Privacy Policy

Last updated: 2026-01-07

1. Introduction

Welcome to Noyu. This Privacy Policy explains how PROJECT 120 LTD ("Noyu", "we", "us") collects, uses, and protects your personal information when you use our Platform and Services.

We are committed to protecting your privacy and handling your data transparently. This policy is written in plain English so you can understand exactly what happens to your information.

2. Key definitions

  • Platform - Noyu's website at noyu.health and any related mobile applications, dashboards, software, and APIs.
  • Member - The individual who creates an account and uses the Services.
  • Health Data - Special category personal data relating to your physical or mental health, including blood test results, biomarkers, vital signs, and wearable device metrics.
  • Member Content - Any data or content you upload or connect to the Platform, including Health Data, questionnaire responses, and wearable feeds.

3. Who we are and how to contact us

PROJECT 120 LTD - 3rd Floor, 86-90 Paul Street, London, England, EC2A 4NE, United Kingdom.

Company number: 16584137

For privacy questions, email hello@noyu.health.

4. What data we collect

We collect information in several categories:

Account data

Name, email address, date of birth, biological sex, ethnicity, address, and phone number. We collect this directly from you when you register.

Health data

Blood test results, biomarkers, height, weight, and vital signs. This is collected from laboratory partners who process your samples.

Wearable data

Health and fitness data from connected devices and apps. This is only collected if you choose to connect a wearable device or health app (such as Apple Health, Garmin, or Oura) via our integration partner Terra. We may collect:

  • Sleep data - duration, sleep stages (light, deep, REM), sleep efficiency, and sleep-related heart rate
  • Activity data - steps, distance, calories burned, active minutes, and workout details
  • Heart data - heart rate, resting heart rate, and heart rate variability (HRV)
  • Body data - weight and height (if available from your device)
  • Fitness metrics - VO2 max and other cardiorespiratory indicators

Questionnaire data

Your responses to lifestyle and health questionnaires, including information about your habits, goals, and health history. You provide this directly through the Platform.

Usage data

Page views, feature usage, and interactions with the Platform. This is collected automatically through our analytics tools.

Payment data

Payment status and transaction records. Card details are processed and stored by our payment provider Stripe - we do not store your full card number.

We do not knowingly collect data from anyone under 18. The Platform requires you to confirm you are at least 18 years old when registering.

5. Why we process your data and our lawful bases

Under UK GDPR, we need a lawful basis to process your personal data. Here is how we use your information and the legal grounds:

To provide our Services

Creating your account, displaying your health data, generating insights, and managing your membership.
Lawful basis: Contract (Article 6(1)(b))

To process your Health Data

Analysing your blood test results, wearable metrics, and questionnaire responses to provide personalised insights.
Lawful basis: Explicit consent (Article 9(2)(a))

To process payments

Handling subscription payments and maintaining billing records.
Lawful basis: Contract; Legal obligation

To improve our Platform

Analysing usage patterns to fix bugs, improve features, and develop new functionality. Health Data used for this purpose is anonymised or aggregated.
Lawful basis: Legitimate interests (Article 6(1)(f))

To send you updates

Service notifications, health insights, and occasional marketing communications (you can unsubscribe at any time).
Lawful basis: Legitimate interests; Consent for marketing

To comply with legal obligations

Responding to legal requests and maintaining required records.
Lawful basis: Legal obligation (Article 6(1)(c))

6. How we use your Member Content

  • Service delivery - Displaying your health data, generating insights, and providing personalised recommendations.
  • Platform improvement - Training our algorithms on de-identified or aggregated data to improve our insights.
  • Research - We may create anonymised statistics (for example, "40% of members had low vitamin D levels") - this will never identify you personally.
  • AI-generated insights - When generating AI-assisted insights, we de-identify your data before processing. Your name and contact details are never sent to AI systems.

We take the protection of your Health Data seriously. We do not:

  • Use your Health Data for advertising or marketing purposes
  • Sell your Health Data to advertising platforms, data brokers, or information resellers
  • Share your identifiable Health Data with third parties for their advertising or data mining purposes

7. Who we share your data with

We share your data with the following categories of recipients, all of whom are bound by appropriate data protection agreements:

Laboratory partners

To process your blood samples and provide results. They receive only the information needed to perform the tests.

Stripe (payments)

Processes card payments securely. Card data is stored in their EU data centres.

Neon (database)

Hosts our database infrastructure in EU/UK data centres.

Vercel (hosting)

Hosts our website and application infrastructure.

PostHog (analytics)

Provides product analytics to help us understand how the Platform is used and improve it.

Terra (wearables)

Connects wearable device data from Apple Health, Garmin, Oura, and other providers if you choose to link them.

AI providers (insights)

We use third-party AI services to generate health insights. Data sent for AI processing is de-identified - your name and contact details are not included in AI requests.

Regulatory authorities

Only where required by law or to protect safety.

8. International transfers

We primarily host and process data in the United Kingdom and European Union. Where we need to transfer data outside of the UK (for example, to service providers in the US), we use appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the UK Government, or rely on adequacy decisions where applicable.

9. Cookies and tracking

We use cookies and similar technologies on our Platform:

  • Essential cookies - Required for the Platform to function (authentication, security). These are always active.
  • Analytics cookies - Help us understand how you use the Platform. These are only set with your consent.

You can manage your cookie preferences through your browser settings or our cookie banner.

10. Data retention

We retain your data for as long as necessary to provide the Services and fulfil the purposes described in this policy, or as required by law. Specifically:

  • Account and Health Data - Retained while your account is active and for a reasonable period afterwards to allow you to return to the service. Health records may be retained longer where required for clinical or legal purposes.
  • Usage and analytics data - Retained in identifiable form for up to 24 months, then anonymised or deleted.
  • Payment records - Retained as required by tax and accounting regulations.

When you delete your account, we will delete or anonymise your personal data within a reasonable timeframe, except where we are required to retain it by law.

11. Your rights

Under UK GDPR, you have the following rights:

  • Access - Request a copy of the personal data we hold about you.
  • Rectification - Ask us to correct inaccurate or incomplete data.
  • Erasure - Request deletion of your personal data in certain circumstances.
  • Restriction - Ask us to limit how we use your data.
  • Portability - Receive your data in a portable format.
  • Objection - Object to processing based on legitimate interests.
  • Withdraw consent - Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, email hello@noyu.health. We will respond within one month.

12. Data security

We take the security of your data seriously and implement appropriate technical and organisational measures:

  • All data is encrypted in transit using TLS
  • Data is encrypted at rest in our databases
  • Access to personal data is restricted on a need-to-know basis
  • We use secure authentication and access controls
  • Regular security reviews and updates

No system is 100% secure, but we work hard to protect your data and will notify you promptly if a breach occurs that affects your rights.

13. Accessibility

We aim to make our Platform accessible to everyone, including those with disabilities, in accordance with WCAG 2.1 AA standards. If you have difficulty accessing any part of the Platform or this Privacy Policy, please contact us at hello@noyu.health so we can help.

14. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before they take effect. Continued use of the Platform after that date means you accept the updated policy.

15. Complaints

If you have concerns about how we handle your data, please contact us first at hello@noyu.health. We will do our best to resolve your concerns.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

16. Contact us

If you have any questions about this Privacy Policy, please contact us at:
Email: hello@noyu.health

PROJECT 120 LTD
3rd Floor, 86-90 Paul Street
London, EC2A 4NE
United Kingdom