Privacy at a glance
This summary explains the key points about how EPINUTRI uses your information. For full details, please read the complete Privacy Policy below.
Who we are
EPINUTRI is a digital health platform providing functional nutrition and clinical decision-support services. We are responsible for looking after your personal data when you use our websites and services.
What information we collect
We collect information such as your name and contact details, account information, and technical data about how you use our website. If you use EPINUTRI for health support, we also collect health and lifestyle information (for example, symptoms, test results and nutrition data) so that you and your practitioner can use the platform effectively.
Why we collect it
We use your information to run your account, support practitioners in providing care, improve our services, keep our systems secure, and (if you choose) send you updates and marketing. We only collect what we need, and we only use it where we have a lawful reason to do so under data protection law.
Our legal bases
Most of the time we process your data because it is necessary to provide our services to you, or because we have a legitimate interest in running and improving EPINUTRI safely and effectively. For health information, we rely mainly on the legal basis that it is needed for health or social care purposes, and we apply extra safeguards. In some situations we may also ask for your explicit consent.
Who we share it with
If you are working with a practitioner or clinic through EPINUTRI, we share your relevant information with them so they can provide your care. We also use trusted service providers (for example, hosting, email and analytics) who help us run the platform. They must keep your information secure and can only use it on our instructions. We do not sell your data.
Where your data is stored
We mainly store your data in the UK or EEA. If we need to use providers outside these areas, we make sure there are appropriate safeguards in place, such as approved contracts, to protect your information.
How long we keep it
We keep your information only for as long as necessary for the reasons we collected it, including to meet our legal and clinical obligations. When it is no longer needed, we will securely delete it or anonymise it.
Your rights
You have rights over your data, including the right to access it, ask us to correct it if it is wrong, ask us to delete it in some cases, limit or object to how we use it, and, in some situations, receive a copy in a usable format. If we rely on your consent (for example, for certain marketing or optional uses of health data), you can withdraw that consent at any time.
Contact and complaints
If you have any questions or concerns about how we use your information, or if you want to exercise your rights, please contact us at privacy@epinutri.com. You also have the right to complain to the Information Commissioner's Office (ICO) if you are unhappy with how we handle your data. Details are available at www.ico.org.uk.
1. Who we are
EPINUTRI ("we", "us", "our") is a digital health platform providing functional nutrition and clinical decision-support services. We act as a "data controller" for personal data we collect and use about patients, platform users, and practitioners when they access our websites, apps and services.
Codenutri Ltd (trading as EPINUTRI)
Company number: 17062603 (England and Wales)
Registered address: 14 Balmoral Road, Liverpool, L6 8NE, United Kingdom
Email (general): support@epinutri.com
Email (privacy / data protection): privacy@epinutri.com
If we appoint a Data Protection Officer (DPO) or specific UK GDPR representative, we will provide their contact details here.
2. Scope of this notice
This Privacy Policy explains how we collect, use, share and protect personal data in connection with:
- Visitors to our websites (including epinutri.com and related domains)
- Users of the EPINUTRI platform, including patients and other end-users
- Practitioners, clinics and other professionals using our services
- Individuals who contact us, sign up for marketing, or interact with us in other ways
It does not cover the privacy practices of independent practitioners or clinics that use EPINUTRI in their own businesses; they are data controllers in their own right.
3. The data we collect
We collect the following categories of personal data, depending on how you interact with us.
Identification and contact data
- Name, title, date of birth
- Email address, phone number, postal address
- Account login details (username, password or authentication tokens)
Health and lifestyle data (special category data)
- Medical history, symptoms, diagnoses, medications and treatment plans
- Laboratory test results and biomarkers
- Nutrition, diet, supplement and lifestyle information
- Questionnaires, forms and health assessments completed on the platform
- Practitioner notes and care plans recorded in EPINUTRI
Practitioner and clinic data
- Professional qualifications, registration numbers and specialisms
- Clinic name, address and contact details
- Information about your use of our services as a practitioner
Technical and usage data
- IP address, device identifiers, browser type and settings
- Log files, time zone, operating system and version
- Usage information about how you navigate and use our websites and apps
Marketing and communication data
- Preferences for receiving marketing and communications
- Records of communications, including enquiries, feedback or complaints
We may collect data directly from you, from practitioners who use our platform to provide you with care, from diagnostic laboratories and other healthcare providers, and from your device or browser when you use our services.
4. Purposes and lawful bases for processing
We only use your personal data where we have a lawful basis under UK GDPR, and for special-category health data we also rely on a specific Article 9 condition. The table below sets out our main processing activities.
| Purpose | Data used | Lawful basis (Art. 6) | Special category basis (Art. 9) | Typical retention |
|---|---|---|---|---|
| Provide EPINUTRI services to you (create and manage accounts, deliver assessments, generate reports, support communication between you and your practitioner) | Identification, contact, health and lifestyle, practitioner data | Performance of a contract with you or steps at your request to enter into a contract | Provision of health or social care and healthcare management (Art. 9(2)(h)) | Life of account + retention period in line with legal and clinical requirements |
| Support practitioners and clinics in providing care, including clinical documentation and workflows | Health and lifestyle, practitioner data, identification | Legitimate interests in operating a clinical platform and supporting safe care; and/or performance of a contract | Provision of health or social care and healthcare management (Art. 9(2)(h)) | Life of account + retention period in line with legal and clinical requirements |
| Safety, security and fraud prevention (e.g. monitoring for misuse, protecting systems and data) | Identification, technical and usage data | Legitimate interests in securing our services and preventing fraud (Art. 6(1)(f)) | Where health data is involved: substantial public interest or healthcare management, as applicable | Logs retained for 12 months; security records for 6 years |
| Analytics, service improvement and product development (e.g. understanding usage, improving features) | Technical and usage data, sometimes pseudonymised health and lifestyle data | Legitimate interests in understanding and improving our services (Art. 6(1)(f)), with safeguards | Where possible we use anonymised or aggregated data not subject to UK GDPR; where not, we rely on Art. 9(2)(h) or explicit consent where required | Analytics data retained for 26 months |
| Marketing communications (e.g. newsletters, webinars, product updates) | Contact and marketing preference data | Consent (Art. 6(1)(a)) for electronic direct marketing, or legitimate interests where permitted by law | Not applicable (we do not use special category data for direct marketing) | Until you withdraw consent or after 3 years of inactivity |
| Regulatory, legal and compliance purposes (e.g. responding to requests, enforcing agreements) | Any relevant category | Legal obligations (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) | Where applicable, establishment, exercise or defence of legal claims (Art. 9(2)(f)) | As required by law and limitation periods |
If we intend to use your data for any new purpose, we will update this notice and, where required, seek your consent before doing so.
5. Special category (health) data
Most data processed on the EPINUTRI platform is health data, which is treated as "special category data" under UK GDPR and requires extra protection.
We process health data primarily to support the provision and management of health and nutrition-related services, including functional medicine assessments, and do so under Article 9(2)(h) UK GDPR with appropriate professional and confidentiality safeguards.
Where we rely on your explicit consent for particular uses of your health data (for example, certain research or product-development activities not strictly necessary for care), you may withdraw that consent at any time by contacting us, and we will stop that processing unless another lawful basis applies.
7. How long we keep your data
We keep personal data only for as long as reasonably necessary for the purposes explained in this notice, and to meet legal, regulatory, clinical and reporting requirements.
In particular:
- Account and health-record data linked to care are typically kept whilst your account is active and then for a further period (for example, 7 to 10 years) in line with professional, clinical or legal retention standards
- Practitioner and clinic records are retained for as long as needed to provide services and manage our relationship, and then for a further period to meet legal and audit requirements
- Marketing data is retained until you opt out or until a defined period of inactivity (for example, 3 years)
- Audit logs and order records are retained for 6 years in line with HIPAA audit-trail requirements and UK tax and accounting obligations
- Technical logs and analytics data are kept for shorter periods necessary for security, diagnostics and service improvement
- Session data uses a 30-minute time-to-live (TTL) and is automatically purged
When data is no longer needed, we will delete or anonymise it securely.
9. International transfers
All primary data is stored in Google Cloud Platform europe-west2 (London). Some of our service providers may be located outside the UK and European Economic Area (EEA) or may store data in other countries.
Where personal data is transferred outside the UK/EEA, we ensure that one of the following safeguards is in place:
- The destination country has been recognised as providing an adequate level of data protection by the UK Government
- We have entered into UK-approved standard contractual clauses or equivalent contractual safeguards with the recipient
- Another appropriate safeguard or exemption applies under UK data protection law
You can contact us for more information about the specific safeguards used for international transfers.
10. How we protect your data
We take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These measures include:
- Access controls and role-based permissions
- Encryption in transit (TLS) and at rest where appropriate
- Secure development practices and code review
- Staff training on data protection and security
- Regular backups and security monitoring
- Tamper-evident audit logging with SHA-256 hash chains for clinical actions
Whilst no system can be completely secure, we continually assess and improve our security controls to protect your information.
11. Children's data
EPINUTRI is primarily designed for adult users and practitioners. If we support the processing of health data relating to children or young people, this will typically be managed through a practitioner or responsible adult and will comply with applicable laws and guidance.
We do not knowingly collect personal data directly from children under 16. If we become aware that we have collected personal data directly from a child in circumstances where parental or guardian consent was required and not obtained, we will take steps to delete that data promptly.
12. Automated decision-making and profiling
EPINUTRI may use algorithms or rules to help interpret health data, support risk assessment or generate personalised nutrition and lifestyle insights. These tools are designed to support, not replace, clinical judgement, and decisions with legal or similarly significant effects about your care should always involve appropriate human review by you and your practitioner.
We do not carry out solely automated decision-making that produces legal or similarly significant effects on individuals without human involvement. If that changes, we will update this notice and explain your rights in relation to such processing.
13. Your data protection rights
Under UK data protection law, you have the following rights in relation to your personal data, subject to certain conditions and exceptions:
- Right to be informed about how we use your data (this notice is part of that)
- Right of access to your personal data and to obtain a copy
- Right to rectification of inaccurate or incomplete data
- Right to erasure ("right to be forgotten") in certain circumstances
- Right to restrict processing in certain circumstances
- Right to object to processing based on our legitimate interests or for direct marketing
- Right to data portability, allowing you to obtain and reuse your personal data for your own purposes (we support export in FHIR R4 format for health data)
- Rights in relation to automated decision-making, including profiling, where this has legal or similarly significant effects
Where we rely on consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.
You can exercise your rights by contacting us using the details in section 15. We may need to verify your identity before responding to some requests and will normally respond within one calendar month.
If your data is also held by a practitioner or clinic as their own medical record, you may need to exercise some rights directly with them as a separate controller.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, how we process personal data, or legal requirements.
When we make material changes, we will take appropriate steps to bring them to your attention, such as by updating the "Last updated" date, posting a notice on our website, or contacting you directly by email at least 14 days before the changes take effect.
We encourage you to review this page periodically to stay informed about how we handle your information.
15. How to contact us and your right to complain
If you have any questions about this Privacy Policy, how we use your personal data, or wish to exercise your rights, please contact us at:
Data Protection Lead
Email: privacy@epinutri.com
Postal address: Codenutri Ltd, 14 Balmoral Road, Liverpool, L6 8NE, United Kingdom
If you are not satisfied with our response, you also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk
The ICO's website explains how to raise a concern and what information you should provide.