Privacy policy

Privacy Policy

Last Updated: 19 February 2026

Effective Date: 19 February 2026


1. Introduction

Vitall Check Ltd ("we", "us", "our", or "Vitall Check") is committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information, including special category personal data (sensitive health information), when you use our services or visit our website at https://vitallcheck.co.uk (the "Website").

Our Services: We provide clinical-grade at-home blood testing kits with laboratory analysis performed by UKAS-accredited partner laboratories. We process your biological samples and provide you with lab-verified results, Insight Reports, and personalised health action plans.

Data Controller: Vitall Check Ltd is the data controller responsible for your personal data. Our address and contact details are provided in Section 14 below.


2. Information We Collect

2.1 Personal Data You Provide

When you purchase our testing kits or use our services, we collect:

  • Identity Data: Full name, date of birth, gender
  • Contact Data: Email address, postal address, telephone number, mobile phone number (where provided, including for SMS notifications and SMS marketing if you opt in)
  • Payment Data: Billing address, payment method details (processed securely by our payment provider)
  • Account Data: Username, password, account preferences
  • Marketing Preferences: Your communication preferences and consent records (including SMS and email consent records where applicable)

2.2 Special Category Data (Health Data)

We collect and process Special Category Data (special category personal data) relating to your health, including:

  • Biological Samples: Blood samples you provide via our testing kits
  • Test Results: Laboratory analysis results from your blood samples
  • Health Information: Information about your health status, symptoms, lifestyle factors, medications, and medical history that you voluntarily provide in questionnaires or communications
  • Biometric Data: Data derived from the analysis of your biological samples

This includes blood test results and other health-related information (together, "Health Data").

Legal Basis for Processing Special Category Data:

Under Article 9(2) of the UK GDPR, we process your Health Data primarily based on:

  • (a) Explicit Consent: where you provide explicit, informed consent for us to process your Health Data (including generating and presenting your results and Insight Report); and

In addition, under Article 6 of the UK GDPR, we process personal data (including the processing required to deliver the service) based on:

  • Performance of a Contract: processing is necessary to perform our contract with you (for example, to arrange analysis of your sample and provide you with your results and the related service features you have purchased).

We only process blood test results and health-related information with your explicit consent and/or where it is necessary to fulfil the service you have requested (Performance of a Contract). You have the right to withdraw your consent at any time by contacting us (see Section 13).

2.3 Technical and Usage Data

When you visit our Website, we automatically collect:

  • Technical Data: IP address, browser type and version, device type, operating system, time zone settings
  • Usage Data: Pages visited, time spent on pages, click data, referring website, search terms
  • Cookie Data: Information collected through cookies and similar tracking technologies (see Section 9)

2.4 Data from Third Parties

We may receive personal data about you from:

  • Partner Laboratories: UKAS-accredited laboratories that analyse your samples and provide test results
  • Payment Processors: Shopify Payments and other payment service providers
  • Analytics Providers: Google Analytics and similar services
  • Delivery Services: Royal Mail and courier companies

3. How We Use Your Information

3.1 Purposes of Processing

We use your personal data for the following purposes:


3.2 Marketing Communications

With your consent, we may send you marketing communications by email and SMS (where you have provided your mobile phone number), including:

  • Newsletters and health tips
  • Information about new tests and services
  • Special offers and promotions
  • Educational content about health and wellness

SMS consent is separate from email consent. Opting in (or out) of one channel does not automatically opt you in (or out) of the other.

You can opt out of email marketing communications at any time by clicking the "unsubscribe" link in any email or contacting us directly. You can opt out of SMS marketing at any time by replying STOP to any message.


4. Data Sharing and Disclosure


SMS Privacy Disclosure

We collect your mobile phone number (where you provide it) to send you SMS/text messages, including:

  • Order and service updates (for example, order confirmations, delivery updates, and important service notifications); and
  • Marketing messages are only sent if you have opted in to receive SMS marketing.

We will not share your mobile information with third parties or affiliates for marketing or promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Opt-out: You can opt out of SMS messages at any time by replying STOP to any message.

Message and data rates may apply, and message frequency varies.

4. Data Sharing and Disclosure

4.1 UKAS-Accredited Partner Laboratories

We share your biological samples and relevant personal data (name, date of birth, test order details) with our UKAS-accredited partner laboratories for the purpose of sample analysis. This includes sharing Health Data with these laboratories for analysis and reporting, where required to deliver the services you have requested.

These laboratories:

  • Operate to NHS-grade standards (ISO 15189 accreditation)
  • Act as data processors under written contracts that comply with UK GDPR
  • Are located in the United Kingdom
  • Are contractually prohibited from using your data for any purpose other than providing laboratory services to us
  • Maintain strict security and confidentiality measures

4.2 Service Providers (Data Processors)

We engage trusted third-party service providers who process personal data on our behalf:

  • E-commerce Platform: Shopify Inc. (website hosting, payment processing, order management)
  • Payment Processors: Shopify Payments, Stripe, PayPal
  • Delivery Services: Royal Mail, DPD, and other courier companies
  • Email Service Providers: For sending transactional and marketing emails
  • Cloud Storage Providers: Secure storage of customer data and test results
  • IT Support and Security Services: System maintenance and cybersecurity

All service providers are carefully selected and required to:

  • Process data only on our instructions
  • Maintain appropriate technical and organisational security measures
  • Comply with UK GDPR requirements
  • Sign Data Processing Agreements with us

4.3 Legal and Regulatory Disclosures

We may disclose your personal data when required by law or to:

  • Comply with legal obligations, court orders, or regulatory requests
  • Protect the rights, property, or safety of Vitall Check, our customers, or the public
  • Detect, prevent, or address fraud, security issues, or technical problems
  • Enforce our Terms and Conditions

4.4 Business Transfers

If Vitall Check is involved in a merger, acquisition, asset sale, or bankruptcy, your personal data may be transferred to the successor entity. We will notify you of any such change and the choices you may have.

4.5 We Do Not Sell Your Data

We never sell, rent, or trade your personal data to third parties for their marketing purposes.


5. International Data Transfers

Some of our service providers (e.g., Shopify, cloud storage providers) may process data outside the United Kingdom. When we transfer your personal data internationally, we ensure appropriate safeguards are in place:

  • Adequacy Decisions: Transfers to countries recognised by the UK Government as providing adequate data protection (e.g., EEA countries under the UK-EEA adequacy agreement)
  • Standard Contractual Clauses (SCCs): UK International Data Transfer Agreement or UK Addendum to EU SCCs
  • Binding Corporate Rules or Certification Schemes: Where applicable

Your health data and biological samples are only processed within the United Kingdom by our UKAS-accredited partner laboratories.


6. Data Security

We implement robust technical and organisational measures to protect your personal data from unauthorised access, loss, misuse, or disclosure:

6.1 Technical Measures

  • Encryption: Data is encrypted in transit (TLS/SSL) and at rest
  • Secure Access Controls: Multi-factor authentication and role-based access
  • Firewall Protection and Intrusion Detection Systems
  • Regular Security Updates and Patch Management
  • Secure Data Centres: ISO 27001-certified cloud infrastructure

6.2 Organisational Measures

  • Staff Training: All employees receive data protection and confidentiality training
  • Confidentiality Agreements: Staff and contractors sign confidentiality agreements
  • Access Restriction: Access to personal data is limited to authorised personnel on a need-to-know basis
  • Data Processing Agreements: All third-party processors sign compliant DPAs
  • Regular Security Audits and Risk Assessments

6.3 Data Security for Lab Results (Health Data)

Because lab results and related Health Data are particularly sensitive, we apply additional controls designed to protect your test results and Insight Report information, including:

  • Encryption: Health Data (including lab results) is encrypted in transit (TLS/SSL) and at rest
  • Secure Portals/Accounts: Results are made available via secure user accounts/portals with authenticated access, and access is restricted to authorised personnel and systems on a need-to-know basis
  • Access Logging and Monitoring: We use appropriate logging and monitoring to help detect unauthorised access to systems containing Health Data

6.4 Sample Security

  • Biological samples are handled in accordance with laboratory safety standards
  • Samples are anonymised where possible during laboratory processing
  • Samples are securely disposed of after analysis in accordance with clinical waste regulations

While we take all reasonable precautions, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security, but we will notify you promptly of any data breach that poses a risk to your rights and freedoms.


7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal obligations.


After the retention period expires, we will securely delete or anonymise your personal data. You may request earlier deletion (subject to legal obligations) by contacting us.


8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

8.1 Right of Access (Subject Access Request)

You can request a copy of the personal data we hold about you, including your test results and Insight Reports.

8.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data in certain circumstances (e.g., data no longer necessary, consent withdrawn).

Important (medical records/test results): We may not be able to delete certain Health Data, such as medical records and blood test results immediately where we are required (or reasonably need) to retain them for a specific period, for example for clinical audit purposes, meeting professional standards, handling complaints, or establishing, exercising, or defending legal claims. Where erasure is not possible, we will securely retain the data and restrict access to it.

8.4 Right to Restrict Processing

You can request that we limit how we use your data in certain situations (e.g., while disputing accuracy).

8.5 Right to Data Portability

You can request a copy of your personal data in a structured, machine-readable format to transfer to another service provider.

8.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

8.7 Right to Withdraw Consent

Where we process your data based on consent (including health data), you can withdraw your consent at any time. This will not affect the lawfulness of processing before withdrawal.

8.8 Right Not to be Subject to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects.

8.9 How to Exercise Your Rights

To exercise any of these rights, please contact us using the details in Section 14. We will respond within one month (extendable by two months for complex requests).

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data appropriately:

ICO Contact:

  • Website: https://ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

9. Cookies and Tracking Technologies

We use cookies and similar technologies (including pixels, tags, SDKs, local storage, and similar identifiers) to enhance your experience on our Website, keep the Website secure, enable core features (like checkout), understand how the Website is used, and (where applicable) deliver more relevant advertising.

9.1 What Are Cookies?

Cookies are small text files placed on your device when you visit a website. Cookies and similar technologies can:

  • remember your preferences;
  • keep you signed in (where applicable);
  • enable shopping cart and checkout functionality;
  • help us understand Website performance and usage; and
  • help measure and improve marketing campaigns.

9.2 Types of Cookies We Use

We use the following categories of cookies:

  • Strictly Necessary / Essential Cookies: Required for the Website to function (e.g., page navigation, secure areas, shopping cart, fraud prevention, checkout, and payment processing). These cookies cannot be switched off in our systems, though you can block them in your browser (which may cause parts of the Website not to work).
  • Analytics / Performance Cookies: Help us understand how visitors use the Website (e.g., page views, navigation paths, errors) so we can improve performance and user experience (for example, using Google Analytics or similar tools).
  • Functional Cookies: Allow the Website to remember choices you make (such as language, region, or other preferences) and provide enhanced features.
  • Marketing / Advertising Cookies: Used to deliver relevant advertisements and measure the effectiveness of our marketing campaigns. These cookies may be set by third-party advertising partners or by us.

9.3 Third-Party Cookies

Some cookies and similar technologies may be set by third parties when you use our Website (for example, analytics providers, payment providers, or advertising partners). These third parties may collect information about your online activities over time and across different websites.

9.4 Shopify and E-Commerce Cookies

Our Website is hosted on Shopify. Shopify and its partners may set cookies to enable core store functionality (such as checkout and fraud prevention) and to provide analytics and advertising features, depending on your settings and the services we enable.

9.5 Your Choices and How to Manage Cookies

You can manage cookies in several ways:

  • Browser settings: Most browsers let you block or delete cookies and configure cookie preferences. Please note that blocking essential cookies may prevent the Website from functioning properly (including the ability to place orders).
  • Cookie banners/preference tools (where available): If we use a cookie consent banner or preference centre, you can use it to manage non-essential cookies (such as analytics and marketing cookies).
  • Opt-outs for analytics/ads: Some third-party providers offer opt-out tools (for example, Google provides a Google Analytics opt-out browser add-on in certain cases).

9.6 Do Not Track

Some browsers offer a “Do Not Track” (DNT) setting. Because there is no common industry standard for how to respond to DNT signals, we do not respond to DNT signals in a uniform way.

9.7 Updates to This Cookies Section

We may update this section from time to time to reflect changes in the cookies we use, our technology, or legal requirements. We encourage you to review it periodically.


10. Children's Privacy

Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from children under 18 without verifiable parental consent. If you believe we have inadvertently collected data from a child, please contact us immediately, and we will delete it.


11. Third-Party Websites

Our Website may contain links to third-party websites (e.g., health information resources, social media). We are not responsible for the privacy practices of these external sites. Please review their privacy policies before providing any personal data.


12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. We will notify you of significant changes by:

  • Posting the updated policy on our Website with a new "Last Updated" date
  • Sending an email notification to registered customers (for material changes)
  • Requesting renewed consent where required by law

We encourage you to review this Privacy Policy periodically. Continued use of our services after changes constitutes acceptance of the updated policy.


13. How We Obtain Your Consent

13.1 Explicit Consent for Health Data

When you purchase a testing kit, you will be asked to provide explicit consent for us to process your health data by:

  1. Reading and acknowledging this Privacy Policy
  2. Checking a clearly labelled consent box during checkout
  3. Confirming your consent when submitting your sample

Your consent covers:

  • Collection and analysis of your biological sample
  • Generation of test results and Insight Reports
  • Storage of your health data
  • Use of anonymised data for service improvement (if separately consented)

13.2 Withdrawal of Consent

You may withdraw your consent at any time by:

  • Emailing us at privacy@vitallcheck.co.uk
  • Logging into your account and updating your privacy preferences
  • Calling our customer service team

Important: Withdrawing consent will not affect test results already generated. However, we will cease further processing of your health data and delete it in accordance with our retention policy (unless we are required to retain it for legal reasons).


14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your data, please contact us:

Data Protection Contact:

Vitall Check Ltd
Email: privacy@vitallcheck.co.uk
Address: Daniels Farm, Wash Road, Essex, SS15 4AZ

We aim to respond to all enquiries within 5 working days.


By using our services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal data as described herein.