Privacy Policy

Discover how we manage your personal information while safeguarding your privacy and data security on our platform.

Last update: March 12, 2026.

  • 1. Introduction

    SPN Health Ltd ("SPN Health", "we", "us", "our") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have in relation to it.

    This Privacy Policy applies to all users of our website at spn.health ("Site"), our application at app.spn.health ("App"), and all services we provide, including SPN Stride, Stride+, Performance Consultations, and any future services (collectively, the "Services"). It should be read alongside our Terms and Conditions, available at spn.health/terms-and-conditions.

    SPN Health Ltd is the data controller for your personal data. We are registered in England and Wales with company number 16682238, and our registered address is Bartle House, Oxford Court, Manchester, United Kingdom, M2 3WQ.

    If you have any questions about this Privacy Policy or how we handle your data, please contact us at jack@spn.health. We have not appointed a Data Protection Officer as we do not currently meet the threshold requiring one under UK GDPR. For all data protection queries, please use the contact details above.

  • 2. What Data We Collect

    We collect the following categories of personal data. Providing your personal data is not a statutory requirement. However, certain data is necessary for us to deliver our Services. If you do not provide the information we need (such as identity details, health screening responses, or payment information), we may not be able to provide some or all of our Services to you.

    2.1 Account and Identity Data

    Name, email address, date of birth, sex, and any other information you provide when creating your account or completing your profile in the App.

    2.2 Health Screening Data (Special Category Data)

    Your responses to our onboarding health screening questionnaire, including information about medical conditions, medications, injuries, and your general fitness to participate in maximal effort exercise testing. This data reveals information about your health status and is classified as health data — a special category of personal data under UK GDPR.

    2.3 Physiological Test Data (Special Category Data)

    Data generated from your CPET (VO2 max test), including but not limited to: VO2 max, anaerobic threshold, O2 pulse, VE/VCO2, heart rate data, and other cardiopulmonary and metabolic measurements. This data reveals information about the functional status of your cardiovascular, pulmonary, and muscular systems and is classified as health data — a special category of personal data under UK GDPR. We treat it with additional care and protections as described in this policy.

    2.4 Payment Data

    Payment card details are collected and processed securely by our payment processor, Stripe. We do not store your full card details on our systems. We retain only a transaction reference and basic billing information (such as the last four digits of your card) for record-keeping purposes.

    2.5 Consultation Data (Special Category Data)

    If you purchase a Performance Consultation, we will create internal notes and records summarising the discussion of your results and training guidance. These notes are created by the SPN Health team member who conducts your consultation and are stored within our App. Because they relate to your physiological data and health status, they are classified as special category data under UK GDPR.

    2.6 Technical and Usage Data

    When you use the Site or App, we automatically collect technical data including your IP address, browser type, device type, operating system, pages visited, features used, and interaction data. We collect this through cookies and similar technologies (see Section 8).

    2.7 Communications Data

    Any messages, emails, or communications you send to us, including support requests and feedback.

    2.8 Waitlist Data

    If you join our waitlist, we collect your email address and any other information you provide at the time of registration.

  • 3. Why We Collect It and Our Legal Basis

    Under UK GDPR, we must have a lawful basis for processing your personal data. For special category data (such as your physiological test data), we need both a lawful basis and an additional condition under Article 9. The sections below set out the purposes for which we process your data, the lawful basis, and the additional condition where applicable.

    3.1 To Deliver the Services You Have Purchased

    This includes conducting your test (via our Testing Partner), analysing your CPET data, generating your results and cardiovascular age assessment, delivering your results via the App, and providing Performance Consultations.

    Lawful basis: Contract performance (Article 6(1)(b)) — processing is necessary to fulfil the service you have paid for.

    Special category condition (for physiological test data, health screening data, and consultation data): Explicit consent (Article 9(2)(a)) — obtained during the onboarding process before your test.

    3.2 To Process Your Payment

    Lawful basis: Contract performance (Article 6(1)(b)).

    3.3 To Communicate With You About Your Account and Services

    This includes sending you your results, service updates, booking confirmations, and responding to your enquiries.

    Lawful basis: Contract performance (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)) — it is in both our interests that you receive timely information about the services you have purchased.

    3.4 To Send You Marketing Communications

    We may send you emails about SPN Health services, offers, and content. You can unsubscribe at any time using the unsubscribe link in any marketing email.

    Lawful basis: Consent (Article 6(1)(a)) where you have opted in, or legitimate interests (Article 6(1)(f)) where you are an existing customer and we are marketing similar services (in accordance with the Privacy and Electronic Communications Regulations 2003, "soft opt-in").

    3.5 To Improve Our Services and Develop Our Products

    We use anonymised and aggregated data derived from the use of our Services to improve our platform and conduct internal research. This data cannot be used to identify you personally.

    Lawful basis: Where data is truly anonymised, it falls outside the scope of UK GDPR. Where data is pseudonymised (but still linkable), we rely on legitimate interests (Article 6(1)(f)).

    3.6 To Analyse Site and App Usage

    We use analytics tools to understand how people use our Site and App, so we can improve the user experience.

    Lawful basis: Consent (Article 6(1)(a)) for non-essential analytics cookies, and legitimate interests (Article 6(1)(f)) for aggregated, non-identifying usage analysis.

    3.7 To Comply With Legal Obligations

    We may need to process your data to comply with legal or regulatory requirements, such as tax, accounting, or data protection law.

    Lawful basis: Legal obligation (Article 6(1)(c)).

  • 4. Who We Share Your Data With

    We do not sell your personal data. We share it only where necessary to deliver our Services or where required by law. We have data processing agreements in place with all third-party providers who process personal data on our behalf, in accordance with Article 28 UK GDPR. The categories of recipients are:

    4.1 My Vital Metrics Ltd (Testing Partner)

    Your CPET is conducted by our Testing Partner. When you book and attend a test, My Vital Metrics will collect your physiological test data at their facility and share it with us for analysis. This means that SPN Health receives your CPET data (as described in Section 2.3) from My Vital Metrics as a third-party source, rather than collecting it from you directly. My Vital Metrics operates under their own privacy policy, which you should review when booking your appointment.

    4.2 Stripe (Payment Processor)

    Stripe processes your payment card data on our behalf. Stripe is PCI-DSS compliant and does not share your payment details with us beyond the minimum required for transaction records. Stripe's privacy policy is available at stripe.com/privacy.

    4.3 Google Cloud (Hosting and Infrastructure)

    Your data is stored on Google Cloud servers located in the UK/EU region. Google Cloud acts as a data processor on our behalf and is subject to appropriate contractual safeguards.

    4.4 PostHog (Analytics)

    We use PostHog for product analytics to understand how users interact with our App and Site. PostHog may process technical and usage data including device information, pages visited, and feature interactions.

    4.5 Kit (Email Marketing)

    If you subscribe to our mailing list, waitlist, or marketing communications, your email address and name will be processed by Kit (formerly ConvertKit) to manage and deliver those communications. You can unsubscribe at any time.

    4.6 Professional Advisors and Legal Compliance

    We may share your data with professional advisors (such as lawyers or accountants) where necessary, or with law enforcement or regulators where required by law.

  • 5. International Transfers

    We aim to keep your personal data within the UK and European Economic Area (EEA). Where we use service providers based outside the UK/EEA (or whose infrastructure may process data outside the UK/EEA), we ensure that appropriate safeguards are in place, such as:

    (a) The country has been deemed to provide an adequate level of data protection by the UK Government; or

    (b) We have entered into the UK International Data Transfer Agreement or the EU Standard Contractual Clauses with the provider.

    If you would like more information about the specific safeguards in place for any international transfer, please contact us.

  • 6. How Long We Keep Your Data

    We keep your personal data only for as long as necessary for the purposes for which it was collected. The retention periods are:

    Account and identity data: For the duration of your account, plus 6 years after account closure (to comply with limitation periods under UK law).

    Physiological test data (CPET results): For the duration of your account, plus 6 years after account closure. If you request deletion of your account, we will delete or anonymise your test data within 30 days, unless we are required to retain it for legal reasons.

    Payment data: Transaction records are retained for 6 years to comply with HMRC requirements.

    Health screening data: For the duration of your account, plus 6 years after account closure.

    Consultation notes: For the duration of your account, plus 6 years after account closure.

    Marketing and waitlist data: Until you unsubscribe or request deletion.

    Technical and usage data: Retained in identifiable form for up to 24 months, after which it is anonymised or deleted.

    Anonymised and aggregated data: Retained indefinitely as it is no longer personal data.

  • 7. How We Protect Your Data

    We take the security of your personal data seriously. Our measures include:

    (a) Encryption of data in transit using TLS/SSL and at rest using industry-standard encryption;

    (b) Access controls to limit who within SPN Health can access your personal data to those who need it to deliver the Services;

    (c) Use of PCI-DSS compliant payment processing (Stripe) so that we never store your full card details;

    (d) Data stored on Google Cloud infrastructure in the UK/EU region with enterprise-grade security;

    (e) Regular review of our security practices.

    No method of transmission or storage is 100% secure. While we take commercially reasonable steps to protect your data, we cannot guarantee absolute security. If a data breach occurs that poses a high risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and, where required, notify you without undue delay.

  • 8. Cookies

    Our Site and App use cookies and similar technologies. Cookies are small files stored on your device that help us provide and improve our Services.

    8.1 Essential Cookies

    These are necessary for the Site and App to function and cannot be switched off. They include cookies for authentication, security, and basic functionality.

    8.2 Analytics Cookies

    We use analytics cookies (including through PostHog) to understand how visitors use our Site and App. These help us measure traffic, identify popular features, and improve the user experience. These cookies are set only with your consent.

    8.3 Marketing Cookies

    We use marketing cookies to deliver relevant advertising and measure the effectiveness of our marketing campaigns. These cookies are set only with your consent.

    8.4 Managing Cookies

    When you first visit our Site, you will be presented with a cookie banner that allows you to accept or reject non-essential cookies. You can change your cookie preferences at any time through your browser settings or by revisiting our cookie preferences on the Site.

  • 9. Your Rights

    Under UK GDPR, you have the following rights in relation to your personal data:

    Right of access: You can request a copy of the personal data we hold about you.

    Right to rectification: You can ask us to correct any inaccurate or incomplete data.

    Right to erasure: You can ask us to delete your personal data where there is no good reason for us to continue processing it. This is not an absolute right — we may need to retain some data for legal or contractual reasons.

    Right to restrict processing: You can ask us to suspend processing of your data in certain circumstances, such as if you contest its accuracy.

    Right to data portability: You can request your data in a structured, commonly used, machine-readable format and ask us to transfer it to another provider where technically feasible.

    Right to object: You can object to processing based on legitimate interests. We must stop unless we can demonstrate overriding legitimate grounds. You can object to direct marketing at any time and we will stop immediately.

    Right to withdraw consent: Where we rely on your consent to process data (including your explicit consent for health screening, physiological test, and consultation data), you can withdraw that consent at any time. This will not affect the lawfulness of processing carried out before withdrawal. If you withdraw consent for the processing of your health data, we will stop actively processing it and delete or anonymise it within 30 days, unless we have a separate legal obligation to retain it (such as for the defence of legal claims within the applicable limitation period). Because our core service depends on processing your health data, withdrawing consent means we will no longer be able to provide the Services to you and you will be entitled to a refund for any Services paid for but not yet delivered.

    To exercise any of these rights, please contact us at jack@spn.health. We will respond within one calendar month of receiving your request, as required by UK GDPR. In complex cases or where we receive a large number of requests, we may extend this by a further two months and will inform you if so.

  • 10. Children

    Our Services are not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that data and close the associated account.

    If you are a parent or guardian and believe your child has provided us with personal data, please contact us at jack@spn.health.

  • 11. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify you of material changes by email to the address associated with your account. Your continued use of our Services after such changes constitutes acceptance of the updated policy. You can always find the current version at spn.health/privacy-policy.

  • 12. Complaints

    If you are unhappy with how we have handled your personal data, please contact us at jack@spn.health and we will do our best to resolve the issue.

    You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

    ICO website: ico.org.uk

    ICO helpline: 0303 123 1113

    ICO address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

  • 13. Contact Us

    If you have any questions about this Privacy Policy, please contact us at:

    SPN Health Ltd, Bartle House, Oxford Court, Manchester, United Kingdom, M2 3WQ

    jack@spn.health