Privacy Policy
Effective Date: 22 May 2025
Thank you for trusting Cambridge Vision Technology Ltd. ("Aykua", "we", "us") to help speed up your medical paperwork. Your privacy matters, so we wrote this notice in plain English to let you know exactly what happens to your information.
Note: This policy complements our Terms of Service. Because we're a UK-based company working with U.S. medical data, we follow both UK and U.S. data-protection laws.
1. Who we are
- Cambridge Vision Technology Ltd. is a company registered in England and Wales.
- We help U.S. patients and their healthcare providers complete medical paperwork.
- When you give us information to start a form request, we decide how it's processed, so we're the data controller.
- Once your healthcare provider signs a Business Associate Agreement (BAA) with us, we handle your data only on their instructions as a processor (or "Business Associate" under HIPAA).
2. Data we collect
We only collect the information you submit through the Aykua patient portal. This information varies depending on the type of form or paperwork request, and may include:
- Contact details – such as your name, address and email.
- Employment details – employer name or job title.
- Health info – the medical condition or health reason responsible for your paperwork request.
- Payment reference – a Stripe payment ID and confirmation (never your full card number).
- Technical basics – IP address and browser type so the site runs securely.
3. How we use your information
We use your data to:
- Provide the service – share your form details with your healthcare provider to help them complete the request efficiently.
- Keep you up to date – send status emails, error alerts, and payment receipts.
- Take payment – provide required details to Stripe so they can process your card.
- Protect the service – monitor for fraud, keep audit logs, and limit staff access.
- Follow the law – meet UK and U.S. data protection laws.
- Optional updates – if we want to send non-essential messages, we'll ask first.
Our legal bases under UK law are contract performance, legal obligation, our legitimate interests (like fraud prevention), and – when we ask for it – your consent.
4. Who we share your data with
We never sell or rent your data. We share your information only when necessary:
- Your healthcare provider – so they can complete the paperwork request.
- Stripe – to process your payment securely.
- Our secure hosting partner – we use Google Cloud Platform under strict data-handling agreements.
- Law enforcement or regulators – if the law says we must.
- Anyone else – only if you tell us to.
5. How we keep your data safe
Your information lives on secure servers in the U.S. We use strong encryption, tight access controls, regular security checks, and detailed audit logs. If something does go wrong, we'll let you and the relevant authorities know as soon as we're required to. We also keep system-level audit records (which don't include identifiable health details) for up to 6 years to meet our HIPAA compliance obligations.
6. Where your data is stored
We're based in the UK, but your information is stored securely on servers in the U.S. To meet UK data protection rules, we use approved legal safeguards to protect your data to a similar standard.
7. How long we keep your data
- We keep your form details only as long as needed to finish the job and meet any legal duties.
- Want your data deleted sooner? Email privacy@aykua.com and, unless the law says otherwise, we'll erase or anonymise it within 30 days.
8. Your choices and rights
You have the right to:
- Ask for a copy of the information we hold about you.
- Correct it if it's wrong.
- Delete or restrict it in certain cases.
- Object to some uses, like marketing.
- Move it to another service.
- Withdraw consent at any time (this won't affect past processing).
To exercise any of these rights, email privacy@aykua.com. We may need to verify who you are first. If we don't resolve your concern, you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
9. Children and proxy submissions
Our service is for adults (18+) only. Parents, guardians, or other authorised persons can submit a form on someone else's behalf by confirming they are authorised to act on the patient's behalf using a declaration on the form.
10. Links to other sites
If you click a link to another website (like your hospital portal), their privacy rules apply, not ours. Check their notices before you share anything.
11. Changes to this policy
If we make big changes (for example, start using cookies), we'll post the update here and, where the law requires, give you at least 30 days' notice.
12. Contact us
Have a question or concern?
- Email: privacy@aykua.com
- Post: Data Protection Officer, Cambridge Vision Technology Ltd., 184 Cambridge Science Park, Milton Rd, Cambridge CB4 0GA, United Kingdom