We are ABR Health Ventures Ltd trading as Calibre. Questions about our privacy policy? Email privacy@getcalibre.com

• We run getcalibre.com, app.getcalibre.com, and the Calibre mobile app

• We only serve adults

• We arrange diagnostic blood tests through our CQC-registered partner DocTap, and provide a personalised health assessment and plan

• We ask for your explicit consent to process your health data. You can withdraw consent at any time (but we then can’t provide the service)

• We use essential, analytics, and marketing/advertising cookies and respect Do Not Track / GPC signals

• We primarily store data in the UK and aim to keep it within the UK/EEA. Where data is processed outside these regions (e.g. by service providers), appropriate safeguards are in place in line with applicable data protection laws

• Your rights include access, correction, and deletion

Who we are

Data Controller: ABR Health Ventures Ltd (trading as “Calibre”)

Registered address: WSM, Connect House, 133-137 Alexandra Road, Wimbledon, London, SW19 7JY

Company number: 16333644 registered in England and Wales

Contact: privacy@getcalibre.com

What this policy covers

This policy applies to getcalibre.com, app.getcalibre.com, and the Calibre mobile app (together, the “Service”).

Not medical advice

Calibre is a health and preventative wellbeing service. We arrange diagnostic blood tests through DocTap Ltd, a CQC-registered clinical provider, whose clinicians are responsible for the clinical review and sign-off of your results. Calibre does not itself hold a CQC registration and does not provide medical diagnosis or treatment for existing conditions. If you have or suspect a medical condition, contact your GP. In an emergency, call 999.

Who can use the Service

We only serve adults. We do not knowingly collect data from anyone under the age of 18. If you believe a minor has provided data, contact us and we’ll delete it.

The data we collect, why we collect it, and our legal bases

We only collect the data needed to run the Service.

Account data What: Name, email, password or SSO Why: Provide and manage your account; communicate about the Service Legal basis: Contract (to provide the Service)

Contact details What: Phone number, address Why: Provide the Service; support communications Legal basis: Contract (to provide the Service)

Payments What: Payment data processed by our third party payment provider (we don’t see card numbers) Why: Take payments; prevent fraud Legal basis: Contract (to provide the Service)

Support & feedback What: Messages via app/site, forms, surveys Why: Provide support; improve the Service Legal basis: Contract and/or Consent

Health data (special category) What: Health history, symptoms, wellbeing info you enter in the web/app Why: Provide health assessment and personalised health plan; personalise content Legal basis: Explicit Consent

Contact details shared with DocTap What: Your phone number and email address Why: Shared with DocTap Ltd so they can contact you about your appointment and communicate directly with you about your diagnostic blood test (including if your results require urgent clinical attention) Legal basis: Contract (to provide the Service)

Health background summary shared with DocTap What: Summary of relevant medical history Why: Provided to DocTap before your appointment to support clinical interpretation of your results Legal basis: Explicit Consent

Research data What: survey responses, interview notes, feedback collected during optional research activities, and where applicable recorded calls/transcripts. Why: to improve Calibre's service and user experience. Legal basis: Consent (separate opt-in). Retained only for the duration of the research project unless you agree otherwise.

Device & technical What: IP address, browser/user agent, OS, screen size Why: Analytics and product improvement Legal basis: Consent

Usage/analytics What: Pages viewed, clicks, session replay (via PostHog) Why: Understand usage; improve the Service Legal basis: Consent

Location (coarse) What: Approximate location from IP Why: Personalise content Legal basis: Consent

Marketing preferences What: Newsletter/notification sign-up status Why: Communicate when we have relevant marketing Legal basis: Consent

Your consent to health data

Because health data is sensitive, we will ask you to give explicit consent before you use the Service. You can withdraw consent at any time by emailing privacy@getcalibre.com. If you withdraw consent, we won’t be able to deliver the Service and will delete your health data unless we need to keep some of it to meet legal obligations.

Cookies and similar tech

We use three categories of tracking technologies across our website, and to a more limited extent within our app:

• Essential cookies and tech, which are necessary to run the Service.

• Analytics cookies and tech (Google Analytics 4, PostHog), which help us understand how the Service is used and improve it. Used only where you've given consent.

• Marketing and advertising cookies and tech (Meta Pixel, Google Ads), which help us measure the effectiveness of our advertising. Used only where you've given consent.

We also use server-side tracking via the Meta Conversions API, configured through Google Tag Manager to send event data (including hashed identifiers such as your email address) to Meta (via the Conversions API) for advertising attribution. Server-side tracking processes personal data even though it doesn't involve cookies in your browser, and we only carry it out where required consent has been obtained via your cookie preferences.

In addition, certain event data (such as waitlist sign-ups) may be sent to PostHog via Google Tag Manager for product analytics purposes.

Where you sign up for an account or otherwise provide your details, we may link your website activity with your account information to better understand how users interact with our Service and to measure the effectiveness of our marketing.

Our consent banner lets you accept or decline analytics and marketing separately. We respect Do Not Track (DNT) and Global Privacy Control (GPC) signals: if enabled, we won't set analytics or marketing cookies, and we won't send server-side advertising data.

Cookie lifetimes: analytics and marketing cookies are kept no longer than 13 months; essential cookies only as long as needed

Research and Service Improvement

We may invite you to take part in optional research activities (surveys, interviews, feedback sessions). Participation is voluntary with your consent and has no effect on your use of the Service if you decline or withdraw.

• Interviews may be conducted via Google Meet and recorded. Recordings are stored in Google Workspace after your consent

• Direct identifiers are stored in a locked-down Google Drive folder with restricted access.

• Pseudonym mappings are tracked in a Google Sheet in the same locked-down folder.

• Pseudonymised outputs (e.g., transcripts with identifiers removed) may be shared more broadly within the Calibre team for analysis, stored in a separate Google Drive folder, and processed using tools such as Notion and AI tools.

• Survey responses are pseudonymised from collection and stored in Tally and Google Sheet

At the point of each research activity, we'll tell you what data is collected, how it's used, who has access, and how long it's retained. Retention periods vary by activity and are defined in the relevant consent form.

Legal basis: Consent. You can withdraw research consent at any time by emailing privacy@getcalibre.com, separately from any other consents you've given.

Who processes your data for us (processors)

In order to provide our services to you, we use a number of trusted third-party providers. We may share your data with these parties where we have a lawful basis to do so. This may include where the sharing is necessary to deliver our services to you, where you have given consent, or where we are required to meet legal or regulatory obligations.

Third parties with whom we may share your data include:

• Clinical and service partners (e.g. DocTap Ltd) – To manage appointments, clinical interactions, and aspects of your care journey (independent data controller for appointment and clinic data; see DocTap's privacy notice at doctap.co.uk/privacy-policy)

• Payment providers (e.g. Stripe) – To process payments securely.

• Communication providers (e.g., Wati) – To send you messages, updates, and reminders via email or messaging platforms. Where data is transferred internationally, this is carried out under EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).

• Advertising partners (e.g. Meta, Google Ads) – To measure the effectiveness of our marketing and advertising (used only with your consent where required).

• Survey and research tools (e.g. Tally) – To collect feedback and conduct optional research surveys.

• Analytics providers – To understand how our website and services are used and improve performance (used only with your consent where required).

• Integration partners – To connect wearable devices and import relevant health data.

• AI and data processing providers – To support analysis and improvement of our services.

• IT service providers and technical support partners – To maintain and support our systems and infrastructure.

• Professional advisers and regulators – Including lawyers, auditors, and regulatory authorities where required.

How we keep your data safe

We use industry-standard safeguards, including:

• Encryption in transit and at rest

• Access controls and least-privilege access

• Regular backups and vulnerability management

No method is 100% secure, but we work very hard to protect your data.

Where we store data and international transfers

We primarily store data in the UK and seek to limit transfers outside the UK/EEA. Where such transfers occur, they are carried out in accordance with applicable data protection laws and subject to appropriate safeguards. We only transfer Personal Data to entities in third countries that have been held to provide an adequate level of protection for Personal Data, or where contractual terms have been adopted to meet the legal requirements for such transfers.

How long we keep data (retention)

We keep your personal data only as long as needed to provide the Service and meet our legal obligations. If you ask us to delete your data, we’ll do so unless we need to keep some of it for legal, regulatory, or security reasons. For example, payment records may be kept for statutory periods.

Your rights

You can:

• Access the personal data we hold about you

• Correct inaccurate data

• Delete your data (where applicable)

To exercise these rights, email privacy@getcalibre.com. We’ll ask you to verify your identity via our support process. If we can’t meet a request, we’ll explain why.

Complaints

If you’re unhappy with how we handle your data, please contact us at privacy@getcalibre.com. You can also complain to the Information Commissioner's Office (ICO), the UK supervisory authority.

Third-party links

Our Service may link to third-party sites or services (for example, payment or messaging providers). Their privacy practices are their own - please check their policies.

Changes to this policy

We may update this policy from time to time. If we make material changes, we’ll notify you by email and update the “Last updated” date above.

Contact us

Please direct questions, requests, or complaints to privacy@getcalibre.com.