Last updated 21 April 2026

Privacy Policy

This policy explains what personal data we collect when you use Veska, why we collect it, and the rights you have over it. We follow the UK GDPR and the Data Protection Act 2018.

1. Who we are

Veska is operated by Veska Health Ltd (“we”, “us”, “our”), a company registered in England and Wales.

  • Registered office: [COMPANY ADDRESS — SET IN ENV]
  • Companies House number: [COMPANY NUMBER — SET IN ENV]
  • ICO registration number: [ICO REGISTRATION — SET IN ENV]
  • Data protection contact: privacy@veska.health

For the purposes of UK data protection law, we are the data controller in respect of personal data we collect through this website.

2. What personal data we collect

We collect the following categories of personal data when you use the Veska website and our waitlist intake questionnaire.

Health and eligibility information

Information you enter into the intake questionnaire, including height, weight, goal weight, sex assigned at birth, date of birth, existing medical conditions, current medications, prior surgeries, blood pressure and heart rate ranges, and programme preferences. This is special category health data under Article 9 of the UK GDPR.

Contact and identity data

First name, email address, and UK mobile phone number. Consent status for communications. Any free-text information you choose to share (e.g. a list of current medications).

Technical and analytics data

IP address (truncated where possible), device and browser type, language, referring URL, pages visited, timestamps, and interaction events. Marketing attribution identifiers such as UTM parameters and click identifiers (e.g. gclid, fbclid) that travel in the URL when you arrive from an advert.

Cookies and similar technologies

We set essential cookies that keep the site functional and, with your consent, analytics and marketing cookies. Full details are in our Cookie Policy.

3. Why we collect it

  • Eligibility assessment. To determine whether our future medical weight management programme is likely to be appropriate for you.
  • Communication. To email you about your waitlist placement, launch updates, and, if you opt in, occasional tips and product news.
  • Analytics and product improvement. To understand how the site is used and improve the experience.
  • Marketing measurement. To measure the performance of adverts we run on third-party platforms and reach people who might benefit from our programme.
  • Legal and regulatory compliance. To keep records required of us by law and to respond to lawful requests from regulators.

4. Lawful basis for processing

We rely on the following lawful bases under Article 6 of the UK GDPR:

  • Consent (Art. 6(1)(a)): for marketing emails, non-essential cookies, and processing of your health data in the intake questionnaire (Art. 9(2)(a) for special category data).
  • Contract (Art. 6(1)(b)): to take steps at your request prior to entering a contract with you for our programme (e.g. holding your waitlist place).
  • Legitimate interests (Art. 6(1)(f)): to operate and secure the website, maintain records, and measure the effectiveness of our advertising. We have balanced these interests against your rights and freedoms.

You can withdraw consent at any time by emailing us or using the unsubscribe link in any marketing email. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

5. How long we keep your data

  • Lead and intake data: up to 2 years from your last interaction with us, after which records are deleted or fully anonymised. We may retain data for longer where the law requires it.
  • Analytics data: up to 26 months, aligned with default retention settings in PostHog and Google Analytics.
  • Consent records: kept as long as needed to demonstrate compliance, and no longer than 5 years.
  • Transactional and tax records (when we begin charging): up to 6 years as required by HMRC.

6. Who we share data with

We do not sell personal data. We share personal data only with carefully selected providers, each bound by a written data processing agreement.

  • Resend: transactional and marketing email delivery (EU/US processing).
  • PostHog: product analytics and session insights.
  • Meta Platforms Ireland Ltd: advertising measurement via the Meta Pixel and Conversions API.
  • Google LLC / Google Ireland Ltd: Google Analytics and Google Ads measurement.
  • Stripe Payments Europe Ltd: payment processing (once charging begins).
  • Vercel Inc.: website hosting and edge delivery.
  • Regulators, law enforcement, and professional advisers: where legally required or to protect our rights.

7. International transfers

Some of our providers (including Meta, Google, and certain Vercel and Resend infrastructure) process data in the United States or other countries outside the UK. Where this happens we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an applicable adequacy decision, together with appropriate supplementary measures such as encryption in transit and at rest.

8. Your rights

Under UK GDPR you have the following rights in respect of your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure (right to be forgotten): request deletion in certain circumstances.
  • Restriction: ask us to limit how we use your data while a query is resolved.
  • Portability: receive a copy of data you have provided in a machine-readable format.
  • Objection: object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent: at any time, without affecting prior lawful processing.

To exercise any of these rights, email us at privacy@veska.health or use our privacy request form. We will respond within one month. If you are unhappy with our response, you can complain to the Information Commissioner’s Office (ICO). We would prefer the chance to resolve the issue with you first.

9. Security

We take appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, and audit logging. No system is perfectly secure, and we cannot guarantee absolute security of data transmitted over the internet.

10. Changes to this policy

We may update this policy from time to time. When we make material changes we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email.

11. Contact

Questions or requests about this policy or your personal data can be sent to privacy@veska.health or by post to the registered office above.