Veros Health
How we collect, use, and protect your personal and health information
UK GDPR Compliant
Last updated: 24.04.2026
Veros Health Ltd ("Veros Health", "we", "us", "our") is a health technology company registered in England and Wales. We provide at-home blood testing services, connecting you with clinic-based blood draws, accredited laboratory analysis, and clinician-reviewed results delivered via our mobile application.
Veros Health is the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
We are registered with the Information Commissioner's Office (ICO). Our ICO registration number is: CSN5824802.
Our registered address is: 53 Orchard Street, Bedford, United Kingdom, MK42 7JD.
Identity & Contact Data
Health & Biometric Data (Special Category)
Transaction & Payment Data
Technical & Usage Data
Communication Data
Data We Do Not Collect
We do not knowingly collect data from children under 18 years of age. We do not collect payment card numbers directly — all payment processing is handled by our third-party processor, Stripe.
| Purpose | Data Used |
|---|---|
| Create and manage your account | Identity, contact, login credentials |
| Process and fulfil your test order | Identity, contact, transaction, health data |
| Deliver blood draw appointment booking to partnered clinics | Identity, contact, order details |
| Transmit samples to accredited laboratories for analysis | Pseudonymised identity, health data |
| Provide clinician-reviewed results and health insights in the app | Health data, biomarker results |
| Process payments | Transaction data (via Stripe) |
| Send order confirmations, result notifications, and service updates | Identity, contact, usage data |
| Respond to support enquiries | Identity, contact, communication data |
| Improve our services through aggregated, anonymised analysis | Anonymised/aggregated technical and usage data |
| Comply with legal and regulatory obligations (e.g. CQC, ICO) | All categories as required |
| Send marketing communications (only with your consent) | Identity, contact, usage data |
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:
| Lawful Basis | When We Rely on It |
|---|---|
| Contract (Art. 6(1)(b)) | Processing necessary to provide our service — account creation, test fulfilment, delivering results, processing payments |
| Legal obligation (Art. 6(1)(c)) | Compliance with CQC, ICO, HMRC, and other legal/regulatory requirements |
| Legitimate interests (Art. 6(1)(f)) | Fraud prevention, security, improving our services using anonymised data, and direct communications about similar services |
| Consent (Art. 6(1)(a)) | Marketing communications; any use of your data beyond what is strictly necessary for service delivery |
Blood test results and health information are classified as special category data under Article 9 UK GDPR, which attracts the highest level of legal protection. We only process this data under the following conditions:
Explicit Consent (Art. 9(2)(a))
Before you use our service, we will ask for your explicit, informed consent to process your health data. You have the right to withdraw this consent at any time, though doing so will mean we are unable to provide our core service to you.
Provision of Health Care (Art. 9(2)(h))
Processing is necessary for the purposes of preventive or occupational medicine, the assessment of your working capacity, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems — under the responsibility of a registered health professional.
Substantial Public Interest (Schedule 1, DPA 2018)
Where applicable, we may process special category data under conditions relating to health care purposes and occupational health purposes under the Data Protection Act 2018.
We apply strict access controls to health data. Only authorised personnel and partner clinicians who require access for service delivery may access your health information.
We never sell your personal data. We share data only where necessary for service delivery or legal compliance, with the following categories of recipients:
Clinic Partners
To facilitate your blood draw appointment, we share your name, contact details, and order reference with our clinic network. Clinics act as data processors under a written data processing agreement.
Accredited Laboratories
Your sample is sent to an accredited diagnostic laboratory for analysis. We share a pseudonymised identifier and the required test panels. Laboratories are bound by confidentiality obligations and data processing agreements.
Registered Clinicians
Results are reviewed by qualified clinicians before being returned to you. Clinicians access your results on a need-to-know basis and are subject to professional confidentiality obligations and data processing agreements.
Technology Service Providers
Regulatory Authorities
We may disclose your data to the ICO, CQC, HMRC, or law enforcement agencies where required by law or regulatory obligation.
Professional Advisers
Our legal, financial, and insurance advisers may access limited data where necessary for professional advice, under strict confidentiality obligations.
All third-party processors are subject to written Data Processing Agreements (DPAs) and are required to implement appropriate technical and organisational measures to protect your data.
| Data Type | Retention Period | Reason |
|---|---|---|
| Health records & test results | 8 years from last interaction (or until the individual's 25th birthday, if they were under 18 at the time of the test, whichever is later) | NHS/clinical records guidance and CQC requirements |
| Account data | Duration of account + 2 years | Contract and legitimate interests |
| Transaction & payment records | 7 years | HMRC legal obligation |
| Support correspondence | 3 years | Legitimate interests (dispute resolution) |
| Marketing consent records | Until consent withdrawn + 1 year | Evidence of lawful processing |
| Website/app analytics (anonymised) | Up to 26 months | Service improvement |
After the applicable retention period, data is securely deleted or irreversibly anonymised. You may request earlier deletion subject to Section 8 and applicable legal obligations.
Under UK GDPR, you have the following rights in relation to your personal data:
| Your Right | What It Means |
|---|---|
| Right of Access | Request a copy of all personal data we hold about you (Subject Access Request) |
| Right to Rectification | Ask us to correct inaccurate or incomplete data |
| Right to Erasure | Request deletion of your data where there is no legitimate reason for us to retain it |
| Right to Restriction | Ask us to limit how we process your data in certain circumstances |
| Right to Portability | Receive your data in a structured, machine-readable format and transfer it elsewhere |
| Right to Object | Object to processing based on legitimate interests or for direct marketing purposes |
| Withdraw Consent | Withdraw consent at any time where processing is consent-based |
| Automated Decisions | Request human review of any solely automated decisions that significantly affect you |
To exercise any of these rights, please contact us using the details in Section 14. We will respond within one calendar month. We do not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive.
Our primary data processing operations are based in the United Kingdom. Where we work with third-party service providers who may process data outside the UK or the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
You may request details of the specific safeguards in place for any international transfer by contacting us at the address in Section 14.
Our website and mobile application use cookies and similar tracking technologies to operate effectively and improve your experience. We use the following categories:
| Category | Purpose | Consent Required? |
|---|---|---|
| Strictly Necessary | Authentication, session management, security. Essential to operate the service. | No — essential |
| Functional | Remember your preferences (e.g. language, accessibility settings) | No — service quality |
| Analytics | Understand how users navigate our app and website (aggregated, anonymised) | Yes — on opt-in |
| Marketing | Measure effectiveness of campaigns (only if you consent) | Yes — on opt-in |
You can manage your cookie preferences at any time via our cookie settings panel on the website or through your browser settings. Note that disabling certain cookies may affect the functionality of our service.
Our services are intended for individuals aged 18 and over. We do not knowingly collect personal data from anyone under 18 years of age. If you believe a child has provided us with personal data without parental consent, please contact us immediately and we will take steps to delete that data.
If a parent or guardian wishes to purchase services on behalf of a minor under specific clinical circumstances, please contact us directly to discuss appropriate consent and data handling procedures.
We take the security of your personal and health data extremely seriously. Our technical and organisational measures include:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also inform you directly without undue delay.
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data processing practices. When we make material changes, we will:
We encourage you to review this policy periodically. Continued use of our services after changes take effect constitutes acceptance of the updated policy, except where we are required to obtain fresh consent.
For any questions about this Privacy Policy, to exercise your data rights, or to raise a concern about our data practices, please contact us:
| Channel | Details |
|---|---|
| Organisation | Veros Health — Data Enquiries |
| Email | privacy@veroshealth.co.uk |
| Post | [Registered Address], United Kingdom |
| Response time | Acknowledged within 5 business days; full response within one calendar month |
ICO — Supervisory Authority
If you are not satisfied with our response or believe your data has been processed unlawfully, you may contact the Information Commissioner's Office: