Calyx LogoCalyx
Legal

Privacy Policy

Last updated: 19 May 2026

1. Who we are

Calyx is operated by Halcyon Labs, a company registered in England and Wales. Our platform is available at usecalyx.app and portal.usecalyx.app. For any queries regarding this policy, please contact hello@usecalyx.app.

2. What data we collect

We collect several types of information to provide and improve our service to you:

  • Clinic account data: name, email, business name, address, VAT number
  • Practitioner data: name, email, role, registration number, prescriber type
  • Patient data (processed on behalf of clinics): name, contact details, date of birth, medical history, treatment records, clinical notes, consent forms, before and after photographs, prescription records
  • Payment data: processed securely via Stripe - we do not store credit or debit card numbers
  • Usage data: login times, feature usage, session data
  • Technical data: IP address, browser type, device type

3. How we use your data

We process your data for the following purposes:

  • To provide and operate the Calyx platform
  • To process subscription payments via Stripe
  • To send transactional emails via Resend (including booking confirmations, reminders, and digital consent forms)
  • To sync financial records to Xero where enabled by the clinic
  • To provide dedicated customer support
  • To continuously monitor and improve the platform

4. Our legal basis under UK GDPR

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following legal bases for processing your data:

  • Contract: processing is necessary to provide the platform subscription and services you have signed up for
  • Legal obligation: compliance with UK prescribing regulations and Care Quality Commission (CQC) requirements
  • Legitimate interests: maintaining platform security, fraud prevention, and service improvement
  • Consent: marketing communications (you may easily withdraw your consent at any time)

5. Data we process on behalf of clinics

Calyx acts as a data processor for patient data held by clinics. Clinics are the data controllers for their patient records. We process this data only on the documented instructions of the clinic. Clinics are solely responsible for obtaining appropriate consent from their patients and for maintaining their own compliance with the UK GDPR.

6. Data storage and security

We take security seriously and enforce robust protection controls:

  • All database records are securely stored in the European Union via Supabase (PostgreSQL)
  • All data in transit is encrypted using Transport Layer Security (TLS)
  • All data at rest is encrypted at the database level
  • Row-level security (RLS) ensures clinic data is strictly isolated between tenants
  • Access is restricted by strict role-based permissions

7. Third-party processors

We partner with the following sub-processors to deliver core parts of our service:

ProcessorPurposeLocation
SupabaseDatabase and authenticationEU
StripePayment processingUS (Standard Contractual Clauses in place)
ResendTransactional email deliveryUS (Standard Contractual Clauses in place)
VercelHosting and deploymentUS / EU
XeroAccounting sync (where enabled)New Zealand (EU Adequacy Decision)

8. Data retention

We keep personal data only for as long as is necessary:

  • Active clinic accounts: retained for the duration of the active subscription
  • Patient records: retained in accordance with each clinic's own retention policy - clinics may export or delete their data at any time
  • Payment records: retained securely for 7 years in line with HMRC requirements
  • Deleted accounts: data is fully purged within 30 days of subscription termination

9. Your rights under UK GDPR

You have the right to access, rectification, erasure, restriction of processing, data portability, and to object. To exercise any of these rights, please contact hello@usecalyx.app. You also hold the right to lodge a formal complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Cookies

We use cookies to keep you signed in, remember your preferences, and secure the platform. For a detailed list of cookies and options to manage them, see our Cookie Policy at usecalyx.app/cookies.

11. Changes to this policy

We will notify clinic account holders of any material changes to this policy by email at least 14 days in advance.

12. Contact

If you have any questions or require clarification regarding your data, please email us directly at hello@usecalyx.app.