ASOHP — Invest in your health before you need to logo

Privacy Policy

1. Introduction

ASOHP Ltd (trading as the Art and Science of Health Pensions, also referred to in this policy as “we”, “us” or “our”) is committed to protecting the privacy and security of the personal data of everyone who uses our platform and services. This Privacy Policy explains what personal data we collect about you, why we collect it, how we use it, who we share it with, and what rights you have in relation to your personal data. It applies to all customers, prospective customers, and visitors to our website at asohp.co.uk. We are the data controller for the personal data described in this policy. This means we are responsible for deciding how and why your personal data is processed. We take that responsibility seriously. Please read this policy carefully. If you have any questions, contact us at privacy@asohp.co.uk.

2. About Us and Our Services

ASOHP Ltd is a health optimisation platform. We provide customers with a structured 12-month programme designed to assess and improve their long-term healthspan. Our services include biomarker blood testing, body composition analysis, cardiovascular fitness assessment, personalised coaching, and health data interpretation. Because our services involve the collection and use of detailed health information, we process what is known as “special category data” under UK data protection law. This is a category of personal data that carries a higher level of legal protection. We handle this data carefully and only with your explicit consent.

3. Personal Data We Collect

3.1 Data you provide directly When you register for an account and use our platform, we collect the following categories of personal data: Identity data: your full name and date of birth Contact data: email address Account credentials: your username and password (stored securely) Health and medical data: your responses to the ASOHP health questionnaire, including family medical history, current medical conditions, medications, weight, height, blood pressure readings, sleep patterns, exercise habits, and lifestyle information Biomarker data: blood test results provided to us by our testing partner Body composition data: DEXA scan results and VO2 max assessment results provided to us by our assessment partners Coaching data: notes and observations recorded by your assigned ASOHP coach and medical reviewer during the programme Communications: messages exchanged with ASOHP coaches and staff through the platform

3.2 Data collected automatically

When you use our website and platform, certain technical data is collected automatically: Authentication data: session tokens and state data associated with your login, stored as secure cookies on your device Technical data: your IP address, browser type, and device information, collected by our hosting infrastructure for security and performance monitoring purposes

3.3 Data we do not collect

We do not currently collect data from wearable devices or third-party health apps. If we introduce this functionality in future, we will update this policy and seek your explicit consent before doing so.

4. How We Use Your Personal Data

The table below sets out each purpose for which we process your personal data, the lawful basis we rely on, and the type of data involved. Purpose Lawful basis Special category basis Data type Creating and managing your account Contract (Article 6(1)(b) UK GDPR) Not applicable Identity, contact, credentials Delivering the ASOHP health programme Contract (Article 6(1)(b) UK GDPR) Explicit consent (Article 9(2)(a) UK GDPR) Health, biomarker, coaching data Arranging and coordinating third-party assessments (blood tests, DEXA, VO2 max) Contract (Article 6(1)(b) UK GDPR) Explicit consent (Article 9(2)(a) UK GDPR) Identity, contact, health data Providing personalised health coaching and recommendations Contract (Article 6(1)(b) UK GDPR) Explicit consent (Article 9(2)(a) UK GDPR) All health and assessment data Sending transactional communications (booking confirmations, results notifications) Contract (Article 6(1)(b) UK GDPR) Not applicable Identity, contact Processing payments via Stripe Contract (Article 6(1)(b) UK GDPR) Not applicable Identity, contact, payment data Complying with legal obligations Legal obligation (Article 6(1)(c) UK GDPR) Not applicable As required by law

5. Special Category Data

The health information you provide to ASOHP is classified as special category personal data under Article 9 of the UK GDPR. This includes information about your physical health, medical history, biomarkers, body composition, and cardiovascular fitness. We process this data only based on your explicit and informed consent. You will be asked to provide this consent separately from the general Terms of Service acceptance, via a clearly worded consent statement presented at the point at which you complete the ASOHP health questionnaire. You may withdraw your consent at any time by contacting us at privacy@asohp.co.uk. Withdrawal of consent will not affect the lawfulness of processing that took place before the withdrawal, but it will mean we may be unable to continue delivering all or part of the programme.

Our Data Processors

We use a number of third-party service providers to help us deliver our platform and services. Where these providers process personal data on our behalf, they act as our data processors under written agreements that require them to handle your data securely and only for the purposes we instruct. Our current data processors are:

7. Third Party Independent Controllers

As part of the ASOHP programme, your data will be shared with third party providers who carry out health assessments on your behalf. These providers are not our data processors. They independently determine how they process the personal data you provide to them and are each separately responsible for their own compliance with UK data protection law. These independent controllers are: Randox Laboratories Ltd — blood biomarker testing ClinileLabs — clinical laboratory testing MyVital Metrix — DEXA body composition scanning BodyView — body composition and fitness assessment Dr. Shwet Singh (sole trader) — medical review of biomarker and assessment results ASOHP will share only the personal data necessary to coordinate your assessment with each provider. Each provider operates under their own privacy policy. We recommend you review the privacy policies of each provider before attending an assessment. You select and engage your personal trainer directly. Where you select a personal trainer from the ASOHP-approved list, that trainer will be provided with your name, contact details, and the relevant assessment protocol. ASOHP-listed personal trainers are vetted before being added to our network. Where you choose to work with a personal trainer outside the ASOHP network, sharing your data with that individual is your responsibility and falls outside the scope of this policy.

8. Cookies

Our platform uses the following cookies, all of which are strictly necessary for authentication and secure access to your account. These cookies are set by ASOHP and do not require your consent under the Privacy and Electronic Communications Regulations (PECR).
Article image
We do not currently use analytics, advertising, or tracking cookies. If we introduce any non-essential cookies in future, we will update our Cookie Policy and obtain your consent before setting them.

9. How Long We Keep Your Data

We retain your personal data only for as long as necessary to deliver the programme and meet our legal obligations. Our retention periods are as follows: Account and programme data: retained for 6 years from the end of your programme, in line with the Limitation Act 1980, to allow us to respond to any legal claims Health and biomarker data: retained for 6 years from the date of collection, subject to any longer minimum period required by our laboratory partners Financial and payment records: retained for 7 years in line with HMRC requirements Marketing communications (where applicable): retained until you withdraw consent When you delete your account, your personal data is permanently and irreversibly deleted from our live database (hard delete). Please note that database backup systems may retain a copy of your data for up to 24 hours following deletion, after which it is permanently removed from all systems. Where you submit a Subject Access Request or exercise another data subject right, we retain a record of that request and our response for 3 years.

10. Your Rights

Under UK data protection law, you have the following rights in relation to your personal data: Right of access: You have the right to request a copy of the personal data we hold about you. We will respond within one calendar month of receiving a valid request. Right to rectification: You have the right to ask us to correct personal data that is inaccurate or incomplete. Right to erasure: You have the right to ask us to delete your personal data where there is no legitimate reason for us to continue processing it. This right is subject to certain legal exceptions, including where we are required to retain data to comply with a legal obligation or defend a legal claim. Right to restriction: You have the right to ask us to restrict processing of your personal data in certain circumstances, for example while the accuracy of data is being contested. Right to data portability: Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. Right to object: You have the right to object to processing of your personal data based on legitimate interests. You also have the right to object to processing for direct marketing purposes. Right to withdraw consent: Where we rely on your consent to process special category health data, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of any processing that took place before withdrawal. To exercise any of these rights, please contact us at privacy@asohp.co.uk. We will respond within one calendar month. In complex cases, we may extend this by a further two months, in which case we will notify you and explain the reason for the delay.

11. International Data Transfers

Some of our service providers are based or operate servers outside the United Kingdom. Where your personal data is transferred outside the UK, we ensure that appropriate safeguards are in place to protect your data. Stripe processes payments through a UK/EU entity. No international transfer applies. Backblaze Inc. is based in the USA. The transfer mechanism for Backblaze is currently being confirmed and will be updated in this policy prior to go-live. Transfers to Google LLC for transactional email delivery and OAuth sign-in are made under the UK-US Data Bridge and/or Standard Contractual Clauses. Data hosted by Hetzner Online GmbH is stored in Germany. As an EU-based processor, Hetzner operates within a jurisdiction that the UK recognises as providing adequate protection under retained EU law. No personal data is transferred to any country or territory that does not offer an adequate level of protection without appropriate safeguards being in place.

12. Data Security

We take the security of your personal data seriously. The technical and organisational measures we have in place include: Encrypted transmission of data between your browser and our platform using TLS Secure authentication cookies with the ‘Secure’ and ‘HttpOnly’ flags set Account credentials are stored securely Access to personal data restricted to authorised ASOHP staff and contractors only Server infrastructure hosted by Hetzner Online GmbH in Germany. Note: multi-factor authentication is planned for implementation before full public launch and is not yet in place during the pre-launch testing phase. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

13. Complaints

If you are unhappy with the way we have handled your personal data, please contact us in the first instance at privacy@asohp.co.uk. We will investigate your complaint and respond within 30 days. If you remain dissatisfied following our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data processing practices. When we make material changes, we will notify you by email or through a prominent notice on the platform before the changes take effect. The ‘effective date’ at the top of this policy will always reflect the date of the most recent version. We encourage you to review this policy periodically.

15. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
Email privacy@asohp.co.uk Postal address ASOHP Ltd, 3A Evolution, Wynyard Business Park, Wynyard, Durham, TS22 5TB Data Protection contact [Rishi Singh]