Metrix Search Logo
Metrix Search
by Metrix Health

Privacy Policy

Metrix Health Privacy Policy

Effective Date: 4 June 2025

1. Introduction

Metrix Health Ltd ("Metrix Health", "we", "us" or "our") provides a semantic‑search platform and medically‑trained large‑language‑model (LLM) services that enable healthcare professionals to search national, specialty‑specific and local medical policies and guidelines (the “Service”). Protecting your privacy is fundamental to our mission. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you interact with the Service, and describes the choices and rights available to you.

2. Scope of This Policy

This Policy applies to information we process when you:

  • visit metrixhealth.ai or any sub‑domain we control;
  • create or manage an account;
  • submit search queries or other content to the Service; or
  • communicate with us by any means.

This Policy does not cover any third‑party websites, integrations, or content that we do not control. If you access external resources, their privacy statements govern.

3. Key Principles

  1. Data Minimisation & Purpose Limitation. We collect only the information necessary to deliver and improve the Service.
  2. No Patient‑Level Data by Default. The indexed corpus comprises publicly available or properly licensed clinical guidance—not identifiable patient data. We ask users not to upload, paste, or otherwise share personal health information (PHI) through the Service.
  3. Security by Design. We employ industry‑standard technical and organisational measures to protect information.
  4. Transparency & Control. We provide clear explanations and honour your privacy rights.

4. Information We Collect

CategoryExamplesSource
Account & Profile Dataname, professional role, organisation, email address, authentication credentialsYou
Query & Interaction Datasearch strings, clicked results, feedback, timestampsYou; automated logging
Usage & Device InformationIP address, browser type, operating system, device identifiers, referring URLs, session duration, cookies, local storage objects, crash reportsAutomated
Communicationssupport tickets, emails, survey responsesYou
Derived/Statistical Dataaggregated usage metrics, anonymised embeddingsGenerated by us

Note on Special‑Category Data (GDPR) / PHI (HIPAA): Metrix Health is not designed to ingest identifiable patient information. If a user nevertheless submits such data, it is processed under strict access controls and promptly purged or de‑identified.

5. How We Use Your Information

We process information to:

  1. Provide & Maintain the Service. Operate core semantic indexing, LLM inference, account management, customer support.
  2. Improve & Develop Features. Analyse usage patterns, run A/B tests, fine‑tune model parameters on non‑identifiable query snippets.
  3. Ensure Security & Prevent Abuse. Detect, investigate, and mitigate suspicious or unauthorised activity.
  4. Comply with Legal Obligations. Maintain records, respond to lawful requests, enforce agreements.
  5. Communicate With You. Send service announcements, security alerts, and, where permitted, product updates or surveys.

We do not sell, rent, or lease your personal information.

6. Legal Bases for Processing (GDPR/UK GDPR)

Legal BasisTypical Processing Activities
Performance of a ContractCreating and administering your account, delivering the Service
Legitimate InterestsSecuring the platform, improving models, fraud prevention
ConsentOptional marketing emails, cookies requiring opt‑in
Legal ObligationTax records, regulatory reporting

Where we rely on legitimate interests, we balance them against your rights and expectations.

7. Sharing & Disclosure

We share information only as described:

  • Service Providers. Cloud hosting, intrusion detection, analytics, or AI‑inference vendors under confidentiality and data‑processing agreements.
  • Legal or Safety Requirements. To comply with subpoenas, court orders, or protect rights, property, or safety.
  • Business Transfers. In connection with a merger, acquisition, or asset sale (you will be notified of any change of ownership or uses of your personal information).
  • Aggregated/De‑identified Data. Usage statistics that cannot reasonably identify you.

We do not permit service providers to use personal information for their own marketing purposes.

8. Cookies & Similar Technologies

We use strictly necessary cookies for authentication and security. With your consent, we may use optional analytics cookies to understand feature adoption. Cookie settings can be adjusted at any time via the account or browser controls.

9. Data Retention

  • Account Data: retained for the life of the account plus 90 days, unless longer is required by law.
  • Query Logs: anonymised after 30 days; aggregate statistics retained.
  • Back‑ups: encrypted and purged on a rolling 35‑day schedule.

Upon verified deletion request or account closure, personal data is removed from active systems within 30 days and from back‑ups within 35 days.

10. Security Measures

  • Encryption in transit (TLS 1.3) and at rest (AES‑256)
  • Role‑based access controls & multi‑factor authentication for staff
  • Continuous vulnerability scanning & third‑party penetration testing
  • ISO 27001‑aligned policies and employee training

No transmission or storage system is 100% secure; we therefore encourage responsible disclosure of any suspected vulnerabilities.

11. International Data Transfers

If we transfer personal data outside the UK/EEA—for example, to US‑based cloud providers—we rely on approved transfer mechanisms such as the EU Standard Contractual Clauses (SCCs) and UK Addendum. Additional safeguards (encryption, access controls) are applied.

12. Your Privacy Rights

Subject to local laws, you may:

  • Access the personal information we hold about you;
  • Rectify inaccurate or incomplete data;
  • Erase data ("right to be forgotten");
  • Restrict or Object to certain processing;
  • Port data to another controller;
  • Withdraw Consent at any time (without affecting prior lawful processing);
  • Complain to a supervisory authority.

To exercise any right, email privacy@metrixhealth.ai or use the in‑product portal. We will respond within 30 days.

13. Children’s Privacy

The Service is intended for users aged 16 or older. We do not knowingly collect personal data from children. If you believe a child has provided us personal information, contact us for prompt deletion.

14. Automated Decision‑Making & Profiling

The platform’s ranking algorithms and LLM outputs assist professional judgement but do not make decisions with legal or similarly significant effects on individuals.

15. Additional Disclosures for California Residents

We act as a “service provider” under the California Consumer Privacy Act (CCPA) as amended by the CPRA. We do not share personal information for cross‑context behavioural advertising and have not sold personal information within the preceding 12 months.

16. Changes to This Privacy Policy

We may update this Policy periodically. Material changes will be announced via email or an in‑product banner at least 30 days before they take effect. The “Effective Date” at the top reflects the latest revision.

17. Contact Us

For any privacy‑related questions or concerns, contact our Data Protection Officer:

Email: privacy@metrixhealth.ai
Postal: Metrix Health Ltd, 12 Harbour Exchange, London E14 9QG, United Kingdom
DPO: dpo@metrixhealth.ai

Last Reviewed: 4 June 2025