Privacy Policy
Last updated: 3 April 2026
1. Who We Are
LifeLab Core is operated by LifeLab Ltd ("LifeLab", "we", "us", or "our"), a company registered in England and Wales. When we refer to "LifeLab Core", "we", "us", or "our" in this policy, we mean LifeLab Ltd as the data controller. Our contact details are available on our Contact page.
We are committed to protecting your personal data and processing it in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all other applicable data protection legislation.
2. What Data We Collect
We collect and process the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Identity data | Name, username, account ID | You, via Manus OAuth |
| Contact data | Email address, phone number | You, directly |
| Delivery data | Postal address for supplement delivery | You, during onboarding |
| Health preference data | Chosen supplement category (Energy, Sleep, Immunity) | You, during onboarding |
| Transaction data | Order history, Stripe payment reference IDs | Generated by platform use |
| Employment data | Employer name, employee status, onboarding progress | Your employer, via invite |
| Technical data | IP address, browser type, session cookies | Automatically collected |
| Usage data | Pages visited, features used, time on platform | Automatically collected |
We do not collect or store full payment card details. All payment processing is handled by Stripe, Inc., which is PCI-DSS Level 1 certified. We store only Stripe-issued reference identifiers (customer ID, subscription ID, payment intent ID) to link transactions to your account.
3. Legal Basis for Processing
We process your personal data on the following lawful bases under UK GDPR:
Contract performance (Article 6(1)(b))
To create and manage your account, process orders, deliver supplements, manage subscriptions, and provide the LifeLab Core platform.
Legitimate interests (Article 6(1)(f))
To improve our platform, detect fraud and abuse, send transactional notifications (order confirmations, shipping updates), and provide customer support. We have assessed that these interests are not overridden by your rights.
Legal obligation (Article 6(1)(c))
To comply with financial record-keeping requirements, respond to lawful requests from regulatory authorities, and meet our obligations under UK tax law.
Consent (Article 6(1)(a))
To set non-essential analytics cookies and send marketing communications, where you have provided explicit consent. You may withdraw consent at any time.
4. Data Sharing
We share your personal data only with the following categories of third parties, all bound by appropriate data processing agreements:
- Stripe, Inc. — payment processing and subscription management (US, with Standard Contractual Clauses)
- Resend, Inc. — transactional email delivery (US, with Standard Contractual Clauses)
- Manus — authentication and platform infrastructure
- Your employer — if you joined via a corporate invite, your employer can see your name, email, onboarding status, and chosen supplement category
- Delivery partners — your name and postal address are shared with our fulfilment and courier partners solely to deliver your order
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
5. Data Retention
We retain your personal data for as long as your account is active and for a period of 7 years thereafter, in accordance with UK financial record-keeping requirements. Health preference data (your chosen supplement category) is deleted within 30 days of account closure. You may request earlier deletion subject to the conditions in Section 7 below.
6. Cookies
We use the following categories of cookies:
- Strictly necessary cookies — session authentication cookies required for the platform to function. These cannot be disabled.
- Analytics cookies — anonymous usage data to understand how the platform is used and improve it. Only set with your consent.
- Payment cookies — set by Stripe during the checkout process. Only active during a payment session.
You can manage your cookie preferences at any time using the cookie consent banner displayed on this site.
7. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — to receive a copy of the personal data we hold about you
- Right to rectification — to correct inaccurate or incomplete data
- Right to erasure — to request deletion of your data ("right to be forgotten"), subject to legal retention obligations
- Right to restriction — to restrict processing of your data in certain circumstances
- Right to data portability — to receive your data in a structured, machine-readable format
- Right to object — to object to processing based on legitimate interests
- Right to withdraw consent — to withdraw consent at any time where processing is consent-based
To exercise any of these rights, please contact us via our Contact page. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted data transmission (TLS), hashed authentication tokens, role-based access controls, and regular security reviews. No internet transmission is completely secure, and we cannot guarantee absolute security.
9. International Transfers
Some of our third-party service providers (Stripe, Resend) are based in the United States. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Information Commissioner's Office.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. The date at the top of this page reflects the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
11. Contact Us
For any questions about this Privacy Policy, to exercise your data rights, or to report a data protection concern, please contact our Data Protection Officer via our Contact page or email [email protected].