PRIVACY POLICY Last Updated: April, 2026 1. Introduction Welcome to the Privacy Policy of ExoAnalytics Limited (“ExoAnalytics”, "Company", "we", "us", or "our"). We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you use our services or our website, whether you are buying directly, reselling our services, managing a team, or simply making enquiries through our website. Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit. Who is this Policy for? This policy applies to three distinct categories:
  • Direct Customers (D2C): Individuals who purchase kits or services directly from our website for personal use.
  • Resellers (B2B): Commercial partners (e.g., gyms, nutritionists, clinics) who administer our tests to their clients ("End Users").
  • Sports Teams & Organisations (B2B): Professional clubs, federations, or performance organizations purchasing services for their squads ("Athletes").
Note: Our website is not intended for children and we do not knowingly collect data relating to children. 2. Our Role: Controller vs. Processor To ensure compliance with the UK GDPR, EU GDPR, and Data Protection Act 2018, it is important to understand our legal role in handling data based on your category:
  • If you are a Customer purchasing from us (D2C): ExoAnalytics is the Data Controller. We are directly responsible for your personal data.
  • If you are a Reseller or Sports Team or other business to business client (B2B): You (the Organisation) are the Data Controller responsible for collecting consent from your End Users or Athletes. ExoAnalytics acts as a Data Processor, analysing samples and data strictly on your instructions.
  • If you are an End User or Athlete: The organisation that arranged your test (e.g., your Gym, Performance Centre, or Team) is the Data Controller.
Note: While this policy describes how we handle your personal data and data security, End Users and Athletes should primarily refer to the Privacy Policy of their Gym or Team as they are ultimately responsible for the personal data of End Users and Athletes. 3. The Data We Collect We may collect, use, store, and transfer different kinds of personal data depending on your relationship with us: A. Identity & Contact Data
  • Collected from: Direct Customers, Resellers, and Team Administrators.
  • Legal Basis: Performance of a contract, or legitimate interest, in accordance with the table set out in section 4.
  • Data: include name, billing address, shipping address, email address, phone number, and job title.
B. Special Category Data (Health & Biometrics)
  • Collected from: Direct Customers, End Users (via Resellers), and Athletes (via Teams).
  • Legal Basis: We only process this data with Explicit Consent.
  • Data Types:
    • Samples: Breath samples for carbohydrate oxidation analysis.
    • Metabolic Data: such as breath-by-breath gas exchange data (e.g. VO2, VCO2). This data is collected via a standard metabolic mask (primary method) or optionally via the Calibre biometrics tracking device (alternative method).
    • Physiological Metrics: such as height, weight, age, gender, heart rate data.
    • Food diaries and other similar nutrition data.
    • Note: In order to provide you (or your Gym, Performance Centre, or Team) with our services, analyse your samples and process our Reports, we will need to process your health and biometric data. You have the right to withdraw your consent, however, we will not be able to continue analyse your samples or provide our Reports if we do not have your consent.
C. Technical & Usage Data
  • Collected from: Website visitors.
  • Legal Basis: Legitiate interest, in accordance with the table set out in section 4.
  • Data: IP address, browser type, and operating system. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.
4. How We Use Your Data We will only use your personal data when the law allows us to.
Purpose User Group Legal Basis for Processing
To register you as a customer/partner D2C / B2B (Resellers & Teams) Performance of a Contract
To process and deliver orders D2C / B2B (Resellers & Teams) Performance of a Contract
To analyse samples and generate Reports D2C / End Users / Athletes Explicit Consent
To manage our relationship with you All Performance of a Contract; Legal Obligation;
Legitimate Interest (to keep our records updated and manage our relationship with you)
For Research & Development (Improving algorithms using anonymised data) D2C / End Users / Athletes Legitimate Interest (Data is anonymised prior to R&D use) to study how customers use our products/services, to develop them and grow our business.
To administer and protect our business and our website
(including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)		 All (including any general users of our website) Legitimate Interest (running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise);
Legal Obligation
Content and Advertisements
(to deliver relevant website content and online advertisements to you and measure or understand the effectiveness of the advertising we serve to you)		 All (including any general users of our website) Legitimate Interest (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy).
We will not use your Special Category Data for this purpose.
Marketing communications
(make personalised suggestions and recommendations to you about goods or services that may be of interest to you based on your user, usage and technical data.)		 All (including any general users of our website) Legitimate Interest (to carry out direct marketing, develop our products/services and grow our business)
We will not use your Special Category Data for this purpose.
5. Data Sharing We do not sell your personal data. We may share your data with trusted third parties to provide our Services:
  • Service Providers: IT and system administration services (e.g., cloud storage providers).
  • Laboratory Partners: Third-party labs in the UK assisting with sample analysis (bound by strict confidentiality). Our laboratory partners will have access to your de-identified (coded) Special Category Data for the purpose of enabling us to provide you with our service including analysing samples and creating our Reports.
  • Calibre Biometrics (If applicable): If the optional Calibre device is used for your test, metabolic data may be processed via Calibre Biometrics' software/firmware before reaching us / our servers. Calibre will have access to your metaboloic data (see section 3b above) collected via the metabolic mask (which will be considered Special Category Data) for the purpose of recording and analysing your data which enables us to provide you with our service, including analysing samples and creating our Reports.
  • Professional Advisers: Lawyers, bankers, auditors, and insurers.
  • HM Revenue & Customs: Regulators and other authorities based in the UK or EU.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. 6. International Transfers We process data primarily within the UK. However, some external third parties may be based outside the UK.
  • Calibre Biometrics: If the Calibre device is used for a test, data may be transferred directly from the device to Calibre Biometrics in the USA for processing via the Calibre app, under their terms and privacy policy, before reaching us. No data is sent the other way to Calibre.
  • Safeguards: Whenever we transfer personal data out of the Ukor the European Economic Area (EEA), we ensure a similar degree of protection is afforded to it by ensuring specific contracts (such as the UK International Data Transfer Agreement/Addendum issued by the UK Information Commissioner’s Office, or as relevant Standard Contractual Clauses issued by the European Commission) are in use.
7. Data Security We have put in place appropriate security measures to prevent personal data from being accidentally lost, used, or accessed in an unauthorised way.
  • Samples are de-identified (coded) before being sent to laboratory partners.
  • Access to full Personal Data is limited to employees and partners who have a business need to know and are subject to a duty of confidentiality.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. Procedures are in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. 8. Data Retention We will only retain personal data for as long as necessary to fulfill the purposes we collected it for.
  • Samples: Destroyed after analysis is complete (typically within 7 days).
  • Personal Data (Accounts): Retained for the duration of our relationship + 6 years (for tax/legal purposes).
  • Anonymised Data: We may keep anonymised metabolic data indefinitely for research and statistical purposes without further notice.
9. Your Legal Rights Under the data protection legislation, individuals have rights including:
  • Request access to personal data.
  • Request correction of personal data.
  • Request erasure of personal data ("Right to be forgotten").
  • Withdraw Consent at any time where we are relying on consent to process health data.
  • Object to any processing of personal data, where we are relying on a legitimate interest, or where we are processing personal data for direct marketing purposes.
  • Request transfer of personal data to a third party.
  • Request a restriction of processing personal data in some circumstances, which enables us to pause processing in certain events (such as, establishing accuracy of personal data, where the data is processed unlawfully but you do not want such data erased, where you need the personal data to bring or defend legal claims, or where we need to verify a legitimate ground to use personal data).
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. We may also require further information from you in order to confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. Note for B2B Clients: If you are an Athlete or an End User (Client of a Reseller), please contact your Team or Reseller directly to exercise these rights, as they are the Controller of your primary record and responsible for responding to your requests. We will not be able to process a request on behalf of the Controller. 10. Contact Details If you have any questions about this privacy policy or our privacy practices, please contact us: ExoAnalytics Limited (Company number: 16320424) Email: kris@exoanalyticsdata.com Postal Address: 9 Fir Tree Road, Fernhill Heath, Worcester, England, WR3 8RE You have the right to make a complaint to your local data protection authority. However, before doing so please make sure you have first made your complaint to us or asked us for clarification if there is something you do not understand. The ICO will expect you to have done this before reviewing your complaint. In the UK, the relevant data protection authority is: Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). In the EU, the relevant data protection authority will depend on where you are based, you can locate your data protection authority here: European Data Protection Board.