Legal

Privacy Policy

Effective date: 29 May 2025

Terms of Service Cookie Policy

Joint Controllers: 29 Performance and NSK Pharma Limited (Company No. 15233641) are joint controllers for health and diagnostic data.

For meal prep and general enquiries, the sole controller is 29 Performance.
Contact: 29performance@gmail.com

40. Introduction & Who We Are

40.1 29 Performance ("we", "us", "our") is committed to protecting and respecting your privacy. This policy explains how we collect, use, and share personal data when you use our website, purchase our products or services, or interact with us.

40.2 For health and diagnostic services (phlebotomy, blood testing, CGM, health assessments), 29 Performance and NSK Pharma Limited (Company No. 15233641) act as joint data controllers. For all other purposes (meal prep orders, marketing, general contact), 29 Performance is the sole controller.

40.3 Our website is www.29performance.co.uk. Our primary contact email is 29performance@gmail.com.

40.4 This policy applies to personal data we hold about customers, website visitors, and anyone who contacts us. It should be read together with our Terms of Service and Cookie Policy.

41. What Personal Data We Collect

Identity & Contact

Name, email address, phone number, delivery address, date of birth (where required for age-restricted services).

Order & Transaction Data

Details of products and services purchased, order history, delivery preferences, and payment confirmation (we do not store full payment card details — these are handled by our payment processor).

Health & Diagnostic Data

Where you book a blood test, health assessment, or use a CGM device: your blood test results, health metrics (grip strength, blood pressure, SpO₂, CGM readings), and any other health-related data collected during your appointment.

Technical & Usage Data

IP address, browser type and version, device type, pages visited, time and duration of visits, and referring URLs — collected via cookies and similar technologies (see our Cookie Policy).

Marketing & Communications

Your preferences for receiving marketing from us and records of communications.

Research & Performance Data (optional)

Where you separately consent: pseudonymised or anonymised data used for research, product development or AI model improvement. This is never a condition of using our services.

42. How & Why We Use Your Data

We process your personal data on the following lawful bases:

  • Contract performance — to fulfil your orders, deliver meals, manage your account, and provide the services you have booked.
  • Legal obligation — to comply with food safety, allergen labelling, healthcare regulation, tax, and accounting obligations.
  • Legitimate interests — to operate and improve our website and services, prevent fraud, respond to enquiries, and carry out general business administration, where our interests are not overridden by your rights.
  • Consent — for optional marketing communications and for any research or AI-development use of health data. You may withdraw consent at any time.
  • Vital interests / substantial public interest — in exceptional circumstances, to protect your health or safety, or to comply with public health obligations.

43. Who We Share Your Data With

We share your data only where necessary:

  • London Medical Laboratory (LML) — your name, date of birth and contact details, together with your sample, to enable laboratory analysis and reporting.
  • Payment processors (Wix Checkout / Square) — to process your payments securely.
  • Delivery partners — your name and delivery address, to arrange delivery of your order.
  • IT and platform providers — providers who host our website, order portal, or systems (subject to strict data processing agreements).
  • CGM manufacturers (Dexcom / Abbott) — minimum necessary data to enable CGM device setup and data transmission, where applicable.
  • Regulatory and legal authorities — where required by law, court order or regulatory obligation.

We do not sell your personal data. We do not share your data with third parties for their own marketing purposes.

44. Health Data

44.1 Health data (including blood test results and other diagnostic measurements) is special category data under UK GDPR. We collect and process it only where you have given explicit consent and/or where it is necessary for the provision of health services.

44.2 Health data is held separately from general customer data and subject to stricter access controls.

44.3 We will not use your health data for any secondary purpose (such as research or AI model development) unless you have given a separate, freely-given, explicit consent via our standalone Data Use Consent Form. Refusing this consent has no effect on the services you receive.

44.4 The data controller for health data is NSK Pharma Limited (jointly with 29 Performance).

45. Data Retention

We keep your personal data only for as long as necessary for the purposes for which it was collected, taking into account legal, regulatory and operational requirements.

  • Order and transaction records — 7 years from the date of transaction (UK accounting and tax law).
  • Identifiable health & diagnostic data — 7 years from the date of the appointment or last service interaction, or longer where required by healthcare regulations.
  • Pseudonymised health data — reviewed annually; retained while there is a legitimate operational or research purpose under a valid consent.
  • Anonymised data — may be retained indefinitely as it no longer constitutes personal data.
  • Marketing data — until you withdraw consent or opt out.
  • Website usage data — as set out in our Cookie Policy.

When data is no longer required, it is securely deleted or anonymised.

46. Your Rights

Under UK GDPR, you have the following rights (subject to certain exemptions):

  • Access — to request a copy of the personal data we hold about you.
  • Rectification — to ask us to correct inaccurate or incomplete data.
  • Erasure — to ask us to delete your data where we no longer have a lawful basis to hold it.
  • Restriction — to ask us to limit how we use your data while a dispute is resolved.
  • Portability — to receive data you have provided to us in a structured, machine-readable format.
  • Object — to object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — to withdraw any consent you have given at any time, without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at 29performance@gmail.com. We will respond within one calendar month. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

47. Security, Transfers & Changes to This Policy

Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or alteration. These include access controls, encryption in transit, and regular review of our security practices.

International Transfers

We aim to keep personal data within the UK and European Economic Area. Where data is transferred to countries outside the UK without an adequacy decision, we ensure appropriate safeguards are in place (such as UK Standard Contractual Clauses).

Third-Party Links

Our website may contain links to third-party websites. We are not responsible for their privacy practices and encourage you to read their own privacy policies.

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via our website or by email where appropriate. The effective date at the top of this page will always reflect the latest version.