01 Who we are
The data controller for personal data processed through GinsengLabs products (currently the Symptoms iOS app) and the website at ginsenglabs.dev is:
- GinsengLabs LTD
- Registered in England & Wales · Company No. 17230581
- Registered office: 124 City Road, London EC1V 2NX, United Kingdom
- Contact (privacy & data requests): privacy@ginsenglabs.dev
We have not formally designated a Data Protection Officer under Article 37 UK GDPR — our processing does not meet the triggers in that Article. For all privacy matters — including data-subject requests, complaints, and questions about this policy — please email privacy@ginsenglabs.dev. It is monitored directly by our team and we aim to acknowledge requests within five working days.
02 What this policy covers
This policy applies to personal data collected through GinsengLabs products and services, currently:
- this website (ginsenglabs.dev);
- the Symptoms iOS application (the “App”); and
- any direct correspondence you have with us (email, support, press).
We'll update this policy when we publish additional products.
It does not apply to third-party services we link to (such as the App Store) or to clinical workflows of any employer or institution you use the App in connection with.
The data categories described below correspond to the App Privacy label shown on our App Store listing. If you spot a discrepancy between this policy and what Apple displays, please tell us at privacy@ginsenglabs.dev — both should match.
03 Data we collect
We are deliberately minimal with data collection. Here's the complete list:
On the website: if you join the Symptoms waitlist or the GinsengLabs newsletter via a signup form, your email is stored in our subscriber list (Cloudflare D1) alongside which list you joined, the page URL you signed up from, and the country your request came from (derived from the network connection — the IP address itself is not stored in the subscriber list, though see the IP-address row below for short-lived security logging).
04 Why we collect it
Each piece of data has a specific job:
- Provide the Service — store your progress, sync across your devices, give you stats and streaks, and let you add friends and share daily results with them.
- Run the referral programme — attribute a new sign-up to the friend who referred it, grant both accounts the reward, and keep an auditable record of reward outcomes.
- Improve the Service — understand which cases are too easy or hard, which features get used, where users drop off.
- Customer support — respond to your questions and resolve bugs.
- Show advertising — fund the free tier of the App with relevant clinical ads.
- Security & fraud prevention — detect abuse, bot activity, or attempts to circumvent paywalls.
- Legal compliance — comply with our obligations under UK law, including responding to lawful requests from authorities.
05 Lawful bases (UK GDPR)
We rely on the following lawful bases under Article 6 of the UK GDPR:
- Contract (Art. 6(1)(b)) — to deliver the Service you've signed up for, including processing your subscription via Apple.
- Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention (including the DeviceCheck flag that stops repeated redemption of referral rewards), error monitoring, and anonymous analytics. We have weighed these interests against your rights and concluded that the processing is proportionate.
- Consent (Art. 6(1)(a)) — for advertising, for marketing emails, and for website analytics cookies. For advertising in the App, consent is captured in layers, described in full in section 6: our own screen decides whether you take the free, ad-supported tier at all, and we record that choice with a timestamp and the version of the consent prompt; Google's certified consent form then collects the separate consent that governs how ads are personalised and which ad-technology vendors may receive your data. For marketing emails, consent is captured at the point of sign-up and recorded with a timestamp. For website analytics (Google Analytics and Meta Pixel), consent is captured by the cookie banner on this site before either tool loads (see section 6). You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Legal obligation (Art. 6(1)(c)) — where we are required by law to retain or disclose data.
06 Tracking & advertising
Advertising in Symptoms reaches the free tier only. Paid-tier users (Ad-free or Symptoms+, monthly or annual) see no advertising and pass through none of the steps below; no advertising SDK is loaded on their device at all.
On the free tier there are three separate gates. The first is ours, and decides whether you take the ad-supported tier at all. The second is Google's, and decides how ads are personalised and which ad-technology vendors may receive data about your ad requests. The third is Apple's, and governs your device's advertising identifier.
Step 1: our own screen (UK GDPR / EU GDPR / PECR)
Before any advertising SDK is loaded on your device, we show you a screen of our own design. It asks you to choose between using Symptoms free of charge with advertising, or taking a paid subscription and seeing no advertising. This screen exists because UK and EU law (UK GDPR Articles 4(11), 6(1)(a), and 7; the Privacy and Electronic Communications (EC Directive) Regulations 2003 regulation 6; and the Court of Justice's judgment in Planet49 GmbH Case C-673/17) require us to obtain your freely-given, informed, specific, and unambiguous consent before any third-party SDK accesses your device or sets identifiers, whether or not those identifiers are personally identifying.
If you decline advertising here and do not subscribe, you cannot use the App. Declining means you are refusing the free, ad-supported tier, so the App stops at the subscription screen. Nothing is loaded and no ad is requested. We record your choice with a timestamp and the version of the consent prompt, both on your device and against your account. If we change the prompt materially we raise its version, which asks you again.
Step 2: Google's consent form (IAB TCF)
If you take the free, ad-supported tier, Google's User Messaging Platform then presents a second consent form. This form is not ours. Google is a Consent Management Platform certified under the IAB Transparency and Consent Framework, the form is configured in Google's console, and Google's own SDK renders it. This is the step that collects the consent governing how ads are personalised and which ad-technology vendors may receive data about your ad requests.
The form's first screen offers Consent and Customise. There is no reject button on that first screen: to refuse or narrow any purpose, or to remove vendors, you have to open Customise. Your choices are stored on your device as an IAB TCF consent string, which Google reads and passes on to the vendors you have allowed. Narrowing your choices here does not stop advertising: on the free tier AdMob will still serve non-personalised or otherwise limited ads.
Step 3: Apple's App Tracking Transparency (ATT) prompt
iOS then shows Apple's standard App Tracking Transparency prompt. ATT is a separate, system-level confirmation specific to your iOS Advertising Identifier (IDFA).
- If you allow tracking at the ATT prompt, your IDFA is shared with Google AdMob to deliver personalised ads.
- If you don't allow tracking at the ATT prompt, no IDFA is shared — iOS returns a zeroed value — and you will see non-personalised, contextual ads instead.
Changing your mind
You can change your Step 1 choice at any time in Symptoms → Settings → Privacy. You can change your ATT choice at any time in iOS Settings → Privacy & Security → Tracking. Changing your Step 1 choice to decline advertising returns you to the paid-or-free decision described above.
Ad partners
Ads are served solely through Google AdMob: it is the only ad network we contract with, and we do not work with Meta Audience Network or any other network at this time. However, AdMob's consent form runs Google's default Transparency and Consent Framework vendor list, so your ad requests may be shared with the Google-certified ad-technology vendors named in that form. You can see the full list, and restrict it, via Customise on the form described at Step 2 above. Google's own processing of your data is governed by Google's Privacy Policy.
On this website (ginsenglabs.dev)
This website uses two consent-gated analytics tools — Google Analytics 4 and Meta Pixel — to understand how people find the site and which pages they read. Neither loads, and no analytics cookie is set, unless you click Accept all on the cookie banner; Reject all sits next to it with equal prominence and loads nothing. Your choice is remembered in your browser (localStorage, “gl-consent”) and you can change it at any time via Cookie settings in the page footer. Withdrawing consent expires the analytics cookies we can reach and reloads the page so the trackers are gone.
Google Analytics processing is governed by Google's Privacy Policy, and Meta Pixel processing by Meta's Privacy Policy. Both providers may process data in the United States (see section 8).
Independently of the banner, we use Cloudflare Web Analytics — a privacy-first measurement tool that sets no cookies, stores nothing on your device, and does not fingerprint you — to count page views in aggregate (legitimate interests, Art. 6(1)(f)).
07 Who we share data with
We share data only with the small number of service providers we need to run the App, and only what they need to do their job:
We do not sell your personal data to anyone. We do not share data with brokers, employers, insurers, regulators (except where compelled by law), or any third-party clinical-data systems.
We may disclose data if required to do so by law, a valid court order, or to protect the rights, property, or safety of GinsengLabs LTD, our users, or others.
08 International transfers
Some of our service providers (Cloudflare, Google, Meta, RevenueCat, Resend, Sentry) are headquartered in the United States and may process your data across multiple regions. When we transfer your personal data outside the United Kingdom we rely on appropriate safeguards under UK GDPR, including the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or the equivalent under each provider's certifications.
Our two BigQuery datasets (the Crashlytics export and the raw analytics event export, both described in section 9) are stored in Google Cloud's London region, so that data is held at rest in the United Kingdom. Google may still access it from outside the UK for support and maintenance, under the safeguards described above.
You can request a copy of the relevant safeguards by emailing privacy@ginsenglabs.dev.
09 How long we keep it
- Account data (including your username and friend connections) — kept while your account is active. Deleted within 30 days of an account-deletion request, except where we are required to retain limited records for legal or accounting purposes.
- Referral records — kept while the accounts involved exist. If an account is deleted, its identifying link to the record is stripped and evaluation stops; only de-identified reward outcomes remain.
- Push tokens — removed when you sign out on a device, and deleted entirely when you delete your account.
- DeviceCheck referral flag — a per-device flag held by Apple that persists across app reinstalls and account deletion; it is not linked to your name or email and we cannot identify you from it.
- Game play data on-device — kept until you uninstall the App.
- Crash reports: Firebase Crashlytics begins removing its own copy 90 days after a crash is received. Before that, the report is exported to our BigQuery project, where we keep it indefinitely. See Analytics and crash data in BigQuery below.
- IP-address security logs — kept only as long as needed for rate-limiting and abuse detection (typically a few days at most) and then deleted.
- In-app analytics events: within Google Analytics itself, event-level data is kept for up to 2 months, and user-level data for up to 14 months from your most recent activity in the App. The 14-month clock restarts each time you are active, so user-level data is held for as long as you keep playing, plus up to 14 months after you stop.
- Analytics and crash data in BigQuery: we export both the crash reports and the raw analytics events onward into Google BigQuery, in our own Google Cloud project in the United Kingdom, and we keep that copy indefinitely. We do this for long-term product and stability analysis across app versions, which a rolling window cannot support. The Google Analytics limits above govern Google Analytics, not this exported copy. These records are keyed to a random installation identifier and carry no name, email address, or account identifier, so we hold no key linking them back to your account and an account-deletion request does not reach them.
- Website analytics: Google Analytics event data from this website is kept for up to 14 months. The Meta Pixel involves two separate things: the _fbp cookie it sets on our own domain lasts 90 days, and the event data it sends to Meta is kept by Meta under its Business Tools Terms, which state a maximum of two years. Meta sets that period, not us. Your cookie-banner choice stays in your browser until you clear site data or change it via Cookie settings.
- Cloudflare Web Analytics: we hold no copy of this data and there is no user-level record to delete. Cloudflare keeps the underlying measurements unsampled for 7 days, then retains only a reduced, aggregated sample, and makes roughly the previous six months of it available to us. Cloudflare does not publish a fixed deletion date beyond that.
- Email correspondence — kept while it is reasonably useful to do so, then deleted, typically within 24 months of the last reply.
- Newsletter address — kept until you unsubscribe.
10 Your rights
You have rights over the personal data we hold about you. The specific rights depend on where you live; the contact point is the same for everyone:
- Email — privacy@ginsenglabs.dev
- Post — GinsengLabs LTD, 124 City Road, London EC1V 2NX, United Kingdom
Please send the request from the email address associated with your account so we can verify identity. We do not charge a fee for reasonable requests. We may decline manifestly unfounded or excessive requests, or charge a reasonable fee, and will explain why if we do (Art. 12(5) UK GDPR).
United Kingdom (UK GDPR + Data Protection Act 2018)
You have the right to:
- Access — a copy of the personal data we hold about you;
- Rectification — correction of inaccurate or incomplete data;
- Erasure — deletion of your personal data (the “right to be forgotten”), subject to limited exceptions;
- Restriction — pause processing while a dispute is resolved;
- Portability — a machine-readable copy of data you've provided to us;
- Object — to processing based on legitimate interests, including direct marketing;
- Withdraw consent — at any time, without affecting the lawfulness of processing carried out before withdrawal;
- Not be subject to solely-automated decision-making (Art. 22 UK GDPR) — we do not currently make any solely-automated decisions about you that produce legal or similarly significant effects;
- Lodge a complaint with the UK Information Commissioner's Office (see section 14).
We respond within one calendar month (Art. 12(3) UK GDPR), extendable by a further two months where the request is complex.
European Union / EEA (EU GDPR)
If you are in the EU or EEA you have the same set of rights as UK residents, under the equivalent provisions of the EU GDPR (Regulation (EU) 2016/679, Articles 15–22). You also have the right to lodge a complaint with the supervisory authority in your member state of habitual residence, place of work, or place of alleged infringement (Art. 77 EU GDPR). A list of EU supervisory authorities is published by the European Data Protection Board at edpb.europa.eu/members.
We respond within one calendar month (Art. 12(3) EU GDPR).
California (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we have collected about you, the sources, the purposes, and the categories of third parties we share it with (Cal. Civ. Code §§ 1798.110, 1798.115);
- Delete personal information we have collected from you (§ 1798.105);
- Correct inaccurate personal information (§ 1798.106);
- Opt out of "sale" or "sharing" of personal information — see the dedicated paragraph below (§ 1798.120);
- Limit use and disclosure of sensitive personal information (§ 1798.121) — we do not currently collect or process sensitive personal information as defined in § 1798.140(ae);
- Non-discrimination for exercising any of these rights (§ 1798.125).
We respond within 45 days (§ 1798.130(a)(2)), extendable by a further 45 days where reasonably necessary.
Do Not Sell or Share My Personal Information. Under the CPRA, "sale" and "sharing" of personal information have specific defined meanings (Cal. Civ. Code § 1798.140(ad) and (ah)). We do not sell your personal information for money. However, if you allow tracking via Apple's ATT prompt, our sharing of your Advertising Identifier (IDFA) with Google AdMob for personalised advertising may constitute "sharing for cross-context behavioural advertising" under California law. To opt out of this sharing: deny the ATT prompt, or — if you previously allowed it — toggle it off at iOS Settings → Privacy & Security → Tracking → Symptoms. On this website, the Meta Pixel (which only runs if you accept the cookie banner) may likewise constitute "sharing"; to opt out, click Reject all on the banner — or Cookie settings in the footer if you previously accepted. You may also email privacy@ginsenglabs.dev with the subject "Do Not Sell or Share" and we will record your choice against your account.
Other US states (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, and others)
If you live in a US state with a comprehensive privacy law, you have broadly similar rights to access, delete, correct, and opt out of targeted advertising. We respond within the applicable statutory deadline (typically 45 days). Send the request to privacy@ginsenglabs.dev indicating your state of residence.
Canada (PIPEDA + Quebec Loi 25)
You have the right to access and correct personal information about you, to withdraw consent, and to lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, if you are in Quebec, the Commission d'accès à l'information du Québec (cai.gouv.qc.ca). We respond within 30 days (PIPEDA s. 8(3)).
Australia (Privacy Act 1988 + Australian Privacy Principles)
You have the right to access (APP 12) and correct (APP 13) personal information about you. You may also complain to the Office of the Australian Information Commissioner (oaic.gov.au). We respond within 30 days.
11 Security
We take security seriously and use industry-standard measures including TLS 1.2+ in transit, encryption at rest, principle of least privilege for staff access, and reputable infrastructure providers. No system is 100% secure; if we ever discover a personal-data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and, where required, notify affected users directly.
12 Children
The Service is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@ginsenglabs.dev and we will delete it promptly.
We have considered the UK Information Commissioner's Office Age-Appropriate Design Code (the Children's Code), which applies to services likely to be accessed by under-18s. Symptoms is marketed to adult clinicians and medical students; its puzzle format, professional vocabulary, and 16+ age gate make it not "likely to be accessed" by under-18s in the sense the Code contemplates. We keep this assessment under review and will adjust our practices if the audience changes.
13 Changes to this policy
We may update this Privacy Policy from time to time. The “Effective” date at the top will change accordingly. For material changes we will give notice in the App and (where we have your email address) by email, in advance where that is practicable. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
14 Contact & complaints
For any privacy question, request, or concern:
- Email — privacy@ginsenglabs.dev
- Post — GinsengLabs LTD, 124 City Road, London EC1V 2NX, United Kingdom
If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority in the UK:
- Information Commissioner's Office (ICO)
- Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Helpline: 0303 123 1113
- Online: ico.org.uk/make-a-complaint
We'd appreciate the chance to address your concerns first — please reach out to us before escalating, where you feel able to.