Privacy Policy

1. Who We Are

Kids BioCare™ is a trading name of Bio Healthcare Group Ltd, a company registered in England and Wales. We are the data controller responsible for your personal information.

Registered Address: Broadgate Tower, London, United Kingdom
Email: privacy@kidsbiocare.com
Data Protection Officer: dpo@kidsbiocare.com

We are registered with the Information Commissioner's Office (ICO) under the Data Protection Act 2018 and comply with the UK General Data Protection Regulation (UK GDPR).

2. Data We Collect

We collect the following categories of personal data when you use our services:

2.1 Identity and Contact Data

• Full name, date of birth, gender
• Email address, phone number, postal address
• Account login credentials (email and encrypted password)

2.2 Transactional Data

• Purchase history, programme selections, payment records
• Billing information (processed securely via our payment provider — we do not store card details)

2.3 Usage Data

• How you interact with our website and BioHealthcare Hub™ — pages visited, features used, time spent
• Device type, browser, IP address, and approximate location (via IP)

2.4 Communications Data

• Messages sent through our contact form or by email
• Consultation notes and follow-up correspondence
• Marketing preferences and newsletter subscription status

3. Health & Biological Data (Special Category)

The health and biological data we may collect includes:

• Blood biomarker test results (including iron, Vitamin D, thyroid markers, hormones, metabolic markers, and all other tested biomarkers)
• NGS gut microbiome sequencing data — species profiles, diversity scores, functional pathway results
• DNA insights and genetic variant data (where applicable)
• EatIQ™ IgG food sensitivity test results
• Health history information shared during consultation or onboarding
• Pregnancy status, stage, and birth history (where provided)
• Baby and child biological data collected as part of family programmes
• Consultation notes, clinical observations, and action plans from your GI biomedical doctor

We never sell, rent, or commercially exploit your health or biological data. Your genomic and microbiome data is never used for research without your separate, explicit, opt-in consent.

4. How We Use Your Data

We use your personal data for the following purposes:

• Providing our testing services — processing your samples, generating reports, and delivering results through BioHealthcare Hub™
• Clinical consultations — enabling your GI biomedical doctor to review your results and provide personalised guidance
• Account management — creating and maintaining your BioHealthcare Hub™ account, tracking longitudinal results, and managing follow-up testing
• Customer support — responding to your enquiries and resolving any issues with your service
• Service improvement — using anonymised, aggregated data (never individual identifiable data) to improve our testing programmes and clinical protocols
• Legal compliance — maintaining records as required by applicable law, including health data retention obligations
• Marketing communications — sending you relevant updates and offers (only with your consent, and you can withdraw at any time)

We do not use your health or biological data for advertising, profiling for commercial purposes, or any purpose not listed above.

5. Legal Basis for Processing

Under UK GDPR, we rely on the following legal bases:

• Explicit consent (Article 6(1)(a) and Article 9(2)(a)) — for the collection and processing of all health and biological Special Category data, and for marketing communications. You may withdraw consent at any time.
• Contractual necessity (Article 6(1)(b)) — for identity, contact, and transactional data required to provide the services you have purchased.
• Legal obligation (Article 6(1)(c)) — where we are required by law to retain records (for example, health data retention requirements under UK clinical laboratory regulations).
• Legitimate interests (Article 6(1)(f)) — for usage data collected to improve website security and service quality, where this does not override your interests or rights.

6. Sharing Your Data

We share your personal data only in the following limited circumstances:

• ISO 15189-accredited laboratories — your biological samples are processed by accredited partner laboratories under strict data processing agreements. They receive only the minimum data necessary and are prohibited from using your data for any other purpose.
• BioHealthcare Hub™ infrastructure — your results are stored on secure cloud infrastructure operated by Bio Healthcare Networks™ under a data processing agreement.
• GI biomedical doctors — your results are shared with your assigned specialist doctor for the purpose of your consultation. Doctors are bound by professional confidentiality obligations and our data processing agreements.
• Payment processors — transactional data is processed by PCI-DSS compliant payment providers. We never store full card details.
• Legal and regulatory authorities — where required by law, court order, or regulatory obligation.

We never sell your personal data to third parties. We do not share your data with advertisers, data brokers, or any commercial third party for marketing purposes.

7. Data Retention

We retain your data for the following periods:

• Health and biological data (test results, consultation records): 8 years from the date of testing, in accordance with UK clinical record retention guidelines, unless you request deletion earlier and there is no legal obligation to retain.
• Account and identity data: For the duration of your account, plus 2 years after account closure.
• Financial and transactional records: 7 years, as required by HMRC regulations.
• Marketing preferences: Until you withdraw consent or unsubscribe.

When data reaches the end of its retention period, it is securely deleted or anonymised. Anonymised data (from which you cannot be identified) may be retained indefinitely for service improvement and research purposes.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access — you may request a copy of all personal data we hold about you (a Subject Access Request).
• Right to rectification — you may request correction of inaccurate or incomplete data.
• Right to erasure — you may request deletion of your personal data, subject to any legal retention obligations.
• Right to restriction — you may request that we limit the processing of your data in certain circumstances.
• Right to data portability — you may request your data in a structured, machine-readable format.
• Right to object — you may object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent — where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Rights in relation to automated decision-making — we do not make legally significant decisions about you using solely automated means.

To exercise any of these rights, contact our Data Protection Officer at dpo@kidsbiocare.com. We will respond within one calendar month. You also have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.

9. International Data Transfers

Where data is processed outside the UK or European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the ICO
• Adequacy decisions recognising equivalent data protection standards
• Binding Corporate Rules within the Bio Healthcare Networks™ group

Our laboratory partners and cloud infrastructure providers may operate in the USA, EU, and UAE. In each case, we have assessed the transfer and applied the appropriate safeguard mechanism.

10. Security Measures

We implement technical and organisational measures appropriate to the sensitivity of the data we process, including:

• End-to-end encryption of health and biological data in transit (TLS 1.3) and at rest (AES-256)
• Role-based access controls — your health data is accessible only to your assigned clinical team
• ISO 15189-accredited laboratory partners with independently audited security standards
• Regular penetration testing and vulnerability assessment of BioHealthcare Hub™
• Staff training on data protection and confidentiality obligations
• Incident response procedures — in the event of a data breach affecting your rights, we will notify you and the ICO within 72 hours of becoming aware

11. Children's Data

Kids BioCare™ provides biological testing for babies and children as part of its core family service. Where we process data relating to a child under the age of 16, we require explicit consent from a parent or legal guardian.

Child health and biological data is subject to the same or higher level of security and access controls as adult health data. It is never shared with third parties for any commercial purpose.

Our website and BioHealthcare Hub™ are not directed at children. We do not knowingly collect personal data from children under 16 for account registration purposes — all accounts must be created by an adult parent or guardian.

12. Cookies

Our website uses cookies and similar tracking technologies. For full details of the cookies we use, why we use them, and how to manage your preferences, please see our Cookie Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, or applicable law. When we make material changes, we will notify you by email (if you have an account) and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

14. Contact Us & Data Protection Officer