Privacy Policy

1. What this Privacy Policy covers 

This Privacy Policy covers how we treat Personal Data that we gather and subsequently process when you access or use our Service. “Personal Data” means any information that identifies or relates to you and also includes information referred to as “personally identifiable information” or “personal information” under applicable privacy or data protection laws. This Privacy Policy does not cover the practices of companies we don’t own or control or people we don’t manage. 

2. What personal data we collect 

2.1 Categories of Personal Data we collect 

This section is about the categories of Personal Data that we collect and have collected over the past 12 months as well as data we subsequently process. We use your data for different purposes, and we have split this section up so it is clear what our reason for collecting each category of data is. 

2.1.1 Customer Information 

This is information about you that we collect in order to manage your account, for example your name, address, email address and telephone number. We use this data to: 

• Generally operate an account for you (eg by referring to your name or using your email to permit you to login). 

We need this information in order to deliver our Service to you. For reference: this means our GDPR “legal basis” is article 6(1)(b) “necessary for the performance of a contract”. But, having collected it, we also use it for other purposes that are discussed in more detail in their own section: 

• We may use some of this information to improve our analysis of your self-reported health information, for example your geographical location. If so, we treat it in the same way as other information in the same category. 

2.1.1.1 Emails  

We may also use your email address, in order to send you emails for the following purposes: 

• Providing you with information about our products or services. 
• Keeping in touch with you about the app and its performance as well as about new versions of the app or similar apps we may develop. 
• Sending you updates on our latest developments and scientific discoveries. 
• Inviting you to register for webinars we host in relation to our research. 

Our legal basis for doing so is our legitimate interest in promoting our services. For more information, see the “User Research” and “Mailing Lists” sections below. 

2.1.1.2 How long do we keep customer information for? 

We keep this information for a period of 6 years after the end of your subscription. Keeping it for this length of time allows us to recognize you if you wish to subscribe again, and is also necessary for us in case we need to resolve any legal disputes that might arise. 

2.1.2 Self-reported Health Information 

This is information such as height, weight, what you eat, or any pre-existing health conditions, that you contribute to us by inputting the information into our website or the app. 

We use this data to: 

• Determine your eligibility for our services or scientific research studies.  
• Input relevant information into our analysis, for example what you eat. 
• Allow us to carry out general scientific research. 

2.1.3 Test Results 

These are the results we receive back from the laboratories that have analyzed your samples, or – if applicable – from devices that measure your physiological data (such as a blood sugar sensor), possibly via intermediate data management systems managed by the manufacturer/distributors of the devices, and which facilitate the transfer of the data from the devices to COMPASS. An example of a Test Result is the concentration of glucose in your blood.  

We keep this data for as long as you have an account with COMPASS, but we will delete it if you specifically request it. The laboratories will keep Test Results for different lengths of time depending on locally applicable law, and could be kept on file for up to 11 years. Some laboratories only receive anonymized/de-identified samples, others require some personal details to conduct the tests. Device manufacturers/distributors hold anonymized/de-identified Test Result data in their data management systems which are used to transfer the data from the sensors to COMPASS. 

2.1.4 Device & Browser Data 

Everyone: If you visit our website, or use our app, then we will also collect information about you. Some of this information is sent directly by your device to us, for example: your IP address, the type of browser you are using, the make of your mobile phone and the contents of cookies we set. We also use third party analytics providers such as Google Analytics, who collect similar information and then supply us with further analysis derived from it. 

We process this data in order to: 

• Locate errors in our systems or problems our systems may be facing with other systems (such as compatibility with a web browser) 
• Improve the functioning of our Service 
• Prevent fraud or other criminal activity 

This information is automatically sent to us – although there are technical ways you can prevent us from receiving this information (for example by changing the information your browser supplies to us) – the way in which browser and app software works means it is inevitable that we process it. 

We routinely delete our web server logs after 90 days, unless we are aware of any serious problem that requires investigation (for example fraud or a hostile attack to our systems), in which case we may preserve any information necessary for that investigation for as long as it is needed. Once the investigation is concluded, we will delete the data. 

Customers and quiz: We also extract IP address and device data that we receive at the time you make a purchase or interact with our quiz. We use this in order to help us understand more about our customers – for example where we are receiving orders from – to enable us to do a better job of marketing; and also in case we need to troubleshoot an order or detect fraud. We delete this data after seven days. 

Our legal basis for collecting and using device and browser data is our legitimate interests in running and improving a commercial service over the Internet, and in providing a better quality of service than we would otherwise be able to if we were not analyzing device and browser data. 
 
URLs we share: We may also include information linked to you in any URL (web link) that we share with you. We use this to enable us to present personalized information to you when you visit our website.  

For example, if you fill in an initial health quiz and have the results of that quiz emailed to you. The email contains a link that allows you to create an account. That link will contain additional information that will allow us to associate the answer to the health quiz with your account. If we do it this way, it will save you having to enter the information again. 

2.1.5 Payment Information 

This is information that is necessary in order for payments to be processed by our third party payment processor. For example the amount of the payment, payment card type, payment card number, and your billing address.  

For your security our payment processor only shares the last 4 digits of your payment card number with us. 

We retain this data as long as necessary to comply with our legal obligations under tax and corporate law. As soon as we no longer need the information, we delete it. 

2.1.6 Correspondence 

Where you directly correspond with us (such as sending us an email, online chat message, or call us) we will process information about you concerned with that correspondence, including your email and our responses. We keep that information for as long as necessary to deal with the correspondence – for example if you have made a complaint, as long as needed to deal with the complaint – and then for a further 6 years, in case we need it to defend or establish a legal claim. 

2.1.7 Scientific Research Studies 

You may, from time to time, be invited to participate in one or more scientific research studies. Participation is entirely voluntary and subject to an additional sign up process, which is managed by an ethics review board. This privacy policy may not accurately describe the data processing carried out during such a research study but if that is the case, the information you receive before participating in the study will explain any differences. 

2.2 Our purposes for using Personal Data 

We have explained specific reasons for processing categories of personal data above. Our core purpose is research into diet, into health and into the link between the two. For those purposes we process your self-reported health information, samples (processed on our behalf by third parties), Test Results and some customer information. 

We may also process any of the information you provide us for the purposes of providing support and assistance in using the Service. 

We may also process your personal information if we are legally required to do so in circumstances where this cannot be reasonably resisted. 

We will not collect additional categories of Personal Data or use the Personal Data we collected for different purposes without providing you notice. 

3. How we share your Personal Data 

We share information about you only with the following: 

• Laboratories engaged by COMPASS to carry out tests. These laboratories may use physicians to sign off on authorization on behalf of customers to conduct tests in certain jurisdictions that restrict the sale of direct-to-consumer lab tests without physician authorization (which include most US states). COMPASS will share any information that is necessary to obtain an authorization (including self-reported health information and other Test Results) with these laboratories and their physicians. 
• Others carrying out research into diet and/or health including academic research organizations (such as universities) and pharmaceutical companies, for example to assist in the development of new medications. When we do this an anonymous code will always be used to replace your personal details (name, email, phone number, and full address). 
• Providers of physical devices used to obtain physiological information – for example a continuous glucose monitor. 
• Delivery and fulfillment providers we use to send you goods, such as the test kit, and to transport samples 
• Contractors providing us services we use for processing Personal Data, which include: 

• Hosting, technology and communication providers. 
• Security and fraud prevention consultants. 
• Analytics providers.  
• Support and customer service vendors. 
• Payment processors. 

• Our professional advisors, such as if we need to consult an attorney for legal advice. In all cases these will be advisors under a professional duty of confidence. 

Business Transfers 

All of your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices. 

Data that is not Personal Data 

We may convert Personal Data into anonymous data, that is data which can no longer be linked with identifiable individuals, for example by aggregation of data about multiple individuals. We may create aggregated, de-identified or anonymized data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user.  

For example, we use your self-reported health information, Test Results and some of your customer information to improve our models of the interaction of diet and health. The models we create have no individual information about you, being the aggregation of data from many individuals.  

We may use such anonymous data and share it with third parties for our lawful business purposes, including to analyze, build and improve the Service and other future products and services, and promote our business, provided that the data remains anonymous. We do not delete anonymous data on any particular timetable. You may assume that we could keep it indefinitely.   

4. Data security and retention 

We seek to protect your Personal Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism; limiting access to your computer or device and browser; and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely secure. 

The periods for which we retain individual categories of Personal Data are explained under the heading “Categories of Personal Data we collect”, but in some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. 

5. California resident rights 

If you are a California resident, you have the rights set forth in this section. Please see the “Exercising your rights” section below for instructions regarding how to exercise these rights. Please note that we may process Personal Data of our customers’ end users or employees in connection with our provision of certain services to our customers. If we are processing your Personal Data as a service provider, you should contact the entity that collected your Personal Data in the first instance to address your rights with respect to such data. 

If there are any conflicts between this section and any other provision of this Privacy Policy and you are a California resident, the portion that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following rights apply to you, please contact us at support@compass-health.ai. 

5.1 Access 

You have the right to request certain information about our collection and use of your Personal Data over the past 12 months. In response, we will provide you with the following information: 

• The categories of Personal Data that we have collected about you. 
• The sources from which that Personal Data was collected. 
• The business or commercial purpose for collecting or selling your Personal Data. 
• The categories of third parties with whom we have shared your Personal Data. 
• The specific pieces of Personal Data that we have collected about you. 

If we have disclosed your Personal Data to any third parties for a business purpose over the past 12 months, we will identify the categories of Personal Data shared with each category of third party recipient. If we have sold your Personal Data over the past 12 months, we will identify the categories of Personal Data sold to each category of third party recipient. 

5.2 Deletion 

You have the right to request that we delete the Personal Data that we have collected about you. Under the California Consumer Privacy Act (CCPA), this right is subject to certain exceptions: for example, we may need to retain your Personal Data to provide you with the Service or complete a transaction or other action you have requested. If your deletion request is subject to one of these exceptions, we may deny your deletion request. 

5.3 Exercising your rights 

To exercise the rights described above, you or your Authorized Agent (defined below) must send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Data (we will use our existing authentication practices (your username and password) as the mechanism for verifying your identity, or if such information is unavailable then we will use alternative validation data to verify your identity to a reasonable degree of certainty), and (2) describes your request in sufficient detail to allow us to understand, evaluate and respond to it. Each request that meets both of these criteria will be considered a “Valid Request.” We may not respond to requests that do not meet these criteria. We will only use Personal Data provided in a Valid Request to verify your identity and complete your request. You do not need an account to submit a Valid Request. 

We will work to respond to your Valid Request within 45 days of receipt. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request. 

You may submit a Valid Request using the following methods: 

• Email us at: support@compass-health.ai  
• Portal for data access and erasure requests only: https://compass-health.ai/privacy 

You may also authorize an agent (an “Authorized Agent”) to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf. 

5.4 Personal Data sales opt-out and opt-In 

We will not sell your Personal Data, and have not done so over the last 12 months. 

We Will Not Discriminate Against You for Exercising Your Rights Under the CCPA 

We will not discriminate against you for exercising your rights under the CCPA. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under the CCPA. However, we may offer different tiers of our Service as allowed by applicable data privacy laws (including the CCPA) with varying prices, rates or levels of quality of the goods or services you receive related to the value of Personal Data that we receive from you. 

6. Other privacy rights 

California resident rights 

Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to contact us to prevent disclosure of Personal Data to third parties for such third parties’ direct marketing purposes; in order to submit such a request, please contact us at support@compass-health.ai. 

Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications and services that you do not wish such operators to track certain of your online activities over time and across different websites. Our Service does not support Do Not Track requests at this time. To find out more about “Do Not Track,” you can visit www.allaboutdnt.com. 

Nevada resident rights 

If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting us at support@compass-health.ai with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Data as sales are defined in Nevada Revised Statutes Chapter 603A. 

7. Changes to this Privacy Policy 

We’re constantly trying to improve our products and services, which includes collecting new kinds of data or carrying out new analyses on that data, so the information on this page may need to change from time to time. 

8. How to contact us: 

If you have any questions or comments about this Privacy Policy, the ways in which we collect and use your Personal Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at support@compass-health.ai.  

To submit a data access or erasure request, please go to https://compass-health.ai/privacy