Data Protection & Privacy Policy

1. Compliance with Data Protection Laws

Both Parties agree to comply with all applicable data protection and privacy laws, including but not limited to:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Other relevant privacy regulations governing the collection, processing, and sharing of personal data

The Company shall ensure that all Nutrition Services, including the data processing activities that support them, comply with its internal data protection policies and governance framework.

2. Data Ownership & Processing Roles

  • The Company acts as the Data Controller for all personal data collected in relation to the Nutrition Services and is solely responsible for determining the purposes and means of processing, including how that data is stored and used, in accordance with its own data governance policies.

  • Except as expressly permitted under Section 6, the Partner does not process or control any customer personal data related to the Nutrition Services.

  • The Partner shall not access, store, or use personal data collected by the Company unless this is explicitly required for agreed-upon reporting or operational purposes, and then only to the extent necessary and in compliance with data protection laws.

3. Collection & Use of Personal Data

The Company shall collect, store, and process personal data solely for delivering Nutrition Services, including but not limited to:

  • Customer registration and service access.

  • Personalized nutrition coaching, health recommendations, and support.

  • Customer engagement, program participation, and usage tracking.

  • Service optimization and analytics, using aggregated or anonymized data wherever possible (pseudonymized data remains personal data and is treated as such).

The Company shall ensure that all personal data is processed lawfully, fairly, and transparently, in line with its privacy policies.

4. Customer Consent & Transparency

  • The Company shall obtain all necessary customer consents for data collection, processing, and usage before delivering Nutrition Services, including explicit consent where health-related data (special category data under UK GDPR) is processed.

  • The Company shall provide a clear privacy notice to customers explaining:

    • What personal data is collected.

    • How it is used and processed.

    • The customer’s rights under applicable privacy laws.

    • How customers can withdraw consent or exercise their rights, including requesting deletion of their data.

  • The Partner is not responsible for obtaining or managing customer consent, as the Company directly governs all data-related interactions with customers.

5. Data Security & Protection Measures

The Company shall implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption of personal data in transit and at rest, and secure storage of sensitive data.

  • Access control and authentication mechanisms, applying the principle of least privilege, to prevent unauthorized access.

  • Regular security audits and compliance checks to identify and mitigate risks.

  • Incident response protocols to detect, contain, and report data breaches effectively.

The Company shall ensure that all employees, agents, or third-party service providers handling personal data are bound by strict confidentiality agreements and adhere to security best practices, and that any third-party provider acting as a processor is engaged under a written contract meeting the requirements of Article 28 UK GDPR.

6. Data Sharing & Transfers

  • The Company shall not share personal data with the Partner, except where explicitly required for service reporting, operational analytics, or regulatory compliance.

  • If any data sharing occurs, it must:

    • Be limited to the minimum necessary information.

    • Use secure transfer mechanisms (for example, encrypted channels) rather than unprotected email or file sharing.

    • Comply with all applicable data protection regulations.

  • If personal data needs to be transferred outside the UK or EEA, the Company shall ensure appropriate safeguards are in place, such as UK adequacy regulations, the ICO's International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses (SCCs), or other approved transfer mechanisms.

7. Data Retention & Deletion

  • The Company shall retain personal data only for as long as necessary to fulfill its contractual and legal obligations.

  • Upon termination of services or when the data is no longer required, the Company shall securely delete or anonymize the data in accordance with its data retention policy.

  • Customers shall have the right to request access to, correction, deletion, or restriction of their personal data; the Company will handle such requests within the statutory timeframe and in accordance with its internal privacy policy.

8. Data Breach Notification & Liability

  • In the event of a personal data breach affecting customers, the Company shall:

    • Notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

    • Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

    • Take immediate corrective action to mitigate risks.

  • The Company shall be solely responsible for any regulatory fines, penalties, or liabilities resulting from non-compliance with data protection laws related to Nutrition Services.

9. Audit Rights & Compliance Monitoring

  • The Company shall maintain detailed records of its data processing activities, as required under Article 30 UK GDPR.

  • The Partner may request limited audits or compliance reports to confirm the Company’s adherence to applicable data protection laws, provided such requests are reasonable and do not compromise security.

10. Governing Policies & Updates

  • The Company’s Data Protection & Privacy Policy shall govern all customer data collection and processing.

  • Any changes to data protection laws that materially affect this Agreement shall be discussed by the Parties, and any resulting amendments to this Agreement shall be mutually agreed before implementation.