How Healthcount protects personal data
Healthcount is designed around data minimisation and privacy by design. We collect only what is needed, report only in aggregate, and never share individual health data with employers or insurers.
- Designed around data minimisation
- Individual health data is never shared with employers or insurers
- Employers only see aggregated, de-identified cohort reporting
- Employees control participation and can stop at any time
- Data is processed in line with UK GDPR and privacy-by-design principles
Data minimisation
Healthcount collects the minimum data needed to support maintenance. We don't require detailed food diaries, extensive health questionnaires, or continuous monitoring. The inputs are:
- An occasional weight datapoint (not daily)
- Optional activity and sleep trends (connected where available)
- An optional medication schedule with lightweight check-ins
- Short check-ins when prompted by drift signals
Purpose limitation
Data collected by Healthcount is used for one purpose: supporting GLP-1 maintenance. It is not used for marketing or profiling, and it is not resold to third parties. Member data drives two outputs: personal maintenance signals for the member, and anonymised, aggregated reporting for funders.
Roles in different programme models
Healthcount's data governance role depends on how the service is accessed.
- When used directly by individuals, Healthcount acts as data controller.
- In employer or insurer programmes, Healthcount may act as processor for some functions and controller for the member experience.
- Employers never receive identifiable employee health data, regardless of the programme model.
Data processing agreements are available for employer and insurer programmes.
Legal basis for processing health-related data
Health data is special category data under UK GDPR. Healthcount processes it carefully and transparently.
- We process health-related data using appropriate UK GDPR conditions, including explicit consent where required.
- Participation is always voluntary. No one is required to use Healthcount.
- Processing is limited to supporting maintenance behaviour — nothing more.
- Members can withdraw at any time without affecting their employment or clinical care.
Protections in employer programmes
Employers do not see individual employee health data. This is a non-negotiable design principle. Specific protections include:
- Minimum cohort size thresholds before any reporting is shared
- Aggregated reporting only — no individual-level data
- No identifiable employee reports
- No individual monitoring by employers
- No behavioural scoring of individuals
- No automated employment decisions based on Healthcount data
If a cohort is too small for safe reporting, data is withheld until the group size threshold is met.
Aggregation and anonymisation
Reporting for insurers and employers is grouped and de-identified. We use minimum group sizes to reduce re-identification risk. Funders see cohort-level patterns, not individual journeys.
What funders see
- Activation rates (e.g. first check-in within 14 days)
- Retention rates (e.g. active at 8 weeks)
- Stop-start proxies (28+ day gaps and restart rates)
- Drift signal distributions across the cohort
- Safety signposting frequency
Operational details
Data retention
Personal data is retained for as long as a member actively uses Healthcount, plus a reasonable period to allow for pauses in treatment. Aggregated reporting data is retained separately and does not contain personal identifiers. Members can request deletion at any time.
Your rights
Under UK GDPR, you have the right to access your data, request correction of inaccurate data, request deletion, and restrict processing, as well as the right to data portability. To make a data subject access request (DSAR) or exercise any of these rights, contact us at anna@healthcount.app.
Data deletion
Members can request full deletion of their personal data at any time. Deletion requests are processed promptly. Once deleted, personal data cannot be recovered. Aggregated, anonymised data that has already been included in cohort reporting is retained as it contains no personal identifiers.
Subprocessors
Healthcount uses a limited number of subprocessors to deliver the service. All subprocessors are reviewed for data protection compliance and are bound by appropriate contractual terms. A current list is available on request.
International transfers
Data is hosted on infrastructure within the UK and EU. Where any processing involves transfers outside the UK, appropriate safeguards are in place in line with UK GDPR requirements.
Healthcount is designed so employers can support employee health without accessing personal health data.
For full legal details, see our Privacy Policy and GDPR Compliance pages.