Last Updated: January 2026 | Version: 1.0
1. Introduction
Theorem Metabolic Limited ("we", "us", "our") is committed to protecting your privacy and handling
your personal data responsibly. This Privacy Policy explains how we collect, use, store, and share
your personal information when you use our phlebotomy and blood testing services.
We are registered in England and Wales and operate in compliance with the UK General Data Protection
Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
Theorem Metabolic Limited is the data controller responsible for your personal data.
3. Information We Collect
3.1 Personal Identification Data
- Full name
- Date of birth
- Home address
- Email address
- Telephone number
3.2 Special Category (Health) Data
- Blood test results and biomarker data
- Medical history relevant to testing
- Current medications
- GP details (where provided)
- Fasting status for relevant tests
3.3 Technical Data
- IP address and browser type
- Device information
- Website usage data via cookies
4. How We Use Your Data
We process your personal data for the following purposes:
- Service Delivery: To perform phlebotomy services, process blood samples, and
deliver test results
- Communication: To contact you about appointments, results, and service updates
- Legal Compliance: To meet our regulatory and legal obligations
- Quality Assurance: To improve our services and maintain clinical standards
- Billing: To process payments and maintain financial records
5. Legal Basis for Processing
We process your data under the following legal bases:
- Consent: For health data processing and marketing communications
- Contract: To fulfil our service agreement with you
- Legal Obligation: To comply with healthcare regulations and tax laws
- Legitimate Interest: For service improvement and fraud prevention
6. Data Sharing
6.1 Laboratory Partners
We share your samples and necessary identification data with UKAS-accredited laboratories for
analysis. These laboratories are bound by strict confidentiality agreements and data protection
obligations.
6.2 Healthcare Professionals
With your explicit consent, we may share results with your GP or other healthcare providers.
6.3 We Do NOT
- Sell your personal data to third parties
- Share data with marketing companies
- Transfer data outside the UK/EEA without appropriate safeguards
7. Data Retention
We retain your data for the following periods:
- Health Records: 8 years from the date of service (in line with NHS guidelines)
- Consent Forms: 8 years from the date of consent
- Financial Records: 7 years (HMRC requirements)
- Marketing Data: Until consent is withdrawn
- Website Analytics: 26 months
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encrypted data transmission (TLS)
- Secure, access-controlled storage systems
- Staff confidentiality training
- Regular security assessments
- Physical security at our premises
9. Your Rights
Under UK GDPR, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Restriction: Limit how we process your data
- Portability: Receive your data in a structured format
- Objection: Object to certain processing activities
- Withdraw Consent: Withdraw consent at any time
To exercise these rights, contact us at info@theorem.fit. We will respond within one month, the
statutory period under UK GDPR.
10. Cookies
Our website uses cookies to improve your experience. We use:
- Essential Cookies: Required for website functionality
- Analytics Cookies: Help us understand how visitors use our site
You can manage cookie preferences through your browser settings.
11. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the
Information Commissioner's Office (ICO).
12. Changes to This Policy
We may update this Privacy Policy periodically. Any significant changes will be communicated via
email or website notice. The "Last Updated" date at the top indicates when this policy was last
revised.