Last updated: 25th March 2026
This Privacy Policy explains how Consenta (“we”, “us”, “our”) collects, uses, discloses and protects personal data when individuals use our websites, applications, platforms and related services (together, the “Services”).
Consenta is a technology platform that provides consent management, data anonymisation and data aggregation services to organisations that handle clinical, health-related and lifestyle information. It helps those organisations record, manage and evidence individuals' permissions for the use of their data, apply privacy-enhancing techniques, and support compliant reuse of data for purposes such as care delivery, operations, analytics and research.
This Policy also explains how we comply with the UK General Data Protection Regulation (“UK GDPR”), the EU General Data Protection Regulation (“EU GDPR”) and, where applicable, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Controller: Manorath LLC (trading as “Consenta”)
Registered address: Delaware, USA.
Privacy contact / Data Protection Officer: Manjinder Virk
Email: Info@Consenta-global.com
This Policy applies when:
When we process personal data on behalf of our customers, we generally act as a “processor” or “business associate” and our customer remains responsible for providing appropriate privacy information to individuals.
We may process the following types of personal data, depending on how you interact with us:
Identification and contact data — Names, email addresses, postal address, telephone numbers, job title, employer or organisation.
Account and usage data — Usernames, login details (hashed), account settings, support queries, activity logs, audit trails and similar information relating to your use of the Services.
Clinical and lifestyle data — Health-related data, laboratory data, demographic information and lifestyle data that are provided to us by our customers or directly by you, where this is necessary for the purpose of the Services and permitted by law.
Consent and preference data — Records of consent and permissions, including consent wording, policy versions, scope, timestamps, revocations, and other preference information, where relevant.
Technical and device data — IP address, device identifiers, browser type, operating system, referral URLs, pages viewed, and the dates and times of visits and interactions with our Services.
We do not intentionally collect information from children without appropriate authorisation from a parent, guardian or relevant organisation.
We collect personal data in the following ways:
Directly from you — When you create an account, complete forms, contact us, participate in a pilot or trial, or otherwise communicate with us.
From our customers and partners — When organisations (such as healthcare providers, laboratories, research institutions or commercial partners) provide data to us in order for us to deliver the Services to them.
Automatically — Through the use of cookies, SDKs, pixels and similar technologies when you visit or use our websites or applications.
Where the UK GDPR or EU GDPR applies, we rely on one or more of the following legal bases:
Consent (Article 6(1)(a), Article 9(2)(a)) — For certain activities, particularly the processing of special category data such as health information, where explicit consent is required.
Performance of a contract (Article 6(1)(b)) — To provide, maintain and support our Services, including setting up accounts, responding to support requests and fulfilling our contractual obligations.
Legal obligation (Article 6(1)(c)) — To comply with applicable laws and regulations, including record-keeping, regulatory reporting and responses to lawful requests.
Legitimate interests (Article 6(1)(f)) — To operate, secure and improve our Services, prevent fraud and misuse, manage our business, and communicate with you about updates or similar information, provided that these interests are not overridden by your rights and freedoms.
Where we process special category data, such as health data, we rely on an additional condition under Article 9 GDPR, for example explicit consent, processing for the provision of health or social care under professional secrecy, or processing for scientific research in accordance with applicable safeguards and local laws.
For certain US-based customers that are subject to HIPAA, we may act as a “Business Associate” in relation to Protected Health Information (“PHI”). In those cases:
We use personal data for the following purposes:
To provide and operate the Services — Operating our consent, data management, anonymisation and aggregation features; enabling users to access and use the platform; maintaining user accounts and preferences.
To manage consent and permissions — Capturing, storing and updating records of consent and permissions associated with particular datasets and use cases, and enabling customers to audit such records.
To support analytics, research and product development — Where lawful and subject to appropriate safeguards, using de-identified, pseudonymised or aggregated data to analyse usage, improve our Services and support research and innovation.
To provide support and communicate with you — Responding to enquiries, providing customer support, sending administrative messages, service announcements and security alerts.
To ensure security and prevent misuse — Protecting our Services and users against fraud, abuse and security incidents; monitoring, investigating and mitigating suspicious activity.
To comply with legal and regulatory requirements — Meeting obligations under applicable laws, regulations, codes of practice and professional standards, and responding to lawful requests by public authorities.
We apply a privacy-by-design and privacy-by-default approach, including:
We may share personal data with:
Customers and their authorised users — Where our platform processes data on behalf of a customer, data is made available to that customer and its authorised personnel in accordance with our contracts with them.
Service providers and processors — Third-party vendors that provide hosting, infrastructure, security, analytics, communication tools, customer support and other services necessary for us to deliver the Services. These parties act on our instructions and are subject to contractual obligations of confidentiality and data protection.
Professional advisers — Legal, accounting, insurance and other advisers bound by confidentiality obligations, where necessary for the operation of our business.
Authorities and third parties — Where required by law or reasonably necessary to protect the rights, safety or property of us, our users or others, we may disclose information to regulators, law enforcement or other competent authorities.
We do not sell personal data.
Personal data may be transferred and processed in countries outside the UK or European Economic Area (“EEA”), including countries that may have different data-protection laws. Where we transfer personal data internationally, we will ensure that appropriate safeguards are in place, such as:
You may contact us for more information about the specific safeguards in place for international transfers.
We retain personal data only for as long as reasonably necessary to fulfil the purposes described in this Policy, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
When it is no longer necessary to retain personal data, we will delete or anonymise it, or if this is not possible (for example, because it is stored in backup archives), we will securely store the data and isolate it from any further processing until deletion is possible.
Where the UK GDPR or EU GDPR applies, you may have the following rights in relation to your personal data, subject to certain conditions and exemptions:
Where we process personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before consent was withdrawn.
If we process your data on behalf of a customer, you may need to exercise your rights directly with that customer. We will support our customers in responding to such requests where required by law and our contracts.
To exercise your rights or ask questions about this Policy, please contact us using the details in section 2.
You also have the right to lodge a complaint with your local supervisory authority, for example:
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage.
These measures may include access controls, encryption, network and application security, logging and monitoring, staff training and internal policies, and regular review of our security posture.
We may update this Privacy Policy from time to time. When we make material changes, we will take appropriate steps to inform you, which may include a notice on our website or direct communication.
The “Last updated” date at the top of this Policy indicates when it was most recently revised.