Last updated: April 2026 • Version 2.0 • Applies to: 🇬🇧 UK • 🇺🇸 USA • 🇦🇪 UAE
This Privacy Policy applies to Mind Bio Hacking™, a trading division of Bio Healthcare Group. We operate in the United Kingdom, the United States of America, and the United Arab Emirates. We are committed to protecting your privacy in accordance with all applicable data protection laws in each jurisdiction in which we operate.
1. Who We Are
Mind Bio Hacking™ is a trading name of Bio Healthcare Group ("we", "us", "our"). We provide a human performance programme combining biological testing, continuous wearable monitoring, and personalised coaching services to clients in the United Kingdom, United States, and United Arab Emirates.
Data Controller / Business: Bio Healthcare Group
Privacy enquiries: privacy@mindbiohack.com
General contact: info@mindbiohack.com
2. Jurisdictions & Applicable Law
We operate across three regions and are committed to compliance with the applicable data protection legislation in each:
🇬🇧 United Kingdom
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
🇺🇸 United States
- California Consumer Privacy Act (CCPA / CPRA)
- Health Insurance Portability and Accountability Act (HIPAA) where applicable
- Applicable state privacy laws
🇦🇪 United Arab Emirates
- Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL)
- Dubai International Financial Centre (DIFC) Data Protection Law where applicable
Where laws in your jurisdiction provide greater rights or protections than those described in this policy, those additional rights apply to you. If you are uncertain which laws apply to you, please contact privacy@mindbiohack.com.
3. Data We Collect
Personal Information
- Full name, email address, telephone number, date of birth, and country of residence
- Billing and payment information (processed via secure third-party payment processors — we do not store card details)
- Communication records between you and your BioHealthcare Coach™
- Programme preferences, goals, and lifestyle context shared during onboarding and coaching
Health and Biological Data (Special Category / Sensitive Data)
Biological and health data is treated as the highest category of protected personal data across all jurisdictions in which we operate. This includes:
- Blood biomarker results — hormones, metabolism, inflammation, and all panel outputs
- Gut microbiome sequencing results
- DNA profile and genetic data
- Body composition data — muscle, fat, bone density, hydration
- Continuous BioBodyTrack™ data — HRV, sleep architecture, SpO₂, stress scoring, temperature, and all sensor outputs
- Menstrual cycle data (For Her programme participants)
- Mental health context shared within the coaching relationship
Technical and Usage Data
- IP address, browser type, and device information
- Pages visited, time on site, and navigation patterns (anonymised analytics)
- Cookie data — see our Cookie Policy
4. How We Use Your Data
- To deliver and manage your programme — testing, monitoring, coaching, and strategy development
- To enable your BioHealthcare Coach™ to review your biological data and provide personalised guidance
- To process payments and manage your programme account
- To communicate with you about your programme, results, and appointments
- To improve our services through anonymised, aggregated analysis
- To comply with legal obligations in each jurisdiction
- To send programme-relevant updates where you have provided consent
We do not sell your data. We do not use your biological data for commercial profiling. We do not share your data with advertisers.
5. Lawful Basis for Processing
🇬🇧 United Kingdom (UK GDPR)
- Contract performance — processing necessary to deliver your programme
- Explicit consent — required for all Special Category health and biological data
- Legitimate interests — for security, fraud prevention, and service improvement
- Legal obligation — where required by law
🇺🇸 United States (CCPA / State Laws)
- We process your personal information for business purposes as defined under the CCPA
- California residents have specific rights — see Section 9 (Your Rights)
- We do not sell personal information as defined under the CCPA
- For health information that may be subject to HIPAA, appropriate safeguards are applied
🇦🇪 United Arab Emirates (PDPL)
- Processing is conducted on the basis of contractual necessity and explicit consent for sensitive personal data
- We maintain a Personal Data Record as required under the UAE PDPL
- Sensitive personal data (including health and biometric data) is processed only with your explicit consent
6. Data Sharing
- Clinical laboratory partners — for processing biological samples (under data processing agreements)
- BioBodyTrack™ platform — for wearable data processing and storage
- Payment processors — for secure payment handling (PCI DSS compliant)
- IT and cloud infrastructure providers — for secure, compliant data storage
- Specialist referral partners — only with your explicit prior consent
We never sell, rent, or trade your personal or biological data to third parties.
7. International Data Transfers
As we operate across the UK, USA, and UAE, your data may be transferred between these jurisdictions in the course of delivering your programme. All such transfers are conducted with appropriate safeguards:
- UK to USA: Standard Contractual Clauses (SCCs) or equivalent approved transfer mechanisms
- UK to UAE: Appropriate safeguards as required under UK GDPR for transfers to countries not deemed adequate
- USA to UAE and vice versa: Contractual data protection obligations with all receiving parties
We do not transfer biological or health data to countries that do not offer equivalent protections without your explicit consent and appropriate legal safeguards in place.
8. Data Retention
- Programme data: Duration of programme plus 7 years (UK/UAE) or as required by applicable US state law
- Biological and health data: Duration plus 7 years unless earlier deletion is requested
- Payment records: 7 years in accordance with financial regulations across all jurisdictions
- Marketing consent records: Until withdrawal of consent plus 3 years
- Website analytics: Anonymised, retained up to 26 months
9. Your Rights
🇬🇧 UK (UK GDPR) Rights
- Access, rectification, erasure, restriction, portability, and objection
- Withdraw consent at any time for consent-based processing
- Lodge a complaint with the Information Commissioner's Office: ico.org.uk
🇺🇸 US (CCPA / State Law) Rights
- Right to know — what personal information we collect and how we use it
- Right to delete — request deletion of your personal information
- Right to opt out — of any sale of personal information (we do not sell personal information)
- Right to non-discrimination — for exercising your CCPA rights
- Right to correct — inaccurate personal information (CPRA)
- California residents may submit requests to: privacy@mindbiohack.com
🇦🇪 UAE (PDPL) Rights
- Right to access your personal data and obtain a copy
- Right to correct inaccurate or incomplete personal data
- Right to request destruction of personal data in certain circumstances
- Right to withdraw consent for sensitive personal data processing
- Right to lodge a complaint with the UAE Data Office
To exercise any of these rights in any jurisdiction, contact us at privacy@mindbiohack.com. We respond within 30 days (UK/UAE) or 45 days (USA) as required by applicable law.
10. Security
We implement appropriate technical and organisational measures to protect your personal and biological data — including encryption at rest and in transit, strict access controls, and regular security assessments. Our service providers are contractually required to maintain equivalent standards.
In the event of a data breach, we will notify affected individuals and the relevant regulatory authority in each jurisdiction within the required timeframes: 72 hours (UK ICO), without undue delay (UAE Data Office), and as required by applicable US state law.
11. Cookies
Please see our full Cookie Policy for details of the cookies we use and how to manage your preferences.