BrightTrack is provided by Phlo Technologies Ltd (“Phlo”, “we”, “us”). We take your privacy and the security of your personal information seriously and are committed to protecting it.
This Privacy Policy explains:
- who we are
- what personal information we collect through the BrightTrack app
- how and why we use it
- who we share it with
- your rights under UK data protection law
This policy applies to your use of the BrightTrack mobile application (the “App”) and any related services we provide through it.
1. Who we are
Phlo Technologies Ltd is a digital health technology company, incorporated in Scotland under company number SC496769.
- Registered address:
Phlo Technologies Ltd
c/o Addleshaw Goddard LLP
Exchange Tower
19 Canning Street
Edinburgh
EH3 8EH
- Data Protection Officer (DPO): dpo@wearephlo.com
If you have any questions about this policy or how we use your personal information, you can contact our DPO using the email above.
2. About BrightTrack
BrightTrack is a GLP-1 companion app designed to help you:
- log GLP-1 medicine use
- record side-effects and symptoms
- track weight and related metrics
- view trends, reminders and general information
BrightTrack is a self-tracking and informational tool only. It does not provide medical advice or replace healthcare professionals. However, the information you enter into the App can include health-related data, which is treated as special category data under data protection law and receives additional protection.
3. Personal information we collect
To provide the App safely and effectively, we process different types of personal information. If you choose not to provide certain information, you may not be able to use some features.
3.1 Information you give us
When you create and use a BrightTrack account, you may provide:
- Identification and contact details
  - Name
  - Email address
  - Other profile information you choose to share
- GLP-1–related health information
  - GLP-1 medicine name and dose
  - Injection dates and times
  - Side-effects, symptoms and wellbeing check-ins
  - Weight, measurements and other progress data
  - Free-text notes about your treatment or lifestyle
- Subscription and billing information (for premium tiers)
  - Information about your subscription plan and status
  - Transaction details (processed via app store or payment provider)
- Support and communication
  - Messages you send us via email or in-app support
  - Your responses to surveys, feedback requests or in-app prompts
3.2 Information we collect automatically
When you use the App, we automatically collect certain technical data, such as:
- Device information (device model, operating system and version)
- App version and settings
- IP address and general location (e.g. country or region)
- Usage information (which screens you visit, which features you use, timestamps, crash logs)
- Notification tokens, to send you push notifications if you have enabled them
We use analytics and crash-reporting tools to help us understand how people use the App and to improve stability and performance.
3.3 Information from other sources
Where relevant, we may also receive limited information from:
- Other Phlo services, where you use those with the same email address and you have agreed to joined-up use of your data
- App store platforms (e.g. subscription status, purchase confirmations)
4. Special category (health) data
Information about your GLP-1 treatment, weight, symptoms and side-effects is health data, which is a special category of personal data.
We process this data because:
- you choose to enter it into the App so that you can track your GLP-1 journey; and
- doing so is necessary to provide the App and its features to you.
The main legal bases we rely on for processing your health data are:
- your explicit consent, which you give when you create an account and start using the App for GLP-1 tracking; and
- performance of our contract with you (providing the App and its features).
You can withdraw your consent to our processing of your health data at any time by:
- deleting your account (where available in-app), or
- contacting us using the details in section 13.
If you withdraw consent, we may still need to keep some information if we are required to do so by law or if it is necessary for our legitimate interests (for example, to keep basic records of consent and deletion requests).
5. How we use your personal information and legal bases
We only use your personal information when we have a valid legal basis for doing so. The main purposes and legal bases are:
5.1 To provide and maintain the App
Legal bases: performance of a contract; legitimate interests
We use your information to:
- create and manage your BrightTrack account
- store your entries (GLP-1 doses, weight, symptoms, notes)
- show you charts, trends and summaries
- provide reminders and notifications you opt into
- ensure the App functions correctly on your device
5.2 To provide customer support and communicate with you
Legal bases: performance of a contract; legitimate interests
We use your information to:
- respond to questions, support tickets and feedback
- send important service messages (for example, changes to this policy or our terms, security notices, or issues affecting your account)
You cannot opt out of service messages that are necessary for your safety or the functioning of the App.
5.3 To run analytics and improve the App
Legal basis: legitimate interests
We analyse aggregated and pseudonymised usage data to:
- understand which features are used and how
- troubleshoot issues, crashes and performance problems
- plan and prioritise improvements and new features
We aim to avoid identifying you personally in analytics reports wherever possible.
5.4 To manage subscriptions and payments
Legal bases: performance of a contract; legitimate interests; legal obligations
Where you choose a premium subscription, we use your information to:
- verify your subscription status with the relevant app store or payment provider
- manage billing, refunds and account changes
- comply with our financial and accounting obligations
5.5 To send marketing (where you agree)
Legal basis: consent or legitimate interests (depending on how we contact you)
We may contact you about:
- new features and updates to BrightTrack
- related Phlo services we think might be relevant
You can opt out of marketing communications at any time using the unsubscribe link in emails or by contacting us. We will still send you essential service messages (see 5.2).
5.6 To create aggregated insights about GLP-1 use
Legal basis: legitimate interests
We may create aggregated, de-identified datasets based on information entered into the App (for example, general patterns on how people use GLP-1 medicines, when they log side-effects, or adherence trends).
Before sharing any such insights externally, we remove personal identifiers (such as name and email) and apply measures to reduce the risk of re-identification. These aggregated outputs may be used to:
- help us understand and improve our services
- contribute insights to healthcare and research partners
- support product development and communication
We do not sell your identifiable personal data.
6. Who we share your personal information with
We only share your personal information when necessary and with appropriate safeguards in place. Typical recipients include:
- Infrastructure and hosting providers
e.g. cloud hosting, content delivery networks and security services that keep the App running.
- Analytics and crash-reporting providers
To understand how the App is used and to investigate errors.
- Payment and subscription providers
e.g. app store platforms or subscription management tools used to manage premium tiers.
- Communication tools
To send emails, push notifications or in-app messages.
- Professional advisers and regulators
e.g. lawyers, auditors, insurance providers, and regulatory bodies where required by law.
- Other Phlo group services
Where it’s appropriate and lawful to provide integrated experiences across Phlo products.
- Potential buyers or investors
If we undergo a merger, acquisition or other corporate transaction, your information may be shared as part of due diligence or transferred as part of the business. If this happens, we will ensure that your rights continue to be protected and you are informed where required.
We require all service providers who process personal data on our behalf to:
- use it only for the purposes we instruct;
- keep it secure; and
- act in accordance with data protection laws.
We do not share your identifiable GLP-1 tracking data with third parties for their own independent marketing purposes.
7. International transfers
Some of our service providers may be located outside the UK or the European Economic Area (EEA). Where this is the case and your personal information is transferred internationally, we will ensure that:
- the destination country has been recognised as providing an adequate level of protection; or
- appropriate safeguards (such as standard contractual clauses and, where relevant, UK addenda) are in place.
You can contact us for more details about the safeguards we use for international transfers.
8. Where your personal information is stored
Your information may be stored in:
- our offices in the UK; and
- secure data centres used by our infrastructure and service providers in the UK, EEA or other permitted locations (see section 7).
We limit access to your information to those people and organisations who have a genuine need to access it and are subject to confidentiality obligations.
9. Keeping your information secure
We use technical and organisational measures to keep your personal information secure, including:
- encryption in transit and at rest where appropriate
- access controls and authentication
- logging and monitoring of key actions and security events
- regular security reviews and updates
We also have procedures in place to deal with suspected data security incidents. Where we are legally required to do so, we will notify you and the relevant regulator of a suspected breach.
10. How long we keep your information
We keep your personal information only for as long as necessary to:
- provide the App and related services to you
- meet legal, accounting or reporting requirements
- resolve disputes and enforce our agreements
In general:
- account and app usage data is kept while you actively use the App and for a reasonable period afterwards;
- where you request account deletion, we will delete or anonymise your identifiable data unless we need to keep it for legal or regulatory reasons.
If you would like more detail on specific retention periods, you can contact our DPO.
11. Your rights
Under UK data protection laws, you have a number of rights in relation to your personal information. These rights may be subject to certain conditions and exceptions. They include:
- Right to be informed – to know how we use your information (this policy is part of that).
- Right of access – to ask for a copy of the personal data we hold about you.
- Right to rectification – to have inaccurate or incomplete data corrected.
- Right to erasure – to ask us to delete your personal data in certain circumstances.
- Right to restrict processing – to ask us to limit how we use your data in certain cases.
- Right to data portability – to receive your personal data in a structured, commonly used format or have it transferred to another provider, where technically feasible.
- Right to object – to object to certain types of processing, including direct marketing.
- Rights related to automated decision-making and profiling – where applicable.
To exercise any of these rights, please email dpo@wearephlo.com with:
- your name and the email address linked to your BrightTrack account; and
- details of your request.
We may ask for additional information to verify your identity before responding.
12. Children
BrightTrack is intended for adults aged 18 and over and is not designed for use by children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided information to us via the App, please contact us so we can take appropriate steps.
13. How to complain
We hope we can resolve any concerns you raise about our use of your personal information. You can contact our DPO at dpo@wearephlo.com in the first instance.
You also have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk/concerns
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in:
- how we process personal data
- the App’s features or services
- applicable laws or regulatory guidance
When we make significant changes, we will:
- update the “Last updated” date at the top of this page; and
- where appropriate, notify you via the App or by email.
We encourage you to review this policy regularly to stay informed about how we protect your information.