We take your privacy seriously. Please read this policy to learn how we treat your personal data.
Effective: 17th January 2022Archived versions
Table of Contents
- What personal data we collect
- How we share your Personal Data
- Tracking tools, advertising and your rights to opt-out
- Data security and retention
- Personal data of children
- Your rights as a European Union Data Subject
- California resident rights
- Other state law privacy rights
- How to contact us
What personal data we collect
Categories of Personal Data we collect
This list details the categories of Personal Data that we collect and have collected over the past 12 months as well as data we subsequently process:
This is information about you that we use to manage your account, for example your name, address, email address and telephone number. We use this data to:
Manage your account.
Decide whether particular state laws apply, for example to allow us to decide whether we need to involve a physician in collecting certain samples.
Enable testing (such as blood tests) where some personal information is required for the service to be provided with physician oversight.
To input relevant information into our analysis, for example your geographical location.
We need this information in order to deliver the service to you which means that you will not be able to sign up to an account without providing it.
We use your email address, telephone number, first name, last name, birth date, zip code, and country to improve our use of Facebook advertising, see the “Facebook” section below.
We may also use your email address, in order to send you emails for the following purposes:
Providing you with information about our products or services.
Keeping in touch with you about the app and its performance as well as about new versions of the app or similar apps we may develop.
Sending you updates on our latest developments and scientific discoveries.
Inviting you to register for webinars we host in relation to our research.
How long we keep this data for
We delete this information when your ZOE account is closed. If your subscription ends, your account will remain active (and have access to your previous results) until closed. Please see our terms of service for more information about this.
The laboratories who conduct testing (such as blood tests) will hold information for longer depending on state and federal laws and data used to assess eligibility may be kept for at least 3 years.
Where you have opted in to participate in Research you may be asked to use devices for measuring physiological data (such as blood sugar monitors). The manufacturer and/or distributor of such devices use data management systems and software to transfer data from the devices (sensor and/or reader) to Zoe. This may require us to set up an account on your behalf with these manufacturers and/or distributors to facilitate the transfer of data. Where possible we will use an anonymous code to replace your personal details (name, email, phone number, full address) when sharing information with such manufacturers and/or distributors so that your physiological data on their systems is de-identified/anonymised. These manufacturers/distributors will hold this information until your account is deleted.
Self-reported Health Information
This is information such as height, weight, what you eat, and pre-existing health conditions. We use this data to:
Determine your eligibility for our services or scientific research studies.
Facilitate testing of Samples (see below) by third party laboratories we partner with.
Input relevant information into our analysis, for example what you eat.
Allow us to carry out general scientific research
The laboratories who conduct testing (such as blood tests) will hold information for longer depending on the locally applicable laws but in general data used to assess eligibility is usually kept for at least 3 years.
These are biological samples, such as blood samples, that you have sent to third party labs for testing. We do not receive the samples ourselves, only the Test Results (see below). The laboratories are under contract to us and are required by those contracts not to share information about you with any third party except subcontractors who are essential to the carrying out of their work and who are also bound to confidentiality in the same way.
The laboratories will keep samples for different lengths of time depending on state and federal law. How long a sample is kept may depend on factors such as whether a test is successful or not. If you want further information about this, please contact the individual laboratories.
These are the results we receive back from the laboratories that have analyzed your Samples, or - if applicable - from devices that measure your physiological data (such as a blood sugar sensor), possibly via intermediate data management systems managed by the manufacturer/distributors of the devices, and which facilitate the transfer of the data from the devices to ZOE. An example of a Test Result is the concentration of glucose in your blood.
We keep this data for as long as you have an account with ZOE, but we will delete it if you specifically request it. The laboratories will keep Test Results for different lengths of time depending on state and federal law, and could be kept on file for up to 11 years. Some laboratories only receive anonymised/de-identified samples, others require some personal details to conduct the tests. Device manufacturers/distributors hold anonymised/de-identified Test Result data in their data management systems which are used to transfer the data from the sensors to ZOE.
Device & Browser Data
We process this data in order to:
Locate errors in our systems or problems our systems may be facing with other systems (such as compatibility with a web browser)
Improve the functioning of our Service
Prevent fraud or other criminal activity
This information is automatically sent to us – although there are technical ways you can prevent us from receiving this information (for example by changing the information your browser supplies to us) – the way in which browser and app software works means it is inevitable that we process it.
We routinely delete our web server logs after 90 days, unless we are aware of any serious problem that requires investigation (for example fraud or a hostile attack to our systems), in which case we may preserve any information necessary for that investigation for as long as it is needed. Once the investigation is concluded, we will delete the data.
We may also include information linked to you in any URL (web link) that we share with you. We use this to enable us to present personalised information to you when you visit our website.
For example, if you fill in an initial health quiz and have the results of that quiz emailed to you. The email contains a link that allows you to create an account. That link will contain additional information that will allow us to associate the answer to the health quiz, with your account. If we do it this way, it will save you having to enter the information again.
When we make use of Facebook tools — see the Facebook section below - your browser may make a web connection to Facebook which will include information sent automatically by your browser.
This is information that is necessary in order for payments to be processed by our third party payment processor. For example the amount of the payment, payment card type, payment card number, and your billing address.
For your security our payment processor only shares the last 4 digits of your payment card number with us.
We retain this data as long as necessary to comply with our legal obligations under tax and corporate law. As soon as we no longer need the information, we delete it.
Where you directly correspond with us (such as sending us an email, online chat message, or call us) we will process information about you concerned with that correspondence, including your email and our responses. We keep that information for as long as necessary to deal with the correspondence – for example if you have made a complaint, as long as needed to deal with the complaint – and then for a further 6 years, in case we need it to defend or establish a legal claim.
Scientific Research Studies
Our purposes for using Personal Data
We have explained specific reasons for processing categories of personal data above. Our core purpose is research into diet, into health and into the link between the two. For those purposes we process your self-reported health information, samples (processed on our behalf by third parties), Test Results and some customer information.
We may process any of the information you provide us for the purposes of providing support and assistance in using the Service.
We may also process your personal information if we are legally required to do so in circumstances where this cannot be reasonably resisted.
We will not collect additional categories of Personal Data or use the Personal Data we collected for different purposes without providing you notice.
How we share your Personal Data
We do not share Personal Data with anyone else, other than with:
Our group (ZOE Global Ltd, based in the UK, and ZOE Inc, based in the United States).
Others carrying out research into diet and/or health including academic research organizations (such as universities) and pharmaceutical companies, for example to assist in the development of new medications. When we do this an anonymous code will always be used to replace your personal details (name, email, phone number, and full address).
Laboratories engaged by ZOE to carry out tests. These laboratories may use physicians to sign off on authorization on behalf of customers to conduct tests in certain jurisdictions that restrict the sale of direct-to-consumer lab tests without physician authorization. ZOE will share any information that is necessary to obtain an authorization (including self-reported health information and other Test Results) with these laboratories and their physicians.
Contractors providing us services we use for processing Personal Data, which include:
Hosting, technology and communication providers.
Security and fraud prevention consultants.
Support and customer service vendors.
Our professional advisors, such as if we need to consult an attorney for legal advice. In all cases these will be advisors under a professional duty of confidence.
All of your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices.
Data that is not Personal Data
We may convert Personal Data into anonymous data, that is data which can no longer be linked with identifiable individuals, for example by aggregation of data about multiple individuals. We may create aggregated, de-identified or anonymized data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user.
For example, we use your self-reported health information, Test Results and some of your Customer information to improve our models of the interaction of diet and health. The models we create have no individual information about you, being the aggregation of data from many individuals.
We may use such anonymous data and share it with third parties for our lawful business purposes, including to analyze, build and improve the Service and promote our business, provided that the data remains anonymous. We do not delete anonymous data on any particular timetable. You may assume that we could keep it indefinitely.
Tracking tools, advertising and your rights to opt-out
We advertise our services in a number of places. One of those is Facebook. In order to make sure that our adverts reach the most appropriate people, we use two of Facebook’s “Business Tools”: Facebook Pixel and Conversions API.
For Facebook Pixel, we include a small script on our web page, which causes your browser to send a message to Facebook whenever it is loaded. Facebook will receive:
Information automatically transmitted by your browser (such as IP address and the version of browser you are using)
Your ZOE customer ID (which will be meaningless to Facebook) and a “Facebook browser ID” which is a number intended to be unique to your browser stored in a cookie called “_fbp”.
A “hashed” version of your email address, telephone number, first name, last name, birth date, zip code, and country. Facebook will not be able to convert these back into your original data, but if you have told Facebook these pieces of information, Facebook will recognise you.
We also include scripts in the webpage that will cause your browser to send a message to Facebook when a page is viewed and if you make a purchase. In both cases, Facebook will receive the same information as for Facebook Pixel (see above) and for the purchase it will know that you have made a purchase and for how much.
Conversions API works in almost the same way except that we send the information directly to Facebook, rather than the information being sent by your browser.
For the purposes of the GDPR, we and Facebook Ireland, are joint controllers of at least some of this information. Facebook makes use of some of this information for its own purposes. For further information on how Facebook Ireland processes personal data, including the legal basis Facebook Ireland relies on and the ways to exercise Data Subject rights against Facebook Ireland, can be found in Facebook Ireland's Data Policy at https://www.facebook.com/about/privacy.
Our legal agreement with Facebook governing this processing may be found at https://m.facebook.com/legal/technology_terms. Since the processing is covered by the GDPR, it incorporates a document Facebook calls the “Controller Addendum”, which may be found at https://www.facebook.com/legal/controller_addendum.
Since we are joint controllers (both Facebook and we determine the purposes and means of the processing of your data) we are required by the GDPR to agree on which of us is responsible for particular obligations under the GDPR. The Controller Addendum does that. In particular:
It requires us to give you some of the information in this section.
We and Facebook Ireland have agreed that Facebook Ireland is responsible for enabling Data Subjects' rights under Articles 15-20 of the GDPR with regard to the personal data stored by Facebook Ireland after we have stopped processing it jointly with them.
Facebook gives you some control over the way it targets advertising (see: https://www.facebook.com/help/568137493302217 for instructions) and there are a number of organisations that allow you to opt out of advertising more generally, for example: http://www.aboutads.info/choices and http://www.youronlinechoices.eu/.
See under section 7 below for more information about your rights. If any of the above is unclear, we would be happy to answer questions about it.
Our purpose in using your data in this way is to make sure we do not wastefully advertise to people who are unlikely to be interested in our products. Our legal basis for doing so is our legitimate interest in promoting our services.
You can subscribe to our mailing lists to get the latest updates on our scientific discoveries or information about our products without creating a ZOE account and we will use the data you provide us with for these purposes.
We process this data because you have consented to us doing so.
If you do not wish to receive emails from us regarding this information, then you can opt out by clicking “unsubscribe from this list” at the bottom of our email.
If you unsubscribe from our mailing lists, we will need to keep just enough information on file to make sure we respect your preferences in the future.
If you are a ZOE customer, we may email you to invite you to answer some questions regarding our products or services or share feedback with you from customer surveys, interviews or focus groups.
Data security and retention
We seek to protect your Personal Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism; limiting access to your computer or device and browser; and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely secure.
The periods for which we retain individual categories of Personal Data are explained under the heading “Categories of Personal Data we collect”, but in some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation.
Personal data of children
As noted in our Terms of Service, we do not knowingly collect or solicit Personal Data about children under 18 years of age (or under 19 years of age if they live in Alabama or Nebraska). If you are a child under the age of 18, please do not attempt to register for or otherwise use the Service or send us any Personal Data.
If we learn we have collected Personal Data from a child under 18 years of age, we will delete that information as quickly as possible. If you believe that a child under 18 years of age may have provided Personal Data to us, please contact us at firstname.lastname@example.org.
Your rights as a European Union Data Subject
Our headquarters, at ZOE Ltd, are in the United Kingdom. As a result, you are protected by the United Kingdom’s General Data Protection Regulation ("GDPR"), regardless of your citizenship or where you live in the world. You may have additional rights under the GDPR with respect to your Personal Data, as outlined below.
For this section, we use the terms “Personal Data” and “processing” as they are defined in the GDPR, but “Personal Data” generally means information about a person, and “processing” generally covers actions that can be performed in connection with data such as collection, use, storage, amendment, deletion and disclosure. ZOE will be the controller of your Personal Data processed in connection with the Service.
Personal Data We Collect
The “Categories of Personal Data We Collect” section above details the Personal Data that we collect from you.
Personal Data Use and Processing Grounds
The “Our Purposes for Using Personal Data” section above explains the purposes for which we process your Personal Data.
We will only process your Personal Data if we have a lawful basis under the GDPR for doing so. Lawful bases for processing include:
Consent: Except for the specific situations explained below, we process your customer information, self-reported health information; samples and Test Results by consent. You may withdraw your consent at any time and we will stop processing your Personal Data in this way.
Contractual Necessity: In order to be able to perform our contract, we need to collect customer information we have marked as required and all payment information.
Compliance with a legal obligation: As explained above, we will sometimes have to process personal data in order to comply with a legal obligation imposed on us. Where those obligations are imposed by UK law, that law will provide us with a lawful ground for processing.
Legitimate Interest: We process the following categories of Personal Data when we believe it is in our legitimate interest to do so and we do not believe that your rights of freedoms will be unduly interfered with by our processing:
Device data is justified by our legitimate interest in maintaining a reliable and secure system, free from errors and external security threats.
Where we are required to process personal data due to a legal obligation in the United States of America, we believe that justifies our processing your data. We believe your rights and freedoms are protected by a combination of US law and the contract between our UK parent company and our US subsidiary.
All information about your health, which we would normally be forbidden from processing by the GDPR, is processed by us because you have consented to us doing so.
Sharing Personal Data
The “How We Share Your Personal Data” section above details how we share your Personal Data with third parties.
Data Subject Rights
You have certain rights with respect to your Personal Data, including those set forth below. For more information about these rights please see the UK Information Commissioner’s guide to data subject rights. To submit a request to exercise any of these rights, or to ask for more information, please email us at email@example.com or www.joinzoe.com/dpo.
Some of the rights below apply only in specific circumstances. In other situations, we may not be able to fully comply with your request, for example if it would be impossible or would involve a disproportionate effort; or if it jeopardizes the rights of others; but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request.
Access: You can request more information about the Personal Data we hold about you and request a copy of such Personal Data.
Rectification: If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data.
Erasure: In some situations you may have a right to request that we erase some or all of your Personal Data from our systems.
Withdrawal of Consent: If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Service.
Portability: You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.
Objection: You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes, such as for direct marketing purposes.
Restriction of Processing: You can ask us to restrict further processing of your Personal Data.
Right to File Complaint: You have the right to lodge a complaint about ZOE’s practices with the UK’s Information Commissioner.
Our Data Protection Officer is contactable at firstname.lastname@example.org.
International Transfers of Personal Data
In providing the Service, we will transfer Personal Data between the USA and the UK and vice versa. Because the protection of Personal Data is very different in the USA from the UK, the GDPR requires us to put in place safeguards which will ensure that your GDPR rights continue to be respected in the USA.
Our current starting point is that ZOE Ltd and ZOE Inc sign “standard contractual clauses”, approved by the European Commission, which requires ZOE Inc to comply with high standards of data protection and which gives data subjects rights to sue ZOE Inc for a failure to do so. We will also take any other steps we believe to be necessary to ensure that your Personal Data is protected.
In carrying out research, we will transfer Personal Data between our US and UK branches. As we have explained, we may also share Personal Data with commercial and non-commercial organizations carrying out research into diet and/or health. Such organizations could be based in any part of the world and so, we may transfer your data to any country where we consider that the safeguards we put in place are sufficient to give you proper protection.
The safeguard we use will usually involve ZOE Ltd signing “standard contractual clauses” with the third party, in the same way as data transfers to ZOE Inc are protected (see above) and, for each transfer, carrying out an assessment of the destination country’s legal system and consider whether, for that transfer, additional protection is needed. Sometimes the other country will be one, such as Argentina, which the UK has officially accepted as having adequate protection for Personal Data, so no special safeguard will be needed.
If, in the future, there are alternative means of giving you equivalent protection to the GDPR when we transfer data outside the UK, for example of statutory codes of practice are approved for our use, then we may use those methods instead of any described above, but in all cases we will satisfy ourselves that your Personal Data will be protected.
California resident rights
If you are a California resident, you have the rights set forth in this section. Please see the “Exercising your rights” section below for instructions regarding how to exercise these rights. Please note that we may process Personal Data of our customers’ end users or employees in connection with our provision of certain services to our customers. If we are processing your Personal Data as a service provider, you should contact the entity that collected your Personal Data in the first instance to address your rights with respect to such data.
You have the right to request certain information about our collection and use of your Personal Data over the past 12 months. In response, we will provide you with the following information:
The categories of Personal Data that we have collected about you.
The sources from which that Personal Data was collected.
The business or commercial purpose for collecting or selling your Personal Data.
The categories of third parties with whom we have shared your Personal Data.
The specific pieces of Personal Data that we have collected about you.
If we have disclosed your Personal Data to any third parties for a business purpose over the past 12 months, we will identify the categories of Personal Data shared with each category of third party recipient. If we have sold your Personal Data over the past 12 months, we will identify the categories of Personal Data sold to each category of third party recipient.
You have the right to request that we delete the Personal Data that we have collected about you. Under the California Consumer Privacy Act (CCPA), this right is subject to certain exceptions: for example, we may need to retain your Personal Data to provide you with the Service or complete a transaction or other action you have requested. If your deletion request is subject to one of these exceptions, we may deny your deletion request.
Exercising your rights
To exercise the rights described above, you or your Authorized Agent (defined below) must send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Data (we will use our existing authentication practices (your username and password) as the mechanism for verifying your identity, or if such information is unavailable then we will use alternative validation data to verify your identity to a reasonable degree of certainty), and (2) describes your request in sufficient detail to allow us to understand, evaluate and respond to it. Each request that meets both of these criteria will be considered a “Valid Request.” We may not respond to requests that do not meet these criteria. We will only use Personal Data provided in a Valid Request to verify your identity and complete your request. You do not need an account to submit a Valid Request.
We will work to respond to your Valid Request within 45 days of receipt. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.
You may submit a Valid Request using the following methods:
You may also authorize an agent (an “Authorized Agent”) to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf.
Personal Data sales opt-out and opt-In
We will not sell your Personal Data, and have not done so over the last 12 months.
We will not discriminate against you for exercising your rights under the CCPA. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under the CCPA. However, we may offer different tiers of our Service as allowed by applicable data privacy laws (including the CCPA) with varying prices, rates or levels of quality of the goods or services you receive related to the value of Personal Data that we receive from you.
Other state law privacy rights
California resident rights
Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to contact us to prevent disclosure of Personal Data to third parties for such third parties’ direct marketing purposes; in order to submit such a request, please contact us at:
Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications and services that you do not wish such operators to track certain of your online activities over time and across different websites. Our Service does not support Do Not Track requests at this time. To find out more about “Do Not Track,” you can visit www.allaboutdnt.com.
Nevada resident rights
If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting us at email@example.com or www.joinzoe.com/dpo with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Data as sales are defined in Nevada Revised Statutes Chapter 603A.
How to contact us:
You may use the following information to contact our Data Protection Officer and our European Union-Based Member Representative: