PRIVACY POLICY

Personally

www.personallyhealth.com

Effective Date: February 2026

Last Updated: 9th February 2026

1. Introduction

Supplement Technology Inc, a Delaware corporation with its principal place of business in Boulder, Colorado, USA ("Personally," "we," "us," or "our"), is a subsidiary of Supplement Technology Limited, a company incorporated in England and Wales. Supplement Technology Limited does not provide Products or Services to consumers and assumes no customer-facing obligations under these Terms. All Products, Services, and customer relationships are provided exclusively by Supplement Technology Inc.

Personally is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our mobile application, or purchase our personalized supplement products.

We collect and process health-related information to create truly personalized supplement formulations tailored to your individual needs. Given the sensitive nature of this data, we have implemented robust privacy protections designed to comply with applicable requirements under the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Washington My Health My Data Act (MHMD), the Texas Medical Privacy Act, and other applicable US state privacy laws.

Important Notice: We do not provide medical advice, diagnosis, or treatment, and our products are not intended to diagnose, treat, cure, or prevent any disease. The health information you provide is used solely to personalize your supplement formulation based on your stated goals and preferences.

Please read this Privacy Policy carefully. By accessing or using our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. Privacy disputes are governed by the dispute resolution provisions in our Terms of Service.

2. Information We Collect

2.1 Personal Information You Provide

We collect information that you voluntarily provide when using our services, including:

Identity Information

• Full name

• Date of birth

• Gender

Contact Information

• Email address

• Telephone number

• Postal address (billing and shipping)

Account Information

• Username and password

• Account preferences

• Communication preferences

Payment Information

• Credit or debit card details (processed securely through our payment processor)

• Billing address

• Transaction history

2.2 Health and Biometric Information

To create your personalized supplement formulations, we collect the following health-related information through our questionnaire and, where applicable, direct submission:

Lifestyle Data

• Diet and nutrition habits

• Exercise frequency and type

• Sleep patterns

• Stress levels

• Alcohol and caffeine consumption

• Smoking status

Health History

• Current medications and supplements

• Known allergies and sensitivities

• Medical conditions (as disclosed by you)

• Family health history (optional)

Biometric Data

• Height and weight

• Blood work results (where provided by you)

• Other biomarkers you choose to share

Health Goals

• Wellness objectives

• Areas of concern (metabolic, cardiovascular, cognitive, mood, immune, hormonal, joint health, longevity)

This information constitutes “sensitive personal information” under CCPA/CPRA, “consumer health data” under the Washington My Health My Data Act, and “special category data” under GDPR. We process this data only with your explicit consent and solely for the purpose of creating and improving your personalized supplement formulations.

2.3 Information Collected Automatically

When you access our website or application, we automatically collect:

Device Information

• Device type and operating system

• Browser type and version

• Unique device identifiers

Usage Information

• Pages visited and time spent

• Features used

• Referring URLs

• Clickstream data

Location Information

• IP address

• General geographic location (country, region, city)

Cookies and Similar Technologies

• Session cookies (essential for site functionality)

• Preference cookies (to remember your settings)

• Analytics cookies (to understand how our services are used)

3. How We Use Your Information

3.1 Primary Purposes

We use your information for the following purposes:

Product Personalization

• Analyzing your questionnaire responses and health data

• Generating your personalized supplement formulation using our proprietary algorithm

• Adjusting your formulation monthly based on updated information

Order Fulfillment

• Processing and shipping your subscription orders

• Managing your account and subscription preferences

• Providing customer support

Communication

• Sending order confirmations and shipping notifications

• Delivering monthly pre-shipping notifications (required for subscription compliance)

• Responding to your inquiries

• Sending service-related announcements

3.2 Secondary Purposes (With Your Consent)

Marketing Communications

• Promotional emails about new products or services

• Educational content about health and wellness

• Special offers and discounts

You may opt out of marketing communications at any time by clicking the unsubscribe link in any email or contacting us directly.

Product Improvement

• Aggregated, de-identified analysis to improve our algorithms

• Research and development for new product features

• Quality assurance and service optimization

3.3 Legal Bases for Processing (GDPR)

For individuals in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data under the following legal bases:

• Consent: For processing health data and special category data, and for marketing communications

• Contract Performance: To fulfill our subscription agreement and provide our services

• Legitimate Interests: For fraud prevention, security, and service improvement (where these interests do not override your rights)

• Legal Obligation: To comply with applicable laws and regulations

4. Disclosure of Your Information

4.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

Manufacturing Partners

• Our Boulder, Colorado manufacturing facility receives only the information necessary to produce your personalized formulation (formulation specifications, shipping address)

Payment Processors

• Process payments securely; we do not store complete payment card details

Shipping Carriers

• Receive name and address for delivery purposes only

Technology Providers

• Cloud hosting and data storage services

• Customer relationship management platforms

• Email service providers

All service providers are contractually bound to protect your information and use it only for the specific services they provide to us. Where service providers may access health-related information, we require contractual protections comparable to those required under applicable privacy laws.

4.2 Legal Requirements

We may disclose your information when required by law, including:

• Responding to lawful requests from public authorities

• Complying with court orders or legal process

• Protecting our rights, privacy, safety, or property

• Enforcing our terms of service

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

4.4 No Sale or Sharing of Personal Information

We do not sell your personal information.

We do not share your personal information for cross-context behavioral advertising.

For California residents: We have not sold or shared personal information in the preceding 12 months, as those terms are defined under the CCPA/CPRA.

5. Data Retention

We retain your information for as long as necessary to provide our services and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law or explicitly requested by you. Specific retention periods include:

Account Information: Retained while your account is active and for 3 years following account closure for legal and compliance purposes

Health and Biometric Data: Retained while your subscription is active. Following cancellation, we will delete this data within 30 days unless you request continued retention for reorder purposes or a longer period is required by applicable law.

Transaction Records: Retained for 7 years as required for tax and accounting compliance

Marketing Preferences: Retained until you withdraw consent or request deletion

Website Analytics: Aggregated data retained indefinitely; individual session data retained for 14 months

Upon request or at the end of the applicable retention period, we will securely delete or anonymize your information unless retention is required by law.

6. Your Privacy Rights

6.1 Rights for All Users

Regardless of your location, you have the right to:

• Access: Request a copy of the personal information we hold about you

• Correction: Request that we correct inaccurate or incomplete information

• Deletion: Request that we delete your personal information, subject to legal retention requirements

• Opt-Out: Unsubscribe from marketing communications at any time

6.2 Additional Rights for EEA, UK, and Swiss Residents (GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, you also have the right to:

• Data Portability: Receive your data in a structured, commonly used, machine-readable format

• Restriction: Request that we limit how we use your data

• Object: Object to processing based on legitimate interests

• Withdraw Consent: Withdraw consent at any time (without affecting the lawfulness of processing before withdrawal)

• Lodge a Complaint: File a complaint with your local data protection authority

For UK residents: The supervisory authority is the Information Commissioner’s Office (ICO), ico.org.uk

6.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you

• Right to Delete: Request deletion of your personal information, with certain exceptions

• Right to Correct: Request correction of inaccurate personal information

• Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell or share your data)

• Right to Limit: Limit the use and disclosure of sensitive personal information to what is necessary for the services

• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

Categories of Personal Information Collected: Identifiers, personal records, characteristics of protected classifications, commercial information, biometric information, internet activity, geolocation data, professional information, and inferences

Categories of Sensitive Personal Information Collected: Health information, precise geolocation (if enabled), racial or ethnic origin (if voluntarily provided)

Purpose for Collection: To provide personalized supplement products and related services

Retention: As described in Section 5

No Sale or Sharing: We have not sold or shared personal information in the preceding 12 months

To exercise your California privacy rights, submit a request using the methods described in Section 10.

6.4 Additional Rights for Washington Residents (My Health My Data Act)

If you are a Washington resident, you have specific rights under the Washington My Health My Data Act regarding your consumer health data:

• Right to Know: Request confirmation of whether we are collecting, sharing, or selling your consumer health data

• Right to Access: Request a list of all third parties and affiliates with whom we have shared your consumer health data, to the extent required and technically feasible under applicable law, and an active email or other online mechanism for contacting those third parties

• Right to Withdraw Consent: Withdraw your consent for the collection and sharing of your consumer health data at any time

• Right to Delete: Request deletion of your consumer health data

Consent Requirements: We obtain your affirmative, voluntary consent before collecting or sharing your consumer health data. You may withdraw this consent at any time.

Geofencing: We do not use geofencing technology to identify or track consumers based on their proximity to healthcare facilities.

To exercise your Washington privacy rights, submit a request using the methods described in Section 10.

6.5 Additional Rights for Texas Residents (Texas Medical Privacy Act)

If you are a Texas resident, you have rights under the Texas Medical Privacy Act (Texas Health and Safety Code Chapter 181) regarding your health information. We will not disclose your health information without your authorization except as permitted by law. You have the right to:

• Request access to your health information

• Request correction of your health information

• Receive notice of our privacy practices

• File a complaint if you believe your rights have been violated

To exercise your Texas privacy rights, submit a request using the methods described in Section 10.

6.6 Rights Under Other US State Privacy Laws

Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Utah, and Virginia have similar rights under their respective state privacy laws. Contact us to exercise these rights.

7. Enhanced Health Data Privacy Practices (Non-HIPAA)

7.1 Our Commitment to Health Data Protection

We recognize the sensitive nature of the health information you share with us. Although we are a supplement manufacturer and not a healthcare provider, health plan, or healthcare clearinghouse, we have voluntarily implemented enhanced privacy and security practices to provide you with strong protection for your health-related data.

Nothing in this section creates rights or obligations under the Health Insurance Portability and Accountability Act (HIPAA), nor should this notice be interpreted as a HIPAA Notice of Privacy Practices. We are not a HIPAA covered entity or business associate.

7.2 How We Protect Your Health Information

Administrative Safeguards

• Designated privacy and security officials

• Workforce training on privacy and security policies

• Access controls based on job function

• Incident response procedures for any suspected breach

Physical Safeguards

• Secure facilities with access controls

• Workstation and device security policies

• Proper disposal of physical records

Technical Safeguards

• Encryption of health data in transit and at rest

• Unique user identification and authentication

• Automatic session timeout

• Audit controls and activity logging

7.3 Minimum Necessary Principle

We apply the minimum necessary principle: we access, use, and disclose only the minimum amount of health information needed to accomplish the intended purpose.

7.4 Vendor Agreements

Where we engage service providers who may access health-related information, we require contractual protections that impose confidentiality obligations and restrict their use of your data to the specific services they provide to us.

7.5 Your Health Information Rights

You have the right to:

• Request a copy of your health information

• Request corrections to your health information

• Request restrictions on how we use your health information (though we may not be able to agree to all restrictions)

• Receive a summary of data disclosures we have made for business purposes

8. International Data Transfers

8.1 Transfer Mechanisms

We are a UK-based company with manufacturing operations in the United States. Your information may be transferred to, stored, and processed in countries outside your country of residence.

For transfers from the EEA, UK, or Switzerland to the United States or other countries, we rely on:

• Standard Contractual Clauses approved by the European Commission

• UK International Data Transfer Agreement addendum where applicable

• Adequacy decisions where available

• Your explicit consent for sensitive personal data transfers

8.2 Safeguards

Regardless of where your data is processed, we implement appropriate technical and organizational measures to ensure protection consistent with this Privacy Policy and applicable law.

9. Data Security

We implement reasonable and appropriate security measures to protect your personal information, including:

• TLS/SSL encryption for data in transit

• AES-256 encryption for data at rest

• Regular security assessments and penetration testing

• Multi-factor authentication for system access

• Regular software updates and security patches

• Employee background checks and confidentiality agreements

• Incident response and breach notification procedures

While we strive to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

9.1 Breach Notification

In the event of a data breach affecting your personal information:

• We will notify affected individuals within 72 hours of becoming aware of the breach (or as required by applicable law)

• We will notify relevant supervisory authorities as required

• We will provide information about the nature of the breach, data affected, and steps being taken

10. How to Exercise Your Rights

To exercise any of your privacy rights, you may:

Email: privacy@personallyhealth.com

Post: Data Protection Officer, Supplement Technology Inc, 4699 Nautilus Crt, Unit 504, Boulder, CO 80301

Website: Submit a request through your account settings

10.1 Verification

To protect your information, we will verify your identity before responding to requests. You may be asked to provide:

• Email address associated with your account

• Order number or other account identifiers

• Additional information to confirm your identity

10.2 Authorized Agents

You may designate an authorized agent to make requests on your behalf. We will require proof of your authorization and still verify your identity directly.

10.3 Response Times

We will respond to your request within:

• GDPR requests: One month (extendable by two months for complex requests)

• CCPA/CPRA requests: 45 days (extendable by an additional 45 days)

• Washington MHMD requests: 45 days (extendable by an additional 45 days)

• Other requests: As required by applicable law, typically within 30 days

11. Children’s Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.

12. Third-Party Links

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.

13. Cookie Policy

13.1 What Are Cookies

Cookies are small text files placed on your device when you visit a website. They help the site remember your preferences and understand how you use the site.

13.2 Cookies We Use

Strictly Necessary Cookies (required for the website to function; cannot be disabled)

• Session management

• Shopping cart functionality

• Security features

Functional Cookies (remember your preferences)

• Language settings

• Account preferences

• Recently viewed products

Analytics Cookies (help us understand how visitors use our site)

• Google Analytics (anonymized IP)

• Usage patterns and page views

Marketing Cookies (only with your consent)

• Track effectiveness of marketing campaigns

• Personalize advertisements on other platforms

13.3 Managing Cookies

You can manage your cookie preferences through:

• Our cookie consent banner when you first visit

• Your browser settings

• Our cookie preference center (accessible via footer link)

Note that disabling certain cookies may affect website functionality.

13.4 Do Not Track

We honor “Do Not Track” browser signals and the Global Privacy Control (GPC) signal.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:

• We will update the “Last Updated” date at the top of this policy

• We will provide notice through email or a prominent notice on our website

• For significant changes affecting your rights, we will seek your consent where required

We encourage you to review this Privacy Policy periodically.

15. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact us:

Data Protection Officer

Supplement Technology Inc

Email: privacy@personallyhealth.com

Phone: (720) 350 0429

Address: 4699 Nautilus Crt, Unit 504, Boulder, CO 80301

15.1 Complaints

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority:

• UK: Information Commissioner’s Office (ICO) - ico.org.uk

• EU: Your local Data Protection Authority

• California: California Privacy Protection Agency - cppa.ca.gov

• Washington: Washington State Attorney General - atg.wa.gov

16. Accessibility

We are committed to ensuring this Privacy Policy is accessible. If you need this policy in an alternative format, please contact us.

17. Dispute Resolution

Any disputes arising from or relating to this Privacy Policy, including disputes arising under state privacy statutes such as the CCPA/CPRA, Washington My Health My Data Act, or Texas Medical Privacy Act, shall be resolved in accordance with the dispute resolution provisions set forth in our Terms of Service, including any applicable arbitration and class action waiver provisions.

Appendix A: Information for California Residents

This section provides additional disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA).

Categories of Personal Information Collected in the Past 12 Months

Category                  | Examples                                   | Collected      | Sources                              | Purpose
--------------------------|--------------------------------------------|----------------|--------------------------------------|--------------------------------------
Identifiers               | Name, email, postal address, IP address    | Yes            | Directly from you; automatically     | Service provision, communication
Personal Records          | Name, address, telephone, payment info     | Yes            | Directly from you                    | Account management, payment processing
Protected Characteristics | Age, gender                                | Yes            | Directly from you                    | Product personalization
Commercial Information    | Purchase history, subscription details     | Yes            | Directly from you; transaction records | Order fulfillment, customer service
Biometric Information     | Height, weight, blood biomarkers           | Yes            | Directly from you                    | Product personalization
Internet Activity         | Browsing history, search history           | Yes            | Automatically                        | Website improvement, analytics
Geolocation               | IP-based location                          | Yes            | Automatically                        | Shipping, compliance
Professional Information  | Occupation                                 | Yes (optional) | Directly from you                    | Product personalization
Education Information     | Not collected                              | No             | N/A                                  | N/A
Inferences                | Health profiles, preferences               | Yes            | Derived from above                   | Product personalization
Sensitive PI: Health      | Medical conditions, medications, lifestyle | Yes            | Directly from you                    | Product personalization

Disclosure and Sale/Sharing

• Disclosed for Business Purpose: All categories above may be disclosed to service providers as described in Section 4

• Sold: None

• Shared for Cross-Context Behavioral Advertising: None

Retention

See Section 5 for retention periods by category.

Appendix B: Enhanced Health Data Privacy Practices

We have implemented the following enhanced safeguards for your health-related information. These practices reflect our commitment to protecting sensitive data and are not intended to create, and do not create, any rights or obligations under HIPAA or any similar healthcare privacy law.

Our Commitment

We understand that health information about you is personal. We are committed to protecting this information and maintaining its confidentiality. This appendix describes our practices for using and disclosing health information.

Uses and Disclosures of Your Health Information

For Product Personalization: We use your health information to create your personalized supplement formulation. This includes analyzing your questionnaire responses, blood work results, and biometric data.

For Operations: We may use your health information for quality assurance, algorithm improvement (using de-identified data), and customer service.

With Your Authorization: Other uses and disclosures not described in this policy will only be made with your written authorization. You may revoke an authorization at any time.

Your Rights Regarding Your Health Information

• Right to access and obtain a copy of your health information

• Right to request amendment of your health information

• Right to receive a summary of data disclosures for business purposes

• Right to request restrictions on certain uses

• Right to receive confidential communications

• Right to receive a copy of this notice

Our Responsibilities

• Maintain the privacy of your health information

• Provide you with this notice of our privacy practices

• Notify you if a breach occurs that may have compromised your health information

• Follow the terms of this notice currently in effect

Contact Information

Privacy Officer: privacy@personallyhealth.com

Appendix C: Regulatory Disclaimer

FDA Disclaimer: We do not provide medical advice, diagnosis, or treatment. Our products are dietary supplements and are not intended to diagnose, treat, cure, or prevent any disease. The information you provide is used solely to personalize your supplement formulation based on your stated preferences and wellness goals. You should consult with a healthcare professional before starting any new supplement regimen, particularly if you have a medical condition or are taking medication.

HIPAA Disclaimer: Personally (Supplement Technology Inc) is not a HIPAA covered entity. We are a dietary supplement manufacturer, not a healthcare provider, health plan, or healthcare clearinghouse. Nothing in this Privacy Policy or our practices creates rights or obligations under HIPAA, and this Privacy Policy should not be interpreted as a HIPAA Notice of Privacy Practices.