Seona Privacy Policy

Seona is a trading name operated by Icon Pharmacy Ltd, a pharmacy registered with the General Pharmaceutical Council (GPhC Reg: 1031045), registered in England and Wales (Company No: 12087145), address: 155 Manford Way, Chigwell, Essex, IG7 4DN. We are registered with the Information Commissioner’s Office (ICO Registration No: ZB562076). For privacy queries, contact: info@seona.health

Before you begin the assessment, we ask whether you are based in the United Kingdom. Seona is a GPhC-registered clinical service that operates within the UK regulatory and healthcare framework. We are only able to provide clinical sleep support to people based in the UK.

If you indicate that you are not based in the UK, no further data of any kind is collected and you are shown a signposting message. You are not added to any system.

If you confirm you are UK-based and complete the assessment, we also record your browser locale (e.g. en-GB) and browser timezone (e.g. Europe/London) as reported by your device. This information is used solely to confirm service eligibility and to help us communicate with you at the right time. It is sent to Customer.io alongside the other assessment data described in Section 3. The lawful basis is Article 6(1)(b) — processing necessary for the performance of the service you have requested.

When you complete the Seona sleep assessment, we collect the following information, which you explicitly consent to before submitting:

• Your first name and email address.
• A sleep severity category (e.g. “chronic insomnia”, “moderate disruption”, or “short-term disruption”).
• A numeric sleep score (10–90) derived from your responses, used to personalise your results email.
• Relevant sleep context flags, such as whether shift work, jet lag, menopause, post-natal status, possible sleep apnoea, or restless legs may be contributing to your sleep difficulty. Only the flags that apply to you are recorded.
• Two clinical flags: whether melatonin may be age-appropriate for you, and whether you have previously tried CBT-I.
• The date of your assessment.
• Website traffic source information (e.g. which platform referred you), if present.

We do not collect your raw questionnaire answers. Your answers are processed entirely within your browser and are never transmitted to our servers or any third party. They are deleted from your browser’s memory the moment your assessment is submitted.

We do not collect: the specific answers you gave to any assessment question; biometric data or health records; or any information beyond what is listed in Section 3.

We use your name and email to send you your personalised sleep assessment results and updates about the Seona clinical programme, which you explicitly consented to when completing the assessment. We use the sleep severity category, numeric score, and context flags solely to personalise the content of those communications so the information we send you is relevant to your situation.

We rely on the following lawful bases:

• Marketing emails — PECR explicit consent. We send you your results and programme updates because you ticked the consent checkbox before submitting the assessment.
• Sleep-derived attributes (severity category, numeric score, context flags, clinical flags) — UK GDPR Article 9(2)(a) explicit consent. These constitute special category health data. We process them on the basis of your explicit consent given at the same consent checkbox. You may withdraw consent at any time by unsubscribing or emailing info@seona.health.
• Anonymous usage analytics — legitimate interests, Article 6(1)(f). We have a legitimate interest in understanding, in aggregate, whether visitors complete the assessment and whether the share feature is used, so we can improve the service. We use Plausible Analytics for this. No health conditions, scores, or individual identifiers are included in any analytics event. IP addresses received during transmission are immediately anonymised by Plausible (daily-salted hash, not stored); no individual can be identified from the resulting data. We have assessed that this processing does not override individual privacy interests given the negligible privacy impact of immediately-anonymised, cookie-free analytics.

We use the following third-party processors. We do not sell your data.

• Customer.io (Peaberry Software Inc.) — our email platform. We share your name, email address, sleep severity category, numeric sleep score, applicable sleep context flags, clinical flags (melatonin-age, CBT-I history), assessment date, and traffic source information. Customer.io acts as a data processor under a UK GDPR-compliant Data Processing Addendum and stores all data on EU infrastructure.
• Plausible Insights OÜ (Plausible Analytics) — our cookie-free analytics provider. When you complete the assessment or tap the share button, your browser sends an anonymous event (event name and page URL only — no health conditions, scores, or personal details) to Plausible. Plausible also receives your IP address and browser User-Agent as standard HTTP headers; these are combined with a daily-rotating salt, hashed, and immediately discarded — they are never stored. No cookie is set and no individual visitor can be identified from Plausible’s data. Plausible is incorporated in Estonia and processes data under EU GDPR.
• Vercel Inc. — our hosting provider. Vercel processes request logs (IP addresses, URLs, timestamps) as part of normal web hosting infrastructure. Vercel is SOC 2 certified and processes data under a UK GDPR-compliant DPA.

We keep your data for as long as you remain subscribed. You may request deletion at any time by emailing info@seona.health or unsubscribing.

Under UK GDPR you have the right to: access, correct, delete, restrict, port, and object to processing of your data. Contact info@seona.health to exercise any of these rights.

This website uses two analytics tools:

• Plausible Analytics — cookie-free, sets no tracking cookies, and retains no personal data. Used on marketing pages to count page views, and on the assessment to record two anonymous aggregate events: assessment completed and share button clicked. Neither event includes any health information, scores, or identifying data. IP addresses are received in transit and immediately anonymised (hashed with a daily-rotating salt) before any storage; they are never retained. Individual visitors cannot be identified from Plausible’s data. No consent is required under PECR because no cookies or equivalent device storage is used.
• Google Analytics 4 — used to understand how visitors find and navigate Seona. Google Analytics sets cookies on your device and sends data (including anonymised IP address and device information) to Google. It is only activated after you click “Accept” in the cookie banner. It is never activated on the /assessment pages — health questionnaire data is entirely out of scope.

Consent cookie. When you make a choice in the cookie banner, we store your preference in a first-party cookie named seona_consent for 12 months. This cookie records only your own preference (“granted” or “denied”) and is strictly necessary to honour it — it is exempt from PECR consent requirements.

You can change or withdraw your Google Analytics consent at any time by clearing your cookies or contacting us at info@seona.health. Plausible Analytics cannot be opted out of on an individual basis because it does not collect any data that identifies you.

We will update this policy when our practices change. The date at the top shows when it was last updated.