Privacy Policy

EPI Health Limited ("EPI", "we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website at epihealth.co.uk (the "Site"), use our health intelligence platform (the "Platform"), or interact with our services (collectively, the "Services").

This Privacy Policy applies to information we collect through our Services and in email, text, and other electronic communications between you and EPI. Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access or use our Services.

1. Information We Collect

1.1 Information You Provide to Us

We collect information you provide directly to us, including:

• Account Information: Name, email address, password, and contact details when you create an account or join our waitlist.
• Health Information: Health data you choose to share through our conversational AI interface, including symptoms, medications, lifestyle factors, and health goals.
• Device Data: Information from connected health devices and wearables you choose to integrate, including continuous glucose monitors, fitness trackers, and sleep monitors.
• Communications: Information you provide when you contact us for support, participate in surveys, or communicate with healthcare practitioners through our Platform.
• Payment Information: Billing address and payment card details (processed securely through our payment processor).

1.2 Information We Collect Automatically

When you access or use our Services, we automatically collect certain information, including:

• Usage Information: Pages visited, features used, actions taken, and time spent on our Platform.
• Device Information: Hardware model, operating system, unique device identifiers, mobile network information, and browser type.
• Location Information: Approximate location based on IP address (we do not collect precise geolocation without your consent).
• Log Information: IP address, access times, browser type, and referring website addresses.

1.3 Information from Third Parties

We may receive information about you from third parties, including:

• Healthcare Providers: With your consent, medical records and clinical data from your healthcare team.
• Device Manufacturers: Health and activity data from integrated devices and applications.
• Laboratory Services: Test results from integrated laboratory providers.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service Provision: To provide, maintain, and improve our Platform and deliver personalised health insights.
• Health Intelligence: To analyse your health data, identify patterns, and provide AI-powered recommendations.
• Communication: To send service updates, health insights, appointment reminders, and respond to your inquiries.
• Safety and Security: To detect, prevent, and address technical issues, fraud, and unauthorised access.
• Research and Development: To conduct aggregated and anonymised research to improve our algorithms and services.
• Legal Compliance: To comply with legal obligations and protect our rights and the rights of our users.

3. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

• Consent: For processing health data and providing personalised health services (Article 9(2)(a) GDPR).
• Contract: To perform our contract with you when providing our Services.
• Legitimate Interests: For business operations, security, and service improvements, balanced against your rights.
• Legal Obligations: To comply with applicable laws and regulations.
• Vital Interests: In rare cases where necessary to protect someone's life.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share your information in the following circumstances:

4.1 With Your Consent

• Healthcare Providers: With practitioners you explicitly authorise to access your health data.
• Family Members: With individuals you designate as authorised to access your information.

4.2 Service Providers

We work with carefully selected third-party service providers who assist us in operating our Platform:

• Cloud Infrastructure: Google Cloud Platform for secure data hosting and processing.
• Communication Services: Resend for email communications.
• Analytics: Privacy-compliant analytics tools to understand usage patterns.
• Payment Processing: Stripe for secure payment processing (we do not store payment card details).
• Security Services: Cloudflare for website security and performance.

4.3 Legal Requirements

We may disclose your information if required by law or if we believe such action is necessary to:

• Comply with legal obligations or respond to lawful requests from public authorities.
• Protect and defend our rights, property, or safety.
• Prevent or investigate possible wrongdoing in connection with the Services.
• Protect the personal safety of users or the public.

5. Data Security

We implement appropriate technical and organisational measures to protect your personal information, including:

• Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit.
• Access Controls: Role-based access control and multi-factor authentication.
• Regular Audits: Security assessments and penetration testing.
• Employee Training: Regular privacy and security training for all staff.
• Incident Response: Established procedures for detecting and responding to data breaches.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining the highest standards of data protection.

6. Your Rights and Choices

6.1 Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:

• Access: Request a copy of your personal data we hold.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data (subject to legal obligations).
• Restriction: Request that we limit processing of your data.
• Portability: Receive your data in a structured, machine-readable format.
• Object: Object to processing based on legitimate interests.
• Withdraw Consent: Withdraw consent for processing where consent is the legal basis.
• Complaint: Lodge a complaint with the Information Commissioner's Office (ICO).

6.2 Exercising Your Rights

To exercise any of these rights, please contact us at info@epinutri.com. We will respond to your request within 30 days. We may request additional information to verify your identity before processing your request.

7. Data Retention

We retain your personal information for as long as necessary to provide our Services and fulfil the purposes described in this Privacy Policy, unless a longer retention period is required by law. Specifically:

• Account Information: Retained for the duration of your account and 2 years after closure.
• Health Data: Retained for 7 years after last interaction to comply with medical record requirements.
• Usage Data: Anonymised or deleted after 2 years.
• Marketing Communications: Until you unsubscribe or withdraw consent.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for such transfers, including:

• Standard Contractual Clauses approved by the European Commission.
• Ensuring recipients are located in countries with adequate data protection laws.
• Implementing additional security measures for international transfers.

9. Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect usage information. You can control cookies through your browser settings. Our use includes:

• Essential Cookies: Required for Platform functionality and security.
• Analytics Cookies: To understand how users interact with our Services.
• Preference Cookies: To remember your settings and preferences.

11. Third-Party Links

Our Services may contain links to third-party websites. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For significant changes, we will provide additional notice via email or through the Platform.

13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

14. Supervisory Authority

If you are located in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):