Privacy Policy

Version: 1.7 · Last updated: 30 May 2026 · Effective: 30 May 2026 · Controller: Omniwo Ltd, United Kingdom

Quick read: We collect what we need to deliver your blood tests + dashboard, store it securely in the UK/EU, and share only the minimum with vetted sub-processors. Anonymised marker data goes to two AI providers (Anthropic + OpenAI) for second-opinion review — never with your name or identifiers. Operational alerts (e.g. our internal Telegram channel) carry only 8-character ID prefixes — never your name, email, address, or any health value. You can request access, correction, or deletion at any time.

Contents

  1. Who we are
  2. Data we collect
  3. How we use your data
  4. Lawful basis under UK GDPR
  5. Sub-processors & third-party services
  6. AI processing safeguards
  7. International transfers
  8. Data retention
  9. Your rights
  10. Security
  11. Cookies & tracking
  12. Children
  13. Changes to this policy
  14. Contact us

1. Who we are

Omniwo Ltd (“we”, “us”, “our”) is a UK-incorporated longevity platform offering at-home blood testing, biomarker analysis, and AI-assisted insight generation. We are the data controller for the personal data described in this policy. Our registered office is at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. We are registered with the UK Information Commissioner's Office (ICO) under the Data Protection (Charges and Information) Regulations 2018; our ICO registration reference is 00013396887.

2. Data we collect

Account & profile

  • Name, email, phone, date of birth, gender, postal address
  • Lifestyle questionnaire responses (diet, sleep, exercise, alcohol, smoking, supplements, peptides, medications, conditions, family history, goals)
  • Optional: ethnicity (only with explicit consent — special-category data under UK GDPR Article 9)

Orders & payments

  • Products purchased, order status timeline, Royal Mail tracking number, lab order references
  • Payment card details — tokenised by Stripe; we never store your full card number

Health data

  • Blood biomarker results with values, units, statuses, and longevity-optimal ranges
  • Computed scores: health score, biological age, pace of aging
  • Raw HL7 lab message archives
  • AI-generated insights, sanity-check results, customer-facing summaries

Wearable & sensor data

  • Daily metrics from Oura, WHOOP, Strava, Polar, Dexcom CGM (sleep, HRV, resting heart rate, recovery score, glucose) — only with your explicit OAuth grant

Operational

  • Login timestamps, IP address (hashed + truncated for fraud detection), audit logs of admin actions on your account
  • Crash + performance traces (anonymised, no marker values)

IP address handling: before storage, IPv4 addresses are truncated to /24 (last octet zeroed) and IPv6 addresses to /48; the truncated address is then hashed with salted SHA-256 using a rotating IP_HASH_SALT. The raw IP address is never written to persistent storage.

3. How we use your data

  • To deliver your blood test: dispatch a kit / arrange a nurse visit, route your sample to our partner lab, process results, calculate scores, generate insights, surface them to your dashboard
  • To improve clinical accuracy: send anonymised marker data to AI providers (Anthropic + OpenAI) for second-opinion review — see section 6
  • To notify you: order confirmations, kit dispatched, results ready, retest reminders (all transactional — you cannot opt out while you have an active order)
  • To run the platform: hosting, authentication, billing, error monitoring, customer support
  • To meet legal obligations: tax records, anti-fraud, medical-device adverse event reporting if required

We do not sell your data, share it with advertisers, or use it for marketing without your explicit consent.

4. Lawful basis under UK GDPR

UK GDPR Article 13(1)(c) requires us to tell you the lawful basis for every category of personal data we process. The table below maps each processing purpose to the corresponding Article 6 basis (for personal data) and, where applicable, the Article 9 condition (for special-category data such as health).

| Data category | Purpose | Lawful basis (Art. 6) | Special-category condition (Art. 9) |
|---|---|---|---|
| Account & profile (name, email, DOB, address) | Create your account, authenticate logins, deliver the service you purchased | Contract — Art. 6(1)(b) | n/a |
| Orders & payments (products, Stripe tokens, lab references) | Process your purchase, dispatch the kit, route the sample to the lab, issue refunds | Contract — Art. 6(1)(b) | n/a |
| Health data (blood biomarkers, scores, HL7 archives, AI insights, wearable-derived health metrics) | Generate your results, calculate biological age and Pace of Aging, surface insights, longitudinal tracking | Contract — Art. 6(1)(b) | Preventative medicine — Art. 9(2)(h) (standalone basis): provision of health or social care under a contract with a healthcare provider. Applies to all blood biomarker results, computed scores, HL7 lab archives, AI-assisted insights, and wearable-derived health metrics displayed on your dashboard. |
| Anonymised marker data sent to AI providers (Anthropic, OpenAI) | Second-opinion AI review of biomarker patterns (see §6) | Legitimate interest — Art. 6(1)(f) (improving clinical accuracy of insights) | Data is de-identified before transmission — Art. 9 generally does not apply to anonymised data; treated as in-scope as a precaution under the contract basis |
| Optional special-category fields (ethnicity, family history, mental health disclosures, sexual health, lifestyle questionnaire, wearable data tied to identity) | Tailor scoring and recommendations where you have voluntarily disclosed this data | Explicit consent — Art. 6(1)(a) | Explicit consent — Art. 9(2)(a) (standalone basis). Withdrawing consent for an optional item removes that item only; the core service continues to operate under Art. 9(2)(h). |
| Wearable & sensor data (Oura, WHOOP, Strava, Polar, Dexcom) | Integrate sleep, HRV, recovery, glucose into your dashboard | Explicit consent (via OAuth grant) — Art. 6(1)(a) | Explicit consent — Art. 9(2)(a) |
| Transactional emails (order confirmation, kit dispatched, results ready, retest reminders) | Communicate the status of the service you purchased | Contract — Art. 6(1)(b) | n/a |
| Marketing emails & product updates | Send opt-in promotional content, longevity research digests, new-product launches | Consent — Art. 6(1)(a) (PECR Reg 22 for electronic marketing; soft-opt-in for existing customers only where applicable) | n/a |
| Cookies, analytics & pixels (GA4, Microsoft Clarity, Google Ads, Meta Pixel) | Measure traffic, debug user-journey friction, attribute marketing spend | Consent — Art. 6(1)(a) + PECR Reg 6 (banner-gated; default-denied via Google Consent Mode v2) | n/a |
| Operational logs (IP address, login timestamps, admin audit, crash traces) | Detect fraud, investigate abuse, keep the platform secure and stable | Legitimate interest — Art. 6(1)(f) (security and service availability) | n/a |
| Customer support tickets & communications | Respond to your queries, resolve service issues, document complaints | Contract — Art. 6(1)(b) for service-related; legitimate interest — Art. 6(1)(f) for quality review | Preventative health — Art. 9(2)(h) where a ticket discusses your results |
| Tax records, financial audit logs, statutory reporting | Comply with HMRC, Companies House, and accounting obligations | Legal obligation — Art. 6(1)(c) | n/a |

Withdrawing consent. Where the lawful basis is consent (Art. 6(1)(a) or Art. 9(2)(a)), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. See section 9 for how to exercise this right.

Legitimate-interest assessment. Where we rely on legitimate interest, we have carried out a balancing test under ICO guidance for each of six discrete purposes:

  • Authentication & fraud telemetry — login timestamps and /24-truncated salted-SHA-256 hashed IP addresses for failed-auth tracking and abuse detection. (LIA-01)
  • Application monitoring — anonymised crash and performance traces via Sentry, configured with sendDefaultPii: false, sendClientReports: false, autoSessionTracking: false, and a beforeSend PII scrubber that strips emails, UK postcodes, Stripe identifiers, phone numbers, and free-text from every event before transmission. (LIA-02)
  • Ops-case workflow — internal case records linking a user reference + (where relevant) an order reference to a state-machine label, retained for 90 days under native Firestore TTL. (LIA-03)
  • Internal Telegram alert channel — no-PII operational alerts: 8-character prefixId() outputs for user and order references only. We never send names, emails, postcodes, dates of birth, Stripe PaymentIntent IDs, Inuvi order UUIDs, or biomarker values to Telegram. (LIA-04)
  • Backups & resilience — Firestore + Cloud Storage point-in-time backups for disaster recovery on a 30-day rolling natural-expiry schedule; restore cadence and DSR-in-backup procedure documented in §8.bis. (LIA-05)
  • Anonymised aggregate analytics — service-improvement metrics computed only after k-anonymity / aggregation such that they cannot be linked back to an individual. (LIA-06)

In each case we concluded that our interest does not override your fundamental rights and freedoms. The full Legitimate Interest Assessment register (LIA-01…LIA-06) is maintained internally and available to data subjects on request to privacy@omniwo.com. You can object to processing on this basis at any time under UK GDPR Article 21 — see section 9 for the per-user suppression mechanism.

4.bis AI-Assisted Engineering Transcripts

We use AI-assisted tools (e.g. Claude Code) to accelerate engineering work on the platform itself. These tools generate session transcripts on the engineer's local workstation.

Scope confirmation: these transcripts cover engineering activities only — code, infrastructure, deployment commands, debugging. They contain zero customer personal data, zero special-category health data, and zero authentication credentials, because customer records are accessed via short-lived admin tooling and not pasted into AI prompts. PII-redacting hooks at the source-control and log layers prevent accidental leakage.

Retention: transcripts older than 21 days are permanently removed by a daily launchd job at 03:00 UK time on the engineer's workstation. No transcript ever leaves the engineering workstation.

Legal basis: Legitimate Interest (Article 6(1)(f)) — (LIA-02 family — application monitoring & engineering).

5. Sub-processors & third-party services

We have signed Data Processing Agreements (DPAs) with each sub-processor below. Each is bound by UK GDPR Article 28(3).

| Sub-processor | Purpose | Data shared | Location / transfer |
|---|---|---|---|
| Google Cloud / Firebase | Application hosting, Firestore database, file storage, authentication, push notifications | All user account + test result data | EU regions (europe-west2 UK + europe-west1 BE). SCC + UK IDTA addendum. |
| Stripe Payments UK Ltd. | Payment processing, subscription billing | Name, email, tokenised card details, billing address, order amount | UK-based processor; Stripe processes UK card data via Stripe UK. |
| Inuvi Diagnostics Ltd. | Laboratory blood-testing services, HL7 result delivery | Name, address, DOB, gender, product ordered, blood sample, lab results | UK-based processor. |
| Royal Mail | Test kit + return sample shipping logistics | Name, postal address | UK-based processor. |
| Anthropic PBC (New) | AI-assisted clinical insight generation (Claude Sonnet 4.5) — second-opinion review of biomarker results | Anonymised payload only: gender, age band, biomarker codes + values + statuses. No user ID, name, email, DOB, address, or order ID is transmitted. | EU endpoints (Ireland). SCC + UK IDTA. Console-level retention & training opt-out enabled; written zero-retention addendum in progress. |
| OpenAI Ireland Ltd. (New) | AI-assisted clinical insight generation (GPT-4.1) — independent second-opinion alongside Anthropic, forming an ensemble | Same anonymised payload as Anthropic above. | EU endpoints (Ireland). SCC + UK IDTA. Dashboard-level retention & training opt-out enabled; written zero-retention addendum in progress. |
| Resend Inc. | Transactional email delivery | Name, email, order reference, public-facing email content | US. SCC + UK IDTA addendum. |
| Cloudinary Ltd. | Image + video CDN for product photos and test instructional media | No personal data — public content only | US / EU CDN. SCC. |
| Sentry (Functional Software Inc.) | Error tracking + performance monitoring | Anonymised error logs — sendDefaultPii: false, sendClientReports: false, autoSessionTracking: false, plus a beforeSend PII scrubber that strips emails, UK postcodes, Stripe IDs, phone numbers, and free-text before transmission. No marker values. No user identifiers. | Frankfurt (DE) / EU region. SCC + UK IDTA addendum. |
| Telegram FZ-LLC | Internal admin alert channel for operational triage (no customer-facing data flows through Telegram) | No customer personal data. Operational alerts only — 8-character user/order ID prefixes via prefixId(), plus our own product/state labels. Never names, emails, postcodes, DOBs, Stripe PaymentIntent IDs, Inuvi order UUIDs, or biomarker values. | Dubai / BVI. Not an Article 28 processor — because zero customer PII is transferred, protection rests on structural data minimisation at our backend (the prefixId() boundary in our Cloud Functions), not on a Telegram-side contractual safeguard. We retain a Legitimate Interest Assessment (LIA-04) covering this design choice. |
| Webflow Inc. | Marketing website hosting (omniwo.com) — static landing, blog, product pages. The customer dashboard and checkout run on Firebase Hosting, not Webflow. | Anonymous page-view metadata (URL, referrer, user-agent). No account or test-result data passes through Webflow. | US. SCC + UK IDTA addendum. |

6. AI processing safeguards

When our clinical engine completes scoring a blood test, an anonymised summary is sent to Anthropic and OpenAI in parallel for second-opinion clinical review. Each provider runs an independent analysis; both outputs are then reviewed by a human UK-based clinician before any results-ready notification is sent to you.

What is sent

  • Patient gender (M / F)
  • Patient age band (e.g., “30–40”)
  • Per biomarker: marker code, numeric value, unit, status (green / amber / red / urgent_red), longevity-optimal range

What is never sent

  • Your name, email, phone, postal address
  • Your date of birth (only the age band)
  • Your account ID or order ID
  • Any photograph, voice recording, or free-text input you've provided
  • Payment or billing information
  • Wearable readings beyond aggregated summary statistics

Retention & training opt-out. We have enabled the maximum retention and training opt-out controls available in both Anthropic's Console and OpenAI's platform dashboard for our organisation accounts. Under these controls, your anonymised data is processed for the duration of the API request and is not used for model training, fine-tuning, or human review. Written zero-retention addenda from both providers are in progress; until they are countersigned and on file, our protection rests on these dashboard-level controls plus the providers' published API data-usage policies. This page will be updated once countersigned addenda are in place.

Human-in-the-loop

AI output is never the final word. A UK-based clinical reviewer reads both providers' analyses, our internal engine's scoring, and the raw marker results before approving the customer-facing summary. You receive only what the human reviewer has explicitly approved.

7. International transfers

Where personal data leaves the UK, we rely on:

  • The UK International Data Transfer Addendum (IDTA) for transfers to the United States (Anthropic, OpenAI EU endpoints with US parent companies, Resend, Sentry, Cloudinary)
  • Standard Contractual Clauses (SCC) with each sub-processor
  • Adequacy decisions for transfers within the European Economic Area

You can request copies of our transfer agreements by emailing privacy@omniwo.com.

8. Data retention

We retain personal data for as long as you have an active Omniwo account, and for the periods below after closure. Where a period is mandated by law (HMRC tax records, NHS audit-trail requirements), we cannot delete sooner.

  • Account & profile data: retained while your account is active, plus up to 24 months after closure as our standard retention ceiling. You may request earlier deletion at any time under your Article 17 right (see section 9); we are also rolling out an automated retention-cleanup job that will enforce the 24-month ceiling proactively.
  • Blood test results & health data: retained for 24 months after the test date by default, or for the lifetime of the account if you actively track longitudinal trends. You can delete individual results at any time from the dashboard, or request bulk deletion at privacy@omniwo.com.
  • Order & payment records: 7 years from the end of the relevant accounting period — required by HMRC under the Companies Act 2006 and VAT Regulations 1995. We cannot delete these earlier.
  • Audit logs of admin actions on your account: 6 years — aligned to the NHS Records Management Code of Practice 2021 for adult health records. These logs record who in our team accessed what, and are kept for incident-response and regulatory purposes.
  • Marketing-consent records: 6 years from withdrawal of consent — required by PECR/ICO guidance to evidence the basis on which we contacted you.
  • Anonymised aggregate analytics: indefinitely — once anonymised the data is no longer personal data and cannot be linked back to you.
  • Sentry crash + performance traces: 90 days — automatically deleted by Sentry.
  • Authentication logs (login timestamps, hashed IP): 12 months — automatically deleted.
  • Firestore + Cloud Storage backups: 30 days rolling — naturally expire; soft-delete pattern handles in-backup erasure (see §8.bis below).
  • AI engineering transcripts (local engineering workstations): 21 days — permanently removed by daily launchd prune at 03:00 UK time.

How deletion works in practice: when you exercise your Article 17 right via privacy@omniwo.com we hard-delete your user record, health markers, blood test results, dashboard insights and wearable connections within 30 days, retaining only the order/audit/marketing-consent records that are subject to the statutory retention floors above (these become orphaned from your identifying profile and are kept solely for legal compliance).

8.bis Backup Procedure & DSR-in-Backup

We maintain Firestore + Cloud Storage point-in-time backups in the europe-west2 (UK) and europe-west1 (BE) regions on a 30-day rolling natural-expiry schedule. We do not maintain indefinite cold storage.

Restore cadence: restoration is performed only in a documented disaster-recovery scenario or to remedy a confirmed data-corruption incident, by the DPO or a named delegate, under access-logged credentials.

DSR-in-backup procedure. When you exercise your Right to Erasure (Article 17):

  1. We immediately delete all live copies of your personal data in Firestore + Cloud Storage (within the 30-day statutory window, typically same-day).
  2. We mark your records for soft-delete in any subsequent restore — if a backup were restored within the 30-day backup window, our restoration runbook re-applies the deletion as the first post-restore step before any service resumes.
  3. We do not actively purge backups of your records, because doing so would be technically infeasible (point-in-time snapshots are immutable) and would compromise the integrity of the backup itself. Instead, we rely on natural expiry within 30 days.
  4. After 30 days, your records cannot be reconstructed from any source we control.

This approach is consistent with ICO guidance on personal data in back-up archives.

9. Your rights under UK GDPR

You have the following rights with respect to your personal data:

  • Access (Article 15): request a copy of all personal data we hold about you
  • Rectification (Article 16): correct inaccurate or incomplete data
  • Erasure / “right to be forgotten” (Article 17): request deletion of your data, subject to our legal retention obligations above
  • Restriction (Article 18): ask us to limit how we process your data
  • Portability (Article 20): receive your data in a machine-readable format
  • Object (Article 21): object to processing based on legitimate interest (see per-user suppression mechanism below)
  • Withdraw consent: revoke any consent you have given (e.g., for ethnicity, wearable data) at any time
  • Complain to the ICO: ico.org.uk/make-a-complaint

Right to Object (Article 21) — per-user suppression mechanism

What we suppress on objection (per-user, applied within 72 hours of confirmed identity verification):

  • Application monitoring (Sentry): your user-tag is removed from any future event; no event is associated with your account.
  • Internal Telegram alert channel: your 8-character user-ID prefix is suppressed in any alert that would otherwise include it; alerts continue without your identifier.
  • Anonymised aggregate analytics: your contribution to aggregate metrics is excluded from future windows.

What we cannot suppress without service withdrawal:

  • Authentication telemetry — required to keep your account secure and meet our Article 32 security obligations. Objecting here means closing your account.
  • Ops-case workflow — required to deliver customer support on your open tickets. Objecting here means closing any open cases.
  • Backups & resilience — required for service integrity. Objecting here means closing your account.

How: Dashboard → Settings → Notification Preferences, or email privacy@omniwo.com

To exercise any of these rights, email privacy@omniwo.com. We respond within one month.

10. Security

  • Encryption at rest (Firestore + Cloud Storage) and in transit (TLS 1.3)
  • Role-based access control for our internal team — least-privilege principle
  • 15-minute admin inactivity timer on our internal tools
  • Audit logging of every administrative action on your account
  • Regular security reviews and pen-testing
  • Incident response process — we notify the ICO within 72 hours of any qualifying breach
  • PII redaction at the log layer: a single-sourced regex set (email, UK postcode, Stripe customer id, phone) redacts sensitive values from server logs, error traces, and internal admin tooling
  • Source-control pre-commit hook: every staged change is scanned for PII before commit; matches outside a tightly scoped allow-list (test fixtures, the redaction utility itself, founder-only dev seeds) block the commit
  • 90-day TTL on internal ops cases: the case workflow stores only a user reference and (where relevant) an order reference plus a state-machine label, and Firestore native TTL hard-deletes records 90 days after their expiresAt
  • 21-day session-transcript retention: internal AI-assisted engineering session transcripts are pruned daily at 03:00 UK time to a 21-day rolling window via a launchd job; older transcripts are permanently removed
  • DPO independence safeguards: separation of duties documented at 05_LEGAL/INTERNAL/13_DPO_Independence_Memo.md; external counsel review trigger on any Article 38(6) conflict-of-interest event
  • Article 9 health-data basis declared explicitly: every health-data processing operation is mapped to Article 9(2)(h) (preventative medicine) or Article 9(2)(a) (explicit consent) in our Record of Processing Activities (RoPA), with no implicit basis anywhere in the pipeline

11. Cookies & tracking

See our separate Cookie Policy for details. In short, we use strictly necessary cookies for authentication, optional analytics cookies (only with consent), and no third-party advertising cookies.

12. Children

Omniwo is for adults aged 16 and over. We do not knowingly collect data from anyone under 16. If you become aware that a minor has registered, please email privacy@omniwo.com and we will delete the account.

13. Changes to this policy

We may update this policy from time to time to reflect changes in our services, sub-processor list, or legal obligations. We will notify you by email of material changes at least 14 days before they take effect. The current version always lives at omniwo.com/privacy-policy with an updated date at the top.

14. Contact us

Data protection enquiries: privacy@omniwo.com

General support: support@omniwo.com

Data Protection Officer: Islam Khusnetdinov — privacy@omniwo.com. Article 37/38 contactable directly; for any matter where you believe the DPO has a material conflict of interest with their executive role, escalation to external counsel is available on request. See 13_DPO_Independence_Memo.md.

ICO registration: 00013396887

Postal address: Omniwo Ltd, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

Supervisory authority: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk.

© 2026 omniwo Ltd · Registered in England & Wales