Privacy Policy
Zoe wants you to understand how we use and protect your personal data.
Effective: 7th February 2025
This privacy policy explains how we do so, in connection with our Website, our free or paid services (including our App and our personalized nutrition program (Personalized Nutrition Program)) (collectively our Services), our Daily30+ supplement or any other product we offer (Products), or if you otherwise interact with us (including when you sign up to receive our email updates or participate in our research studies (Studies)). For more information on whether and when this privacy policy applies to you, see the ‘Who does this apply to’ section.
We have provided supplementary notices for residents of the United Kingdom (UK) and for residents of the United States (US). Please read the notice applicable to you, in addition to the main privacy policy.
If we provide any other privacy policy or notice (for example, sometimes we provide additional privacy information when you choose to partake in a Study), this privacy policy supplements them and is not intended to override them.
We keep our privacy policy under regular review and may update it from time to time – please check the most recent version of our privacy policy for the most up-to-date information.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if the information we hold about you changes (for example, if you change your email address but would like to continue to receive emails from us).
Table of Contents
- Who is the controller of your data?
- Who does this privacy policy apply to?
- What data do we collect?
- What do we use your personal data for (including the lawful bases we rely on)?
- How do we use cookies and similar technologies?
- How do we manage marketing and communications (including your right to opt-out)?
- How might we disclose your personal data?
- How do we keep your data secure?
- How long do we keep your personal data for?
- What are your legal rights?
- How can you exercise your rights or otherwise contact us?
- UK ADDENDUM: Residents of the United Kingdom (UK)
- UNITED STATES (US) ADDENDUM: Residents of the US
1. Who is the controller of your data?
ZOE is made up of two different legal entities:
Zoe Limited, a company incorporated in the United Kingdom (registered address: 164 Westminster Bridge Road, London SE1 7RW)
ZOE US Inc, a company incorporated in Delaware (address: 65 Shawmut Road, Unit 6, Canton MA 02021)
Zoe Limited is the controller of personal data, responsible for processing your data. The other ZOE entity may act as a processor from time to time, as would be usual within a group of companies. As between Zoe Limited and ZOE US Inc, there is a Data Sharing Agreement in place which includes the model clauses approved for this purpose. Please contact us if you would like more information on this.
To contact us, please see the ‘How can you exercise your rights or otherwise contact us’ section.
2. Who does this privacy policy apply to?
This privacy policy will apply to you if you are one of the following:
Personalized Nutrition Program Member – If you are a Member of our paid-for Personalized Nutrition Program, with an account behind a login (Account)
ZOE Website Users – If you visit or use our Website (even before signing up to any of our Services or purchasing our Products)
ZOE App Users – If you have visited or used our App (whether or not you have set up an Account), including the free version
Products Customers – If you have purchased Daily30+ or any other physical product from us
Science and Nutrition Updates Subscribers – If you have given us your email address to sign up to our Science and Nutrition updates
Quiz Users – If you answer any of the questions in the ZOE Quiz (whether or not you purchase from us)
Study Participants – If you choose to participate in any of our scientific research into diet and health, including our PREDICT study (Studies). You may have chosen to partake in PREDICT when you signed up to be a ZOE Member, or in any other study separately.
AskZOE Users – If you have used our AskZOE App (only available in the US)
Menoscale Users – If you have used our Menoscale calculator on our Website
ZOE Suppliers – If you (or the company you work for) are a supplier/vendor of ZOE
Media Contacts – Individual media contacts including journalists and other media 'influencers' and individuals publishing information publicly on the Internet, including social media users, bloggers and web content writers.
This privacy policy does not cover the practices of third parties we don’t control or personal data collected in the context of job applications or employment with us. Neither does it cover our use of your data if you participated in our COVID study or any other study through our ZOE Health Study app (see the ZOE Health Study website for more details).
3. What data do we collect?
Personal data is any information about an individual from which that person can be identified. It includes information referred to as ‘personally identifiable information’ or ‘personal information’ which are terms used by other privacy or data protection laws.
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
3.1 Type of personal data & what they include
Contact Data
Title, first name, last name, gender/pronouns, billing address, delivery address, email address and telephone numbers. If you interact with us through social media, this may include your social media user name. You provide us with this information, for example when you place an order with us or sign up to communications.
Demographic Data
Date of birth, gender, ethnicity, approximate location (not precise location) e.g. city/post code
Account Data
Your Account login details, Products/Services purchased, customer preferences. This is collected from your Account.
Self-Reported Health and Lifestyle Data
Information you choose to provide us in your Account, including height, weight, what you eat, pre-existing health conditions, recent antibiotic use, if you are pregnant, lifestyle information such as exercise and energy, results of blood tests you have had outside of the ZOE testing (if you have had blood tests recently and choose to share with us). Please see the relevant terms and privacy policies of the wearable devices for how they use your device data for their own purposes.
Test Data
These are the results we receive back from the laboratories that have analyzed your biological samples that you sent to them for testing (on our behalf).
These include
From your finger prick sample: your blood fat and glucose levels
From your stool sample: your microbiome analysis (Analysis of stool samples includes the extraction and sequencing of DNA found in the samples. In a healthy person, almost all of this will be DNA relating to your microbiome – we use it to identify populations of bacteria in your gut. There may be some fragments of your own DNA included in this mix. These will be sequenced along with all other DNA fragments. We may not be able to identify that some fragments are human DNA; nor do we try to use information about your own DNA at present. In rare cases, for example where someone suffers from gastrointestinal bleeding, there may be more human DNA than usual.)
We do not receive the samples from the laboratories ourselves, only the test results.
Glucose Data
If you have chosen to include glucose monitoring in your testing, this is the concentration of glucose in your blood that we receive from the blood sugar sensor we send to you to use, during the time you wear the device. Abbott GmbH (Abbott), the supplier of the glucose monitor, provides us with this data through their app (but for them, your Glucose Data is linked to a random ID, instead of your name). Please see their terms and privacy policy for information about how they use your Glucose Data.
Personalized ZOE Scores
The personalized health and food scores we create for you based on information we have about you and your meals. These include your blood sugar control score, blood fat control score, microbiome health and scores on particular foods and meals you log in your Account. We do not retain those Personalized ZOE Scores and so they will not be available if you make a data subject request.
Photo Logging Data
The photos (which may include any metadata associated with the photos, including date, time and (precise) location you took the photo), that you take using our meal photo logging feature (Photo Logging). Please note that the Photo Logging is only intended for logging your meals, however we cannot control what you use the Photo Logging for. We will process any photos you take using Photo Logging but if we become aware that these are not photos of your meals, we may delete them.
Customer Support and Feedback Information
Details of customer service calls automatically collected (including talk time, location, agent who answered the call, recordings of calls); any information about queries and complaints you provide us (which could include Self-Reported Health and Lifestyle Data); customer support query records from our customer service platforms.
Device and Technical Data
Internet protocol (IP) address, browser type and version, time zone setting and location, operating system and platform, other technology on the devices you use to access our Website. This is collected automatically when you interact with our Website, App, communications or online adverts, sometimes via cookies or similar technologies (some of which are from third parties) (see our Cookie Policy).
Customer Payment Data
Payment card details you provide our third party payment processor, or Klarna (if you choose one of their payment options). Our payment processors don’t disclose your card number to us, apart from the last 4 digits. Our payment processors, including Klarna, will use your information in accordance with their own privacy policies. Klarna will determine your eligibility for their services in accordance with their terms and privacy policy.
Usage/Analytics Data
Information about how you engage with us. This includes how you use the Website/App, which might include length of visit, page views, website navigation paths, timing, frequency and pattern of your Website/App use, and any other information about how you use our Website or our Products and Services (including if/when you make a purchase from us and how much it was, or if you start our ZOE Quiz). This is collected automatically when you interact with our Website, App, communications or online adverts, sometimes via cookies or similar technologies (some of which are from third parties) (see our Cookie Policy).
Study Data
The unique ID we (or our research partners) allocate you for Studies, so that we're not using your name, and any data you provide us as part of a Study you have chosen to participate in (details of such data collection will be given to you at the time you sign up)
Quiz Data
Information you provide us if you undertake our quiz, including height, weight, what you eat, pre-existing health conditions, recent antibiotic use, lifestyle information such as exercise and energy.
ZOE Communities Data
The information you share in groups (like Support Groups and Clubs) in the ZOE Communities feature. If you choose to create a public profile, other members can see your progression, how long you have been a ZOE member, meal plans, recipes and other elements of your ZOE journey.
Menoscale Data
The information you provide if you use our Menoscale calculator, including menopause status, if taking HRT, menopause symptom questionnaire responses.
Supplier Data
Name of company, business unit/division, role within the company, information given on ZOE Supplier invoices, including bank account and payment details. You provide us with this information.
3.2 Personal data about children
As noted in our Terms of Service, we do not knowingly collect or solicit personal data about children under 18 years of age (or under 19 years of age if they live in Alabama or Nebraska). If you are a child under the age of 18, please do not attempt to register for or otherwise use our Services/purchase our Products or send us any personal data.
If we learn we have collected personal data from a child under 18 years of age, we will delete that information as quickly as possible. If you believe that a child under 18 years of age may have provided personal data to us, please contact us at dpo@joinzoe.com.
3.3 Data that is not personal data
Personal data does not include data that can no longer be linked with identifiable individuals, for example by aggregation of data about multiple individuals. We may create aggregated, de-identified or anonymized data from the personal data we collect, including by removing information that makes the data personally identifiable to a particular user. Where we de-identify personal data, we commit to maintain and use the de-identified information in de-identified form and not attempt to re-identify it.
We may use such anonymous data for our lawful business purposes, including to analyze, build and improve our Products/Services and other future products and services, and promote our business, provided that the data remains anonymous. We do not delete anonymous data on any particular timetable. You may assume that we could keep it indefinitely.
When we share personal data with certain third parties, we replace your personal details (name, email, phone number, and full address) with a random ID/code, so the recipient will not be able to identify you from what it receives. In the recipient's hands the data is therefore de-identified.
4. What do we use your personal data for (including the lawful bases we rely on)?
4.1 Lawful bases
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Consent. Where we have obtained your consent. Where our legal basis is consent, you have the right to withdraw your consent at any time by contacting us. However, please note that if you do so, some aspects of the Service you receive from us may be impacted (for example, we can’t provide you with the Personalized Nutrition Program without your consent).
Legitimate interests. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. The legitimate interests we rely on include:
Developing and improving our Services and Products
Determining eligibility for our Services
Recognizing you on our App where you have signed up on our Website or not yet opened an Account
Obtaining professional legal advice, gathering information/evidence and resolving issues with customers
Providing good customer service
Contracting with and managing our relationships with suppliers
Building and improving our Services and user experience
Managing our IT security, network and infrastructure
Managing our business operations effectively
Marketing our brand and Services to grow engagement and sales
Understanding our customer behavior and customer views to improve our Services and associated strategies
Legal obligation. Where we need to comply with a legal obligation.
Contract. Where we need to perform the contract we are about to enter into or have entered into with you, such as managing your Account and providing you with Services/supplying you with Products you have ordered.
4.2 If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, we can’t deliver our test kit or our Products to you if we don’t know your delivery address). We will notify you if this is the case.
4.3 Purposes for using your data
We have set out below a description of all the ways we may use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. On request, we will always provide an explanation as to how the processing for the new purpose is compatible with the original purpose. If we need to use personal data for an unrelated purpose, we will notify those concerned and we will explain the legal basis which allows us to do so.
We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out below.
4.3.1 To open and maintain your Personalized Nutrition Program account and subscription
Who does this apply to? Personalized Nutrition Program Member, Products Customers
What types of data are we processing for this purpose? Contact Data; Account Data; Customer Payment Data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Performance of contract
4.3.2 To provide you with our Personalized Nutrition Program, including determining your eligibility for the Personalized Nutrition Program, facilitating testing of samples, analyzing your information and providing you with the functionalities of the ZOE App (including providing you with the Personalized ZOE Scores and advising you what to eat), and integrating data between the Website and App
Who does this apply to? Personalized Nutrition Program Members
What types of data are we processing for this purpose? Contact Data; Demographics Data; Self-Reported Health and Lifestyle Data; Test Data; Glucose Data; Personalized ZOE Scores; Customer Payment Data; Account Data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Performance of contract; Legitimate interests; Article 9: Consent
4.3.3 To gain a better understanding of nutritional responses to food generally, in order to develop and improve your experience and our Services, including training our algorithm (wherever possible, we use pseudonymized data for this purpose)
Who does this apply to? Personalized Nutrition Program Members; PREDICT Study Participants; Quiz Users; ZOE App Users
What types of data are we processing for this purpose? Contact Data; Demographics Data; Self-Reported Health and Lifestyle Data; Test Data; Glucose Data; Personalized ZOE Scores; ZOE Communities Data; Quiz Data; Photo Logging Data
What is our GDPR lawful basis (UK/EU residents)? Article 6: legitimate interests; Article 9: Consent
4.3.4 To supply you with physical goods (test kits and samples for the Personalized Nutrition Program or PREDICT studies; or your Daily30+ orders)
Who does this apply to? Personalized Nutrition Program Members (who have consented to PREDICT); PREDICT Study Participants; Products Customers
What types of data are we processing for this purpose? Contact Data; Account Data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Performance of contract
4.3.5 Where you have consented, to carry out the Study/research (including determining your eligibility for such research, inviting you to participate, and sharing, in de-identified form, with partners such as universities) (we may provide you with separate privacy notices for Studies - please contact us if you would like us to re-send these to you)
Who does this apply to? Personalized Nutrition Program Members (who have consented to PREDICT); Study Participants; Menoscale Users
What types of data are we processing for this purpose? Study Data; Demographics Data; Self-Reported Health and Lifestyle Data; Test Data; Glucose Data; Menoscale Data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Legitimate interests; Article 9: Consent
4.3.6 To recognize you via an anonymous account (if you haven’t yet registered for an Account) or register you with your App Account, and to allow you to use the App functions (including Photo Logging and food scores)
Who does this apply to? ZOE App Users
What types of data are we processing for this purpose? Contact Data; Device and Technical Data; Account Data; Photo Logging Data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Performance of contract; Legitimate interests
4.3.7 Providing you with our Menoscale service
Who does this apply to? Menoscale Users
What types of data are we processing for this purpose? Menoscale Data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Legitimate interests; Article 9: Consent
4.3.8 To provide you with the ZOE App Community functionality, including being able to provide our coaching effectively
Who does this apply to? Personalized Nutrition Program Members (who use the ZOE Community)
What types of data are we processing for this purpose? ZOE Communities Data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Legitimate interests; Article 9: Consent
4.3.9 To allow you to use the AskZOE app
Who does this apply to? AskZOE Users
What types of data are we processing for this purpose? Contact Data; Device and Technical Data; Photo Logging Data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Legitimate interests
4.3.10 To provide you with customer support and quality assurance, and to manage our relationship with you, including sending you order updates, changes to our terms of service, receiving feedback and providing support on our Services and Products (including via our chatbot)
Who does this apply to? All users/customers (Services or Products)
What types of data are we processing for this purpose? Contact Data; Customer Support and Feedback Information
What is our GDPR lawful basis (UK/EU residents)? Article 6: Contract; Legitimate interests; legal obligation (transactional emails)
4.3.11 To carry out marketing (see the ‘Marketing and Communications’ section below): Direct marketing where you have not opted-out (including sending you ongoing science and nutrition emails, news and offers, inviting you to join our webinars, and maintaining our suppression list); Marketing through our social media channels; Marketing to referrals
Who does this apply to? Science and Nutrition Updates Subscribers; all users/customers (Services/Products); potential customers who have been referred
What types of data are we processing for this purpose? Contact Data; Device and Technical Data; details of purchases made; referral codes; Usage/Analytics Data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Legitimate interests (if we’re legally required to, we will obtain your opt-in consent - see 'Marketing and Communications' section)
4.3.12 To carry out analytics and use feedback to develop and improve our Services, marketing, customer service, relationships and experiences
Who does this apply to? All users/customers (Services or Products)
What types of data are we processing for this purpose? Contact Data; Demographics Data; Device and Technical Data; Usage/Analytics Data; Photo Logging Data; testimonials and feedback
What is our GDPR lawful basis (UK/EU residents)? Article 6: Legitimate interests
4.3.13 To build, manage, maintain and improve our technology infrastructure, including our Website and App (including providing functionality, analyzing performance, troubleshooting and fixing errors and improving usability/effectiveness, managing security)
Who does this apply to? All users/customers (Services or Products)
What types of data are we processing for this purpose? Device and Technical Data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Legitimate interests
4.3.14 To manage our business and finance operations and administration (including auditing; internal communications between employees in the UK and US; preventing fraud; managing investors and driving the success of the company; accurate reporting and administration)
Who does this apply to? All customers (Services or Products); Study Participants
What types of data are we processing for this purpose? All data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Legitimate interests; legal obligation
4.3.15 To manage our relationship with suppliers
Who does this apply to? ZOE Suppliers
What types of data are we processing for this purpose? Supplier Data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Contract; Legitimate interests
4.3.16 Influencer / affiliate management and monitoring coverage related to ZOE
Who does this apply to? Media Contacts, potential ZOE customers (who click on affiliate links)
What types of data are we processing for this purpose? Contact Data (affiliates); Device and Technical Data (potential customers); Instagram posts etc. of Media Contacts
What is our GDPR lawful basis (UK/EU residents)? Article 6: Legitimate interests
4.3.17 To investigate complaints/incidents with our Services and resolve legal disputes/claims
Who does this apply to? All users/customers (Services or Products)
What types of data are we processing for this purpose? All data
What is our GDPR lawful basis (UK/EU residents)? Article 6: Legitimate interests
4.3.18 To ensure we are complying with data protection laws and responding to your requests (including on Cookies and data subject requests)
Who does this apply to? All users/customers (Services or Products); Study Participants
What types of data are we processing for this purpose? Contact Data; Device and Technical Data; any data requested via access request
What is our GDPR lawful basis (UK/EU residents)? Article 6: Legal obligation
5. How do we use cookies and similar technologies?
Our Services use cookies and similar technologies such as pixel tags, web beacons, clear GIFs and JavaScript (collectively, “Cookies”) to enable our servers to recognize your web browser, tell us how and when you visit and use our Website or Services, analyze trends, learn about our user base and operate and improve our Services. Cookies are small pieces of data – usually text files – placed on your computer, tablet, phone or similar device when you use that device to access our Services. We may also supplement the information we collect from you with information received from third parties, including third parties that have placed their own Cookies on your device(s). These third parties may also receive some information about you, and use this information for their own purposes (for example, see the ‘Third Party Advertising’ section below), but this will never include information about your health.
Most browsers have a 'Do Not Track' or ‘Global Privacy Control’ feature that lets you tell websites you don't want to have your online activities tracked. If you choose to activate these, our Marketing Cookies will be deactivated. Please note that if you do this, we don’t know who you are within our systems, and your opt-out will apply only to information collected through Cookies on the specific browser from which you opt-out. If you delete or reset your Cookies, or use a different browser or device, you will need to reconfigure your settings.
For more information about our use of Cookies, please see our Cookie Policy.
6. How do we manage marketing and communications (including your right to opt-out)?
If you complete the Quiz, use our Services or purchase our Products or have done in the past (and have not opted out of receiving marketing), we may contact you from time to time via email to communicate with you about our Products, Services, offers, promotions, rewards, and events offered by us, provide news and information that we think will be of interest to you (such as our ongoing science and nutrition emails), or invite you to provide feedback on our Products and Services. Otherwise, if you subscribe to our mailing list you will receive these emails. We may also use push notifications to share these communications with you. We may also send these communications via SMS (if you’re in the US, we will only do this if you have opted-in).
We use your Contact Data to send you these communications. We may also use your Contact Data, Demographic Data, Account Data, Device and Technical Data or Usage/Analytics Data (but not including any sensitive personal information) to form a view on what we think may be of interest to you so that the communications we send are most relevant to you. We will never use data about your health (for example, your Self-Reported Health and Lifestyle Data) for marketing purposes.
6.1 Third Party Advertising
We may work with third parties such as Meta (Facebook and Instagram), TikTok and Google Ads to show you adverts for our Products and Services (Advertising Partners). To facilitate this, we may share Contact Data, your customer ID (meaningless to the Advertising Partner), Demographic Data, Device and Technical Data and Usage/Analytics Data. However, your name, email, and phone will be hashed. Hashing means a one-way code is shared instead of your actual details: the Advertising Partner cannot compute your original details from the code, but if you have separately given them the same information (e.g. if you have a Facebook account), they can hash it in the same way and match the two sets of hashed data. This data is either collected and shared automatically using Cookies (see the ‘Cookies and similar technologies’ section above), or at our prompt via other tools.
We only share your data for these purposes if you have consented to marketing Cookies or consented to your email being used for marketing purposes. We do not share any sensitive / special category data for marketing purposes (which includes information about your health).
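The hashed matching described above, and the random-ID substitution described in section 3.3, as an added example in Python. This is not ZOE's or any Advertising Partner's own code. It assumes one normalization rule (trimmed, lower-cased email; digits-only phone with a leading +) and SHA-256 as the hash; the real Advertising Partners publish their own normalization rules, which may differ. The customer records and the partner's user table are constructed for the example. The last function shows the caveat a practitioner should keep in mind: a hash of a guessable identifier can be recovered by hashing candidate values, so hashing is a matching mechanism, not anonymization.

```python
import hashlib
import secrets

# Constructed sample customer records (not real people).
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "email": " Alice.Example@Example.com ",
     "phone": "+44 20 7946 0000", "city": "London"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org",
     "phone": "+1 (617) 555-0100", "city": "Boston"},
]

# Fields that must never appear in anything shared for advertising.
NEVER_SHARED = {"health", "test_data", "glucose"}
# Direct identifiers swapped out when pseudonymizing for other third parties.
DIRECT_IDENTIFIERS = {"id", "name", "email", "phone"}


def normalize_email(email):
    # Assumed rule: trim whitespace and lower-case so both sides hash identically.
    return email.strip().lower()


def normalize_phone(phone):
    # Assumed rule: keep digits only, prefix with "+" (E.164-like).
    return "+" + "".join(ch for ch in phone if ch.isdigit())


def sha256_hex(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hash_for_partner(customer):
    """Record shared with an Advertising Partner: hashed identifiers plus an
    opaque customer ID. Raises if a health field is present in the input."""
    leaked = NEVER_SHARED & set(customer)
    if leaked:
        raise ValueError(f"refusing to share health fields: {sorted(leaked)}")
    return {
        "customer_id": customer["id"],  # meaningless to the partner
        "em": sha256_hex(normalize_email(customer["email"])),
        "ph": sha256_hex(normalize_phone(customer["phone"])),
    }


def pseudonymize(customer, mapping):
    """Section 3.3 style sharing: replace direct identifiers with a random code.
    The controller keeps `mapping` (code -> id); the recipient gets the code only."""
    code = secrets.token_hex(8)
    mapping[code] = customer["id"]
    record = {k: v for k, v in customer.items() if k not in DIRECT_IDENTIFIERS}
    record["code"] = code
    return record


# Partner side (hypothetical): users they already hold, keyed by email.
PARTNER_USERS = {
    "alice.example@example.com": "partner-user-9001",
    "carol@example.net": "partner-user-9002",
}


def partner_match(shared_record):
    """The partner hashes its own users' emails the same way and looks up ours."""
    index = {sha256_hex(normalize_email(e)): uid for e, uid in PARTNER_USERS.items()}
    return index.get(shared_record["em"])


def dictionary_reversal(hash_hex, candidates):
    """Caveat: anyone with a list of candidate emails can recover the original
    by hashing each candidate; no key is involved, so the hash is not a secret."""
    for candidate in candidates:
        if sha256_hex(normalize_email(candidate)) == hash_hex:
            return candidate
    return None


if __name__ == "__main__":
    shared = hash_for_partner(CUSTOMERS[0])
    print("partner match:", partner_match(shared))
    print("recovered:", dictionary_reversal(shared["em"], ["x@example.com", "alice.example@example.com"]))
    keys = {}
    print("pseudonymized:", pseudonymize(CUSTOMERS[1], keys), "mapping:", keys)
```

The normalization step matters more than the hash: if one side hashes "Alice@Example.com" and the other "alice@example.com", the two sides never match, which is why partners publish exact normalization rules. Conversely, because the hash is unkeyed, the same determinism that enables matching lets anyone who holds or can guess an email reproduce its hash.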
This information may be used for the following purposes:
To measure the effectiveness of our marketing campaigns – the Advertising Partners match the data with your actions if you have seen one of our ads (e.g. if you have visited our Website or purchased our Services/Products). This helps us analyze which ads or campaigns are most effective and informs our marketing strategy.
To help us identify the right audience for our ads – the Advertising Partners analyze the data, identify common characteristics, and then target ads to users with similar characteristics. This helps us show ads to people who are more likely to be interested in our Services/Products.
To show you ads and offers personalized and relevant to you – if you have separately given your data to the Advertising Partner, it will combine this with the data we share with it to identify you and show you ads that are relevant to you. For example, to remind you of a purchase you started but didn’t complete.
If you are a UK or EU resident: For the purposes of the UK GDPR/GDPR, we are joint controllers with the Advertising Partners of at least some of this information (both the third party and we determine the purposes and means of the processing of your data). This is because the Advertising Partners make use of some of this information for their own purposes.
For further information on how the Advertising Partners use personal data, including the legal bases they rely on and the ways to exercise your rights against them, please see their respective privacy policies. We also have an agreement with these third parties setting out which of us is responsible for particular obligations under GDPR. Please contact us if you would like to see this or if you would like more information.
6.2 Opt-out and marketing preferences
You can always opt out of receiving emails by unsubscribing via the “unsubscribe” link contained in the email. You can opt out of push notifications by changing the settings on your device or in your Account. Opting out of these emails or notifications will not end the transmission of service-related emails that are necessary to your use of our service.
You can opt out of receiving marketing SMS by replying "STOP" to any SMS notification you receive from ZOE. This will stop ALL SMS notifications (including service-related notifications).
You can opt out of your personal data being used for marketing purposes by Advertising Partners by adjusting your preferences in the settings in your account with them. You can also opt out of our sharing of your data for those purposes by contacting us, or opting out of marketing Cookies and unsubscribing from marketing emails. Please note that opting out of data sharing for advertising purposes may not stop you from seeing ads, but it may make them less relevant to your interests.
There are also a number of organizations that allow you to opt out of advertising more generally, for example: http://www.aboutads.info/choices and http://www.youronlinechoices.eu/.
If you unsubscribe, we will need to keep just enough information on file to make sure we respect your preferences in the future.
7. How might we disclose your personal data?
In addition to disclosing data to our group company in the US (ZOE US Inc) we may disclose your personal data to the parties set out below for the purposes set out in this privacy policy (or if the law otherwise allows it), who act on our behalf (as ‘processors’ of your data):
Suppliers and service providers including hosting and other technology and communication providers, analytics providers, CRM, system administration services, security and fraud prevention consultants, support and customer service vendors and payment processors and other payment option providers.
Delivery and fulfillment providers we use to send you goods, such as the test kit or our Products, and to transport samples.
If you are a Personalized Nutrition Program Member, we disclose your personal data to the laboratories engaged by us to carry out your tests. These laboratories may use physicians to sign off on authorization on behalf of customers to conduct tests in certain jurisdictions that restrict the sale of direct-to-consumer lab tests without physician authorization (which include most US states). ZOE will disclose any information that is necessary to obtain an authorization (including Self-Reported Health and Lifestyle Data and Test Results) to these laboratories and their physicians.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow these third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may also disclose your personal data to the following parties who act as ‘controllers’ of your data (they determine the purposes/means of the processing):
Where you have consented to participate in a Study or other research: third parties carrying out research into diet and/or health including academic research organizations (such as universities) and pharmaceutical companies (for example to assist in the development of new medications). When we do this a code will always be used to replace your personal details (name, email, phone number, and full address), so they will not be able to identify you. Sometimes these third parties will act as joint controllers of your data with us for the purposes of a Study.
Where you have chosen continuous glucose monitoring and consented to the sharing of your data for this purpose: we disclose your Glucose Data with the glucose monitor device provider. For Abbott, your Glucose Data is linked to a random ID, instead of your name, so they will not be able to identify you.
Where you have consented to marketing Cookies or for us to use your email for marketing purposes: Advertising Partners, such as Meta (see ‘Marketing and Communications’ section above). We do not disclose any health data to our social media partners.
User research partners who help us with user research on our Services/Products
HM Revenue and Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.
Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
Auditors and professional advisers including lawyers, bankers, auditors and insurers. (In all cases these will be advisors under a professional duty of confidence.)
8. How do we keep your data secure?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism; limiting access to your computer or device and browser; and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely secure.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
9. How long do we keep your personal data for?
We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
For example, we keep information we use to provide you with our Services (including Customer Information, Test Results, self-reported health information, information from wearable devices) for as long as you have a subscription or account with us and for a period of 6 years after you end your subscription or close your account (as applicable). This is necessary for us to be able to resolve any legal disputes that may arise. Where you have opted in to participate in Research, we may retain your data for the duration of the Research (please note that our PREDICT3 study is intended to be long-term research). If you use the free version of our app, but you do not create an account within 30 days, we will delete the data we have (including Photo Logging Data, Food Scores, Device and Browser Data). We routinely delete our web server logs after 90 days, unless we are aware of any serious problem that requires investigation (for example fraud or a hostile attack to our systems), in which case we may preserve any information necessary for that investigation for as long as it is needed. Once the investigation is concluded, we will delete the data.
The laboratories that receive your Samples and provide us with Test Results will keep samples for different lengths of time depending on the requirements of the locally applicable law (for example, of your country or state). How long a sample is kept may depend on factors such as whether a test is successful or not.
10. What are your legal rights?
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Note that in limited situations, we may not be able to comply with your request for specific legal reasons. If that is the case, we will still respond to notify you of such a decision.
The rights in this section apply to you regardless of where you are resident. However, you may have additional rights, depending on where you are resident. These additional rights are set out in the Addendums below. Please read the applicable Addendum in addition to this Privacy Policy.
10.1 No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
10.2 What we may need from you
Only you or a person legally authorized to act on your behalf may make a verifiable request relating to your personal data. We may need to request specific information from you to help us confirm your identity (or, if using someone to request on your behalf, your written permission to do so), and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. Please provide us with sufficient detail to allow us to understand, evaluate and respond to your request. If we do not have this, we may contact you to ask you for further information in relation to your request to speed up our response.
We will only use Personal Data provided in a request to verify your identity and complete your request. You do not need an account to submit a request.
10.3 Time limit for responding
We try to respond to all legitimate/verifiable requests within one month. In some US states, we may have slightly longer to respond to your requests (for example, 45 days for Californian residents). Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
10.4 Your rights
You have the right to:
Request access to your personal data (commonly known as a data subject access request). You can request information about what personal data we process about you (including the purposes for collecting it, how and to whom we have disclosed it), to access this personal data and to receive a copy of it. Note that we do not retain your Personalized ZOE Scores, so we will not be able to provide you with these.
Request correction of the personal data that we hold about you, if you believe that your personal data is inaccurate.
Request erasure of your personal data. Please be aware that erasing some personal data may affect your experience using certain features of the Services that rely on historical data.
Object to processing of your personal data. For example, if we process it for direct marketing.
Request restriction of processing of your personal data, in some circumstances. For example, you have the right to request the restriction of your personal data if you contest the accuracy of your personal data and we need some time to verify such accuracy.
Request the transfer of your personal data to you or to a third party.
11. How can you exercise your rights or otherwise contact us?
You can contact us or submit a request as follows:
To access or erase your data: use our form at https://privacy.zoe.com/zoe.
To exercise any of your other rights, or to ask for more information about this privacy policy or our use of your data: email us at dpo@joinzoe.com.
For more general enquiries: please contact us at hello@joinzoe.com.
UK ADDENDUM: Residents of the United Kingdom (UK)
1. What are your legal rights?
In addition to the rights set out in the Privacy Policy, you have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
For more information about these rights please see the UK Information Commissioner’s guide to data subject rights.
2. How do we manage international transfers?
Many of our external third parties are based outside the UK so their processing of personal data will involve a transfer of data outside the UK. Our group company in the US (ZOE US Inc) also processes personal data as part of our intragroup operations.
Our processing of personal data is governed by the United Kingdom’s (UK) version of the GDPR (UK GDPR) and the Data Protection Act 2018. Whenever we transfer personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the safeguards permitted under the UK GDPR is used.
These may include:
Transfer to countries or organizations that have officially been deemed to provide an adequate level of protection for personal data by the ICO, which currently includes the EEA (see here for an up-to-date list)
Transfers to companies which are certified under the UK’s data bridge for UK/US transfers (the Data Privacy Framework)
Using a specific contract approved by the EU/ICO - the EU Standard Contractual Clauses and the International Data Transfer Addendum. We use this contract for transfers to the US, where the recipient is not certified under the Data Privacy Framework, including to our US group company, ZOE Inc.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
UNITED STATES (US) ADDENDUM: Residents of the US
Residents of California
1. What are your legal rights?
If you are a California resident, you have the rights set out in this section. Please see the “Exercising your verifiable rights” and “Personal data sales and shares opt out” sections below for instructions regarding how to exercise these rights.
If you have any questions about this section or whether any of the following rights apply to you, please contact us at dpo@joinzoe.com.
2. Notice at collection
For residents of California, at or before the time of collection of your personal information, you have the right to receive notice of our data practices.
For the categories of personal information and categories of sources from which personal information is collected, see the ‘What data do we collect’ section above. For the specific business and commercial purposes for collecting and using personal information, see the ‘What do we use your personal data for’ section above. For the categories of third parties to whom information is disclosed, see the ‘How we might disclose your personal data’ section above. For information on how long we retain information, see the ‘How long do we keep your personal data for’ section above.
Sales and Shares. Some of our disclosures of personal information may be considered a “sale” or “share” as those terms are specifically defined under California law. A “sale” is broadly defined to include a disclosure for something of value, and a “share” is broadly defined to include a disclosure for cross-context behavioral advertising. The categories of personal information that we collect, sell, or share for commercial purposes, and the categories of third parties to whom we sell or share your personal information, are as set out in the ‘How we might disclose your personal data’ section above. We do not knowingly sell or share the personal information of minors under 16 years old who are California residents.
Sensitive Data. Some of the personal information we collect may be considered sensitive personal information under California law. We collect, use, and disclose sensitive personal information only for the permissible business purposes for sensitive personal information under the CPRA or without the purpose of inferring characteristics about consumers. We do not ‘sell’ or ‘share’ (as defined by CPRA) sensitive personal information (except where you have given specific consent for us to share your data for scientific research purposes - this is never for money, but it still may be considered as ‘selling’ under the very specific definition in the CPRA. You can opt-out of this sharing at any time by contacting us). For the categories of sensitive personal information we collect, see the ‘What data do we collect’ section above, which we have further set out below using California-specific terms:
Health information - this includes your test results and answers to our onboarding questionnaire.
Account login details.
Genetic data - the analysis of your stool samples, as part of the testing, includes the extraction and sequencing of DNA found in the samples. In a healthy person, almost all of this will be DNA relating to your microbiome – we use it to identify populations of bacteria in your gut. There may be some fragments of your own DNA included in this mix. These will be sequenced along with all other DNA fragments. We may not be able to identify that some fragments are human DNA; nor do we try to use information about your own DNA.
Ethnicity - you provide us with this when you answer our onboarding questions.
Gender, which could include sexual orientation - you provide us with this when you answer our onboarding questions.
Payment information - you provide our third party payment processor, or Klarna (if you choose one of their payment options), with your payment card details. Our payment processors don’t disclose your card number to us, apart from the last 4 digits.
Precise location - if you use our Photo Logging feature to take photos and log your meals, we may use the geo tag attached to these photos to improve the accuracy of our scoring.
3. Requests
In addition to the rights set out in the Privacy Policy, you have the right to exercise choice over your personal information as follows:
Sales and Shares. You have the right to opt out of the sale or sharing of your personal information with third parties. To exercise this right, see the ‘How can you exercise your rights or otherwise contact us’ section above. Alternatively, if you turn on a recognized opt-out preference signal such as Global Privacy Control in your browser or extension, this will deactivate our Marketing Cookies, which will stop your data being collected by third parties through Cookies for marketing purposes. Please note that when you do this, we do not know who you are within our systems, and your opt-out will apply only to information collected through Cookies on the specific browser from which you opt out. If you delete or reset your Cookies, or use a different browser or device, you will need to reconfigure your settings.
Shine the Light. If you are a customer, you may request (i) a list of the categories of personal information disclosed by us to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of the categories of third parties to whom we disclosed such information.
We Will Not Discriminate Against You for Exercising Your Rights Under the CCPA
We will not discriminate against you for exercising your rights under the CCPA. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under the CCPA. However, we may offer different tiers of our Services as allowed by applicable data privacy laws (including the CCPA) with varying prices, rates or levels of quality of the goods or services you receive related to the value of Personal Data that we receive from you.
Residents of Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Jersey, New Hampshire, Oregon, Texas, Utah, and Virginia
1. Data Practices
Our practices regarding the collection, use, disclosure, and retention of your personal data are set out in the main Privacy Policy.
Some of our disclosures of personal data may be considered a “sale” under applicable law, which is often defined to include a disclosure for something of value. We also may process your personal data for purposes of targeted advertising. We do not process personal data for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.
Some of the personal data we collect may be considered sensitive personal data under applicable law. We collect sensitive personal data with your consent. For the categories of sensitive personal information we collect, see the ‘What data do we collect’ section above, which we have further set out below using US-specific terms:
Health information - this includes your test results and answers to our onboarding questionnaire.
Account login details.
Genetic data - the analysis of your stool samples, as part of the testing, includes the extraction and sequencing of DNA found in the samples. In a healthy person, almost all of this will be DNA relating to your microbiome – we use it to identify populations of bacteria in your gut. There may be some fragments of your own DNA included in this mix. These will be sequenced along with all other DNA fragments. We may not be able to identify that some fragments are human DNA; nor do we try to use information about your own DNA.
Ethnicity - you provide us with this when you answer our onboarding questions.
Gender, which could include sexual orientation.
Payment information - you provide our third party payment processor, or Klarna (if you choose one of their payment options), with your payment card details. Our payment processors don’t disclose your card number to us, apart from the last 4 digits.
Precise location - if you use our Photo Logging feature to take photos and log your meals, we may use the geo tag attached to these photos to improve the accuracy of our scoring.
2. Requests
You have the right to exercise choice over your personal data as follows:
2.1 Verifiable Requests
In addition to the rights set out in the Privacy Policy, you have the right to:
If you are an Oregon resident, receive a list of the specific third parties to which we have disclosed personal data.
If you are a Delaware resident, obtain a list of categories of third parties to which we have disclosed your personal data.
2.2 Sales and Targeted Advertising
You have the right to opt out of us selling your personal data or processing your personal data for purposes of targeted advertising. To exercise this right, see the ‘How can you exercise your rights or otherwise contact us’ section above.
Alternatively, if you turn on a recognized opt-out preference signal such as Global Privacy Control in your browser or extension, this will deactivate our Marketing Cookies, which will stop your data being collected by third parties through Cookies for marketing purposes. Please note that when you do this, we do not know who you are within our systems, and your opt-out will apply only to information collected through Cookies on the specific browser from which you opt out. If you delete or reset your Cookies, or use a different browser or device, you will need to reconfigure your settings.
2.3 Consent
You have the right to revoke consent previously given to us for the processing of your personal data. To revoke consent, write to us at dpo@joinzoe.com. If you withdraw consent, you may not be able to receive certain services related to that consent.
3. Appealing our decisions
You have the right to appeal our decision in response to your request. To appeal, please contact us using the details in the ‘How you can exercise your rights or otherwise contact us’ section and specify what you wish to appeal. We will review and respond to your appeal in accordance with applicable law. If we deny your appeal, you may submit a complaint to your Attorney General as follows:
For Colorado residents: https://coag.gov/file-complaint/
For Connecticut residents: https://www.dir.ct.gov/ag/complaint/
For Delaware residents: https://attorneygeneral.delaware.gov/fraud/cmu/complaint/
For Iowa residents: https://www.iowaattorneygeneral.gov/for-consumers/file-a-consumer-complaint/complaint-form
For Montana residents: https://dojmt.gov/consumer/
For Nebraska residents: https://www.nebraska.gov/apps-ago-complaints/
For New Hampshire residents: https://www.doj.nh.gov/citizens/consumer-protection-antitrust-bureau/consumer-complaints
For New Jersey residents: https://www.njconsumeraffairs.gov/Pages/Consumer-Complaints.aspx
For Oregon residents: https://justice.oregon.gov/consumercomplaints/
For Texas residents: https://oag.my.salesforce-sites.com/CPDOnlineForm
For Utah residents: https://attorneygeneral.utah.gov/contact/complaint-form/
For Virginia residents: https://www.oag.state.va.us/consumercomplaintform
Residents of Nevada
1. What are your legal rights?
If you are a resident of Nevada, you have the right to opt out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting us at dpo@joinzoe.com with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Data as sales are defined in Nevada Revised Statutes Chapter 603A.