Partner Data Sharing Agreement
Last Updated: 23 June 2026
Status and acceptance. This Data Sharing Agreement ("Agreement") forms part of, and is incorporated into, the Lola Health Partner Terms and Conditions. By registering for, or continuing to use, the Lola Health Partner Portal, the Partner agrees to this Agreement. Where the Partner has signed a separate executed copy of this Agreement with Lola Health, that signed copy prevails in the event of conflict.
Parties
(1) Lola Health Ltd, company no. 15961806, registered office 167-169 Great Portland Street, 5th Floor, London W1W 5PF ("Lola Health"); and
(2) the Partner — the organisation or individual that has registered for, or uses, the Lola Health Partner Portal,
each a "Party" and together the "Parties".
Background
(A) Lola Health provides at-home diagnostic testing and related services.
(B) The Partner has a relationship with certain individuals ("Patients") to whom it provides clinical care or non-clinical wellness services, as applicable to the Partner's tier.
(C) Where a Patient gives explicit consent, Lola Health shares that Patient's results with the Partner.
(D) Each Party processes the Shared Data as an independent controller. This Agreement sets out their respective responsibilities.
1. Definitions
"Data Protection Laws": the UK GDPR, the Data Protection Act 2018, and all applicable data protection legislation.
"Shared Data": the personal data (including special category health data) disclosed by Lola Health to the Partner under this Agreement, as described in Schedule 1.
"Permitted Purpose": as described in Schedule 1.
The terms "controller", "processor", "personal data", "special category data", "processing", "personal data breach", and "data subject" have the meanings in the UK GDPR.
2. Status of the Parties
2.1 Each Party is an independent controller in respect of its own processing of the Shared Data; neither is a processor for the other.
2.2 The Parties are not joint controllers; each independently determines the purposes and means of its own processing.
2.3 Each Party is individually responsible for its own compliance with Data Protection Laws.
3. Lawful basis and transparency
3.1 Lola Health is responsible for ensuring it has an Article 6 basis, an Article 9 condition, and has satisfied the common law duty of confidentiality, for disclosing the Shared Data to the Partner. It does so on the basis of the Patient's explicit consent.
3.2 The Partner is responsible for establishing its own Article 6 basis and Article 9 condition for its processing of the Shared Data for the Permitted Purpose, and for providing its own privacy information to Patients.
3.3 Each Party shall maintain a record of processing activities for its processing of the Shared Data.
4. Partner warranties and undertakings
The Partner warrants and undertakes that it:
(a) (clinical partners) is and remains registered with the Care Quality Commission for any regulated activity it carries on, and that its personnel hold and maintain applicable professional registration and indemnity insurance;
(b) (non-clinical partners) is not a regulated healthcare provider, will not represent itself as one, and will not provide medical diagnosis or treatment on the basis of the Shared Data;
(c) is authorised to enter into this Agreement and to process the Shared Data;
(d) maintains a privacy notice covering its processing of the Shared Data;
(e) will process the Shared Data only for the Permitted Purpose for which the Patient consented, and for no other purpose.
5. Security
5.1 Each Party shall implement technical and organisational measures appropriate to the risk of processing special category data, protecting the Shared Data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access.
5.2 Each Party shall ensure personnel authorised to process the Shared Data are bound by confidentiality.
6. Personal data breach
6.1 Each Party shall notify the other without undue delay, and in any event within 24 hours, of becoming aware of a personal data breach affecting the Shared Data, with sufficient detail for the other to meet its obligations.
6.2 The Parties shall cooperate to investigate, mitigate, and where required notify the ICO and affected Patients.
7. Data subject rights
7.1 Each Party is responsible for responding to Patient rights requests in respect of its own processing.
7.2 The Parties shall provide each other reasonable assistance in responding to such requests.
8. Sub-processing and onward sharing
8.1 The Partner may engage processors provided it imposes UK GDPR Article 28-compliant terms and remains responsible for their compliance.
8.2 The Partner shall not share the Shared Data with any further controller without the Patient's explicit consent and a lawful basis.
9. International transfers
9.1 Neither Party shall transfer the Shared Data outside the UK except under a lawful transfer mechanism.
10. Retention and deletion
10.1 Each Party retains the Shared Data only as long as necessary for the Permitted Purpose or as required by law.
10.2 On termination, or on withdrawal of the Patient's consent, the Partner shall cease processing and securely delete or return the affected Shared Data, save where retention is legally required (e.g. clinical record-keeping, which applies to clinical partners; non-clinical partners must delete).
11. Audit and records
Each Party shall keep records demonstrating compliance and, on reasonable request, provide the information necessary to demonstrate compliance with this Agreement.
12. Indemnity and liability
12.1 The Partner shall indemnify Lola Health against losses, fines, claims and costs arising from the Partner's breach of this Agreement or Data Protection Laws, or its misuse of the Shared Data.
12.2 Liability for fines, penalties or liabilities arising from a Party's failure to comply with Data Protection Laws is excluded from any liability cap, consistent with the Partner Terms and Conditions.
13. Term and termination
13.1 This Agreement takes effect when the Partner first uses the Partner Portal and continues while any partner connection is active.
13.2 Either Party may terminate on 30 days' notice; Lola Health may suspend or terminate immediately on breach or where required to protect Patients or comply with law.
13.3 Obligations that by their nature survive termination (confidentiality, security of received data, deletion) continue.
14. Governing law
England and Wales; exclusive jurisdiction of its courts.
Schedule 1 — Details of the data sharing
Data subjects: Patients who have given explicit consent to share with the Partner.
Categories of Shared Data: Clinical partners (self-reviewing or Lola-reviewed) — full test results, including special category health data and identifiers. Non-clinical partners — full test results, with data minimisation satisfied by the Patient's heightened explicit consent to share that scope.
Special category data: health data (UK GDPR Article 9).
Permitted Purpose: Clinical partners — provision of healthcare, clinical review and follow-up. Non-clinical partners — the specific non-clinical service the Patient engaged the Partner for.
Duration: while the connection is active and consent subsists.
Security measures: the technical and organisational measures recorded by the Partner at onboarding and maintained for the duration of the Agreement.
Questions: [email protected]. Lola Health Ltd is registered in England and Wales (Company No. 15961806), registered office 167-169 Great Portland Street, 5th Floor, London W1W 5PF.