Privacy Policy

1. Introduction

Zults ("we," "us," "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, share, and protect your data when you use the Zults App or myrezults.com (together, the "Services").
Zults helps adults 18 years and older turn STI results into Rezults - a verified, shareable record of sexual-health status.

We never sell personal data and process it only to deliver, secure, and improve your experience.

2. Who We Are and How to Reach Us

Data Controller: eWellness Limited
14 Royal Star & Garter, Richmond, TW10 6BF, UK
Company No. 12346871
Appointed Data Protection Officer (DPO): The DPO Centre Ltd
Registered DPO Partner for eWellness Limited
Website: www.dpocentre.com
Email (for all privacy enquiries): contact@myrezults.com

If you have questions or wish to exercise your rights, contact us or your local data-protection authority (ICO in the UK, an EEA authority, or the US HHS Office for Civil Rights).

3. Who This Policy Applies To

This Policy applies to everyone who uses the Zults App or website.
Zults is intended only for individuals aged 18 or older. We do not knowingly collect data from minors.

4. Data Retention

Your Rezults card remains in your account until you choose to delete or replace it. We do not auto-expire your verified Rezults while your account is active.

Source artifacts used to create your Rezults are kept only as long as needed:

- Uploaded PDFs are deleted from our servers as soon as your Rezults card is created, or when an admin rejects your submission. A 60-day server-side cleanup acts as a backstop for any PDF that is never finalised.
- Provider link content is fetched once for parsing and is not stored as a file.
- Identity verification selfies are auto-deleted from our servers within 24 hours.
- ID document captures from our verification provider are auto-deleted within 30 days.
- Internal review records (admin queue artefacts) are auto-deleted within 90 days.

When you delete your Rezults or your account, we hard-delete your records from our production systems immediately. There is no soft-retention period or grace window. Encrypted backup snapshots age out per their retention schedule.

Some records may also be retained where required by law (security, abuse prevention, audit logs, fraud investigation, or other legal obligations).

5. How We Collect Data

- Directly from you: When you create an account, upload a file, verify your identity, or contact support.
- Automatically: Through cookies or similar technologies, analytics tools, and device logs.
- From trusted third parties: Such as testing providers, verification partners, or analytics platforms.
- From optional device permissions: Such as contacts (for Partner Notification) and location (for nearby provider search).

6. Data from Providers and User Uploads

Zults allows users to import their STI test results by manually uploading a PDF or by copying and pasting a public or shareable results link from their testing provider (for example, SHL, Luud Health, SH.UK, or other authorised providers).
This process is entirely user-initiated - Zults does not have a direct system integration or API connection with any healthcare provider or laboratory.
Providers do not share or transfer any data directly to Zults.
You remain fully in control of whether, when, and how you share your information.

Once a file or link is submitted:

- The document is processed using artificial intelligence (OpenAI) to extract key details such as your name, provider, test date, and results.
- Uploaded PDFs are kept only until your Rezults card is created or your submission is rejected, then deleted. Provider link content is fetched once for parsing and is not stored as a file.
- No persistent connection or access is retained between Zults and your provider.
- Zults never retrieves or stores your provider credentials or account information.
- Temporary upload links may be short-lived URLs and should be treated as sensitive.

Your Rezults remains active until you choose to delete or replace it. When you delete your Rezults or replace it with new results, active account records are removed, subject to the retention limitations in Section 4.

7. Document Verification and Fraud Prevention

To protect the integrity of Rezults and prevent fraud, we implement multiple verification measures:

- AI Document Analysis: Uploaded documents are analysed using artificial intelligence to extract health information and detect potential inconsistencies.
- Metadata Analysis: Document properties (such as creation software and timestamps) may be analysed to verify authenticity.
- Manual Review: Uploaded documents may be reviewed by authorised Zults staff to verify authenticity and ensure accuracy. Reviewers are bound by strict confidentiality agreements.
- Fraud Detection: We analyse document patterns to identify potentially fraudulent submissions. Documents flagged as high-risk may be rejected or require additional verification.

8. Training Data

Zults previously retained approved documents in a secure training library to improve our automated verification systems. This program has been retired. We no longer keep copies of user-uploaded documents for training or system-improvement purposes.

9. Identity Verification and Biometric Data

Zults uses biometric verification to ensure credential integrity:

- Initial Verification: When you verify your identity, you submit a government-issued ID and a live facial image (selfie). These are compared to confirm your identity.
- Biometric Reference: Your verified facial image is stored as a reference to maintain credential integrity.
- Continuous Verification: If you change your profile photo after verification, the new photo is compared against your verified reference. If the faces do not match, your verification status and credentials may be automatically revoked for security purposes.
- Recovery: If your verification is revoked, you may re-verify your identity at any time by completing the verification process again.

This system prevents credential transfer and ensures that only you can use your verified Rezults.

10. How We Use Your Data

We process your data only where permitted by law: to perform our contract with you, comply with legal obligations, or pursue legitimate interests that do not override your rights.

Main Purposes:

- Provide and manage your Zults account.
- Generate and verify your Rezults securely.
- Enable private Rezults sharing between users.
- Verify document authenticity and prevent fraud.
- Send optional notifications and reminders with your consent.
- Improve app functionality, usability, and security.
- Comply with legal obligations and prevent fraud.

You may withdraw consent at any time by emailing contact@myrezults.com or using in-app controls.

11. Sharing Your Rezults

When you share your Rezults with others:

- Dynamic Links: Share links display your current Rezults and privacy settings at the time of access. Changes to your privacy settings automatically apply to all existing share links.
- Privacy Controls: You can choose to hide your legal name while still displaying your verified photo and health results. Your verified photo cannot be hidden as it serves as proof of identity.
- Revocation: You can disable any share link at any time. If your verification is revoked, all share links are automatically disabled.

12. Rez - Digital Sexual-Health Assistant

Rez is an in-app educational assistant that provides sexual-health education and reminders only.
Rez may remember limited preference data (such as testing dates or reminder settings) to personalise guidance.
Rez does not provide medical advice, diagnosis, prescriptions, or treatment.
Information is for educational purposes only. For any health concerns, contact a qualified clinician.
If you believe you are experiencing a medical emergency, call 999 (UK), 112 (EU), or 911 (US).

Rez conversations are session-based:

- Messages are processed in real time.
- Conversation snapshots may be saved locally on your device to support pause/resume.
- No permanent message history is stored on our servers.
- You can clear Rez's temporary memory at any time in Settings -> Rez Memory.
- Direct and group user-to-user chat messages are stored to deliver messaging features and apply your retention settings.

13. Data Sharing

We do not sell or rent personal data. We share limited data only with authorised processors under strict confidentiality and data-protection contracts.

- Hosting & Infrastructure: Zults is hosted on Amazon Web Services (AWS), a secure cloud provider certified under ISO 27001 and SOC 2. All data is encrypted and stored in the UK and EEA, with secure back-ups in the US under Standard Contractual Clauses (SCCs).
- AI Document Processing: OpenAI (https://openai.com) processes uploaded documents to extract health information. Document content is sent to OpenAI temporarily for parsing. OpenAI processes data in accordance with their Privacy Policy and data processing agreements.
- Identity Verification: ShuftiPro Ltd (https://shuftipro.com) performs identity and document checks on our behalf as an authorised processor. ShuftiPro receives only the data required for verification and processes it under its own Privacy Policy and applicable data-protection laws.
- Analytics & Performance: Google Analytics and similar tools provide aggregated, non-identifiable insights to help us improve app performance.
- Communications: Trusted third-party vendors deliver emails, SMS, and notifications you opt into. For Partner Notification, Twilio processes destination phone numbers and delivery metadata as our processor.
- Location & Provider Search: If you use provider-finder features, we may process your approximate location and send search queries to Google Places or equivalent providers to return nearby clinics.

14. International Transfers

If your data is transferred outside the UK or EEA, we rely on Standard Contractual Clauses (SCCs) or other lawful safeguards to ensure adequate protection.

15. Security

We implement administrative, technical, and physical safeguards to protect your information, including encryption, access controls, and monitoring.
You are responsible for keeping your device secure and logging out after use.
No system is entirely secure, but we will notify you of any personal-data breach where required by law.

16. Your Rights

Depending on your region, you have the right to:

- Access, correct, or delete your data;
- Restrict or object to processing;
- Request data portability; and
- Withdraw consent at any time.

To exercise these rights, email support@myrezults.com. We may ask for proof of identity before processing requests.
Deletion requests are fulfilled subject to legal, security, fraud-prevention, and backup-retention obligations described in this Policy.

17. Cookies and Tracking

We use cookies and similar technologies to operate Zults and analyse performance.
In the mobile app, equivalent device storage and SDK identifiers may be used for session continuity, security, and analytics.
You can adjust preferences in your browser or device settings. See our Cookie Policy for details.

18. Children

Zults is designed for adults 18+. We do not knowingly collect information from minors. If a minor's data is discovered, it will be deleted immediately.

19. Changes to This Policy

We may update this Policy from time to time. The current version will always be available in-app and on our website. Continued use means you accept the updated Policy.

20. Contact

If you believe your data has been misused or compromised, please contact us immediately.
eWellness Limited, 14 Royal Star & Garter, Richmond, TW10 6BF, UK
contact@myrezults.com