Skip to main content

This policy covers personal data collected through the Anne Health website.

It does not cover data collected when you register as a patient or use our clinical services. A separate Patient Privacy Notice applies to that processing, which you will receive when you create an account.

1. Who we are

Enna Limited OÜ, trading as Anne Health (“Anne”, “we”, “us”), owns and operates the website at anne.health. We are registered in Estonia under company number 17512388 and are the data controller for personal data collected through this website.

The website is managed and updated by ATHL Limited (ATHL) on behalf of Enna Limited OÜ.

Registered address: Harju maakond, Tallinn, Nõmme linnaosa, Pärnu mnt 388b, 11612 Estonia

Data protection contact: hello@anne.health

Telephone: 0333 004 7394

2. What data we collect

This website collects limited personal data. We do not collect health data, clinical data, or special category data through the website. If you are a client organisation, we may also process contact data relating to your staff under a separate contract.

Category Examples How collected
Website usage and technical data
  • IP address, browser type, pages visited, time and duration of visits, device identifiers
  • Collected automatically via cookies and server logs, with your consent where required. See Section 7.
Enquiry and contact data
  • Name, email address, and any information you include in a message to us
  • Provided by you when you contact us through the website
Business contact data
  • Name, job title, email address, and telephone number of contacts at client organisations

 

  • Provided under contract by client organisations

3. Why we process your data and our lawful bases

We must have a lawful basis for every processing activity under the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”) Article 6, as implemented in Estonia.

For website data collection only, we rely on Article 6 lawful bases, as shown below. We do not process special category data, including health data, through this website.

Purpose Data used Lawful basis
Operating and improving the website
  • Usage and technical data
  • Consent under Article 6(1)(a), via cookie banner
Responding to enquiries submitted through the website
  • Enquiry and contact data
  • Legitimate interests under Article 6(1)(f), responding to an enquiry you have initiated
Delivering services to client organisations and fulfilling contractual obligations
  • Business contact data
  • Contract under Article 6(1)(b), or legitimate interests under Article 6(1)(f) where the individual is a third-party contact rather than a party to the contract
Marketing communications, where you have opted in
  • Email address, name
  • Consent under Article 6(1)(a), express opt-in only. You can withdraw at any time.
Complying with legal obligations
  • Any data we are required to retain or disclose
  • Legal obligation under Article 6(1)(c)

Note on special category data: If you become a patient member and access clinical services, you will be asked to provide separate consent for the processing of health data under Article 9 conditions, as set out in our Patient Privacy Notice.

We do not use website data for AI model training or to generate AI-supported content without your express permission.

4. How long we keep your data

Below is a list of the data type and the relative retention periods for keeping your data.

  • Website analytics and usage data: Up to 26 months
  • Enquiry and contact data: Up to 2 years from last contact, unless we enter a contract with you
  • Business contact data under contract: Duration of the contract plus 7 years, in line with accounting and limitation period requirements
  • Marketing consent records: Until consent is withdrawn, plus 3 years as evidence of consent

5. Who we share your data with

We do not sell your personal data. We share it only in the circumstances below.

Recipient Purpose Basis
Website hosting and analytics providers
  • Hosting the site and understanding how it is used
  • Processor relationship, bound by data processing agreement
Regulatory bodies and law enforcement
  • Legal and regulatory compliance, or response to court orders
  • Legal obligation under Article 6(1)(c)
Successor business on sale or transfer
  • Business continuity
  • Legitimate interests. You will be notified.

Any third party processing data on our behalf is bound by a written data processing agreement and may only act on our documented instructions.

6. Where your data is stored and transferred

Personal data may be transferred between Estonia and the European Economic Area (EEA) under the EU GDPR framework. Where personal data is transferred to any country outside the EEA, we ensure an appropriate transfer mechanism is in place before any transfer takes place.

Personal data may also be transferred to the United Kingdom on the basis of mutual adequacy. The European Commission’s adequacy decisions permit transfers from the EEA to the UK. The UK’s Data (Use and Access) Act 2025 enables the UK to maintain data protection standards. The Commission renewed its UK adequacy decisions on 19 December 2025, following its assessment of the changes introduced by the Data (Use and Access) Act 2025. These decisions are currently in force and are subject to ongoing monitoring and periodic review by the Commission.

Where personal data is transferred to any other country outside the EEA and UK, we rely on an appropriate transfer mechanism recognised under EU GDPR, such as an International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses.

Contact us using the details in Section 12 if you want to know which transfer mechanisms apply to a specific processing activity.

7. Cookies

This website uses two categories of cookie:

  • Strictly necessary cookies: required for the site to function. No consent is needed for these.
  • Analytics cookies: these help us understand how visitors use the site. We only place these with your consent, which you give or withhold through the cookie banner when you first visit. You can change your preferences at any time through the banner. Declining analytics cookies does not affect your ability to use the site.

We do not use advertising or marketing cookies on this website.

8. Security

We protect your data through:

  • Access controls limiting data to staff with a legitimate need
  • Encryption of data in transit and at rest
  • Confidentiality obligations on all staff and contractors
  • Documented breach response procedures, including notification to you and the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) where legally required

9. Your rights

Under the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”) as implemented in Estonia, you have the rights set out below. We respond to requests within one calendar month, or up to three months for complex or numerous requests. We will notify you within the first month if we need the extension.

Right What it means in practice
To be informed
  • This policy fulfils that obligation for website data processing
Access
  • To receive a copy of the personal data we hold about you. See Section 10.
Rectification
  • To have inaccurate or incomplete data corrected
Erasure
  • To ask us to delete data we no longer need
Restriction
  • To ask us to pause processing in certain circumstances
Objection
  • To object to processing based on legitimate interests, including direct marketing, which we must stop immediately on request
Data portability
  • To receive data you provided to us in a machine-readable format, where processing is consent- or contract-based and automated
Withdraw consent
  • To withdraw consent at any time. This does not affect processing carried out before withdrawal.

To exercise any right, contact us using the details in Section 12. We may ask you to verify your identity. The response clock runs from the point identity is confirmed.

10. Subject access requests

You can ask for a copy of the personal data we hold about you at any time. A request form is available on our website, but you are not required to use it.

  • No charge unless the request is manifestly unfounded or excessive. We will tell you before applying any fee.
  • Response within one calendar month. We may extend to three months for complex or numerous requests and will notify you within the first month if we do.
  • We may ask for proof of identity. The response clock is paused until we receive it.

11. Complaints

If you have a concern about how we have handled your personal data, please raise it with us first.

Step 1: Raise your concern
Contact us using the details in Section 12. Tell us what happened, what data is involved, and what outcome you are looking for.

Step 2: Acknowledgement
We will acknowledge your complaint within five working days.

Step 3: Investigation and response
We aim to provide a full written response within 28 calendar days. If your complaint is complex, we may need longer and will notify you with an expected resolution date.

Step 4: Escalation
If you are unhappy with our response, or we have not resolved your complaint within 56 calendar days, you can escalate to the Estonian Data Protection Inspectorate. You may also go directly to the Inspectorate at any point.

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Väike-Ameerika 19, 10130 Tallinn, Estonia
+372 661 9090
info@aki.ee
www.aki.ee

12. Contact us

For anything about your personal data or this policy, including subject access requests and rights requests:

Data protection contact: Enna Limited OÜ, trading as Anne Health

Email: hello@anne.health

Telephone: 0333 004 7394

Post: Harju maakond, Tallinn, Nõmme linnaosa, Pärnu mnt 388b, 11612 Estonia

13. Third-party websites

Our website may contain links to other websites. We have no control over how those sites collect, store, or use your data. Check their privacy policies before sharing data with them.

14. Changes to this policy

We update this policy when our practices change or when the law requires it. The version date at the top of this document shows when it was last updated.

Enna Limited OÜ · Company No. 17512388 · Registered in Estonia

Your journey, your pace, your care

Take the first step with Anne Health.

We’re here to guide and support you with inclusive, gender-affirming care built around you.

Sign up to our mailing list

For all the tea, T and trans+ healthcare updates.

 

See our privacy policy

 

    
* indicates required