Data retention
We keep as little as possible, for as short a time as makes sense, and always tell you what we're doing.
Uploaded images are only retained if you opt in. If you don't, the image is not stored after your scan.
Opt-in only
Images are retained solely when you give explicit consent.
Deletion on withdrawal
Withdraw consent and your image is scheduled for deletion.
Scan images (no consent)
If you don't opt in, your uploaded image is used only to produce your result and is not retained for training.
Consented training images
- Kept securely, with hidden metadata removed, and linked to a consent record.
- Reviewed and labelled by trained people to build a high-quality dataset.
- Retained for as long as your consent remains in place, so the model can keep learning.
Withdrawal and deletion
When you withdraw consent, we immediately mark the image as withdrawn, stop it being included in any future dataset or export, and schedule it for deletion (within 30 days).
If a copy already exists in a frozen dataset version, it is flagged for exclusion from all future versions.
Consent records
The record of your consent decision (what you agreed to and when) is retained by our consent platform so we can prove your choices were respected — even after an image is deleted.
Clinic listing claims
Clinic claim records are retained for security, verification, and directory administration. Verification emails are transactional and claim records are kept separate from scanner consent and training-image consent.
Rejected, expired, and approved claim records may be retained so we can prevent duplicate or fraudulent claims and keep an audit trail of listing ownership decisions.
School Partnership applications and hubs
School Partnership applications, approved school hub records, and hashed management tokens are retained in Postgres to operate the free school programme, prevent duplicate applications, and support admin review.
Email verification tokens are hashed at rest, single-use, and cleared after verification or expiry. Revoked management tokens remain hashed for audit but cannot grant access. Aggregate engagement events may be retained with other analytics event logs.
School Partnership records are separate from scanner images and training consent. No pupil accounts, parent accounts, or individual scan outcomes are stored against a school.
Other data
- Anonymous analytics is only collected if you allow it, and is aggregated.
- Any contact details you submit are handled per our Privacy Policy and can be removed on request.
Manage your choices
View or withdraw consent and manage cookie preferences any time.
