).
| Category | Examples | Collected by / stored at |
|---|---|---|
| Demographics | age, gender | Connectome & Imperial |
| Contact details | e-mail address | Connectome |
| Health & lifestyle questionnaires | medical history, sleep, exercise, mood | Connectome |
| Brain imaging (fNIRS) | haemodynamic responses | Connectome; raw data mirrored to Imperial Research data store (RDS) |
| Wearable metrics | heart-rate, HRV, sleep, activities | Connectome |
| Cognitive task performance | accuracy, reaction time | Connectome |
| Hair image & type | close-up photograph of hair only | Connectome |
| Bank details | account/IBAN needed for participant reimbursement | Connectome |
| Study administration | signed consent forms, session logs, withdrawal requests | Imperial (paper originals) & Connectome (digital consent) |
3.2 Mail-list subscribers
- Name (optional)
- E-mail address
- Subscription preferences (topics, language)
4. Why do we use your data and what is the legal basis?
| Purpose | Data categories (see section 3) | Legal basis (Art 6 UK/EU GDPR) |
|---|---|---|
| Eligibility assessment | Demographics, Health and life questionnaire, hair image and type and study administration | Imperial College London Public task – scientific research in the public interest (Art 6 (1)(e)); Connectome GmbH Art 6 (1)(a) UK GDPR – Consent You have given clear consent for us to process your personal data for the purpose of determining your suitability for the study. Article 9 (2)(a) UK GDPR – Explicit consent for special-category data "You have given explicit consent for us to process your health information contained in the eligibility questionnaire." |
| Conducting & analysing the Study | All study participant data | Imperial College London Public task – scientific research in the public interest (Art 6(1)(e)); Connectome GmbH Legitimate interests Art 6(1)(f) |
| Paying participant honoraria | Bank details, contact details | Contract – performance of the participation agreement (Art 6(1)(b)) |
| Maintaining Connectome Webapp | Contact details, account data, imaging & wearable outputs | Contract (Art 6 (1)(b)) – providing the service you request |
| Operating mailing list | Name, e-mail | Consent (Art 6 (1)(a)) – you may withdraw at any time |
| Safety & quality monitoring | Pseudonymised research data | Legal obligation to ensure participant safety (Art 6 (1)(c)) |
Where we rely on legitimate interests, we have carried out a balancing test and believe our interests do not override your fundamental rights and freedoms. You can obtain a copy on request.
5. How long do we keep your data?
| Dataset | Retention period | Rationale |
|---|---|---|
| Raw & processed research data (pseudonymized) | 10 years after Study completion (estimated 31 December 2035) | Good research practice, audit & reproducibility |
| Consent forms & key-code linking table | 10 years (paper originals stored by Imperial) | Ethical & sponsor requirements |
| Connectome Webapp account | Until 10 years of inactivity or account deletion request | Provide ongoing access to personal results |
| Mailing-list record | Until you unsubscribe | Direct marketing rules |
| Bank details & payment records | 7 years | Accounting & tax obligations |
| Aggregated, fully anonymised datasets | Indefinite – no longer personal data | Indefinite – no longer personal data |
We automatically irreversibly anonymise data when the retention period expires. Participants will receive an e-mail reminder 30 days before deletion of their Webapp account data.
6. How do we secure your information?
Connectome GmbH stored data
- Primary Database: Hosted on Cloud SQL (Google Cloud’s managed relational database service) with automated daily backups and point-in-time recovery capabilities.
- Storage of Files & Media: Other files, documents, and media are securely stored in Google Cloud Storage.
- Encryption: All data is encrypted at rest using Google Cloud Key Management Service (Cloud KMS).
- Access Control: Strictly managed through standard identity and access management policies to ensure only authorised personnel can access sensitive data.
- Participant Dashboard: Participants will be able to view their results through the Connectome Data Dashboard.
- Personal Details: Kept on the Connectome platform unless explicitly requested for deletion by participants. This allows participants to view personalized data results.
Imperial College London stored data
Imperial College London will store primary research data in its Research Data Store, ensuring compliance with academic and regulatory standards:
- Storage Location: All raw and processed research data will be stored on Imperial College’s Research Data Store (RDS).
- Access Control: Only authorized researchers will have access, managed via role-based access permissions.
- Pseudonymization: Raw and processed data will be separated from participant identifying information and assigned a unique study ID to maintain participant anonymity.
- Physical Document Security: Any physical documents, such as consent forms, will be securely stored in a locked cabinet inside the door-coded office of the principle investigator at Imperial College London.
- Participant Access: Participants will be able to view their own results via the Connectome dashboard.
7. Who do we share your data with?
7.1 Research collaborators (jointly responsible)
- Imperial College London – data storage & statistical analysis
- University of Zurich – bias-mitigation research on hair-type (data sharing agreement in place)
7.2 Authorised third-party processors
| Processor | Service | Link to privacy notice |
|---|---|---|
| Kernel | Processing fNIRS brain-activity data | https://docs.kernel.com/docs/services-privacy-policy |
| H2 Cognitive Design | Cognitive-task platform | https://www.cognitron.co.uk/static/privacy.html |
| Sahha | Wearable-device analytics | https://www.sahha.ai/privacy |
| Mailchimp | Mailing-list management | https://mailchimp.com/legal/privacy |
| Stripe | Payment processing for participant fees | https://stripe.com/privacy |
All processors act on our written instructions and are bound by data‑processing agreements that satisfy Art 28 UK/EU GDPR.
7.3 International transfers
Where data leaves the UK/EEA we rely on:
- UK and/or EU adequacy regulations, or
- Standard Contractual Clauses (SCCs) with additional safeguards (e.g. encryption at rest, data‑minimisation).
8. Future use
Imperial College London
Participants will be asked during the consent process whether they agree for their data to be used in future research, including:
- Development of new tests, medications, or treatments by an academic institution or commercial company, including those outside the United Kingdom.
- If participants do not consent to future use, their data will be excluded from any subsequent studies and securely deleted.
University of Zurich
- Pseudonymized fNIRS, cognitive task, and hair type data (description and photograph) will be shared with Professor Manuel Gunther, AI & ML Group Lead at the University of Zurich.
- This collaboration supports a study to remove hair-related biases from Connectome’s signal processing, ensuring equity in fNIRS neuroimaging.
Connectome GmbH
9. Your Rights Under GDPR
You have the following rights concerning your data:
- Right to Access: Request a copy of your personal data.
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Withdraw Consent: Withdraw from the Study at any time.
- Right to Erasure: Request data deletion where legally applicable.
- Right to Data Portability: Receive a copy of your data in a structured format.
- Right to Restrict Processing: Limit how we use your data.
10. Commercialisation and Future Research
- Data may contribute to commercial research (e.g., development of neurotechnology software analysis tools).
- Any commercial use of your data will involve aggregated or pseudonymized datasets.
- Your personal identity will never be shared with commercial partners.
- You may at any time opt-out of future research data use.
11. Complaints and Contact Information
If you have concerns about how your data is processed, you may contact:
Connectome GmbH
hello@connectome.healthImperial College London Data Protection Officer (DPO):
Contact Us
If you need to contact us for any reason specified above, or if you have any questions or concerns about our Privacy Policy, please contact us at hello@connectome.health.