Privacy Policy

Last updated: March 2026 · Omniwo Ltd

Omniwo Ltd — Privacy Notice

Effective date: March 2026

Last updated: March 2026

Version: 1.1

Plain English Summary: This policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have. We've written it in clear, everyday language — no legalese.

1. Who We Are

Omniwo Ltd is a UK-based health and wellness platform that combines at-home blood testing with wearable device data to help you understand your health better.

Detail	Information
Company name	Omniwo Ltd
Role	Data Controller (UK GDPR)
Registered address	71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Company number	17075131
Contact email	privacy@omniwo.com
Data Protection Officer	Islam Khusnetdinov (privacy@omniwo.com)
ICO registration	00013396887

We are registered with the Information Commissioner's Office (ICO) as a data controller. Our registration number is 00013396887.

2. What Data We Collect

We collect several categories of personal data, some of which is classified as special category data (health data) under UK GDPR Article 9.

2.1 Data You Provide Directly

Data	Examples	Classification
Account information	Full name, email address, date of birth, gender	Personal data
Contact details	Phone number, postal address	Personal data
Payment information	Payment is processed by our PCI-certified payment processor — we do not store your card details	Financial (processed by third party)
Consent records	Your choices about how we use your data	Personal data

2.2 Health Data (Special Category)

Data	Source	Classification
Blood test results	Processed by our CQC-registered laboratory partner	Special category health data
Biomarker values & reference ranges	Derived from your blood test results	Special category health data
Overall Status / Health Score	Calculated from your biomarker results	Special category health data
Health insights & interpretations	Generated from your results and (optionally) wearable data	Special category health data

2.3 Wearable Device Data (if you choose to connect)

Data	Source	Classification
Sleep data	Connected wearable devices (via OAuth)	Special category health data
Heart rate & HRV	Connected wearable devices	Special category health data
Recovery & readiness scores	Connected wearable devices	Special category health data
Activity & strain data	Connected wearable devices	Special category health data

Connecting a wearable device is entirely optional. You can disconnect at any time.

2.4 Technical Data

Data	Purpose	Classification
Device type, browser, OS	Service improvement, bug fixing	Technical (non-personal)
IP address (hashed)	Security, fraud prevention	Personal data
Cookie identifiers	See our Cookie Policy	Personal data (with consent)
Page views & interactions	Service improvement (anonymised analytics)	Anonymised (non-personal)

3. How We Collect Your Data

Source	What We Collect	When
Directly from you	Account details, address, consent choices	Registration, checkout, settings
From our laboratory partner	Blood test results, biomarker values	When your sample is processed
From wearable providers	Sleep, heart rate, recovery, activity data	After you grant permission via OAuth
Automatically from your device	Technical data, cookies	When you visit our website or use the dashboard
From our payment processor	Payment confirmation (no card details)	When you complete a purchase

We never purchase personal data from third parties or data brokers.

4. Legal Basis for Processing

Under UK GDPR, we must have a valid legal basis for processing your personal data. Here is each basis we rely on:

4.1 Explicit Consent — UK GDPR Article 9(2)(a)

Applies to: All health data processing (blood results, wearable data, health insights, Overall Status)

Health data is classified as special category data under UK GDPR. We can only process it with your explicit consent, which we collect:

At registration (health data processing consent)
At checkout (lab testing consent — sharing data with our laboratory partner)
When connecting a wearable (wearable data sharing consent)

You can withdraw consent at any time — see Section 6.

4.2 Contract Performance — UK GDPR Article 6(1)(b)

Applies to: Account creation, order fulfilment, payment processing, kit delivery, customer support

We process this data because it is necessary to fulfil the contract between you and Omniwo (i.e., delivering the blood testing service you purchased).

4.3 Legitimate Interest — UK GDPR Article 6(1)(f)

Applies to: System security, fraud prevention, anonymised analytics, service improvement

We have a legitimate business interest in keeping our platform secure and improving our service. We have conducted a Legitimate Interest Assessment (LIA) and are satisfied that these interests do not override your rights.

4.4 Legal Obligation — UK GDPR Article 6(1)(c)

Applies to: Tax records (7-year retention), consent record keeping, breach notification compliance

UK law requires us to keep certain financial and accountability records for a minimum period.

5. How We Use Your Data

Purpose	Data Used	Legal Basis
Create and manage your account	Name, email, DOB, gender, password	Contract
Process and fulfil your blood test order	Name, DOB, gender, address, panel selection	Contract + Explicit Consent (health)
Deliver blood test results to your dashboard	Biomarker values, reference ranges, status indicators	Explicit Consent
Generate health insights and interpretations	Blood results, (optionally) wearable data	Explicit Consent
Calculate Overall Status	Aggregate of your biomarker results	Explicit Consent
Display wearable data on your dashboard	Sleep, HR, HRV, recovery, activity	Explicit Consent
Process payments	Email, order details (Stripe handles card data)	Contract
Send order and results notifications	Email address, push notification token	Contract
Send marketing communications	Email address	Explicit Consent (marketing opt-in)
Send urgent health alerts (SMS)	Phone number	Explicit Consent (SMS opt-in)
Generate GP share reports	Blood results (no wearable data in GP reports)	Explicit Consent
Improve our service	Anonymised usage analytics	Legitimate Interest
Prevent fraud and ensure security	Hashed IP address, auth logs	Legitimate Interest
Comply with legal obligations	Financial records, consent records	Legal Obligation

We will never use your health data for:

Advertising or ad targeting
Selling to third parties
Insurance or employment screening
Any purpose you have not explicitly consented to

6.1 Types of Consent We Collect

Consent Type	When Collected	Required?	Can Be Withdrawn?
Health data processing	Registration	Yes — cannot use service without it	Yes — triggers data deletion
Lab testing data sharing	Checkout	Yes — cannot fulfil orders without it	Yes — cannot place new orders
Wearable data sharing	Wearable connection	No — wearable is optional	Yes — raw data deleted immediately, sync stops
Marketing communications	Registration / Settings	No — optional	Yes — unsubscribe any time
SMS alerts	Settings → Notifications	No — optional	Yes — via settings or SMS STOP

6.2 How to Withdraw Consent

You can withdraw any consent at any time through:

Dashboard: Settings → Privacy → Manage Consents
Email: Contact privacy@omniwo.com
Marketing emails: Click "Unsubscribe" in any email
SMS: Reply STOP to any SMS message

What happens when you withdraw consent:

Health data consent withdrawn: Your account and all health data will be deleted within 30 days.
Wearable consent withdrawn: Wearable sync stops immediately. Raw wearable data (daily metrics, OAuth tokens) is deleted immediately. Anonymised, aggregated data that can no longer identify you (e.g., population-level statistics) may be retained for service improvement purposes.
Marketing consent withdrawn: You will be removed from marketing lists immediately. Transactional emails (order confirmations, results notifications) will continue as they are based on your contract with us.

6.3 Consent Records

We keep a detailed, immutable record of every consent you give or withdraw. Each record includes:

The exact text shown to you at the time of consent
Timestamp of your consent action
Whether you granted or withdrew consent
The consent version number

Consent records are retained for 7 years after the consent action (for accountability under UK GDPR Article 5(2)), even if you delete your account. These records are anonymised after account deletion.

We share your data with the following categories of third-party service providers, only for the purposes listed:

Third Party	Role	Data Shared	Purpose	Legal Basis	Location	Transfer Mechanism
Our CQC-registered laboratory partner	Blood test processing	Name, DOB, gender, address, panel codes	Blood test processing & fulfilment	Contract + Explicit Consent	United Kingdom	No transfer (same country)
Wearable device providers	Wearable data provider	OAuth authentication only	Retrieving your wearable data	Explicit Consent	European Union / United States (varies by provider)	UK-EU adequacy decision / Standard Contractual Clauses (SCCs)
Stripe	Payment processor (PCI DSS Level 1)	Email, payment details	Payment processing	Contract	EU / United States	Stripe DPA + SCCs
Our email service partner	Transactional & marketing emails	Name, email	Email delivery	Contract (transactional) / Consent (marketing)	United States	SCCs in DPA
Our SMS partner	Urgent health alerts	Phone number	Urgent health alerts only	Explicit Consent	United States	SCCs in DPA
Our cloud infrastructure partner	Platform hosting	All data (hosted on provider infrastructure)	Platform hosting & infrastructure	Contract	United Kingdom (`europe-west2`)	No transfer (same region)

7.1 Wearable Provider Data Collection Disclosure

When you connect a wearable device to Omniwo, the wearable device manufacturers (such as your wearable device manufacturer) may collect data about how Omniwo accesses their API (such as API request frequency and data types accessed). This data is collected by the wearable providers for their own business purposes, in accordance with their respective privacy policies. By connecting your wearable device, you acknowledge this data collection by the device manufacturer.

We will never:

Sell your personal data to any third party
Share your health data with insurers, employers, or advertisers
Allow third parties to use your data for their own purposes beyond what is listed above

Each third party with access to personal data has a Data Processing Agreement (DPA) in place that meets UK GDPR Article 28 requirements.

8. International Data Transfers

Your data is primarily stored in the United Kingdom (cloud infrastructure, europe-west2 region — London).

When data is transferred outside the UK, we use the following safeguards:

Destination	Providers / Categories	Safeguard
European Union	Wearable device providers (wearable data)	UK-EU adequacy decision (the UK recognises the EU as providing adequate data protection)
United States	Wearable device providers (wearable data), Stripe (payments), our email and SMS partners	Standard Contractual Clauses (SCCs) incorporated into Data Processing Agreements

For US transfers, we have also:

Completed Transfer Impact Assessments (TIAs) for each provider
Implemented supplementary measures (encryption in transit via TLS 1.2+, data minimisation)
Confirmed that no US government access requests have been received by these providers relating to Omniwo data

9. Data Retention

We keep your data only as long as necessary for the purposes described in this policy.

Data Category	How Long We Keep It	What Happens After
Your account profile	As long as your account is active + 30 days	Permanently deleted
Blood test results	As long as your account is active + 30 days	Permanently deleted
Health insights	As long as your account is active + 30 days	Permanently deleted
Wearable raw data	While wearable is connected — deleted immediately on disconnection	Permanently deleted
Wearable OAuth tokens	While wearable is connected	Deleted immediately on disconnection
GP share reports (PDF)	90 days	Automatically deleted
Data export files	7 days	Automatically deleted
Notifications	90 days	Automatically deleted
Order & payment records	7 years (UK tax/accounting law)	Anonymised after 7 years
Consent records	7 years (GDPR accountability)	Anonymised after 7 years
HL7 lab archives	7 years (clinical compliance)	Anonymised after 7 years
Audit logs	3 years	Anonymised or deleted

If you delete your account:

All personal health data is permanently deleted within 30 days
Financial records required by law are anonymised and retained for the legally required period
Consent records are anonymised and retained for 7 years (for our accountability obligations)
We send you a confirmation email after deletion is complete

10. Your Rights

Under UK GDPR, you have the following rights:

10.1 Right of Access (Article 15)

You can request a copy of all personal data we hold about you. We will provide this in a machine-readable format (JSON) and a human-readable format (CSV) within 30 days (target: within 24 hours).

How: Dashboard → Settings → Export My Data, or email privacy@omniwo.com

10.2 Right to Rectification (Article 16)

You can correct any inaccurate personal data at any time.

How: Dashboard → Profile → Edit your details directly

10.3 Right to Erasure / "Right to Be Forgotten" (Article 17)

You can request that we delete all your personal data. This will permanently delete your account and all associated health data.

How: Dashboard → Settings → Delete My Account, or email privacy@omniwo.com

Exceptions: We may retain anonymised financial and consent records as required by law (see Section 9).

10.4 Right to Data Portability (Article 20)

You can request your data in a portable, machine-readable format to transfer to another service.

How: Dashboard → Settings → Export My Data (provides JSON + CSV download)

10.5 Right to Restrict Processing (Article 18)

You can request that we temporarily stop processing your data while we resolve a dispute or verify your request.

How: Email privacy@omniwo.com

10.6 Right to Object (Article 21)

You can object to processing based on legitimate interest. For marketing communications, you can opt out at any time.

How: Dashboard → Settings → Notification Preferences, or email privacy@omniwo.com

10.7 Rights Related to Automated Decision-Making (Article 22)

Omniwo does not make any automated decisions that produce legal or similarly significant effects. The Overall Status indicator and health insights are informational only — they are not medical diagnoses, and no decisions about your healthcare are made automatically.

How to Exercise Your Rights

Method	Details	Response Time
Self-service	Dashboard → Settings	Immediate (for most actions)
Email	privacy@omniwo.com	Within 30 days
Post	Data Protection, Omniwo Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ	Within 30 days

We will verify your identity before processing any request. We will never charge a fee for exercising your rights (unless requests are manifestly unfounded or excessive).

11. Data Security

We take the security of your data seriously. Key measures include:

Encryption at rest: All data stored on our cloud infrastructure is encrypted using AES-256 encryption
Encryption in transit: All data transfers use TLS 1.2+ encryption
User isolation: Each user can only access their own data (enforced at database level via security rules)
Access controls: Role-based access, principle of least privilege
Audit logging: All data access is logged for monitoring and accountability
Secret management: All API keys and credentials are stored in a secure secret manager, never in code
Regular security assessments: Vulnerability scanning and penetration testing
Incident response: Documented procedures for detecting, responding to, and reporting security incidents

For full details of our security architecture, contact privacy@omniwo.com.

12. Cookies

We use cookies on our website. For full details of what cookies we use, why, and how to manage them, please see our Cookie Policy.

Summary: We use strictly necessary cookies (for login and checkout), optional analytics cookies (anonymised, with your consent), and optional marketing cookies (only with your explicit consent). We never store health data in cookies.

13. Children's Data

Omniwo's services are designed for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18.

We verify age at registration through a date of birth check. If we discover that we have collected data from a person under 18, we will delete it immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

We will update the "Last updated" date at the top of this page
For significant changes, we will notify you by email and/or through a notice on our website
Previous versions will be archived and available on request

Your continued use of our service after changes take effect constitutes acceptance of the updated policy.

15. Complaints & Contact

Contact Us

If you have any questions about this Privacy Policy or how we handle your data:

Method	Details
Email	privacy@omniwo.com
Post	Data Protection, Omniwo Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Data Protection Officer	Islam Khusnetdinov (privacy@omniwo.com)

Complaints

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Detail	Information
Website	ico.org.uk
Phone	0303 123 1113
Address	Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We recommend contacting us first so we can try to resolve your concern directly.

Version: 1.1

Last updated: March 2026

Jurisdiction: United Kingdom (UK GDPR + Data Protection Act 2018)