Privacy Policy
Who we are
HeartFirst is a product of Shyntesy. We develop cardiovascular health education products including the Heart Risk Clarity Check, HeartFirst Navigate, and HeartFirst Prevent.
For the purposes of this Privacy Policy, "HeartFirst", "Shyntesy", "we", "us", and "our" refer to Shyntesy as the data controller responsible for deciding how personal data is collected and used.
Contact: heartfirst@shyntesy.com
Privacy snapshot: We collect only what we need to deliver and improve our products. We do not sell your data, share it with advertisers, or run third-party advertising on our products. We store your data securely and will delete or anonymise it on request where we are legally able to do so.
What data we collect and why
| Data | Why we collect it | Legal basis |
|---|---|---|
| Email address | To deliver your purchased product and send the welcome email sequence | Contract performance |
| Name (if provided) | To personalise delivery emails | Contract performance |
| Payment data | Processed by our payment provider. We do not store card details. | Contract performance |
| Purchase history | To manage your access, process refund requests, and apply purchase credits | Contract performance / Legitimate interest |
| Email delivery and engagement data | To confirm that essential product emails are delivered, troubleshoot access issues, and understand whether our communications are useful. Where tracking requires consent, we will request it or disable this tracking. | Legitimate interest / consent where required |
| Support correspondence | To resolve your queries and improve our products | Legitimate interest |
| Website and technical usage data | To understand site performance, protect the website, identify errors, and improve the user experience. Where we use analytics, we aim to use privacy-respecting tools and avoid advertising-based tracking. | Legitimate interest / consent where required |
Marketing communications
If you subscribe to updates, download a free resource, or purchase a product, we may send you relevant product updates, educational content, or service messages. You can unsubscribe from marketing emails at any time. We will still send essential transactional emails where needed to deliver a product, respond to a request, process a refund, or meet a legal obligation.
What we do not do with your data
- We do not sell your personal data to any third party
- We do not use your data to serve you advertising
- We do not share your data with advertising networks or data brokers
- We do not build profiles of you for marketing purposes beyond our own products
- We do not use health-related information you share with us for any purpose other than delivering and improving our products
Important note on health-related content
Our products include worksheets and tools that prompt you to record health-related information — cholesterol results, family history, risk factors, and similar data. This information is entered by you into documents stored on your own device. We do not receive, store, or process the health data you enter into our product worksheets.
If you share health-related information with us directly (for example, in a support email or during a preparation session) we treat it with strict confidentiality and use it only to assist you.
Where required, we rely on your explicit consent to process health-related information you choose to send to us, together with our legitimate interest in responding to your request or our need to perform a contract with you.
Who we share data with
Payment providers
We use PCI-compliant payment providers such as Stripe and, where available, PayPal, to process payments. These providers collect and process payment information directly. We receive confirmation of successful payment but do not store card details.
Email service providers
We use email service providers to send transactional emails, product delivery messages, support replies, and, where you have subscribed or where otherwise permitted by law, product updates. Your email address is shared with providers only for these purposes.
Cloudflare
Our websites are served and protected by Cloudflare. Cloudflare may process limited technical data (IP addresses, request metadata) as part of its CDN and security services. See Cloudflare’s privacy policy.
Legal requirements
We may disclose your data if required to do so by law, court order, or regulatory authority.
Data retention
We retain your data for as long as necessary to deliver your purchased product, honour your guarantee period, and comply with our legal obligations. In practice:
- Purchase records — retained for 7 years for accounting and legal purposes
- Email address and delivery records — retained while you remain an active customer or subscriber
- Support correspondence — retained for 2 years after the conversation closes
You can request deletion of your personal data at any time (subject to legal retention requirements) by emailing heartfirst@shyntesy.com.
Your rights
Depending on where you are located, you may have the following rights in relation to your personal data.
To exercise any of these rights, email heartfirst@shyntesy.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
Security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. Our websites are served over HTTPS. Payments are handled by Stripe using industry-standard encryption. We do not store payment card data.
No method of transmission over the internet is completely secure. If you have concerns about a specific data security matter, please contact us.
International transfers
Our service providers may process data outside your country of residence, including outside the UK, EU, or European Economic Area. Where this happens, we rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, or equivalent lawful transfer mechanisms.
Children
Our products are intended for adults. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
Changes to this policy
We may update this policy as our practices evolve or legal requirements change. Significant updates will be noted with a revised date at the top of this page. Where a change materially affects how we use personal data, we will provide additional notice where required by law.
For any privacy-related question, rights request, or concern, contact us at heartfirst@shyntesy.com.
We will acknowledge your request within 5 business days and respond fully within 30 days. If your request is complex or you have made multiple requests, we may extend this by a further 60 days with notice.