Privacy Notice

Glenhurst Holdings Limited (trading as Arlen Health)

Last Updated: [Insert Date]

1. Introduction

Glenhurst Holdings Limited, trading as Arlen Health (“Arlen Health”, “we”, “our” or “us”), is committed to protecting and respecting your privacy.

This Privacy Notice explains how we collect, use, store and protect your personal information and health information when you engage with our services, visit our website, participate in an assessment programme, or otherwise interact with us.

Arlen Health acts as a data controller in relation to the personal data described in this notice unless otherwise stated.

2. Who We Are

Data Controller

Glenhurst Holdings Limited
Trading as Arlen Health

For any privacy-related questions, requests or concerns, please contact:

Email: hello@arlenhealth.com

3. Information We Collect

Depending on the services you use, we may collect:

Personal Information

• Name

• Date of birth

• Email address

• Telephone number

• Postal address

• Occupation

• Employer details (where participating through a corporate programme)

• Emergency contact information

Health and Assessment Information

• Health questionnaires

• PAR-Q responses

• Medical history information voluntarily provided by you

• Current medications and supplements

• Lifestyle information

• Exercise and training history

• Sleep, recovery and wellbeing information

• Nutrition information

• Physical assessment results

• Blood test results

• Biomarker data

• Health reports and dashboards

• Coaching notes and programme records

Technical Information

When using our website or participant dashboard, we may collect:

• IP address

• Device information

• Browser information

• Login activity

• Dashboard access activity

• Security and audit log information

4. How We Collect Information

We collect information:

• Directly from you

• Through onboarding forms and questionnaires

• Through consultations and assessments

• Through physical testing and health assessments

• Through laboratory testing providers

• Through healthcare professionals involved in programme delivery

• Through our website and participant dashboard

• Through communications with you

5. How We Use Your Information

We use your information to:

• Deliver health and performance assessment services

• Produce reports, dashboards and recommendations

• Arrange appointments and assessments

• Provide coaching and support services

• Communicate with you about your programme

• Improve our services

• Maintain records

• Comply with legal and regulatory obligations

• Protect the security and integrity of our systems

• Respond to enquiries, complaints and requests

6. Special Category Health Data

Health information is classified as special category personal data under UK GDPR.

Where we process health information, we do so because:

• You have requested assessment, coaching or related services;

• Processing is necessary for the provision of health-related services;

• Processing is necessary for establishing, exercising or defending legal claims; or

• You have provided explicit consent where required.

7. Our Lawful Bases for Processing

Depending on the circumstances, our lawful bases include:

Article 6 UK GDPR

• Performance of a contract

• Legitimate interests

• Compliance with legal obligations

• Consent (where required)

Article 9 UK GDPR (Health Data)

• Explicit consent

• Provision of health-related services

• Preventive or occupational health purposes where applicable

8. Who We Share Information With

We only share information where necessary for programme delivery, legal compliance or service provision.

This may include:

Endura Health Limited (trading as ThanksDoc)

Where GP consultations are provided through Endura Health Limited trading as ThanksDoc, relevant information may be shared for the purpose of arranging and delivering GP services.

GP consultation services are provided independently by Endura Health Limited and the relevant clinician.

Inuvi Diagnostics Limited

Where laboratory testing is undertaken through Inuvi Diagnostics Limited and its collection partners, relevant information may be shared for:

• Test ordering

• Sample collection

• Laboratory analysis

• Reporting

Healthcare Professionals

We may share information with:

• General practitioners

• Physiotherapists

• Nutrition professionals

• Other practitioners involved in your programme

where necessary and appropriate.

Corporate Clients

Where your assessment is provided through your employer, Arlen Health will not routinely share your personal health information, blood results or medical information with your employer unless:

• You have provided consent; or

• We are legally required to do so.

Employers may receive anonymised, aggregated or programme-level information that does not identify individual participants.

Service Providers

We may use carefully selected service providers to support our operations, including providers of:

• CRM systems

• Secure cloud hosting

• Database services

• Email delivery services

• Website hosting

• Business administration systems

These providers are required to process information only in accordance with applicable data protection laws.

9. International Transfers

Some of our technology providers may process information outside the United Kingdom.

Where information is transferred internationally, we take appropriate steps to ensure suitable safeguards are in place in accordance with UK GDPR requirements.

These safeguards may include:

• International Data Transfer Agreements (IDTAs)

• UK Addendum to Standard Contractual Clauses

• Adequacy regulations

• Contractual safeguards with service providers

10. Data Security

We take appropriate technical and organisational measures to protect personal information.

These measures include:

• Role-based access controls

• Password protection

• Encrypted communications

• Session management controls

• Secure hosting environments

• Audit logging and monitoring

• Restricted staff access

No system can be guaranteed to be completely secure. However, we take reasonable steps to protect information against unauthorised access, loss, misuse or disclosure.

11. Data Retention

We retain personal information only for as long as necessary for:

• Delivery of services

• Compliance with legal obligations

• Handling complaints or disputes

• Legitimate business purposes

Retention periods may vary depending on the nature of the information and applicable legal requirements.

When information is no longer required, it will be securely deleted or anonymised.

12. Your Rights

Under UK GDPR you may have the right to:

• Access your personal information

• Correct inaccurate information

• Request deletion of information

• Restrict processing

• Object to processing

• Request data portability

• Withdraw consent where processing is based on consent

Requests can be submitted to:

hello@arlenhealth.com

13. Complaints

If you are unhappy with how your information has been handled, please contact us first so that we can try to resolve the issue.

You also have the right to complain to the Information Commissioner’s Office (ICO).

Information Commissioner’s Office

Website: https://ico.org.uk

Telephone: 0303 123 1113

14. Changes to this Notice

We may update this Privacy Notice from time to time.

The latest version will always be available through our website and participant communications.

Glenhurst Holdings Limited
Trading as Arlen Health