Lifestack Ltd ("Lifestack", "we", "us", "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your personal data when you use the Lifestack social health application ("App") or the Lifestack.health website ("Website"). This Policy applies in conjunction with our General Terms and Conditions and Verified User Terms and Conditions (if applicable), which are incorporated herein by reference.
By using our App or Website, you acknowledge that you have read and understood this Privacy Policy.
1. Introduction
This Privacy Policy is written in accordance with:
•The UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).
•The Data Protection Act 2018.
•The Privacy and Electronic Communications Regulations (PECR).
•Applicable US state privacy laws, including but not limited to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and similar laws in other states as of 2025.
2. Contact Information
Lifestack Ltd, 78 York Street, London, England, W1H 1DP
Email: privacy@lifestack.health
You may also contact us to exercise your data protection rights, to ask questions about this Privacy Policy, or to identify your jurisdiction for applicable rights (e.g. if you are an EU or US resident).
3. Personal Data We Collect
We collect and process the following categories of data:
•Identity & Contact Data: Name, email address, and any contact details you provide.
•Health & Wellness Data (Special Category Data): Health routines, preferred supplements, exercise information (speed, weights), supplement intake (dosage, timing), and related wellness-tracking data.
•Content Data: Posts, articles, comments, reviews, personal logs, or other user-generated content (including any shared via Verified User features, such as affiliate promotions).
•Technical Data: IP address, browser type, operating system, device identifiers.
•Communications Data: Preferences for marketing, responses to communications, opt-in/opt-out records.
•Marketing and Cookies Data: Information from cookies, trackers, or similar technologies, subject to your consent where required (see Section 4).
4. How We Use Your Personal Data
We process your data only where permitted by law. We use your personal data for the following purposes:
•To create, maintain, and manage your user account.
•To provide and optimise App and Website functionality.
•To personalise recommendations (e.g., articles, wellness routines, supplement stacks), including through automated processing where we have obtained your consent (which you agree to) or it is necessary for our services (with safeguards against solely automated decisions producing legal effects).
•To provide customer support and respond to user enquiries.
•To send optional personalised communications to users who have shown interest (with a clear opt-out).
•To develop, test, and improve the App and Website, including analytics and research.
•To ensure platform safety, integrity, and security in line with our content moderation obligations under the Online Safety Act 2023 and equivalent laws.
•To comply with our legal, regulatory, and contractual obligations.
•For Verified Users: to facilitate affiliate sales, revenue sharing, and related services as described in the Verified User Terms.
5. Legal Basis for Processing (UK GDPR)
We rely on the following lawful bases:
•Consent: Required for processing special category data (e.g. health data). Users must provide explicit consent.
•Contractual Necessity: To deliver the services you request as part of your user agreement.
•Legitimate Interests: For improving platform functionality, preventing fraud, and ensuring security - only where your rights do not override our interests.
•Legal Obligation: To comply with UK and EU regulatory requirements.
For US residents under applicable state laws: We process data with your consent for sensitive information (e.g. health data) and provide opt-out rights as detailed in Section 9.
6. Data Sharing
We do not sell your personal data (including under the broad definitions in US state laws, such as CCPA).
We may share your personal data with:
•Cloud service providers (e.g., AWS): For secure hosting and data storage.
•External software consultants: Some may operate outside the UK and access data under strict contractual protections.
•Payment processors or affiliate partners (for Verified Users), bound by similar protections.
All third parties are bound by:
•Data Processing Agreements (DPAs).
•UK GDPR-compliant SCCs and Addendums or equivalent for EU/US transfers.
•Confidentiality and security obligations.
We may also share anonymized or aggregated data for research or analytics, which is not personal data.
7. International Data Transfers
Where data is transferred outside the UK or EU, we ensure:
•Use of UK International Data Transfer Addendums (IDTA).
•EU Standard Contractual Clauses (SCCs).
•Additional technical and organisational safeguards, including for transfers to the US (e.g. via certified providers or binding corporate rules where applicable).
These measures ensure your personal data remains protected regardless of location.
8. Data Retention
We retain your personal data for a maximum of 6 years, unless a shorter period is appropriate or required by law (e.g., for aggregated/anonymized data used in research, which may be retained longer but stripped of identifiers).
You may request deletion at any time. The App provides a built-in account deletion tool that removes all associated data, in line with the termination provisions in our General Terms.
In the event that information you post is interacted with by other users, it may not be possible for us to erase all of the information you have posted, but we will comply with applicable local laws and regulations regarding the removal of personally identifiable information.
9. Your Rights Under UK GDPR, EU GDPR and Applicable US State Laws
You have the following rights:
•Right of Access – Request a copy of your data.
•Right to Rectification – Correct inaccurate or incomplete data.
•Right to Erasure – Request deletion of your data.
•Right to Restrict Processing – Limit how we use your data.
•Right to Object – Object to certain processing activities.
•Right to Data Portability – Transfer your data to another provider.
•Right to Withdraw Consent – Withdraw your consent at any time.
For EU residents: These align with EU GDPR Articles 15-22.
For US residents (under laws like CCPA/CPRA): In addition, you have the right to know the categories and sources of data collected, to opt out of any "sale" or sharing for targeted advertising (though we do not sell data), to limit the use of sensitive data, and not to be discriminated against for exercising your rights. Requests are verified and responded to within 45 days (extendable). We do not use data for financial incentives.
You may exercise these rights by contacting us at privacy@lifestack.health.
10. Children's Data
Lifestack is not intended for individuals under 18. We do not knowingly process data belonging to children. If such data is identified, it is deleted immediately.
For US users, we comply with the Children's Online Privacy Protection Act (COPPA) and do not collect data from those under 13 without verifiable parental consent (which we do not seek, as the platform is adults-only).
11. Data Security
We implement state-of-the-art security measures including:
•Encryption in transit and at rest
•Access controls and authentication systems
•Regular vulnerability testing and audits
•Secure development practices (DevSecOps)
We continuously evaluate and improve our security posture, conducting Data Protection Impact Assessments (DPIAs) for high-risk processing like health data.
12. Data Breach Notification
If a breach occurs that risks your rights or freedoms, we will notify you and the ICO (or equivalent EU supervisory authority) in accordance with legal requirements. Users are contacted by email within 72 hours where required.
13. Complaints
If you are unhappy with how we handle your data, please contact us first.
You also have the right to complain to the Information Commissioner's Office (ICO):
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
For EU residents: You have the right to complain to your local supervisory authority (e.g., via edpb.europa.eu).
For US residents: You have the right to complain to your state Attorney General or relevant enforcer (e.g., California AG for CCPA).
14. Updates to This Privacy Policy
We may update this Privacy Policy from time to time. Any updates will be published on this page with a revised effective date and notified to you via email or in-app where changes materially affect your rights.