Privacy Policy
1. Introduction
ASOHP Ltd (trading as the Art and Science of Health Pensions, also referred to in this policy as “we”, “us” or “our”) is committed to protecting the privacy and security of the personal data of everyone who uses our platform and services.
This Privacy Policy explains what personal data we collect about you, why we collect it, how we use it, who we share it with, and what rights you have in relation to your personal data. It applies to all customers, prospective customers, and visitors to our website at asohp.co.uk.
We are the data controller for the personal data described in this policy. This means we are responsible for deciding how and why your personal data is processed. We take that responsibility seriously.
Please read this policy carefully. If you have any questions, contact us at privacy@asohp.co.uk.
2. About Us and Our Services
ASOHP Ltd is a health optimisation platform. We provide customers with a structured 12-month programme designed to assess and improve their long-term healthspan. Our services include biomarker blood testing, body composition analysis, cardiovascular fitness assessment, personalised coaching, and health data interpretation.
Because our services involve the collection and use of detailed health information, we process what is known as “special category data” under UK data protection law. This is a category of personal data that carries a higher level of legal protection. We handle this data carefully and only with your explicit consent.
3. Personal Data We Collect
3.1 Data you provide directly
When you register for an account and use our platform, we collect the following categories of personal data:
Identity data: your full name and date of birth
Contact data: email address
Account credentials: your username and password (stored securely)
Health and medical data: your responses to the ASOHP health questionnaire, including family medical history, current medical conditions, medications, weight, height, blood pressure readings, sleep patterns, exercise habits, and lifestyle information
Biomarker data: blood test results provided to us by our testing partner
Body composition data: DEXA scan results and VO2 max assessment results provided to us by our assessment partners
Coaching data: notes and observations recorded by your assigned ASOHP coach and medical reviewer during the programme
Communications: messages exchanged with ASOHP coaches and staff through the platform
3.2 Data collected automatically
When you use our website and platform, certain technical data is collected automatically:
Authentication data: session tokens and state data associated with your login, stored as secure cookies on your device
Technical data: your IP address, browser type, and device information, collected by our hosting infrastructure for security and performance monitoring purposes
3.3 Data we do not collect
We do not currently collect data from wearable devices or third-party health apps. If we introduce this functionality in future, we will update this policy and seek your explicit consent before doing so.
4. How We Use Your Personal Data
The table below sets out each purpose for which we process your personal data, the lawful basis we rely on, and the type of data involved.
Purpose
Lawful basis
Special category basis
Data type
Creating and managing your account
Contract (Article 6(1)(b) UK GDPR)
Not applicable
Identity, contact, credentials
Delivering the ASOHP health programme
Contract (Article 6(1)(b) UK GDPR)
Explicit consent (Article 9(2)(a) UK GDPR)
Health, biomarker, coaching data
Arranging and coordinating third-party assessments (blood tests, DEXA, VO2 max)
Contract (Article 6(1)(b) UK GDPR)
Explicit consent (Article 9(2)(a) UK GDPR)
Identity, contact, health data
Providing personalised health coaching and recommendations
Contract (Article 6(1)(b) UK GDPR)
Explicit consent (Article 9(2)(a) UK GDPR)
All health and assessment data
Sending transactional communications (booking confirmations, results notifications)
Contract (Article 6(1)(b) UK GDPR)
Not applicable
Identity, contact
Processing payments via Stripe
Contract (Article 6(1)(b) UK GDPR)
Not applicable
Identity, contact, payment data
Complying with legal obligations
Legal obligation (Article 6(1)(c) UK GDPR)
Not applicable
As required by law
5. Special Category Data
The health information you provide to ASOHP is classified as special category personal data under Article 9 of the UK GDPR. This includes information about your physical health, medical history, biomarkers, body composition, and cardiovascular fitness.
We process this data only based on your explicit and informed consent. You will be asked to provide this consent separately from the general Terms of Service acceptance, via a clearly worded consent statement presented at the point at which you complete the ASOHP health questionnaire. You may withdraw your consent at any time by contacting us at privacy@asohp.co.uk. Withdrawal of consent will not affect the lawfulness of processing that took place before the withdrawal, but it will mean we may be unable to continue delivering all or part of the programme.
Our Data Processors
We use a number of third-party service providers to help us deliver our platform and services. Where these providers process personal data on our behalf, they act as our data processors under written agreements that require them to handle your data securely and only for the purposes we instruct.
Our current data processors are:
7. Third Party Independent Controllers
As part of the ASOHP programme, your data will be shared with third party providers who carry out health assessments on your behalf. These providers are not our data processors. They independently determine how they process the personal data you provide to them and are each separately responsible for their own compliance with UK data protection law.
These independent controllers are:
Randox Laboratories Ltd — blood biomarker testing
ClinileLabs — clinical laboratory testing
MyVital Metrix — DEXA body composition scanning
BodyView — body composition and fitness assessment
Dr. Shwet Singh (sole trader) — medical review of biomarker and assessment results
ASOHP will share only the personal data necessary to coordinate your assessment with each provider. Each provider operates under their own privacy policy. We recommend you review the privacy policies of each provider before attending an assessment.
You select and engage your personal trainer directly. Where you select a personal trainer from the ASOHP-approved list, that trainer will be provided with your name, contact details, and the relevant assessment protocol. ASOHP-listed personal trainers are vetted before being added to our network. Where you choose to work with a personal trainer outside the ASOHP network, sharing your data with that individual is your responsibility and falls outside the scope of this policy.
8. Cookies
Our platform uses the following cookies, all of which are strictly necessary for authentication and secure access to your account. These cookies are set by ASOHP and do not require your consent under the Privacy and Electronic Communications Regulations (PECR).

We do not currently use analytics, advertising, or tracking cookies. If we introduce any non-essential cookies in future, we will update our Cookie Policy and obtain your consent before setting them.
9. How Long We Keep Your Data
We retain your personal data only for as long as necessary to deliver the programme and meet our legal obligations. Our retention periods are as follows:
Account and programme data: retained for 6 years from the end of your programme, in line with the Limitation Act 1980, to allow us to respond to any legal claims
Health and biomarker data: retained for 6 years from the date of collection, subject to any longer minimum period required by our laboratory partners
Financial and payment records: retained for 7 years in line with HMRC requirements
Marketing communications (where applicable): retained until you withdraw consent
When you delete your account, your personal data is permanently and irreversibly deleted from our live database (hard delete). Please note that database backup systems may retain a copy of your data for up to 24 hours following deletion, after which it is permanently removed from all systems.
Where you submit a Subject Access Request or exercise another data subject right, we retain a record of that request and our response for 3 years.
10. Your Rights
Under UK data protection law, you have the following rights in relation to your personal data:
Right of access: You have the right to request a copy of the personal data we hold about you. We will respond within one calendar month of receiving a valid request.
Right to rectification: You have the right to ask us to correct personal data that is inaccurate or incomplete.
Right to erasure: You have the right to ask us to delete your personal data where there is no legitimate reason for us to continue processing it. This right is subject to certain legal exceptions, including where we are required to retain data to comply with a legal obligation or defend a legal claim.
Right to restriction: You have the right to ask us to restrict processing of your personal data in certain circumstances, for example while the accuracy of data is being contested.
Right to data portability: Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.
Right to object: You have the right to object to processing of your personal data based on legitimate interests. You also have the right to object to processing for direct marketing purposes.
Right to withdraw consent: Where we rely on your consent to process special category health data, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of any processing that took place before withdrawal.
To exercise any of these rights, please contact us at privacy@asohp.co.uk. We will respond within one calendar month. In complex cases, we may extend this by a further two months, in which case we will notify you and explain the reason for the delay.
11. International Data Transfers
Some of our service providers are based or operate servers outside the United Kingdom. Where your personal data is transferred outside the UK, we ensure that appropriate safeguards are in place to protect your data.
Stripe processes payments through a UK/EU entity. No international transfer applies. Backblaze Inc. is based in the USA. The transfer mechanism for Backblaze is currently being confirmed and will be updated in this policy prior to go-live.
Transfers to Google LLC for transactional email delivery and OAuth sign-in are made under the UK-US Data Bridge and/or Standard Contractual Clauses.
Data hosted by Hetzner Online GmbH is stored in Germany. As an EU-based processor, Hetzner operates within a jurisdiction that the UK recognises as providing adequate protection under retained EU law.
No personal data is transferred to any country or territory that does not offer an adequate level of protection without appropriate safeguards being in place.
12. Data Security
We take the security of your personal data seriously. The technical and organisational measures we have in place include:
Encrypted transmission of data between your browser and our platform using TLS
Secure authentication cookies with the ‘Secure’ and ‘HttpOnly’ flags set
Account credentials are stored securely
Access to personal data restricted to authorised ASOHP staff and contractors only
Server infrastructure hosted by Hetzner Online GmbH in Germany. Note: multi-factor authentication is planned for implementation before full public launch and is not yet in place during the pre-launch testing phase.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
13. Complaints
If you are unhappy with the way we have handled your personal data, please contact us in the first instance at privacy@asohp.co.uk. We will investigate your complaint and respond within 30 days.
If you remain dissatisfied following our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data processing practices. When we make material changes, we will notify you by email or through a prominent notice on the platform before the changes take effect. The ‘effective date’ at the top of this policy will always reflect the date of the most recent version.
We encourage you to review this policy periodically.
15. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
Email
privacy@asohp.co.uk
Postal address
ASOHP Ltd, 3A Evolution, Wynyard Business Park, Wynyard, Durham, TS22 5TB
Data Protection contact
[Rishi Singh]