GDPR policy

For Maze Interactive Health · Effective date: 13 May 2026

General Data Protection Regulation (GDPR) policy

Maze Interactive Health (“the Company”, “we”, “our”, “us”) is committed to protecting the privacy, confidentiality, integrity, and security of personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable data protection legislation.

This GDPR policy outlines how we collect, process, manage, and protect personal data across our operations, digital platforms, immersive technologies, healthcare applications, and website services.

This policy applies to:

  • Employees
  • Contractors
  • Consultants
  • Technology partners
  • Clients
  • Suppliers
  • Website users
  • Any third parties processing personal data on behalf of Maze Interactive Health

It covers all personal data processed by the Company in both digital and physical formats.

Maze Interactive Health adheres to the core GDPR principles that personal data must be:

a) Processed lawfully, fairly, and transparently

We ensure individuals understand how their data is used and processed.

b) Collected for specified, explicit, and legitimate purposes

Personal data is only collected for clearly defined purposes.

c) Adequate, relevant, and limited

We only collect data necessary for the intended purpose.

d) Accurate and kept up to date

Reasonable steps are taken to ensure data accuracy.

e) Stored only as long as necessary

Data retention periods are defined and monitored.

f) Processed securely

Appropriate technical and organisational measures are implemented to safeguard personal data.

g) Accountable

We maintain governance processes demonstrating GDPR compliance.

Depending on the service provided, we may process:

  • Names
  • Contact information
  • Business information
  • Device and technical information
  • User engagement analytics
  • Authentication data
  • Healthcare-related information where applicable and lawfully processed
  • Research or clinical feedback data
  • Usage and behavioural interaction data within immersive platforms

Where special category data is processed, additional safeguards and lawful processing conditions will apply.

Maze Interactive Health processes personal data under one or more of the following lawful bases:

  • Consent
  • Contractual necessity
  • Legitimate interests
  • Legal obligations
  • Vital interests
  • Healthcare and research exemptions where applicable under UK GDPR

Individuals have the right to:

  • Access their personal data
  • Request correction of inaccurate data
  • Request erasure (“Right to be Forgotten”)
  • Restrict processing
  • Object to processing
  • Withdraw consent
  • Request portability of their data
  • Challenge automated decision-making where applicable

Requests may be submitted via:
Email: info@mazeinteractivehealth.com

We aim to respond to valid requests within one calendar month.

Maze Interactive Health implements appropriate technical and organisational security measures including, where appropriate:

  • Encryption
  • Access controls
  • Role-based permissions
  • Secure cloud hosting
  • Authentication and password controls
  • Secure development practices
  • Data minimisation
  • Audit logging
  • Secure backups
  • Vulnerability management procedures

We regularly review and improve security controls to align with evolving threats and compliance requirements.

Personal data will only be retained for as long as necessary to:

  • Fulfil contractual obligations
  • Deliver services
  • Meet legal and regulatory requirements
  • Support legitimate business operations

Secure deletion and disposal procedures are followed when data is no longer required.

Where personal data is transferred outside the UK or EEA, Maze Interactive Health ensures appropriate safeguards are implemented, including:

  • UK International Data Transfer Agreements (IDTA)
  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable

Where third-party service providers process personal data on our behalf, we ensure:

  • Appropriate due diligence is completed
  • Data Processing Agreements (DPAs) are in place
  • Security and confidentiality obligations are maintained
  • GDPR compliance obligations are contractually enforced

Maze Interactive Health maintains procedures for identifying, investigating, managing, and reporting personal data breaches.

Where required by law:

  • Breaches will be reported to the relevant supervisory authority within 72 hours
  • Affected individuals will be informed where there is a high risk to their rights and freedoms

We are committed to embedding privacy and data protection principles into:

  • Platform development
  • Software engineering
  • Healthcare applications
  • Immersive technologies
  • Research and innovation activities

Data minimisation, security, and user privacy are considered throughout the development lifecycle.

All staff, contractors, and partners handling personal data are expected to:

  • Follow GDPR requirements
  • Maintain confidentiality
  • Report security incidents promptly
  • Complete relevant data protection awareness training where applicable

Unauthorised disclosure or misuse of personal data may result in disciplinary or contractual action.

Our website may use cookies and analytics technologies to improve user experience and website performance.

Further information is available within our Privacy policy.

The supervisory authority in the United Kingdom is the:
Information Commissioner’s Office (ICO)ico.org.uk

This policy will be reviewed periodically and updated where necessary to reflect:

  • Regulatory changes
  • Operational developments
  • Security improvements
  • Technology advancements

For GDPR or data protection enquiries, please contact:

Maze Interactive Health

Website: www.mazeinteractivehealth.com

Email: info@mazeinteractivehealth.com