Effective Date:
1. Introduction and Data Controller
My BlueZoneLife ("myBZL", "we", "us", "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy sets out the basis on which any personal data, including sensitive health-related information, we collect from you, or that you provide to us, will be processed by us.
1.1. Data Controller:
For the purposes of the UK GDPR, the data controller is [Insert Full Legal Name of Company] of [Insert Registered Address in the UK].
1.2. Contact Details:
You may contact our Data Protection Point of Contact regarding this policy or any data protection matters at:
Email:
Address:
2. Data We Collect
We collect and process various types of personal data, including Special Category Data (data revealing health status), to provide our Services.
2.1. Identity and Contact Data: Name, email address, postal address, telephone number, date of birth, and account login details.
2.2. Financial Data: Payment card details (processed by a secure third-party payment processor) and payment history.
2.3. Service Usage Data: Information about how you use our website, application, and platform, including IP address, browser type, operating system, and unique device identifiers.
2.4. Special Category Data (Health Data):
This is sensitive personal data that requires enhanced protection. We collect this data when you use our data storage platform or coaching services. This includes:
Biomarker Data: Results from laboratory tests or diagnostics (e.g., blood panel results, genetic markers).
Lifestyle Tracking Data: Information on sleep, diet, stress levels, hydration, and mental well-being.
Wearable Integration Data: Data synchronised from third-party wearable devices (e.g., heart rate, steps, activity levels, movement patterns).
Coaching Notes: Records of your health goals, progress, training and nutrition plans, and accountability feedback.
2.5. Marketing and Communications Data: Your preferences in receiving marketing from us and our third parties, and your communication preferences.
3. Lawful Basis and Purpose for Processing
We will only process your personal data where we have a valid lawful basis under UK GDPR. The purposes and lawful bases for processing your data are:
| Data Type | Purpose of Processing | Lawful Basis (UK GDPR Article 6) | Lawful Basis (UK GDPR Article 9 – Special Category Data) |
|---|---|---|---|
| Special Category Data (Health Data) | To provide the requested DIY, Mentor, or Concierge Services, including personalised coaching plans, data analysis, and storage. | Contract (to fulfil the Terms of Business) | Explicit Consent (Article 9(2)(a)) |
| Identity & Contact Data | To manage your account, communicate with you, and process your subscription. | Contract (to provide the Services) & Legitimate Interests (for administrative efficiency) | Not Applicable |
| Financial Data | To process payments for the Services. | Contract (to receive payment) | Not Applicable |
| Service Usage Data | To monitor and improve our website, app, and Services functionality. | Legitimate Interests (to ensure security and functionality of our platform) | Not Applicable |
Note on Explicit Consent: For processing your Special Category Data (health information), we rely on your Explicit Consent as a specific condition for processing this data. This consent is obtained at the point of service sign-up and data submission. You have the right to withdraw this consent at any time, but this may mean we are unable to continue providing you with services that rely on that data (e.g., Mentor or Concierge Plans).
4. How We Share Your Personal Data
We may disclose your personal data to the following categories of recipients:
4.1. Internal Sharing: Your data is shared with myBZL personnel (e.g., coaches, administrative staff) only as necessary to provide the Services you have purchased.
4.2. Third-Party Service Providers: We use third-party processors to handle essential business functions. These may include:
IT and system administration services.
Secure cloud storage and hosting providers (e.g., for storing your health data).
Payment processors (for securely handling subscription fees).
All third-party service providers are required to take appropriate security measures and process your data only for specified purposes and in accordance with our instructions.
4.3. Legal and Regulatory: We may disclose your personal data if required to do so by law, court order, or governmental regulation, or to protect the rights, property, or safety of myBZL, our customers, or others.
5. International Transfers
We store your personal data primarily within the UK/EEA. However, some of our third-party service providers (e.g., cloud hosting or software providers) may be based outside the UK/EEA.
Whenever we transfer your personal data out of the UK/EEA, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:
Transferring to countries deemed to provide an adequate level of protection by the UK Government.
Using specific contracts approved for use in the UK (Standard Contractual Clauses), which give personal data the same protection it has in the UK.
6. Data Retention and Security
6.1. Data Retention: We will retain your personal data only for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Generally, we will retain your data for the duration of your relationship with us and for a period thereafter as required by regulatory obligations.
6.2. Data Security: We have implemented appropriate security measures, including technical and organisational steps, to prevent your personal data from being accidentally lost, used, accessed, altered, or disclosed in an unauthorised way.
7. Your Legal Rights (Data Subject Rights)
Under UK GDPR, you have the following rights in relation to your personal data:
Right to be Informed: The right to be informed about how your data is being used (which is the purpose of this policy).
Right of Access: The right to request a copy of the personal data we hold about you (a Subject Access Request).
Right to Rectification: The right to have any inaccurate or incomplete data corrected.
Right to Erasure (‘Right to be Forgotten’): The right to request that we delete or remove your data where there is no compelling reason for its continued processing.
Right to Restrict Processing: The right to ‘block’ or suppress the processing of your personal data in certain circumstances.
Right to Data Portability: The right to obtain your personal data in a structured, commonly used, and machine-readable format.
Right to Object: The right to object to us processing your personal data where we are relying on a legitimate interest.
Rights in relation to Automated Decision Making and Profiling: We do not currently use automated decision-making or profiling that would have a significant effect on you.
To exercise any of these rights, please contact us using the details provided in Section 1.2.
8. Complaints to the Supervisory Authority
If you are not satisfied with our response to any data protection concerns, you have the right to lodge a complaint with the UK's supervisory authority for data protection, the Information Commissioner’s Office (ICO).
ICO Contact Details: https://ico.org.uk/make-a-complaint/
9. Changes to This Privacy Policy
We may update this policy from time to time. The latest version will always be posted on our website and/or app. We will notify you of any material changes by email or through a notice on the Services before the change becomes effective.

