Privacy Policy
Last updated: February 2026
Syara Health Ltd (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains how we collect, use, store, and share your personal data when you use our website and services.
We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data We Collect
Account information
When you create an account we collect your name, email address, date of birth, and delivery address.
Health data (special category data)
When you order a blood test, we collect and process health-related data including your blood test results, biomarker values, medical questionnaire responses, and any health goals you set within the platform. Health data is classified as special category data under UK GDPR Article 9 and is processed only with your explicit consent, which we obtain before collecting any sample.
Payment information
Payment is processed by Stripe. We do not store your full card details. Stripe acts as an independent data controller for payment data. See Stripe's privacy policy.
Usage data
We collect anonymised analytics data (pages visited, device type, browser) to improve our service. We use cookies only where necessary for functionality and analytics.
2. How We Use Your Data
- To fulfil your blood test orders and deliver results
- To generate AI-powered wellness insights and suggestions based on your blood test results (see Section 5)
- To track your biomarker trends over time within HealthOS
- To communicate with you about your orders and account
- To improve our services through anonymised, aggregated analysis
3. Lawful Basis for Processing
| Data type | Lawful basis |
|---|---|
| Account & order data | Contract performance (Art. 6(1)(b)) |
| Health / biomarker data | Explicit consent (Art. 9(2)(a)) |
| AI-generated insights | Explicit consent (Art. 9(2)(a)) |
| Analytics | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails | Consent (Art. 6(1)(a)) |
4. Data Processors & Sharing
We share your data only with the following categories of recipient:
- UKAS-accredited laboratory partners – to analyse your blood samples and return results. Labs act as data processors under our instructions.
- Cloud infrastructure (AWS) – to host and store your data securely within the UK/EEA, acting as a data processor under our instructions.
- Payment processor (Stripe) – to process payments securely. As noted in Section 1, Stripe acts as an independent data controller for payment data, not as our processor.
- AI services – see Section 5 below.
We never sell your personal or health data to third parties.
5. AI Processing & Automated Decision-Making
We use artificial intelligence to generate wellness insights and suggestions based on your blood test results. This processing involves:
- Sending your biomarker values (not your name or contact details) to AI service providers for analysis
- Generating personalised nutrition, supplement, and lifestyle suggestions
- Identifying trends and patterns across your test history
AI-generated insights are general wellness suggestions only and do not constitute medical advice, diagnosis, or treatment. You should always consult your GP or a qualified healthcare professional before acting on any suggestion.
No solely automated decisions with legal or similarly significant effects are made about you. All AI outputs are supplementary information for your consideration.
6. International Data Transfers
Your core personal and health data is stored within the UK/EEA. Where AI processing involves transferring biomarker data to providers outside the UK (e.g. US-based AI APIs), we ensure appropriate safeguards are in place, including the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and we transfer only the minimum data necessary for analysis (biomarker values without your name or contact details, as described in Section 5).
7. Data Retention
| Data type | Retention period |
|---|---|
| Account information | Duration of account + 2 years |
| Blood test results | Duration of account + 7 years |
| AI-generated insights | Duration of account + 2 years |
| Order & payment records | 7 years (legal requirement) |
| Analytics data | 26 months (anonymised) |
When you delete your account or ask us to erase your data (see Section 8), we remove your personal data within 30 days, except where we are legally required to retain it (e.g. order and payment records, which we keep for 7 years as set out above).
8. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data (Subject Access Request)
- Rectify inaccurate data
- Erase your data (“right to be forgotten”) – we will delete your account and associated health data, subject to legal retention requirements
- Restrict processing in certain circumstances
- Port your data to another service in a structured, machine-readable format
- Withdraw consent at any time for health data processing and AI insights, without affecting the lawfulness of processing before withdrawal
- Object to processing based on legitimate interest
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk
To exercise any of these rights, contact us at privacy@syarahealth.com.
9. Data Security
We protect your data with encryption at rest and in transit (TLS 1.2+), role-based access controls, and regular security reviews. Health data is subject to additional encryption and access restrictions.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or through the platform. Continued use of our services after changes constitutes acceptance of the updated policy.
11. Contact Us
Syara Health Ltd
Email: privacy@syarahealth.com
