General Data Protection Regulation (GDPR)
Last Updated: 24 Feb. 2026
At Lola Health Ltd, the privacy and security of your data is our top priority. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to our processing of personal data, including special category health data. We are committed to full compliance with these regulations.
| Section | Details |
|---|---|
| Data Controller | Lola Health Ltd, a company registered in England and Wales (Company No. 15961806), with its registered office at 167-169 Great Portland Street, 5th Floor, London, W1W 5PF. VAT Registration: 480080705. |
| ICO Registration | Organisation: Lola Health Ltd; Reference: ZB752885 |
| Data Protection Contact | For all data protection queries, rights requests, and complaints, contact our data protection team at mydata@lolahealth.com. Company Directors: Alexandru Bodea and Michael Vuong. |
| Special Category Data | As a health testing company, we process special category personal data (health data) under Article 9 of the UK GDPR. This includes blood test results, health questionnaire responses, wearable health data, and doctor review notes. We process this data on the basis of your explicit consent (Article 9(2)(a)) and where necessary for preventive or occupational medicine (Article 9(2)(h)). |
| Lawful Basis of Processing | Under Article 6 of the UK GDPR: • Consent — You consent to data processing when you create an account, purchase a test, and agree to our Terms & Conditions. • Contract — Processing is necessary to fulfil our contract with you (delivering blood test results, providing the Lola app service). • Legitimate Interest — We process data for service improvement, fraud prevention, and security purposes where our interests do not override your rights. • Legal Obligation — We retain certain data to comply with HMRC, clinical record-keeping, and other regulatory requirements. For full details, see our Privacy Policy. |
| Your Rights | Under the UK GDPR, you have the right to: • Access your personal data (Subject Access Request) • Rectify inaccurate personal data • Erase your personal data ("right to be forgotten") • Restrict processing of your personal data • Data portability — receive your data in a structured, machine-readable format • Object to processing based on legitimate interests or direct marketing • Withdraw consent at any time without affecting the lawfulness of prior processing. To exercise any of these rights, email mydata@lolahealth.com or visit our DSAR page. We will respond within 30 days. |
| Withdrawal of Consent | You can withdraw consent at any time via the Lola mobile app (data deletion request) or by emailing mydata@lolahealth.com. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. |
| Data Retention | • Blood test results and doctor reviews: 8 years (clinical records guidance) • Customer account data: Duration of account + 3 years • Order and payment records: 7 years (HMRC requirements) • Health questionnaires: 8 years • Marketing consent logs: Duration of consent + 1 year • Wearable data: Duration of account (deleted on request) • Website analytics: Up to 26 months. For the full retention schedule, see our Privacy Policy. |
| Cookie Policy | Cookie Policy |
| Data Deletion | You can request deletion of your data via the Lola mobile app or by contacting mydata@lolahealth.com. Website visitor data deletion can be requested at the same email address. Please note that some data may be retained where we have a legal obligation to do so (e.g., clinical records, tax records). |
| Data Access / Portability | Customers can access and download their data through the Lola mobile app. For a formal Subject Access Request or data portability request, email mydata@lolahealth.com or visit our DSAR page. |
| Data Protection and Security | Lola Health operates a secure, hybrid database architecture: a single-tenant database supports the Lola mobile app and customer test results, while Shopify hosts website-related order and customer data. Blood samples are processed by UKAS-accredited (ISO 15189) partner laboratories. We employ industry best practices including encryption at rest and in transit, access controls, and regular security assessments. |
| Data Sharing with Partner Clinics | When a customer uses a referral code from a Lola partner clinic, they agree that their results will be shared with the clinic for review. Lola doctors will not review the results in this case. This data-sharing is based on contract and consent, as outlined in our Terms & Conditions and Privacy Policy. |
| Data Breach Notification | In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay, in accordance with Articles 33 and 34 of the UK GDPR. |
| Complaints | If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: 0303 123 1113. Website: ico.org.uk/make-a-complaint. We encourage you to contact us first at mydata@lolahealth.com so we can try to resolve your concern. |