Privacy Policy

TrackTogether Ltd (referred to as we, us, our etc. in this policy) is committed to protecting your personal data and respecting your privacy.


This policy applies to your use of our website (the Site).

This policy sets out the basis on which any personal data we collect (or that you provide to us) will be processed by us.

We do not knowingly collect data relating to children.

Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

This policy is provided in a layered format so you can click through to the specific areas set out below.

Important Information And Who We Are

TrackTogether Ltd is the controller and is responsible for your personal data.

We have appointed a data protection officer (DPO). If you have any questions about this privacy policy, please contact them using the details set out below.

Contact details

Our full details are:

You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.

Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review. This version was last updated on 10th June 2020. It may change and – if it does – these changes will be notified to you when you next provide information to us via the Site. The new policy may be displayed on-screen and you may be required to read and accept the changes to continue your use of elements of the Site.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.

The Data We Collect About You

We may collect, use, store and transfer different kinds of personal data about you as follows:

We explain these here.

As discussed below – where you have given us consent to do so – we may also create, use and share aggregated data (such as statistical or demographic data) for various purposes. In this case, the aggregated data will be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your personal data with the personal data of other users in order to calculate the proportion of users in specific areas of the country who likely have contracted COVID-19.

We do not collect any information about criminal convictions and offences.

How is Your Personal Data Collected?

We will collect and process the following data about you:

How We Use Your Personal Data

We will only use your personal data when the law allows us to do so. Most commonly, we will use your personal data in the following circumstances where you have consented before the processing takes place.

Click here. to find out more about the types of lawful basis that we will rely on to process your personal data.

Purposes for which we will use your personal data

 Purpose Type of data Lawful basis for processing
 Creation of aggregated data  
  • Age
  • Location Data
  • Symptom Data
 Your consent
Sharing data with research institutions   
  • Age
  • Location Data
  • Symptom Data
  • Unique ID
Your consent 

Disclosures Of Your Personal Data

When you provide data to us via the Site, we will also ask you for your consent to share your personal data (as set out above) with the following research institutions:

Each of these institutions is a separate controller and has its own privacy policy setting out how they will use the personal data that we share with them.Links to their privacy policies are:

International Transfers

Some of the third parties with whom we share your data are based outside the EEA and – in this case – their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

For each third party outside of the EEA, in the Glossary, we have provided details of the specific mechanism used by us when transferring your personal data out of the EEA.

Data Security

All of the information that you provide to us (or that we collect) is stored on our secure servers.

Once we have received your personal data, we will use strict procedures and industry-leading security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.

Data Retention

Every six months, we assess whether your personal data (along with other individuals’ personal data) is of value to any current research conducted by the institutions with whom we share it (see Third Parties below). In the event that we decide that this is not the case, we will promptly erase your personal data.

In some circumstances, you can ask us to delete your personal data. See your legal rights [Insert as link.] below for further information about this.

As discussed above, in certain circumstances, we may create aggregated data using your personal data. We may use this aggregated data indefinitely without further notice to you.


Lawful Basis

Third Parties