1. Who we are and how to contact us
This Privacy Policy describes how Smoov Shakes UK Limited ("Smoov", "we", "us", "our"), a company registered in England and Wales (Company number 15041314) with registered office at Elsley Court, 20-22 Great Titchfield Street, London, W1W 8BE, collects, uses, stores, and shares your personal data when you use The Founding 500 membership programme and related services.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Smoov is the Data Controller for the personal data described in this policy.
For any data protection enquiry — including subject access, erasure, rectification, withdrawal of consent, or to raise a complaint — contact us at privacy@smoovuk.com (monitored daily). General membership enquiries: people@smoovuk.com.
2. What data we collect
Account & membership data
- Name, email address, member ID
- Date of birth, postal address, phone number (where provided)
- Membership tier, sign-up date, renewal status
- RSVPs to events and journal interactions you make on the platform
Payment data
- Billing address and payment metadata. Card details are processed directly by Stripe and never stored on our servers.
Wearable data — Article 9 special category data (only with your explicit consent)
Wearable data is treated as Article 9 special category data (data concerning health) under UK GDPR. We process it only on the basis of your explicit consent given via a separately ticked checkbox at sign-up.
If you choose to connect a wearable device — currently WHOOP or Oura, with Garmin, Fitbit, and Apple Watch on the roadmap — we receive read-only access to a defined set of metrics:
- Recovery — daily recovery score, HRV (heart rate variability), resting heart rate
- Sleep — sleep duration, efficiency, stages
- Strain & activity — daily strain score, calories, workout summaries
- Profile — your wearable user ID, first name, height, weight (used to calibrate recommendations)
We do not receive: GPS location, raw heart rate streams, ECG traces, continuous blood oxygen data, or any data you have not granted access to.
Biomarker data — Article 9 special category data (only if you opt in)
Where members elect to participate in our partnership with Healf for blood and biomarker testing, we receive only the result panel that you authorise to be shared with Smoov for personalised recommendation purposes. Biomarker results are also treated as Article 9 special category data and are processed only on the basis of your explicit consent.
Marketing preferences
- Whether you have opted in to Founding 500 updates and Members-Only Line news
- Date and time of your opt-in or unsubscribe
Technical data
- IP address and approximate geolocation
- Browser type and device information
- Login timestamps and session activity
- Error reports (sent to our error monitoring provider, Sentry, with personal identifiers stripped)
3. How we use your data
- Deliver the Founding 500 service — manage your membership, process payments, provide access to events, perks, and the member dashboard.
- Generate personalised smoothie protocols — combine your wearable data, biomarker results (if shared), and stated goals to recommend daily formulations.
- Communicate with you — magic-link login emails, transactional notifications, and member updates relevant to your account.
- Improve our service — anonymous and aggregated usage data is used to identify bugs, improve performance, and prioritise new features.
- Meet legal obligations — UK tax records, fraud prevention, and any legitimate regulatory request.
We will never sell your wearable data, biomarker data, or any other personal information to third parties. We will never share your data for advertising purposes.
4. Lawful basis for processing
Under UK GDPR, we rely on the following legal bases:
- Article 6(1)(b) — Contract. Account, membership, and payment data is necessary to deliver the service you have purchased.
- Article 6(1)(a) and Article 9(2)(a) — Explicit consent. Wearable data and biomarker data (Article 9 special category data) are processed only on the basis of your explicit, granular, separately recorded consent given at sign-up. You may withdraw this consent at any time from your dashboard.
- Article 6(1)(f) — Legitimate interest. Technical data and error reports are processed to keep the service functional and secure. Where we rely on this basis we have weighed your rights and concluded the processing is proportionate and expected.
- Article 6(1)(c) — Legal obligation. Tax records and regulatory disclosures.
5. Your wearable data — additional safeguards
Because wearable data is Article 9 special category data, we apply additional safeguards beyond standard practice:
- Read-only access. We only request the minimum scopes required to generate recommendations. We cannot write to, alter, or delete data on your wearable account.
- Encrypted at rest. Your OAuth tokens are encrypted using AES-256-GCM before being written to our database. Even our engineers cannot read raw tokens from backups or database exports.
- Cached, not stockpiled. We cache only the most recent metrics needed to render your dashboard, refreshed every 6 hours. Historical data older than 30 days is purged automatically.
- Disconnect anytime. You can disconnect your wearable from the dashboard at any time. On disconnect we revoke our access at the wearable provider (where the provider supports revocation) and delete all cached data within 24 hours.
- Never resold or shared. Your wearable data is used only to generate recommendations for you. It is not shared with our partners (including Healf), advertisers, or any third party.
6. Who we share data with — processor list
We share data only with the limited set of vendors required to operate the service. All vendors are bound by written data processing agreements under Article 28 UK GDPR.
| Processor | What they handle | Where they process | Transfer safeguard |
|---|---|---|---|
| WHOOP, Inc. | Wearable data (recovery, sleep, strain, profile) for members who connect WHOOP | United States | UK International Data Transfer Agreement (UK IDTA) |
| Ouraring Inc. | Wearable data (sleep, readiness, activity, HRV) for members who connect Oura | United States / Finland | UK IDTA / UK Addendum to EU SCCs |
| Healf Limited | Address & DOB for biomarker test fulfilment; biomarker results returned to Smoov for members who opt in | United Kingdom | None required (UK) |
| Stripe Payments Europe, Limited | Payment processing, subscription management | Ireland (EU) with US sub-processors | UK Addendum to EU SCCs |
| Vercel Inc. | Application hosting, serverless functions | United States (with EU regions for some workloads) | UK IDTA |
| Turso (ChiselStrike, Inc.) | Encrypted database (libSQL), member records | United States (database hosted in eu-west-1) | UK IDTA |
| Resend, Inc. | Transactional email delivery (magic-link login, notifications) | United States | UK IDTA |
| Functional Software, Inc. (Sentry) | Error monitoring with personal identifiers stripped before transmission | United States | UK IDTA |
| Upstash, Inc. | Rate-limiting cache (no personal data stored) | United States / Ireland | UK IDTA / UK Addendum to EU SCCs |
For international transfers outside the UK we rely on the UK International Data Transfer Agreement (UK IDTA), the UK Addendum to the EU Standard Contractual Clauses, or — where the destination country has a UK adequacy decision — the adequacy decision itself.
7. How long we keep your data
- Active membership data — kept while you remain a member.
- Wearable cache — purged after 30 days.
- Wearable tokens — deleted within 24 hours of disconnect or consent withdrawal.
- Biomarker results — deleted within 24 hours of consent withdrawal.
- Cancelled membership data — kept for 6 years to satisfy UK tax law (Companies Act 2006 / HMRC retention), then deleted.
- Marketing communications data — deleted within 30 days of unsubscribe.
- Consent audit log — kept for 6 years to evidence compliance with UK GDPR Article 7(1).
8. Your rights under UK GDPR
You have the following rights, exercisable free of charge by emailing privacy@smoovuk.com. We will respond within one calendar month.
- Right of access — request a copy of the personal data we hold about you (Article 15).
- Right to rectification — correct inaccurate or incomplete data (Article 16).
- Right to erasure ("right to be forgotten") — request deletion of your data (Article 17).
- Right to restriction of processing — pause processing while a query is resolved (Article 18).
- Right to object to processing — including profiling and any processing based on legitimate interest (Article 21).
- Right to data portability — receive a portable copy in a machine-readable format (Article 20).
- Right to withdraw consent — at any time, including by disconnecting your wearable or withdrawing health-data consent from your dashboard (Article 7(3)).
- Right not to be subject to a decision based solely on automated processing (Article 22). The smoothie protocol generator is an automated process. You may request a human review of any protocol recommendation by emailing privacy@smoovuk.com.
Complaints to the regulator
If you are unhappy with how we have handled your data, you have the right to complain to the UK Information Commissioner's Office (ICO):
- Online: ico.org.uk
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would prefer the chance to resolve any concern first — please contact privacy@smoovuk.com.
9. Cookies
We use only essential cookies required to log you in (a session cookie) and to keep our forms secure (a CSRF token). We do not use advertising or analytics cookies that follow you around the web.
10. Children
The Founding 500 is not intended for individuals under 18. We do not knowingly collect data from minors. If you believe we have collected data from a minor, contact us at privacy@smoovuk.com and we will delete it.
11. Changes to this policy
If we materially change how we process your data, we will email you in advance of the change taking effect. The current version is always available at this URL. The version number and last-updated date are shown at the top. Older versions are available on request.
12. Contact
Smoov Shakes UK Limited
Company number 15041314
Registered office: Elsley Court, 20-22 Great Titchfield Street, London, W1W 8BE
privacy@smoovuk.com