Privacy Policy

At a glance

CrossSense is in active development and is not yet on the commercial market. The processing described in this notice currently covers: public-event demonstrations, user testing in community and home settings, a research study planned for summer–autumn 2026, and a late-2026 pilot intended to evolve into commercial release. We will update and re-issue this notice ahead of any commercial launch and whenever our processing materially changes.

This notice is one layer of how we communicate about your data. You will also see short, plain-language prompts in the companion app at the moments your data is collected. This notice is available on request in accessible formats — large print, plain text, audio, or read aloud by the companion app.

Contact details

CrossSense Ltd
41 Mitchell Street
London EC1V 3QD

Email: privacy@crosssense.com

Data Protection Officer: Szczepan Orlins (privacy@crosssense.com)

Who we are

CrossSense Ltd develops and operates CrossSense, an augmented reality smartglasses system and companion smartphone application designed to support people living with early-to-mid stage dementia to maintain independence at home. The AI assistant within CrossSense is called Wispy.

CrossSense Ltd is a spin-out from Animorph Ltd and is independent from it. All intellectual property, operational control, and data processing responsibilities transferred to CrossSense Ltd in December 2025. Animorph Ltd is no longer a controller or processor of any CrossSense personal data. Earlier versions of this notice referenced both entities; that arrangement has been superseded.

CrossSense Ltd is the sole data controller for all personal data described in this notice.

What information we collect, use, and why

We collect or use the following information to provide the CrossSense service:

• Name, address, and contact details
• Date of birth
• Gender
• Emergency contact details and designated support network information
• Accessibility information needed to make the device work for you (for example, prescription lens requirements, hearing-aid preferences, language settings)
• Cognitive condition status and care needs, where you choose to share them so we can adapt support
• Account and registration information
• Communications you send us (support requests, feedback)
• Payment details, where applicable to a paid pilot or commercial phase

Information collected during use of the smartglasses

• Visual data — camera images for object recognition, scene analysis, and navigation assistance
• Audio data — voice commands and ambient audio captured when you interact with Wispy
• Movement data — accelerometer and gyroscope readings for activity and fall detection
• Derived inferences — what Wispy learns about your routines, preferences, and patterns of cognitive activity in order to personalise support
• Device interactions — voice commands, movement patterns, and object interactions
• Error reports and diagnostic data — technical logs keyed to a device identifier. These remain personal data even when they do not describe you directly, because the device ID can be linked back to you through our account database. We minimise their content and pseudonymise them on collection.

Special category data

The data above includes special category data under UK GDPR Article 9, in three distinct ways which we treat separately:

1. Health and care information you provide directly — your cognitive condition status, hearing or vision accessibility needs, and any care information you share.
2. Health information we infer — for example, from the labelling of medical equipment visible in your home, the rhythm of your routines, or your interactions with Wispy. Inferred data is special category data where we intend to draw an inference linked to a special category or to treat you differently on the basis of it.
3. Other categories that may be inferred from environmental context — for example, religious or philosophical beliefs may be inferable from objects in scene labels. We do not seek this data, we apply technical suppression to avoid recording it in summaries, and where it is unavoidable we treat it as Article 9 data.

Information from your support network

With your explicit consent, designated carers or family members may provide basic contact information for emergency or support purposes. You control who is added, what they can see, and can revoke access at any time without affecting your own use of the device.

People other than the primary user

The smartglasses' cameras and microphones may capture other people — household members, visitors, or passers-by — who are not CrossSense users. We minimise this incidental collection through local processing where technically feasible, by discarding non-relevant frames at the earliest possible point, and by not retaining identifiable images of non-users beyond the 24-hour raw-data window described below. Bystanders may exercise the data subject rights described later in this notice.

Our lawful bases

Article 6 UK GDPR

• Consent (Article 6(1)(a)) — for processing of visual, audio, and movement data captured by the smartglasses; for personalised AI features; and for sharing high-level activity insights with designated carers.
• Contract (Article 6(1)(b)) — for account administration, service delivery, and payment processing.
• Legitimate interests (Article 6(1)(f)) — for bot-protection on our signup forms (see below) and for limited service-improvement analytics using anonymised or strongly pseudonymised data. A Legitimate Interests Assessment is available on request from privacy@crosssense.com.

Article 9 UK GDPR (special category data)

Our primary Article 9 condition is explicit consent (Article 9(2)(a)). This consent is:

• Captured separately from general terms, in plain language, with layered just-in-time prompts in the app
• Reconfirmed every three months through the companion app, in recognition of the progressive nature of cognitive conditions
• Withdrawable at any time, in the app or by contacting privacy@crosssense.com, without affecting basic device functionality

We maintain an Appropriate Policy Document for the processing of special category data, as required by Schedule 1 of the Data Protection Act 2018.

Consent, capacity, and continuity

For users living with a progressive condition, consent given today may not always be possible to renew tomorrow. We address this as follows:

• Pre-capacity-loss instructions. During setup, while you have capacity, you can record your wishes for how CrossSense should continue (or stop) processing your data if you later become unable to manage your own privacy settings.
• Authorised representative. You may designate a person (under a Lasting Power of Attorney, deputyship, or equivalent arrangement) to exercise your data protection rights on your behalf. We will verify the legal basis before acting on any such request.
• Vital interests (Article 9(2)(c)) for emergency processing only — for example, alerting your designated carer to a detected fall — where you or another person are physically incapable of giving consent in the moment.
• Fresh consent at material change. If our processing or your capacity materially changes, we will seek fresh, appropriately supported consent, or rely on your authorised representative, or pause the affected processing.
• Pause-by-default. Where consent has lapsed and no other condition applies, we pause processing rather than continue without a lawful basis.

Your data protection rights

You have the rights of access, rectification, erasure, restriction, objection, data portability, and (where we rely on consent) withdrawal of consent. More information is available on the ICO's website.

We will respond without undue delay and within one calendar month. To make a request, contact us at privacy@crosssense.com.

Erasure and the usefulness of CrossSense. Some of what Wispy learns about you is what makes the device useful (for example, which cupboard you keep mugs in, what time you usually eat breakfast). If you ask us to erase derived inferences, we will do so promptly, and we will be transparent with you that the device may become less helpful as a result. We will never use this as a reason to refuse an erasure request.

Where we get personal information from

• Directly from you
• Family members or carers (with your explicit consent)
• Sensors on the smartglasses you are wearing
• Limited technical telemetry from the companion app

How we process your data

All data collected by CrossSense smartglasses is transmitted to secure servers located in the United Kingdom and processed by CrossSense Ltd. With one exception described below, no personal data leaves the UK.

What counts as "raw" data

For the purposes of this notice and our retention schedule, "raw" data means all unprocessed sensor streams collected by the smartglasses: images, audio, and movement/sensor data.

Raw data is retained strictly for safety monitoring and critical troubleshooting, for no longer than 24 hours from processing. After that window, the raw stream is permanently deleted; only the derived inferences and high-level activity summaries remain.

Visual-language-model inference

For computer-vision and visual-language tasks, we currently send the minimum necessary data to the Google Gemini API. This is the only external AI processing service we use.

• We send only what is needed for the inference — typically selected image frame or a short audio fragment.
• We configure the API with the most privacy-protective settings available, and we operate under terms intended to prevent use of our data for advertising or for training Google's general models.
• We acknowledge that, as with any third-party API, we cannot independently verify Google's infrastructure-level behaviour. We monitor changes to Google's terms and will move provider, or bring this processing in-house, if our assessment changes.
• We are working towards self-hosting these models on UK-based infrastructure so that no personal data needs to leave our control. We will update this notice when that transition takes place.

Cloud architecture

CrossSense initially processed all data locally on the user's edge device. As the product developed, processing requirements exceeded what a wearable and a lightweight processing unit could do to reliably run, so we now process audio, visual, and movement data on our UK cloud infrastructure under an Article 28(3) processor contract with a UK-resident cloud provider. We recognise that cloud processing is more intrusive than edge-only processing and we mitigate this through encryption, minimisation, short raw-data retention, strict UK residency, and the planned self-hosting transition above.

Granularity and minimisation

Activity summaries that may be shared with designated carers are expressed at a high level (for example, "spent two hours in the kitchen this morning") rather than at the level of individual actions. We review this granularity periodically against the data minimisation principle.

Bot-protection on our signup forms

To protect our signup forms from automated abuse, we use Cloudflare Turnstile, a privacy-respecting alternative to traditional CAPTCHA. When you load a page with one of our forms, Cloudflare receives your IP address, basic browser signals, and a short-lived challenge token; we exchange that token with Cloudflare at submission time to verify the request is genuine. Cloudflare may set a strictly-necessary first-party cookie during the challenge; we do not use Cloudflare for analytics or tracking.

Our lawful basis is legitimate interest in preventing automated abuse. Cloudflare acts as our processor for this flow. See Cloudflare's privacy statement for further detail.

Data sharing and third parties

Cloud infrastructure (UK)

Our primary UK cloud infrastructure is provided under an Article 28(3) processor agreement, encryption in transit and at rest, regular security review, and contractual obligations to assist with data subject rights requests.

Google Gemini API

As described above, Google acts as our processor under a Data Processing Addendum aligned with UK GDPR Article 28. for visual-language-model inference, on terms intended to prevent use of our data for advertising or for training Google's models. We will reassess this relationship if Google's terms change.

Designated carers and support network

With your explicit consent, designated carers may receive:

• High-level insights only — aggregated activity summaries
• No granular detail — carers cannot see individual actions
• No night-time data — unless an emergency alert is triggered
• Instant revocation — you can remove carer access at any time without affecting your own use

What we do not do

• We never sell your personal data
• We never use your data for advertising
• We never share your data with any third party without your fresh, specific consent
• We do not use your data for automated decision-making that produces legal or similarly significant effects on you

International transfers

Currently, only visual-language-model inference is processed outside the UK, via the Google Gemini API. All other processing takes place in the UK.

For that limited transfer, data is sent encrypted, minimised to what is strictly necessary for the inference task, and is covered by the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses together with a transfer risk assessment. We are working to bring this processing within the UK through self-hosted infrastructure.

How long we keep information

Data category	Retention period
Raw data (images, audio, movement)	24 hours from processing
Derived inferences	Duration of active account
Activity summaries shared with carers	90 days, or as agreed with you
Account details	Up to 3 years after closure or last interaction
Health and accessibility information	Maximum 7 years from last service interaction (Limitation Act 1980)
Payment details	Up to 1 year after final transaction or account closure
Error reports / pseudonymised diagnostics	12 months
Anonymised usage data	Up to 12 months
App settings and preferences	Up to 3 years after closure
Communications and support records	Up to 1 year from last interaction

Special circumstances

• Death of the user. Health-related data deleted within 30 days of notification, subject to any legal hold.
• Loss of capacity. Authorised representative may request earlier deletion; otherwise standard retention applies, with periodic review.
• Inactive accounts. Closed after 1 year of inactivity; we attempt to contact you first where contact details remain valid.
• Account deletion via the app. Personal data erased immediately, except where longer retention is required by law. Raw data is always deleted within the 24-hour window regardless of account state.

All personal data is stored encrypted with access controls. On expiry of the retention period, data is permanently and irreversibly deleted.

Security measures

• AES-256 encryption at rest; TLS 1.3 in transit
• Role-based access with multi-factor authentication for staff
• Regular security review and incident response procedures
• Maintained Software Bill of Materials for all dependencies
• Logical separation of user data on shared infrastructure

Data Protection Impact Assessment (DPIA)

CrossSense processes special category health data and carries out systematic monitoring of vulnerable individuals in their homes. A DPIA has been completed and is reviewed regularly, and after any model retraining, privacy-affecting feature, or change of processor. Key risks tracked include: over-reliance and skill atrophy, carer surveillance creep, model inversion, incidental capture of non-users, inferred special category data, and capacity-related consent erosion. We consult external stakeholders, including dementia-support organisations, in our review process.

Regulatory background

CrossSense Ltd (then operating jointly with Animorph Ltd) participated in the ICO's Regulatory Sandbox between November 2024 and early 2026. This notice reflects the conclusions of that work and the post-Sandbox change of operating entity.

How to complain

If you have any concerns about our use of your personal data, please contact us using the details above.

If you remain unhappy after raising the concern with us, you can complain to the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Helpline: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Changes to this notice

We review this notice periodically and update it to reflect changes to our service, infrastructure, or legal obligations. Material changes will be communicated through the companion app and by email where we hold a current address for you.