Privacy Policy
Last Updated
11 May 2026
Scope
This Privacy Policy applies to personal information processed through ChatIBD via our website (chatibd.com), APIs and related online offerings (collectively, “Services”). ChatIBD is operated by Dr Shaun Chuah as a University of Glasgow academic project. Data controller arrangements are described in the Supplemental UK GDPR Notice.
FOR EEA, SWITZERLAND & UK RESIDENTS: see our Supplemental GDPR Notice.
Personal Information We Collect
The categories of personal information we collect depend on how you interact with us, our Services and the requirements of applicable law. We collect information that you provide to us, information we obtain automatically when you use our Services, and information from other sources such as third-party services and organizations, as described below.
Information You Provide to Us Directly
We may collect the following personal information that you provide to us.
- Account Creation. We may collect information when you create an account, such as a unique customer ID or an email address or phone number.
- Your Communications with Us. We may collect personal information, such as email address, phone number, or mailing address when you request information about our Services, request technical support, participate in approved service evaluation, or otherwise communicate with us.
- Surveys. We may contact you to participate in surveys. If you decide to participate, you may be asked to provide certain information which may include personal information.
- Chat Messages. We process chat messages submitted by users to provide responses, maintain conversation history for registered users, monitor safety and performance, troubleshoot errors, and, where separately consented or otherwise lawfully approved, support approved research or service evaluation.
- No Patient-Identifiable Information. Users must not submit directly identifiable patient information, including names, CHI/NHS numbers, dates of birth, addresses, contact details, hospital numbers, or free-text extracts from records that could identify an individual. If such information is submitted, we may delete, redact, or restrict processing of it where practicable.
Information Collected Automatically
We may collect personal information automatically when you use our Services.
- Automatic Data Collection When You Visit Our Website. We may collect certain information automatically when you use our Services, such as your Internet protocol (IP) address, user settings, cookie identifiers, browser or device information, approximate location derived from IP address, and Internet service provider. We may also automatically collect information regarding your use of our Services, such as pages that you visit before, during and after using our Services, information about the links you click, the types of content you interact with, the frequency and duration of your activities, and other information about how you use our Services.
- Automatic Data Collection When You Use Our Services. We may collect other types of technical information about your use of our Services, such as telemetry metrics, to help operate, secure, troubleshoot, and improve our Services.
- Cookies, Pixel Tags/Web Beacons, and Other Technologies. We and our service providers may use cookies, pixel tags, local storage, and other technologies (“Technologies”) to automatically collect information through your use of our Services.
Cookies
Cookies are small text files placed in device browsers that store preferences and facilitate and enhance your experience.
Pixel Tags/Web Beacons
A pixel tag (also known as a web beacon) is a piece of code embedded in our Services that collects information about engagement on our Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or interacted with a service feature. We may also include web beacons in emails to understand whether service messages have been opened or acted on.
Analytics.
We may use Technologies and other third-party tools to process analytics information on our Services.
We use the following Technologies:
- PostHog – We use a service provided by PostHog, Inc. to provide us with analytics data regarding user interaction with our Site and Services. PostHog’s tracking and use of information is governed by the PostHog privacy policy available at https://posthog.com/privacy. PostHog session replay is disabled in the ChatIBD client. If session replay is enabled in future, it will be configured to minimise capture of sensitive content and should not record chat message contents or patient-identifiable information.
- Sentry - We use Sentry, a service provided by Functional Software, Inc., to collect information about errors and performance issues in our Services. Sentry collects information about your device, browser, and the specific error or performance issue encountered. Sentry’s collection and use of information about you is governed by the Sentry privacy policy available at https://sentry.io/privacy.
Information Collected from Other Sources
We may obtain information about you from third-party services that support account access, authentication, analytics, error monitoring, hosting, or other Service operations.
How We Use Your Information
We use your information to provide, secure, evaluate, and improve the Services, as described below.
Provide Our Services
We use your information to fulfill our contract with you and provide you with our Services, such as:
- Managing your information and accounts;
- Providing access to certain areas, functionalities, and features of our Services;
- Answering requests for customer or technical support;
- Communicating with you about your account, activities on our Services, and policy changes;
- Processing chat messages to generate responses and maintain conversation history where that feature is available;
- Allowing you to register for approved events or studies.
Administrative Purposes
We use your information for various administrative purposes, such as:
- Pursuing legitimate interests such as service operation, network and information security, misuse prevention, service evaluation, and functionality improvement;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;
- Measuring engagement in our Services;
- Improving, upgrading or enhancing our Services;
- Ensuring internal quality control and safety;
- Authenticating and verifying individual identities;
- Debugging to identify and repair errors with our Services;
- Auditing relating to interactions, transactions and other compliance activities;
- Enforcing our agreements and policies;
- Complying with our legal obligations.
Service Communications
We may use personal information to send service-related communications, such as account notices, technical updates, policy changes, support responses, and information about approved research or service evaluation opportunities where appropriate. We do not use ChatIBD to deliver personalised advertising.
Other Purposes
We also use your information for other purposes as requested by you or as permitted by applicable law.
- Consent. We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information or with your consent.
- De-identified and Aggregated Information. We may use personal information and other information about you to create de-identified and/or aggregated information, such as de-identified demographic information, de-identified location information, information about the device from which you access our Services, or other analyses we create.
- Academic Research. Where we have a separate, approved research notice and consent or another approved lawful basis, we may use limited data for academic research and service evaluation. Routine use of ChatIBD is separate from research participation. Chat messages will only be included in research datasets where the user has provided consent through an approved research consent process, or where another lawful basis has been approved by the relevant governance route. Withdrawal from research will not prevent continued use of the Service.
How We Disclose Your Information
We disclose your information to third parties where needed to provide the Services, protect users and the Service, comply with law, or support approved research or service evaluation, as described below.
Disclosures to Provide our Services
The categories of third parties with whom we may share your information are described below.
- Service Providers. We may share your personal information with third-party service providers who use that information to help us provide the Services. This includes service providers that support hosting, authentication, analytics, error monitoring, IT support, and related services.
- Model and AI Infrastructure Providers. To generate responses, chat messages may be processed by third-party AI/model infrastructure providers acting as service providers or processors. We use such providers to deliver the Service and apply contractual, technical, and organisational safeguards where appropriate.
- APIs/SDKs. We may use third-party Application Program Interfaces (“APIs”) and software development kits (“SDKs”) as part of the functionality of our Services. For more information about our use of APIs and SDKs, please contact us as set forth below.
- Research Collaborators. If an approved research program is active, we may share research-eligible, minimised, or de-identified data with approved academic collaborators, ethics partners, and service providers who support the study.
Disclosures to Protect Us or Others
We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.
Disclosure in the Event of Service Transfer
If responsibility for operating ChatIBD transfers to the University of Glasgow, a University-approved operator, or another lawful service provider, your information may be transferred as part of that transition as permitted by law and applicable governance arrangements.
Your Privacy Choices and Rights
The privacy choices you may have about your personal information are determined by applicable law and are described below.
Email Communications.
If you receive a non-essential email from us, you may contact us to opt out of similar future messages. You will continue to receive service-related emails such as account, security, technical support, research-consent, or policy notices where appropriate.
“Do Not Track.”
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.
Cookies.
You may stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, our Services may not work properly. You may also use the cookie banner or cookie management controls provided by the Service where available.
Your Privacy Rights.
In accordance with applicable law, you may have the right to:
- Access Personal Information about you, including: (i) confirming whether we are processing your personal information; (ii) obtaining access to or a copy of your personal information; and (iii) receiving an electronic copy of personal information that you have provided to us, or asking us to send that information to another company (the “right of data portability”);
- Request Correction of your personal information where it is inaccurate or incomplete. In some cases, we may provide self-service tools that enable you to update your personal information;
- Request Deletion of your personal information;
- Request Restriction of or Object to our processing of your personal information; and
- Withdraw your Consent to our processing of your personal information.
If you would like to exercise any of these rights, please contact us as set forth below. We will process such requests in accordance with applicable laws.
Security of Your Information
We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy. Unfortunately, no system is 100% secure, and we cannot ensure or warrant the security of any information you provide to us. We have taken appropriate safeguards to require that your personal information will remain protected and require our third-party service providers and partners to have appropriate safeguards as well. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure. By using our Services or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on our Services, by mail or by sending an email to you.
International Data Transfers
Personal information may be transferred, processed, and stored in countries outside the UK or EEA where our service providers operate, including the United States. We use safeguards intended to protect your information consistent with applicable data protection laws. If you are a resident of the European Economic Area, Switzerland, or the United Kingdom, please see our supplemental GDPR notice here.
Retention of Personal Information
We store the personal information we collect as described in this Privacy Policy for as long as you use our Services or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, maintain security, enforce our agreements, and comply with applicable laws.
Research Participation
Routine use of ChatIBD is separate from research participation. If an approved research program is active, your participation will be governed by the separate research consent form and research privacy notice provided to you. Chat messages will only be included in research datasets where you have provided consent through an approved research consent process, or where another lawful basis has been approved by the relevant governance route. You may withdraw from the research program without deleting your account, and we will stop using your future activity for research once the withdrawal is recorded.
Children's Information
Our Services are not intended for use by children under the age of 16. If we become aware that a child has provided us with personal information in violation of applicable law, we will delete any personal information we have collected.
Supervisory Authority
If you are in the EEA, Switzerland or the UK, you have the right to lodge a complaint with your local data protection authority.
Changes to This Privacy Policy
We may update this policy from time to time. Material changes will be published on this page with an updated “Last updated” date. By continuing to use our Services after changes take effect, you accept the revised policy.
Contact Us
If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:
ChatIBD
Email: privacy@chatibd.com