CircadiaLog Privacy Policy
CircadiaLog ("we", "our", or "us") is committed to protecting personal data and respecting privacy in accordance with the United Kingdom General Data Protection Regulation ("UK GDPR"), the European Union General Data Protection Regulation ("EU GDPR"), and applicable data protection legislation.
This Privacy Policy explains how personal data is processed when individuals use the CircadiaLog application and related services (the "App").
1. Our Role Under Data Protection Law
For the purposes of UK GDPR and EU GDPR:
- CircadiaLog acts as a Data Processor
- Universities, research institutions, research groups, or Principal Investigators ("PIs") act as Data Controllers
The Data Controller determines the purposes and lawful bases for processing personal data. CircadiaLog processes personal data solely on the documented instructions of the Data Controller and does not determine research purposes, research design, or research outcomes.
If you are a research participant and have questions about how your data is used, you should contact the research organisation or Principal Investigator responsible for your study.
2. Categories of Personal Data Processed
Depending on how a research study is configured by the Data Controller, CircadiaLog may process the following categories of personal data:
2.1 Pseudonymised Participant Data
- Participant identifiers assigned by the Data Controller
- Optional display names chosen by participants for dashboard or interface use
Display names are user-defined labels and are not required to be identifying. CircadiaLog does not link participant identifiers to real-world identities. Any identifier linkage logs are maintained exclusively by the Data Controller.
2.2 Research and Chronobiology Data
- Sleep timing and duration data
- Circadian rhythm and longitudinal chronobiology measurements
- Repeated measures collected over time for scientific research purposes
These data constitute special category (health-related) personal data under Article 9 GDPR.
2.3 Technical and Operational Data
- Device type, operating system, and app version
- Log files, error reports, and system diagnostics
- Usage metadata necessary to operate, secure, and maintain the App
3. Purpose of Processing
As a Data Processor, CircadiaLog processes personal data only to:
- Provide and operate the App for scientific research
- Enable secure collection, storage, visualisation, and export of research data
- Provide analytics and dashboards to Data Controllers
- Maintain system security, integrity, and availability
- Provide technical support to Data Controllers
- Comply with applicable legal obligations
CircadiaLog does not use personal data for independent research, marketing, advertising, or commercial profiling purposes.
4. Lawful Basis and Scientific Research Safeguards
The lawful basis for processing personal data is determined by the Data Controller and may include consent, performance of a task carried out in the public interest, or other lawful bases permitted under UK GDPR and EU GDPR.
Where applicable, processing is carried out in accordance with:
- Article 9(2)(j) GDPR: processing of special category data for scientific research purposes
- Article 89 GDPR: safeguards for scientific research, including pseudonymisation and data minimisation
CircadiaLog supports these safeguards through technical and organisational measures but does not independently rely on or determine the application of research exemptions. CircadiaLog does not engage in automated decision-making or profiling that produces legal or similarly significant effects on participants. All data visualisations and analytics provided by the App are intended for research purposes and are subject to human interpretation by the Data Controller.
5. Minor Participants
Some studies conducted on the CircadiaLog platform may, at the Data Controller's discretion, enrol participants under the age of 18. Where this occurs:
- The Data Controller is solely responsible for obtaining verifiable parental or guardian consent prior to account creation, in accordance with all applicable laws and regulations, including (without limitation) Article 8 of the UK GDPR concerning the processing of children's data, and any applicable research ethics or institutional review board requirements.
- CircadiaLog does not perform independent age verification and does not obtain consent directly from minors or their parents or guardians.
- All data processing safeguards set out in this Policy apply equally to data from minor participants.
Questions regarding a specific study's consent procedures for minors should be directed to the responsible Research Institution or Principal Investigator.
6. Access Controls and Data Segregation
- Data is segregated by research centre and study
- Role-based access controls restrict access to authorised users only
- Data Controllers may view, export, and delete data for their assigned studies
- CircadiaLog staff do not have access to individual participant-level research data
7. Data Retention and Deletion
CircadiaLog retains personal data only for as long as instructed by the Data Controller.
- Upon completion of a study, Data Controllers may download and permanently delete study data
- Secure rolling backups are retained for disaster recovery purposes
- Backup data is access-restricted and automatically overwritten after the retention period
8. Data Security
CircadiaLog implements appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit and at rest
- Role-based access controls
- Logical separation of centres and studies
- Monitoring and incident response procedures
While no system can guarantee absolute security, CircadiaLog takes data protection and research integrity seriously.
In the event of a personal data breach, CircadiaLog will notify the affected Data Controller(s) without undue delay and provide reasonable assistance in accordance with our contractual obligations under Article 33 of the GDPR.
9. Sub-Processors
CircadiaLog uses trusted Sub-Processors to deliver its services, including:
- Google Cloud Platform / Firebase (UK and EU region, London)
All Sub-Processors are subject to contractual obligations consistent with UK GDPR and EU GDPR requirements.
10. Cookies and Local Storage
CircadiaLog uses strictly necessary cookies and local storage (e.g., browser-based storage) to provide essential App functionality, such as maintaining secure user sessions, authenticating login credentials, and persisting user-defined interface preferences. We do not use cookies for advertising, tracking, or marketing purposes.
11. International Data Transfers
Where personal data is transferred outside the United Kingdom or the European Economic Area, appropriate safeguards are implemented, including:
- UK International Data Transfer Agreements (IDTA)
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions, where applicable
12. Data Subject Rights
Research participants have rights under UK GDPR and EU GDPR, including the right to access, rectify, erase, restrict, or object to processing, and the right to data portability.
As a Data Processor, CircadiaLog assists Data Controllers in responding to data subject rights requests. Requests should be directed to the relevant research organisation or Principal Investigator. If we receive a request directly from a data subject, we will forward that request to the relevant Data Controller without undue delay.
13. Changes to This Privacy Policy
This Privacy Policy may be updated from time to time. Any changes will be reflected by an updated effective date.
14. Contact Information
CircadiaLog Email: privacy@circadialab.org