Privacy Policy

Last updated: 1 November 2025

HolistiCare (“HolistiCare”, we, us, or our) is committed to protecting personal data and complying with UK GDPR (and EU GDPR, as applicable) and related laws. This Privacy Policy explains how HolistiCare collects, uses, shares, and protects personal data. It applies to all users of HolistiCare’s services – including the clinics/coaches who subscribe to our white-label AI longevity platform (B2B customers and Data Controllers), their patients/clients whose data we process (patients are data subjects), and visitors to our website holisticare.io. We store data in the UK and operate under UK law. For data processed on behalf of clinics (who are Data Controllers), HolistiCare is a data processor – we handle personal data only on the clinic’s instructions and under contract. When we collect data directly from a person (such as website visitors or marketing contacts), HolistiCare is the data controller for those data. Our UK address is [HolistiCare Ltd, London] (incorporated in England and Wales).

Information We Collect

HolistiCare may collect the following categories of personal data:

  • Identity and Contact Data: name, email address, phone number, postal address, account credentials, and other identifiers. For website visitors, this includes information you submit in forms or emails.

  • Personal Profile and Usage Data: account profile information (usernames, photos), customer identifiers, purchase or service subscription data, and customer support correspondence.

  • Health and Sensitive Data: information about health and lifestyle as provided by clinics or their patients. This includes health records, lab results, biometric or genetic data, lifestyle inputs (e.g. diet, exercise habits), wearable device data, and other health-related information. Such data are special category (sensitive) under GDPR and are given extra protection.

  • Technical Data: details of your internet connection, device, and browsing (e.g. IP address, browser type, time zone, cookies, log data, usage analytics).

  • Marketing and Communications Data: preferences for receiving marketing (email, advertising), and any personal data included in marketing campaigns (for example, name/email used in newsletters or ads).

We collect data when you provide it directly (e.g. when signing up, filling forms, uploading data), when it is collected by devices or integrations (e.g. lab results uploaded to our system, or data from a connected wearable), and via cookies and tracking technologies when you use our website or platform.

How We Use Your Information

We use personal data to operate and improve our platform and services, as follows:

  • Service Delivery and Contract Fulfillment: We process personal data to provide and maintain the AI longevity platform for our clinic and coach customers, including the data of their patients and clients. This includes setting up accounts, managing subscriptions, and enabling clinics to deliver services (health coaching, reports, etc.) to their patients. These uses are necessary to perform our contract with the clinics/coaches.

  • Clinic Instructions: For patient data collected through clinics, we act on the clinics’ instructions and do not use patient data for any other purpose. The clinics (as Controllers) decide how health and personal data are used in patient care. As a processor, we safeguard that data per the clinic’s policies and GDPR requirements.

  • Website and Platform Improvements: We analyze usage and performance of our website and platform to improve features, security, and user experience. We use analytics tools (e.g. Google Analytics) to track site usage; where this involves non-essential cookies, they are set only with your consent (see “Cookies and Tracking” below). These analytics help us monitor traffic patterns, detect errors, and optimize our services.

  • Security and Legal Compliance: We monitor and log activities on our systems to detect and prevent fraud, unauthorized access, or abuse. We keep security logs and audit trails as required by law (e.g. financial records, anti-fraud rules, or healthcare regulations). This legal obligation (Article 6(1)(c) basis) justifies retaining certain data (like access logs) even after an account ends.

  • Marketing and Communications: We may use contact data (email, name) to send service-related communications (e.g. account updates) and, with your consent, promotional messages about our services. Marketing communications (newsletters, event invitations, or targeted ads) are sent only with your explicit consent, which you can withdraw at any time. We also use data (with consent) for personalized advertising via Google Ads and Meta Ads. We treat personalized advertising as direct marketing and rely on consent for it, including for the tracking cookies it requires under PECR. You can opt out or manage ad settings via our cookie controls.

Note: HolistiCare does not sell personal data to third parties. We only share data as described in “Data Sharing and Subprocessors” below.

Cookies and Tracking

Our website and platform use cookies and similar tracking technologies. Some are strictly necessary (e.g. to keep you logged in or remember basic preferences), while others are optional (analytics, advertising cookies). In all cases:

  • We provide clear information about the cookies we use and their purposes.

  • We comply with UK & EU law (PECR): we obtain your consent before storing or reading any non-essential cookies on your device. You can manage your cookie preferences (accept or reject non-essential cookies) via the banner or your browser settings.

  • We use Google Analytics to collect site usage data. Analytics cookies are not strictly necessary under PECR, so they are set only if you opt in; without your consent, no analytics cookies are placed on your device.

  • We may use session recording and heatmap tools (e.g. Microsoft Clarity) to improve site usability. These recordings capture mouse movements, scrolling, and clicks for a browsing session. We treat this data as anonymous and only activate it with your consent. You can opt out by rejecting non-essential cookies in the banner or your browser settings.

  • We use advertising cookies for Google Ads and Meta (Facebook) Ads. These track your visits and actions (e.g. page views, purchases) to serve relevant ads. Under GDPR/PECR, we require consent for this tracking. You may refuse marketing cookies and still use our site (except the personalized ad functions).

For more information about cookies and how to disable them, please see [ICO’s guidance on cookies] and adjust your browser settings.

Legal Basis for Processing

Under UK GDPR Article 6, we must have a lawful basis for each type of processing. HolistiCare relies on the following bases:

  • Consent (Article 6(1)(a)): Where you have given explicit permission. We use consent for marketing communications (newsletters, promotions, ads) and non-essential cookies/trackers. You can withdraw consent at any time (e.g. by unsubscribing from emails or changing cookie settings).

  • Performance of a Contract (Article 6(1)(b)): When processing is necessary to fulfill our contract with the clinic or coach. This covers most platform services – e.g. creating user accounts, managing subscriptions, integrating with healthcare devices or labs, and delivering reports to patients. We also rely on contract to take steps at a user’s request before joining (e.g. setting up a trial).

  • Legal Obligation (Article 6(1)(c)): When required by law. For example, we retain financial or tax records for statutory periods, and maintain security/audit logs or records of consent as needed by regulation or law enforcement.

  • Legitimate Interests (Article 6(1)(f)): For internal analytics, fraud prevention, and improving our services. We use aggregated and pseudonymized analytics to enhance security and performance. We ensure that these interests are balanced against individual privacy. Users can object to certain processing (especially direct marketing) at any time.

If we process special category data (health, biometric, genetic, etc.), an Article 9 condition must be met in addition to the Article 6 basis. For patient data processed on behalf of clinics, the clinic, as controller, identifies the applicable condition; typically this will be explicit consent, or processing necessary for healthcare purposes or scientific research under applicable law. We always take care to meet GDPR’s strict requirements for sensitive data.

Data Security

We implement appropriate technical and organizational measures to safeguard personal data. These include:

  • Encryption: Data is encrypted in transit (TLS) and at rest wherever feasible.

  • Access Controls: We limit access to personal data to only those employees or service providers who need it. All personnel are trained on data protection.

  • Secure Hosting: Our servers are located in the UK or other approved locations and meet high security standards (firewalls, intrusion detection, regular vulnerability testing).

  • Third-Party Security: We use reputable sub-processors (below) and ensure their compliance via contracts and audits.

  • Incident Management: We have procedures to detect and respond to data breaches or security incidents. Affected users and regulators will be notified as required by law. Where we act as a processor, UK GDPR Article 33(2) requires us to notify the affected clinic without undue delay after becoming aware of a personal data breach; the clinic, as controller, is responsible for notifying the ICO (within 72 hours where required) and affected patients.

Despite our efforts, no security is perfect. If you suspect misuse of your data, please contact us immediately (see Contact Us below).

Data Retention

We retain personal data only for as long as necessary for the purposes set out above or as required by law. For example:

  • Active Accounts: Personal data for active clinic accounts (and associated patient data) is kept while the account is active.

  • Former Accounts: When a clinic/account is closed, we delete or anonymize personal data unless we have a legal reason to keep it. We may retain data (e.g. billing records, tax info) for up to 6 years for compliance with financial regulations.

  • Security Logs: Logs and audit trails are kept for a limited period (typically 1–2 years) to comply with legal obligations or internal security policies.

  • Backups: We may retain encrypted backups for disaster recovery, purging personal identifiers periodically.

In all cases, we regularly review our data holdings and securely erase data that is no longer needed in accordance with GDPR and our retention schedule. You may also request deletion of your data (see Your Rights below).

Data Sharing and Subprocessors

We share personal data only in the ways described below:

  • With Clinics/Controllers: Patient personal and health data is shared back to the clinic or coach to whom the patient belongs. Clinics decide how that data is used for care. Patients should refer to their clinic’s own privacy policy for details of patient data usage.

  • With Third-Party Service Providers: We use trusted subprocessors to help operate our services. This includes cloud hosting providers, email and messaging services, analytics, customer support tools, payment processors, and others. Examples include Amazon Web Services, Google Cloud, Microsoft Azure, Stripe or other payment gateways, SendGrid/Mailchimp, and Hotjar. These subprocessors are bound by contract to protect data and to process it only as we instruct. We engage subprocessors only with our clients’ approval (per Article 28 of UK GDPR).

  • With Affiliates and Partners: If a clinic integrates HolistiCare with other health services or apps (for example, connecting to a lab or device), data may flow to those parties as authorized by the patient or clinic. HolistiCare will have contracts and safeguards in place for any shared data.

  • Legal Requirements and Business Transfers: We may disclose personal data to government, regulatory, or law enforcement agencies if required (e.g. to comply with a court order or investigation). If HolistiCare is involved in a merger or sale, personal data may be transferred to a successor entity (subject to confidentiality and legal protections).

We do not sell personal data to marketers. Any sharing for marketing purposes requires your consent. You have choices: you can refuse cookies, opt out of marketing lists, or revoke consent at any time via cookie settings or email unsubscribe.

International Data Transfers

HolistiCare stores and processes data primarily in the UK. If any personal data is transferred outside the UK or the European Economic Area (EEA), for example if a subprocessor stores data in another country, we do so only in compliance with UK GDPR requirements. The UK GDPR allows transfers to countries with an adequate level of protection (the UK adequacy regulations cover the EU/EEA, among others) or under specific safeguards. Where necessary, we use the UK Government’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses to ensure that data stays protected. For US service providers certified under it, we may also rely on the UK Extension to the EU-US Data Privacy Framework (the “UK-US data bridge”). In all cases, transfers are made with appropriate legal safeguards to protect your data and your rights.

Your Rights

Under UK GDPR (and EU GDPR, where applicable), you have the following rights with respect to your personal data:

  • Right to be Informed: You have the right to clear information about how your data is used; this policy is intended to provide that information.

  • Right of Access: You can request a copy of personal data we hold about you (“Subject Access Request”).

  • Right to Rectification: You can ask us to correct inaccurate or incomplete data we hold about you.

  • Right to Erasure: You can request deletion of your personal data in certain cases (e.g. data no longer needed, or processing based on consent that is withdrawn).

  • Right to Restrict Processing: You can ask us to suspend processing of your data in certain circumstances, for example while we verify the accuracy of data you have contested or while an objection is being considered.

  • Right to Data Portability: You can request a machine-readable copy of certain personal data you provided, to transfer to another service.

  • Right to Object: You can object to processing based on legitimate interests or direct marketing (including profiling for ads). We will stop if we have no overriding legal reason to continue.

  • Right to Withdraw Consent: For processing based on consent (marketing, cookies), you can withdraw consent at any time; this will not affect processing already carried out lawfully.

  • Rights Related to Automated Decisions: If any decisions are made solely by automated means (including profiling), you have the right to request human intervention or express your views.

To exercise any of these rights, please contact us at mona@holisticare.io. We aim to respond to legitimate requests within one month, as required by law (this period can be extended by up to two further months for complex or numerous requests, in which case we will tell you). If you are a patient or client of a clinic that uses HolistiCare, your clinic is the controller for your data; we will pass your request to the clinic and assist it in responding, as UK GDPR Article 28 requires of a processor.

If you are unsatisfied with our response or believe your data is not handled properly, you have the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner’s Office (ICO). You can contact the ICO at https://ico.org.uk. Data subjects in the EU may contact their local data protection authority. HolistiCare would appreciate the opportunity to address your concerns first, so please contact us before filing a complaint.

HIPAA Compliance for US Data

For any HolistiCare service involving Protected Health Information (PHI) in the United States (e.g. if a US-based clinic subject to HIPAA uses our platform), we are mindful of HIPAA requirements. HIPAA is the US healthcare privacy law that protects PHI. PHI includes any individually identifiable health information – for example, medical histories, lab results, mental health conditions, and health plan or billing data. HolistiCare implements technical and administrative safeguards (such as access controls, encryption, breach response) in line with HIPAA’s Security and Privacy Rules. When acting as a HIPAA Business Associate for a US clinic, we enter into business associate agreements that require us to comply with HIPAA rules. In essence, HolistiCare treats health data with the high level of security required by both GDPR and HIPAA, coordinating with the clinic (the HIPAA-covered entity) to ensure compliance.

Changes to This Policy

HolistiCare may update this Privacy Policy from time to time (for example, to reflect new services or legal changes). We will post the updated policy on this page with a new “Last updated” date. We encourage you to review this page periodically. Your continued use of our services after changes are posted means you accept the updated policy.

Contact Us

If you have any questions about this Privacy Policy or privacy practices, please contact HolistiCare at:

  • Email: mona@holisticare.io

You can also use the contact form on our website. We will respond to all inquiries or requests as soon as reasonably practicable. Thank you for trusting HolistiCare with your personal data.