Skip to content
GinsengLabs
GinsengLabs
WorkAboutContact
Legal · 02

Privacy Policy.

Effective 17 July 2026 Version 1.3 UK GDPR · England & Wales

We collect as little as we can get away with. This page tells you exactly what data we touch, why, who sees it, and how to get a copy or delete it.

On this page

  1. 01Who we are
  2. 02What this policy covers
  3. 03Data we collect
  4. 04Why we collect it
  5. 05Lawful bases
  6. 06Tracking & advertising
  7. 07Who we share data with
  8. 08International transfers
  9. 09How long we keep it
  10. 10Your rights
  11. 11Security
  12. 12Children
  13. 13Changes to this policy
  14. 14Contact & complaints

01 Who we are

The data controller for personal data processed through GinsengLabs products (currently the Symptoms iOS app) and the website at ginsenglabs.dev is:

  • GinsengLabs LTD
  • Registered in England & Wales · Company No. 17230581
  • Registered office: 124 City Road, London EC1V 2NX, United Kingdom
  • Contact (privacy & data requests): privacy@ginsenglabs.dev

We have not formally designated a Data Protection Officer under Article 37 UK GDPR — our processing does not meet the triggers in that Article. For all privacy matters — including data-subject requests, complaints, and questions about this policy — please email privacy@ginsenglabs.dev. It is monitored directly by our team and we aim to acknowledge requests within five working days.

02 What this policy covers

This policy applies to personal data collected through GinsengLabs products and services, currently:

  • this website (ginsenglabs.dev);
  • the Symptoms iOS application (the “App”); and
  • any direct correspondence you have with us (email, support, press).

We'll update this policy when we publish additional products.

It does not apply to third-party services we link to (such as the App Store) or to clinical workflows of any employer or institution you use the App in connection with.

The data categories described below correspond to the App Privacy label shown on our App Store listing. If you spot a discrepancy between this policy and what Apple displays, please tell us at privacy@ginsenglabs.dev — both should match.

03 Data we collect

We are deliberately minimal with data collection. Here's the complete list:

Email address
In the App: provided automatically by Apple (Sign in with Apple, including Apple's private-relay address if you choose to hide your email) or Google (Sign in with Google) when you create your account, and stored alongside your other account data in our Firebase-hosted database.

On the website: if you join the Symptoms waitlist or the GinsengLabs newsletter via a signup form, your email is stored in our subscriber list (Cloudflare D1) alongside which list you joined, the page URL you signed up from, and the country your request came from (derived from the network connection — the IP address itself is not stored in the subscriber list, though see the IP-address row below for short-lived security logging).
Name
Provided by Apple or Google when you first sign in to the App. With Sign in with Apple you can choose to share or hide your name; we only store what you choose to share. Used to personalise your in-app experience and address you in any correspondence.
IP address
May be processed by our infrastructure (Cloudflare for the website, and our App's backend) to deliver responses, apply rate limits, and detect and mitigate abuse including DDoS attacks. Held in short-lived security logs and then deleted; if a page or request fails, your IP address can also appear in the error report sent to Sentry (see section 7). Never used for advertising or product analytics.
Bot-protection signals
When you submit a signup form on this website, Cloudflare Turnstile runs a brief background bot-check. Cloudflare may process network and browser signals from your request to score the likelihood you're a human; this happens on Cloudflare's infrastructure and we receive only a pass/fail token. No raw signals are stored by us.
Website analytics
Only if you click “Accept all” on this site's cookie banner: Google Analytics 4 and Meta Pixel set cookies and collect usage data — pages visited, how you found us, device and browser type, and approximate (city-level) location derived from your IP address. If you reject the banner, or never answer it, neither tool loads and no analytics cookies are set. Separately, we use Cloudflare Web Analytics, which is cookieless, stores nothing on your device, and gives us only aggregate page-view counts. Your banner choice itself is stored in your browser (localStorage, “gl-consent”) so we don't re-ask on every page.
Friend-link page visits
Friend links contain the inviter's username in the URL (ginsenglabs.dev/symptoms/addFriend/username). Opening one on this website is an ordinary page view: the URL may appear briefly in Cloudflare's short-lived security logs and, if the page fails, in an error report to Sentry (see section 7). The page sets no cookies and never looks the username up, so visiting it reveals nothing about whether an account exists.
Speciality
Self-declared from a drop-down list (e.g. “Internal Medicine”, “Medical Student”). Optional. This is a content-preference setting used to surface puzzles of professional interest. It identifies your occupational interest, not your health — we do not treat it as data concerning health under Article 9 UK GDPR, and we do not infer anything about your own medical conditions or treatment from it.
Game play data
Cases played, guesses submitted, current and longest streak, win rate, distribution. Stored on-device and synced to our Firebase-hosted database as part of your account.
Username & friends
Your username, and the fact that you are friends with another user, are visible to your accepted friends and to anyone you share your friend link with. If you add friends, your daily case result (guess count, win or loss) is also visible to your accepted friends. Friend connections are stored in our Firebase-hosted database as part of your account.
Referral attribution
If you join using a friend link or referral code, we record which user referred you, together with the reward and fraud-check outcomes, to operate the referral reward programme. We keep the referral record for as long as the accounts involved exist; if an account is deleted, the record is anonymised rather than deleted, retaining only de-identified reward outcomes (see section 9).
Referral fraud prevention
We use Apple's DeviceCheck service to record that a device has redeemed a referral reward, so the same device cannot redeem it repeatedly. This is a per-device flag held by Apple, not an identifier, and we cannot read your identity from it. It persists across app reinstalls.
Push token
Only if you enable notifications. We store a Firebase Cloud Messaging registration token for your device (up to ten devices per account) so we can deliver friend notifications, such as pokes and pending-request reminders. The underlying Apple push token is exchanged between the Firebase SDK on your device and Google; our backend never sees it. Your token is removed when you sign out on that device, reassigned if another account signs in on the same device, and deleted entirely with your account.
Device & technical data
iOS version, device model, app version, locale, time zone, anonymous installation ID. Used to debug crashes and understand which devices we need to support.
Crash logs
If the app crashes, a stack trace and the immediately preceding actions are sent to Google Firebase Crashlytics. We do not include any of your case answers in these logs.
Advertising identifier (IDFA)
Only if you allow tracking via the iOS App Tracking Transparency prompt. Shared with Google AdMob to deliver personalised clinical ads.
Product analytics
Anonymous event data (e.g. “onboarding completed”, “case won in 4”) sent to Firebase Analytics. We use a randomly-generated install ID; this is not linked to your email address.
Payment data
None. All payments are handled by Apple via the App Store. We see only whether your subscription is active, never your card details.
What we never collect: we do not collect your real address, phone number, health records, location (GPS), contacts, photos, microphone, fitness data, biometric data, prescription history, diagnoses, symptoms about you, or any identifiers from clinical systems (NHS number; GMC number unless you explicitly enter it in support correspondence).
Symptoms is a puzzle game. Case content is fictional. We do not collect, infer, or track your own health status. Game-play data tells us which puzzles you've played and your score — it does not tell us anything about your own medical conditions, treatments, or healthcare. If you are a Washington (US) resident, we do not collect "consumer health data" as defined by the Washington My Health My Data Act (RCW chapter 19.373).

04 Why we collect it

Each piece of data has a specific job:

  • Provide the Service — store your progress, sync across your devices, give you stats and streaks, and let you add friends and share daily results with them.
  • Run the referral programme — attribute a new sign-up to the friend who referred it, grant both accounts the reward, and keep an auditable record of reward outcomes.
  • Improve the Service — understand which cases are too easy or hard, which features get used, where users drop off.
  • Customer support — respond to your questions and resolve bugs.
  • Show advertising — fund the free tier of the App with relevant clinical ads.
  • Security & fraud prevention — detect abuse, bot activity, or attempts to circumvent paywalls.
  • Legal compliance — comply with our obligations under UK law, including responding to lawful requests from authorities.

05 Lawful bases (UK GDPR)

We rely on the following lawful bases under Article 6 of the UK GDPR:

  • Contract (Art. 6(1)(b)) — to deliver the Service you've signed up for, including processing your subscription via Apple.
  • Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention (including the DeviceCheck flag that stops repeated redemption of referral rewards), error monitoring, and anonymous analytics. We have weighed these interests against your rights and concluded that the processing is proportionate.
  • Consent (Art. 6(1)(a)) — for advertising, for marketing emails, and for website analytics cookies. For advertising in the App, consent is captured in layers, described in full in section 6: our own screen decides whether you take the free, ad-supported tier at all, and we record that choice with a timestamp and the version of the consent prompt; Google's certified consent form then collects the separate consent that governs how ads are personalised and which ad-technology vendors may receive your data. For marketing emails, consent is captured at the point of sign-up and recorded with a timestamp. For website analytics (Google Analytics and Meta Pixel), consent is captured by the cookie banner on this site before either tool loads (see section 6). You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legal obligation (Art. 6(1)(c)) — where we are required by law to retain or disclose data.

06 Tracking & advertising

Advertising in Symptoms reaches the free tier only. Paid-tier users (Ad-free or Symptoms+, monthly or annual) see no advertising and pass through none of the steps below; no advertising SDK is loaded on their device at all.

On the free tier there are three separate gates. The first is ours, and decides whether you take the ad-supported tier at all. The second is Google's, and decides how ads are personalised and which ad-technology vendors may receive data about your ad requests. The third is Apple's, and governs your device's advertising identifier.

Step 1: our own screen (UK GDPR / EU GDPR / PECR)

Before any advertising SDK is loaded on your device, we show you a screen of our own design. It asks you to choose between using Symptoms free of charge with advertising, or taking a paid subscription and seeing no advertising. This screen exists because UK and EU law (UK GDPR Articles 4(11), 6(1)(a), and 7; the Privacy and Electronic Communications (EC Directive) Regulations 2003 regulation 6; and the Court of Justice's judgment in Planet49 GmbH Case C-673/17) require us to obtain your freely-given, informed, specific, and unambiguous consent before any third-party SDK accesses your device or sets identifiers, whether or not those identifiers are personally identifying.

If you decline advertising here and do not subscribe, you cannot use the App. Declining means you are refusing the free, ad-supported tier, so the App stops at the subscription screen. Nothing is loaded and no ad is requested. We record your choice with a timestamp and the version of the consent prompt, both on your device and against your account. If we change the prompt materially we raise its version, which asks you again.

Step 2: Google's consent form (IAB TCF)

If you take the free, ad-supported tier, Google's User Messaging Platform then presents a second consent form. This form is not ours. Google is a Consent Management Platform certified under the IAB Transparency and Consent Framework, the form is configured in Google's console, and Google's own SDK renders it. This is the step that collects the consent governing how ads are personalised and which ad-technology vendors may receive data about your ad requests.

The form's first screen offers Consent and Customise. There is no reject button on that first screen: to refuse or narrow any purpose, or to remove vendors, you have to open Customise. Your choices are stored on your device as an IAB TCF consent string, which Google reads and passes on to the vendors you have allowed. Narrowing your choices here does not stop advertising: on the free tier AdMob will still serve non-personalised or otherwise limited ads.

Step 3: Apple's App Tracking Transparency (ATT) prompt

iOS then shows Apple's standard App Tracking Transparency prompt. ATT is a separate, system-level confirmation specific to your iOS Advertising Identifier (IDFA).

  • If you allow tracking at the ATT prompt, your IDFA is shared with Google AdMob to deliver personalised ads.
  • If you don't allow tracking at the ATT prompt, no IDFA is shared — iOS returns a zeroed value — and you will see non-personalised, contextual ads instead.

Changing your mind

You can change your Step 1 choice at any time in Symptoms → Settings → Privacy. You can change your ATT choice at any time in iOS Settings → Privacy & Security → Tracking. Changing your Step 1 choice to decline advertising returns you to the paid-or-free decision described above.

Ad partners

Ads are served solely through Google AdMob: it is the only ad network we contract with, and we do not work with Meta Audience Network or any other network at this time. However, AdMob's consent form runs Google's default Transparency and Consent Framework vendor list, so your ad requests may be shared with the Google-certified ad-technology vendors named in that form. You can see the full list, and restrict it, via Customise on the form described at Step 2 above. Google's own processing of your data is governed by Google's Privacy Policy.

On this website (ginsenglabs.dev)

This website uses two consent-gated analytics tools — Google Analytics 4 and Meta Pixel — to understand how people find the site and which pages they read. Neither loads, and no analytics cookie is set, unless you click Accept all on the cookie banner; Reject all sits next to it with equal prominence and loads nothing. Your choice is remembered in your browser (localStorage, “gl-consent”) and you can change it at any time via Cookie settings in the page footer. Withdrawing consent expires the analytics cookies we can reach and reloads the page so the trackers are gone.

Google Analytics processing is governed by Google's Privacy Policy, and Meta Pixel processing by Meta's Privacy Policy. Both providers may process data in the United States (see section 8).

Independently of the banner, we use Cloudflare Web Analytics — a privacy-first measurement tool that sets no cookies, stores nothing on your device, and does not fingerprint you — to count page views in aggregate (legitimate interests, Art. 6(1)(f)).

07 Who we share data with

We share data only with the small number of service providers we need to run the App, and only what they need to do their job:

Cloudflare
Provides the infrastructure for this website (Cloudflare Workers + static assets), stores your subscriber data when you sign up to the newsletter or waitlist (Cloudflare D1), runs the bot-check on signup forms (Cloudflare Turnstile), and supplies the cookieless aggregate page-view counts (Cloudflare Web Analytics). Their privacy policy at cloudflare.com/privacypolicy.
Apple
App distribution, payments, subscription management, and Sign in with Apple. Receives whatever the App Store handles directly (your Apple ID purchase record), and passes us the email and (if you choose to share it) name associated with your Apple ID when you sign in. Apple also holds the DeviceCheck flag we use for referral fraud prevention (see section 3) and carries push notifications to your device.
Google (Sign in)
Provides Sign in with Google for App authentication. We receive the name and email address associated with your Google account when you sign in.
RevenueCat
Subscription management and entitlement validation across Apple's billing system. Receives an anonymous user ID generated by the App and Apple's purchase receipt; never your payment-card details. Their privacy policy at revenuecat.com/privacy.
Google Firebase
Hosts the App's database — your account record (email, name, subscription state) and your synced game-play data. Also receives crash reports via Firebase Crashlytics (stack trace, device model, OS version, app version, anonymous install ID) and anonymous product-analytics events via Firebase Analytics, keyed to a random install ID and not linked to your email. Both the crash reports and the raw analytics events are exported onward into Google BigQuery, in our own Google Cloud project hosted in the United Kingdom, where we keep them for long-term product and stability analysis (see section 9). The recipient is Google throughout: BigQuery is Google Cloud, not a further third party. If you enable notifications, Firebase Cloud Messaging also stores your device's push registration token (see section 3) and delivers friend notifications, relaying them to Apple's push service for transport.
Google AdMob
Advertising identifier (IDFA, only if you allow tracking), device data, ad interaction data.
Google Analytics
Website usage data (pages visited, how you found us, device/browser type, approximate location) — only if you accept analytics cookies on this site. See section 6.
Meta Platforms
Website usage data via Meta Pixel (pages visited, actions such as joining the waitlist) — only if you accept analytics cookies on this site. See section 6.
Resend
Transactional and marketing email delivery (newsletter, waitlist, account-related notifications). Receives your email address and the message content. Their privacy policy at resend.com/legal/privacy-policy. Direct correspondence (replies to your emails) is sent from our regular mailbox and does not pass through Resend.
Sentry
Error monitoring for this website, in the browser and on our server. If a page or request fails, a technical report (the error, the page URL, browser and device context, and your IP address) is sent to Sentry so we can find and fix the fault. On errors only, a recording of the failing page may be captured with all text and input contents masked, so what you typed never leaves your browser. This runs as a legitimate interest (Art. 6(1)(f)) and is not gated by the cookie banner, because we need to see failures that happen before any banner choice. Event data is processed in Sentry's EU region and retained for up to 90 days. Their privacy policy at sentry.io/privacy.

We do not sell your personal data to anyone. We do not share data with brokers, employers, insurers, regulators (except where compelled by law), or any third-party clinical-data systems.

We may disclose data if required to do so by law, a valid court order, or to protect the rights, property, or safety of GinsengLabs LTD, our users, or others.

08 International transfers

Some of our service providers (Cloudflare, Google, Meta, RevenueCat, Resend, Sentry) are headquartered in the United States and may process your data across multiple regions. When we transfer your personal data outside the United Kingdom we rely on appropriate safeguards under UK GDPR, including the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or the equivalent under each provider's certifications.

Our two BigQuery datasets (the Crashlytics export and the raw analytics event export, both described in section 9) are stored in Google Cloud's London region, so that data is held at rest in the United Kingdom. Google may still access it from outside the UK for support and maintenance, under the safeguards described above.

You can request a copy of the relevant safeguards by emailing privacy@ginsenglabs.dev.

09 How long we keep it

  • Account data (including your username and friend connections) — kept while your account is active. Deleted within 30 days of an account-deletion request, except where we are required to retain limited records for legal or accounting purposes.
  • Referral records — kept while the accounts involved exist. If an account is deleted, its identifying link to the record is stripped and evaluation stops; only de-identified reward outcomes remain.
  • Push tokens — removed when you sign out on a device, and deleted entirely when you delete your account.
  • DeviceCheck referral flag — a per-device flag held by Apple that persists across app reinstalls and account deletion; it is not linked to your name or email and we cannot identify you from it.
  • Game play data on-device — kept until you uninstall the App.
  • Crash reports: Firebase Crashlytics begins removing its own copy 90 days after a crash is received. Before that, the report is exported to our BigQuery project, where we keep it indefinitely. See Analytics and crash data in BigQuery below.
  • IP-address security logs — kept only as long as needed for rate-limiting and abuse detection (typically a few days at most) and then deleted.
  • In-app analytics events: within Google Analytics itself, event-level data is kept for up to 2 months, and user-level data for up to 14 months from your most recent activity in the App. The 14-month clock restarts each time you are active, so user-level data is held for as long as you keep playing, plus up to 14 months after you stop.
  • Analytics and crash data in BigQuery: we export both the crash reports and the raw analytics events onward into Google BigQuery, in our own Google Cloud project in the United Kingdom, and we keep that copy indefinitely. We do this for long-term product and stability analysis across app versions, which a rolling window cannot support. The Google Analytics limits above govern Google Analytics, not this exported copy. These records are keyed to a random installation identifier and carry no name, email address, or account identifier, so we hold no key linking them back to your account and an account-deletion request does not reach them.
  • Website analytics: Google Analytics event data from this website is kept for up to 14 months. The Meta Pixel involves two separate things: the _fbp cookie it sets on our own domain lasts 90 days, and the event data it sends to Meta is kept by Meta under its Business Tools Terms, which state a maximum of two years. Meta sets that period, not us. Your cookie-banner choice stays in your browser until you clear site data or change it via Cookie settings.
  • Cloudflare Web Analytics: we hold no copy of this data and there is no user-level record to delete. Cloudflare keeps the underlying measurements unsampled for 7 days, then retains only a reduced, aggregated sample, and makes roughly the previous six months of it available to us. Cloudflare does not publish a fixed deletion date beyond that.
  • Email correspondence — kept while it is reasonably useful to do so, then deleted, typically within 24 months of the last reply.
  • Newsletter address — kept until you unsubscribe.

10 Your rights

You have rights over the personal data we hold about you. The specific rights depend on where you live; the contact point is the same for everyone:

  • Email — privacy@ginsenglabs.dev
  • Post — GinsengLabs LTD, 124 City Road, London EC1V 2NX, United Kingdom

Please send the request from the email address associated with your account so we can verify identity. We do not charge a fee for reasonable requests. We may decline manifestly unfounded or excessive requests, or charge a reasonable fee, and will explain why if we do (Art. 12(5) UK GDPR).

United Kingdom (UK GDPR + Data Protection Act 2018)

You have the right to:

  • Access — a copy of the personal data we hold about you;
  • Rectification — correction of inaccurate or incomplete data;
  • Erasure — deletion of your personal data (the “right to be forgotten”), subject to limited exceptions;
  • Restriction — pause processing while a dispute is resolved;
  • Portability — a machine-readable copy of data you've provided to us;
  • Object — to processing based on legitimate interests, including direct marketing;
  • Withdraw consent — at any time, without affecting the lawfulness of processing carried out before withdrawal;
  • Not be subject to solely-automated decision-making (Art. 22 UK GDPR) — we do not currently make any solely-automated decisions about you that produce legal or similarly significant effects;
  • Lodge a complaint with the UK Information Commissioner's Office (see section 14).

We respond within one calendar month (Art. 12(3) UK GDPR), extendable by a further two months where the request is complex.

European Union / EEA (EU GDPR)

If you are in the EU or EEA you have the same set of rights as UK residents, under the equivalent provisions of the EU GDPR (Regulation (EU) 2016/679, Articles 15–22). You also have the right to lodge a complaint with the supervisory authority in your member state of habitual residence, place of work, or place of alleged infringement (Art. 77 EU GDPR). A list of EU supervisory authorities is published by the European Data Protection Board at edpb.europa.eu/members.

We respond within one calendar month (Art. 12(3) EU GDPR).

California (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we have collected about you, the sources, the purposes, and the categories of third parties we share it with (Cal. Civ. Code §§ 1798.110, 1798.115);
  • Delete personal information we have collected from you (§ 1798.105);
  • Correct inaccurate personal information (§ 1798.106);
  • Opt out of "sale" or "sharing" of personal information — see the dedicated paragraph below (§ 1798.120);
  • Limit use and disclosure of sensitive personal information (§ 1798.121) — we do not currently collect or process sensitive personal information as defined in § 1798.140(ae);
  • Non-discrimination for exercising any of these rights (§ 1798.125).

We respond within 45 days (§ 1798.130(a)(2)), extendable by a further 45 days where reasonably necessary.

Do Not Sell or Share My Personal Information. Under the CPRA, "sale" and "sharing" of personal information have specific defined meanings (Cal. Civ. Code § 1798.140(ad) and (ah)). We do not sell your personal information for money. However, if you allow tracking via Apple's ATT prompt, our sharing of your Advertising Identifier (IDFA) with Google AdMob for personalised advertising may constitute "sharing for cross-context behavioural advertising" under California law. To opt out of this sharing: deny the ATT prompt, or — if you previously allowed it — toggle it off at iOS Settings → Privacy & Security → Tracking → Symptoms. On this website, the Meta Pixel (which only runs if you accept the cookie banner) may likewise constitute "sharing"; to opt out, click Reject all on the banner — or Cookie settings in the footer if you previously accepted. You may also email privacy@ginsenglabs.dev with the subject "Do Not Sell or Share" and we will record your choice against your account.

Other US states (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, and others)

If you live in a US state with a comprehensive privacy law, you have broadly similar rights to access, delete, correct, and opt out of targeted advertising. We respond within the applicable statutory deadline (typically 45 days). Send the request to privacy@ginsenglabs.dev indicating your state of residence.

Canada (PIPEDA + Quebec Loi 25)

You have the right to access and correct personal information about you, to withdraw consent, and to lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, if you are in Quebec, the Commission d'accès à l'information du Québec (cai.gouv.qc.ca). We respond within 30 days (PIPEDA s. 8(3)).

Australia (Privacy Act 1988 + Australian Privacy Principles)

You have the right to access (APP 12) and correct (APP 13) personal information about you. You may also complain to the Office of the Australian Information Commissioner (oaic.gov.au). We respond within 30 days.

11 Security

We take security seriously and use industry-standard measures including TLS 1.2+ in transit, encryption at rest, principle of least privilege for staff access, and reputable infrastructure providers. No system is 100% secure; if we ever discover a personal-data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and, where required, notify affected users directly.

12 Children

The Service is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@ginsenglabs.dev and we will delete it promptly.

We have considered the UK Information Commissioner's Office Age-Appropriate Design Code (the Children's Code), which applies to services likely to be accessed by under-18s. Symptoms is marketed to adult clinicians and medical students; its puzzle format, professional vocabulary, and 16+ age gate make it not "likely to be accessed" by under-18s in the sense the Code contemplates. We keep this assessment under review and will adjust our practices if the audience changes.

13 Changes to this policy

We may update this Privacy Policy from time to time. The “Effective” date at the top will change accordingly. For material changes we will give notice in the App and (where we have your email address) by email, in advance where that is practicable. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14 Contact & complaints

For any privacy question, request, or concern:

  • Email — privacy@ginsenglabs.dev
  • Post — GinsengLabs LTD, 124 City Road, London EC1V 2NX, United Kingdom

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority in the UK:

  • Information Commissioner's Office (ICO)
  • Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Helpline: 0303 123 1113
  • Online: ico.org.uk/make-a-complaint

We'd appreciate the chance to address your concerns first — please reach out to us before escalating, where you feel able to.

GinsengLabs
GinsengLabs

A small London studio building careful software for specialists.

Work

  • Symptoms

Contact

  • hello@ginsenglabs.dev

Legal

  • Terms & Conditions
  • Privacy Policy
© 2026 GinsengLabs LTD · Company No. 17230581 · Registered in England & Wales ginsenglabs.dev