Privacy Policy
Last updated: April 2026
1. Who We Are
InnerMe is a UK-based functional blood testing service. This Privacy Policy explains how we collect, use, store and protect your personal data when you use our website and services. We are committed to handling your information responsibly and in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Information We Collect
We collect the following types of information when you create an account, place an order or use our services:
- Personal details: name, date of birth, gender, contact information
- Account credentials: email address and encrypted password
- Health information: blood test results and biomarker data generated through your tests
- Payment details: processed securely via Stripe — we do not store card data
- Usage data: pages visited, device type and browser information collected via cookies
3. How We Use Your Information
We use your information to:
- Process and fulfil your test orders
- Deliver your results securely to your dashboard
- Manage your account and provide customer support
- Send important transactional emails (order confirmations, results notifications)
- Comply with legal and regulatory obligations
- Improve our services and website experience
We do not use your health data for marketing purposes and we do not sell your data to any third parties.
4. Our Laboratory Partner
Your blood samples are analysed by Acculabs, our accredited UK laboratory partner. We share the minimum necessary information (name, date of birth, test request details) with Acculabs for the purpose of processing your sample. Acculabs operates under strict confidentiality obligations and UK GDPR compliance.
5. How Your Results Are Analysed
When your blood test results come back, two separate processes happen.
Your risk scores are calculated by clinical rules — not by language models. A separate analysis system applies thresholds, ranges, and risk-scoring logic that have been defined and signed off by qualified clinicians. The 0–100 risk scores you see, the way contributing markers are weighted, and any safety-critical alerts are all the output of these clinical rules. There is no machine learning, no statistical model, and no language model involved in producing the numbers.
Language models are used only to write the explanations. Once the clinical rules have produced your scores, we use a third-party language model — under a data-processing agreement that prohibits training on the data we send — to generate the plain-language educational text alongside each marker and risk score, and the trend narratives in your progress reports. The model describes results — it does not produce them.
Before any of your information leaves InnerMe's servers, your name, email, address, and date of birth are removed. Only your test measurements, your age, your biological sex, and the analysis context are sent. We keep an internal reference so we can match the analysis back to your account; this reference is meaningless outside InnerMe's systems.
Our analysis system does not log your test results, and the language model provider does not use the data we send to train its models. Your full identity remains within InnerMe at all times.
6. Data Security
We take the security of your personal and health data seriously. We apply industry-standard security measures including encrypted data storage, secure HTTPS connections and role-based access controls. Access to your results is restricted solely to your personal account.
7. Data Retention
We retain your account and test result data for as long as your account remains active. If you close your account, we will retain anonymised data for legitimate business and regulatory purposes and will securely delete your personally identifiable information within 30 days of your request.
8. Your Rights
Under UK GDPR, you have the right to:
- Access a copy of the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal obligations)
- Object to certain types of data processing
- Request restriction of processing in certain circumstances
- Lodge a complaint with the Information Commissioner's Office (ICO)
To exercise any of these rights, contact us at privacy@inner-me.org.
9. How Long We Keep Your Data
InnerMe retains your personal data only for as long as necessary to provide our services and meet our legal obligations under UK GDPR and applicable UK law.
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Health and biomarker data | 8 years from last activity | UK GDPR Article 9 + NHS guidelines |
| Financial and payment records | 7 years | HMRC statutory requirement |
| Account and profile data | Duration of account + 3 years after closure | UK GDPR legitimate interest |
| Marketing consent records | 3 years from last interaction | ICO guidance |
| Children's health data | Until age 25 (or 26 if treatment ended at 17) | NHS standard |
Accounts inactive for 8 years will be flagged for review and may be anonymised. You will be notified before any action is taken.
10. Your Right to Erasure
Under UK GDPR Article 17, you have the right to request deletion of your personal data. You can exercise this right directly from your account profile page.
When you request deletion, your account is scheduled for permanent erasure 30 days after your request. During this period you may cancel the request at any time. After 30 days, all personal data — including your name, email, address, date of birth, and contact details — will be permanently deleted.
Certain records may be retained in anonymised form to meet our legal obligations (for example, financial records required by HMRC for 7 years). These records will not be linked to your identity after deletion.
11. Cookies and Analytics
Strictly necessary cookies. We use a small number of strictly necessary cookies to keep the website working — for example, to maintain your session when you are signed in, to remember whether you have provided cookie consent, and to protect against security threats. The website cannot operate without these. Under the Privacy and Electronic Communications Regulations (PECR), strictly necessary cookies do not require your consent.
Analytics cookies. On our public marketing pages we use Google Analytics 4 to understand how visitors find and use our website. This helps us improve the site. Analytics cookies are only set if you grant consent through the cookie banner that appears on your first visit. If you reject analytics cookies, none are set and no identifying data is sent to Google.
What Google Analytics collects. When enabled, Google Analytics collects pages visited and time spent on each, the website that referred you (if any), your approximate location based on your IP address (which is anonymised before storage), and the type of device and browser you are using. It does not collect your name, email, or any directly identifying information, and it does not collect any health, biomarker, or test result data.
Where analytics does and does not run. Google Analytics is loaded only on our public marketing pages. It is not loaded on your customer dashboard, your results pages, your account area, or any administrative pages. When you are signed in and viewing your own health information, no analytics data flows to Google.
Your choices. On your first visit a consent banner appears. You can choose Accept all, Reject all, or Manage preferences for granular control. Your choice is remembered for 12 months in line with UK Information Commissioner's Office guidance, after which the banner will reappear. To change your decision at any time before then, clear your browser's site data for InnerMe and the banner will reappear on your next visit.
Lawful basis. For analytics cookies, our lawful basis is your consent under Article 6(1)(a) UK GDPR and Regulation 6 PECR. For strictly necessary cookies, our lawful basis is our legitimate interest in operating the website (Article 6(1)(f) UK GDPR).
International transfers. Google Analytics processes data on servers operated by Google LLC, which may include servers outside the UK. Google has implemented Standard Contractual Clauses and the UK International Data Transfer Addendum as safeguards for transfers of personal data outside the UK and EEA. You can review Google's privacy practices at policies.google.com/privacy.
Questions. If you have any questions about our use of cookies, please contact our Data Protection Officer at privacy@inner-me.org.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice on our website. The latest version will always be available at this page.
13. Contact Us
For any privacy-related questions or requests, please contact us at privacy@inner-me.org.