Privacy Policy

Last updated: April 2026

1. Who We Are

InnerMe is a UK-based functional blood testing service. This Privacy Policy explains how we collect, use, store and protect your personal data when you use our website and services. We are committed to handling your information responsibly and in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

We collect the following types of information when you create an account, place an order or use our services:

  • Personal details: name, date of birth, gender, contact information
  • Account credentials: email address and encrypted password
  • Health information: blood test results and biomarker data generated through your tests
  • Payment details: processed securely via Stripe — we do not store card data
  • Usage data: pages visited, device type and browser information collected via cookies

3. How We Use Your Information

We use your information to:

  • Process and fulfil your test orders
  • Deliver your results securely to your dashboard
  • Manage your account and provide customer support
  • Send important transactional emails (order confirmations, results notifications)
  • Comply with legal and regulatory obligations
  • Improve our services and website experience

We do not use your health data for marketing purposes and we do not sell your data to any third parties.

4. Our Laboratory Partner

Your blood samples are analysed by Acculabs, our accredited UK laboratory partner. We share the minimum necessary information (name, date of birth, test request details) with Acculabs for the purpose of processing your sample. Acculabs operates under strict confidentiality obligations and UK GDPR compliance.

5. How Your Results Are Analysed

When your blood test results come back, two separate processes happen.

Your risk scores are calculated by clinical rules — not by language models. A separate analysis system applies thresholds, ranges, and risk-scoring logic that have been defined and signed off by qualified clinicians. The 0–100 risk scores you see, the way contributing markers are weighted, and any safety-critical alerts are all the output of these clinical rules. There is no machine learning, no statistical model, and no language model involved in producing the numbers.

Language models are used only to write the explanations. Once the clinical rules have produced your scores, we use a third-party language model — under a data-processing agreement that prohibits training on the data we send — to generate the plain-language educational text alongside each marker and risk score, and the trend narratives in your progress reports. The model describes results — it does not produce them.

Before any of your information leaves InnerMe's servers, your name, email, address, and date of birth are removed. Only your test measurements, your age, your biological sex, and the analysis context are sent. We keep an internal reference so we can match the analysis back to your account; this reference is meaningless outside InnerMe's systems.

Our analysis system does not log your test results, and the language model provider does not use the data we send to train its models. Your full identity remains within InnerMe at all times.

6. Data Security

We take the security of your personal and health data seriously. We apply industry-standard security measures including encrypted data storage, secure HTTPS connections and role-based access controls. Access to your results is restricted solely to your personal account.

7. Data Retention

We retain your account and test result data for as long as your account remains active. If you close your account, we will retain anonymised data for legitimate business and regulatory purposes and will securely delete your personally identifiable information within 30 days of your request.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access a copy of the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (subject to legal obligations)
  • Object to certain types of data processing
  • Request restriction of processing in certain circumstances
  • Lodge a complaint with the Information Commissioner's Office (ICO)

To exercise any of these rights, contact us at privacy@inner-me.org.

9. How Long We Keep Your Data

InnerMe retains your personal data only for as long as necessary to provide our services and meet our legal obligations under UK GDPR and applicable UK law.

Data Type | Retention Period | Legal Basis
Health and biomarker data | 8 years from last activity | UK GDPR Article 9 + NHS guidelines
Financial and payment records | 7 years | HMRC statutory requirement
Account and profile data | Duration of account + 3 years after closure | UK GDPR legitimate interest
Marketing consent records | 3 years from last interaction | ICO guidance
Children's health data | Until age 25 (or 26 if treatment ended at 17) | NHS standard

Accounts inactive for 8 years will be flagged for review and may be anonymised. You will be notified before any action is taken.

10. Your Right to Erasure

Under UK GDPR Article 17, you have the right to request deletion of your personal data. You can exercise this right directly from your account profile page.

When you request deletion, your account is scheduled for permanent erasure 30 days after your request. During this period you may cancel the request at any time. After 30 days, all personal data — including your name, email, address, date of birth, and contact details — will be permanently deleted.

Certain records may be retained in anonymised form to meet our legal obligations (for example, financial records required by HMRC for 7 years). These records will not be linked to your identity after deletion.

11. Cookies

We use essential cookies to maintain your login session and ensure the website functions correctly. We do not use tracking or advertising cookies. You can control cookie settings through your browser preferences.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice on our website. The latest version will always be available on this page.

13. Contact Us

For any privacy-related questions or requests, please contact us at privacy@inner-me.org.