DEPH LABS LTD PRIVACY POLICY — ENGNE APP

Last Updated: 14 May 2026

Company No. 16613109 | Registered in England & Wales | Unit 10 Fairfield Industrial Estate, Gwaelod-Y-Garth, Cardiff, Wales, CF15 8LA

Quick-Reference Summary

This layered summary is for convenience only. The full policy below is the binding document.

1. Who We Are

DEPH LABS LTD ("DEPH LABS", "we", "us", "our") is a private limited company incorporated in England and Wales, company number 16613109. Our registered office is at Unit 10 Fairfield Industrial Estate, Gwaelod-Y-Garth, Cardiff, Wales, CF15 8LA.

We operate www.deph.uk and a mobile application (the “App”) marketed under the product name “Engne” — the World’s First Male-Only Epigenetic Performance and Longevity Platform. Engne is a product name of DEPH LABS LTD. The Engne app is distributed on the Apple App Store and Google Play Store by Ummu Hub Ltd (Company No. 16624424), registered in England and Wales, which is the registered developer account holder for both stores. DEPH LABS LTD owns and operates the Engne app and is solely responsible for all services, content, data processing, and the legal obligations set out in this Privacy Policy. We are a personalised wellness platform for men, combining DNA and epigenetic testing, performance and longevity supplement formulations, and an AI health coach to deliver biology-led, personalised wellness insights calibrated specifically for male genetics and physiology.

DEPH LABS is not a medical device, does not provide medical advice, and is not a regulated healthcare service. Nothing on our platform constitutes medical advice, clinical assessment, diagnosis, or treatment. If you have health concerns — including concerns about hormonal health, hair loss, cardiovascular health, or any medical condition — always consult a qualified healthcare professional.

We are the data controller of your personal information under:

• the UK General Data Protection Regulation ("UK GDPR") and Data Protection Act 2018 ("DPA 2018"), as amended by the Data (Use and Access) Act 2025 ("DUAA 2025");
• the EU General Data Protection Regulation ("EU GDPR") where applicable to users in the European Economic Area;
• the California Consumer Privacy Act 2018 as amended by the California Privacy Rights Act 2020 ("CCPA/CPRA") where applicable to California residents;
• Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and Quebec Law 25 where applicable to Canadian residents; and
• Australia's Privacy Act 1988 and Australian Privacy Principles where applicable to Australian residents.

Data protection lead: privacy@deph.uk

We are not required to appoint a Data Protection Officer (DPO) under UK GDPR Article 37. We have designated our Head of Legal as our data protection lead, responsible for oversight of this policy and our data protection compliance programme. Our Head of Legal also acts as our Privacy Officer for the purposes of PIPEDA and Quebec Law 25.

For full details of how to delete your account and all associated data, see Section 11a of this policy or visit www.deph.uk/pages/engne-app-account-deletion-process.

2. Changes to This Privacy Policy

We review this Privacy Policy at least annually and whenever our practices or applicable law materially change. We will notify you of significant changes by updating the "Last Updated" date, displaying a notice on our website or App, and/or emailing you if the change materially affects your rights. Where a change requires fresh consent (for example, a new use of genetic or epigenetic data), we will obtain that separately before proceeding.

3. Personal Information We Collect and How We Collect It

The personal information we collect depends on how you interact with us. The most sensitive data we handle — genetic and epigenetic data — is generated from your saliva sample and processed by our laboratory partner. We explain each category in full below.

3.1 Information You Provide Directly

• Contact details: name, email address, telephone number, and postal address.
• Account credentials: username, password, and security settings.
• Order and billing details: billing/shipping address and payment confirmation. Full card numbers are processed by our PCI DSS-compliant payment processor and never stored by us.
• Health and lifestyle profile: information you voluntarily provide when setting up your account or completing our wellness quiz, including your performance goals, age, health objectives, and lifestyle factors.
• Hormonal and androgenic data: information about testosterone levels, hair loss patterns, or androgenic symptoms, where you choose to provide this.
• Support communications: any information you include when contacting us for help.

3.2 Saliva Sample and DNA / Epigenetic Data

This is the most sensitive category of data we process. Your saliva sample contains your DNA and is collected via a physical test kit we send to you. The sample is analysed by our laboratory partner. What we receive back is digital genetic and epigenetic data — not the physical sample itself.

From your saliva sample, our laboratory partner generates:

• DNA / Genetic data: your fixed genetic profile, analysed across traits relevant to the testing categories you have selected (Performance, Fitness, Longevity, Hair Health, Hormonal Health). This includes genetic markers relating to muscle power, bone density, nutrient metabolism, testosterone response, androgenic sensitivity, injury risk, cardiovascular health, and more.
• Epigenetic data: analysis of your DNA methylation patterns, which reflect how your lifestyle and environment are influencing your gene expression. This includes your Biological Age score, Male Hormonal Age, Heart Age, Wellness & Inflammation Score, MethylGuard score, Epi Vitality score, and Longevity Pathways assessment.

Both genetic data and epigenetic data are special category data under UK/EU GDPR. We process this data only on the basis of your explicit consent (Article 9(2)(a)). See Section 5 for details of your rights to withdraw that consent.

Important: Your saliva sample is a physical biological specimen. After analysis by the laboratory, the sample is destroyed in accordance with the laboratory's protocols and applicable biological waste regulations. We do not retain your physical sample. You may request details of our laboratory partner's sample retention and destruction policy by contacting us.

3.3 Male-Specific Health Data

Because Engne is specifically designed for men's health and performance, we collect and process certain categories of health data that relate specifically to male biology. All of the following is treated as special category health data and processed only with your explicit consent:

• Testosterone markers and androgenic sensitivity indicators derived from genetic and epigenetic analysis.
• Hair follicle genetic data and androgenic alopecia risk scoring.
• Male hormonal pattern data, where inferred from genetic markers or provided by you.
• Cardiovascular and metabolic health indicators relevant to male physiology.
• Performance and recovery metrics, where relevant to your stated goals.

This data is used solely to personalise your wellness insights, supplement recommendations, and AI coaching to your specific biology and performance goals. It is never used for advertising and is never shared with third parties for commercial purposes.

3.4 Engne AI Health Coach Data

Our AI health coach ("Engne AI") provides wellness-oriented guidance using male health context, your wellness profile, and the messages you send to the AI coach. When you interact with Engne AI, we process:

• Your first name, so the AI can address you.
• Your date of birth and gender, where needed to personalise wellness content.
• Your stated performance goals, wellness profile, hormonal data, and any health objectives or concerns you share in conversation.
• The text of any message you send to Engne AI and the wellness content being personalised.
• Your conversation history with Engne AI, to enable personalised and contextually relevant responses.

Third-party AI provider: The Engne AI features are powered by the Gemini API provided by Google (Google LLC / Google Ireland Limited, "Google"). To generate personalised content, we send Google a limited set of data: your first name, your date of birth, your gender, the text of any message you send the AI coach, and the wellness content being personalised.

We do not send Google your raw DNA sequence or identifiable genetic results linked to your name. Google processes this data as our processor under its API data-processing terms, does not use it to train its models, and does not use it for its own purposes. This data may be processed on Google's servers outside the UK, subject to the safeguards in Section 11.

Engne AI provides wellness-oriented guidance. It does not provide medical diagnoses, clinical recommendations, or treatment plans. See Section 13 for our full disclaimer.

Explicit Consent Screen: Before Engne AI features are activated, you are presented with a specific consent screen clearly explaining: (a) that Engne AI is powered by Google Gemini API; (b) that Google is the recipient of the limited personal data described in this Section 3.4; (c) that this data is used to generate personalised wellness guidance; (d) that this is not medical advice; and (e) that you may withdraw consent at any time. This consent is separate from your agreement to our general Terms of Service and is required before AI coaching features are activated.

3.5 Supplement and Order Data

When you purchase supplements — including our Performance, Longevity, Hair Health, and Hormonal Support formulations — we process:

• Order details: products purchased, quantities, and order history.
• Delivery information: shipping address and delivery preferences.
• Payment confirmation: transaction reference (not full card numbers — these are handled by our payment processor).
• Supplement usage data: if you log supplement use within the App, we use this to track consistency and adjust recommendations over time.

3.6 Re-Test and Subscription Data

If you purchase a Re-Test Kit to track changes in your biological age over time, or if you hold a subscription, we process data about your testing history to enable comparison between test results and track progress over time.

3.7 Usage and Technical Data

When you use our website or App, we automatically collect limited technical data including IP address and approximate location, browser/device type, pages visited, App feature interactions, and crash diagnostics. See Section 17 for our cookie policy.

3.8 Third-Party Data

• Payment processors (e.g. Stripe): transaction confirmation and fraud signals. Full card data never reaches our servers.
• Shipping partners: delivery status updates for physical kit and supplement orders.
• Analytics providers: aggregated, pseudonymised usage data.

4. Special Category Data — Genetic, Epigenetic, and Health Data

The following categories of data we process are classified as special category data under UK/EU GDPR and receive the highest level of legal protection:

• Genetic data (Article 4(13) UK/EU GDPR): data resulting from specific technical processing of biological characteristics, uniquely identifying you.
• Biometric data used for unique identification (Article 4(14)).
• Health data (Article 4(15)): data concerning physical or mental health, including all hormonal, androgenic, hair health, cardiovascular, and epigenetic data we process.

We process all special category data only on the basis of your explicit consent under Article 9(2)(a) UK/EU GDPR. This means:

• We present a clear, granular, plain-language consent request before activating each data processing purpose.
• Consent is freely given and specific — you can consent to some purposes but not others.
• You can withdraw consent at any time without detriment. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.
• On withdrawal, we stop processing the relevant data and, absent another legal basis, delete it within 30 days.

DEPH LABS is not a medical device, does not provide medical advice, and is not a regulated healthcare service. If you have health concerns, always consult a qualified healthcare professional.

5. Legal Bases for Processing

We process your personal information only where a lawful basis exists under UK/EU GDPR:

Where we rely on legitimate interests, we have completed a balancing test confirming our interests are not overridden by your rights. You may request a copy by contacting us.

6. How We Use Your Personal Information

6.1 Providing DNA and Epigenetic Testing

• Sending you a test kit containing a saliva collection tube and instructions.
• Arranging for the return of your sample to our laboratory partner for processing.
• Receiving your genetic and epigenetic results from the laboratory and displaying them in your account.
• Generating your personalised reports across your selected testing categories (Performance, Fitness, Longevity, Hair Health, Hormonal Health).
• Enabling Re-Test functionality: comparing new epigenetic results against your baseline to track biological age change over time.

6.2 Personalising Supplement Recommendations

• Using your DNA results and epigenetic data to recommend the supplement formulation best matched to your biology and performance goals.
• Adjusting supplement recommendations as your goals or life stage evolve.
• Identifying specific nutrient deficiencies or sensitivities indicated by your genetic profile to inform dosing and ingredient selection.

6.3 Engne AI Health Coach

• Providing personalised wellness guidance via Engne AI, powered by Google Gemini API and prompted with male health context.
• Enabling contextually relevant responses by using the limited personal data described in Section 3.4, your wellness profile, and the messages you send to the AI coach.
• Answering questions about your wellness objectives, supplement protocols, hormonal patterns, and performance goals.

Engne AI guidance is for general wellness and informational purposes only. See Section 13 for our full disclaimer.

6.4 Managing Your Account and Orders

• Creating and maintaining your account.
• Processing and fulfilling orders for test kits and supplements.
• Sending shipping confirmations, test result notifications, and account alerts.
• Providing customer support.

6.5 Research and Service Improvement (Anonymised Only)

We may use fully anonymised, aggregated data — which cannot identify any individual — to improve the accuracy of our genetic algorithms, enhance our epigenetic models, and develop new wellness insights. This data cannot be linked back to you. We do not use identifiable genetic or epigenetic data for research without separate, specific consent.

6.6 Marketing

• We may send marketing emails about our products and services. Opt out at any time via the unsubscribe link or by emailing privacy@deph.uk.
• We never use your genetic, epigenetic, hormonal, or hair health data for marketing targeting.

7. Family Member Implications of Genetic Data

Genetic data is unique in that it is partially shared with your biological relatives. Your DNA results may reveal information about traits, health predispositions, or characteristics that are also present in your family members who have not consented to testing.

We take the following approach:

• We do not use your genetic data to infer or generate information about third parties, including your relatives.
• We do not contact your relatives on the basis of your data.
• We do not share your genetic data with your relatives or with any party who could use it to identify your relatives.
• We do not use your genetic data for ancestry or familial matching services.
• We do not sell or license your genetic data to any third party.

If you have concerns about the family implications of genetic testing, please contact us at privacy@deph.uk before submitting your sample.

8. How We Share Your Personal Information

We do not sell your personal information. We do not share your genetic, epigenetic, hormonal, or health data with advertisers, insurers, employers, or data brokers under any circumstances.

8.1 Laboratory Partner (Sample Processing)

Your saliva sample is sent to our specialist laboratory partner for DNA and epigenetic analysis under Article 28 UK GDPR. Our laboratory partner:

• Processes your sample solely for the purpose of generating your test results.
• Is bound by a written Data Processing Agreement prohibiting any other use of your data.
• Destroys your physical sample after analysis in accordance with applicable protocols.
• Operates under appropriate accreditation standards for genetic testing laboratories.

You may request the name and accreditation details of our laboratory partner by contacting us at privacy@deph.uk.

8.2 Other Service Providers (Data Processors)

We share personal information with carefully selected service providers who process data strictly on our behalf, under written Article 28-compliant Data Processing Agreements. Categories include:

• Cloud hosting and infrastructure providers.
• Payment processors (PCI DSS compliant; full card data never reaches us).
• Shipping and logistics providers (for physical kit and supplement delivery).
• Customer support software providers.
• Email delivery providers.
• Analytics and crash-reporting providers (pseudonymised data only).
• IT security and fraud prevention services.

8.3 Legal and Regulatory Disclosure

We may disclose personal information where required by applicable law, court order, or regulatory authority. We notify you where legally permitted and disclose only the minimum information necessary.

8.4 Business Transfers

If DEPH LABS undergoes a merger, acquisition, or sale of assets, personal information may transfer as part of that transaction. We will notify you before your data becomes subject to a materially different privacy policy, and will honour your rights throughout. Genetic and epigenetic data will only transfer to a successor who agrees to be bound by obligations no less protective than those in this policy.

8.5 With Your Explicit Consent

We share your personal information with any other third party only where you have given clear, specific, informed, and freely given consent for that specific purpose.

8.6 AI Service Provider (Google Gemini)

We use Google's Gemini API to generate personalised wellness content and power the Engne AI coach. The limited personal data described in Section 3.4 is processed by Google strictly on our behalf under an Article 28-compliant data-processing agreement, is not used to train Google's models, and is not used by Google for any independent purpose.

9. Security of Your Data

Given the sensitivity of genetic, epigenetic, and health data we process, we implement robust technical and organisational security measures, including:

• Encryption of all data in transit using TLS 1.2 or higher.
• Encryption of genetic, epigenetic, and health data at rest using AES-256 or equivalent.
• Pseudonymisation of genetic data at laboratory level — your sample is identified by a unique ID, not your name, during laboratory processing.
• Strict, role-based access controls — staff and contractors access only the data necessary for their specific role.
• Regular security testing and vulnerability assessments.
• A documented incident response plan tested regularly.

In the event of a personal data breach likely to result in high risk to your rights and freedoms, we will notify you without undue delay (Article 34 UK GDPR) and notify the ICO within 72 hours (Article 33 UK GDPR).

10. Data Retention

When data is no longer needed, it is securely deleted or irreversibly anonymised. Anonymised data (which cannot identify you) may be retained indefinitely for statistical and service improvement purposes.

For the full account deletion procedure — including in-app deletion steps, what happens to in-progress orders and active subscriptions, and your rights under CCPA, Canadian, and Australian law — see Section 11a of this policy.

11. International Transfers and EEA Users

11.1 Transfers Outside the UK / EEA

We ship test kits and supplements to customers worldwide. Our laboratory partner, Google as our AI service provider for Gemini API, and some other service providers may operate outside the UK or EEA. Where personal data is transferred outside these regions, we ensure appropriate safeguards, which may include: UK International Data Transfer Agreements (IDTAs), the UK Addendum to EU Standard Contractual Clauses, EU Standard Contractual Clauses, or transfer to a country covered by an adequacy decision. The EU-UK adequacy decision was renewed on 19 December 2025 and runs to 27 December 2031.

11.2 EU GDPR Representative (Article 27)

DEPH LABS is established in the United Kingdom and offers Services to users across the EEA. We are therefore subject to the EU GDPR in addition to the UK GDPR for EEA-based users. In accordance with Article 27 of the EU GDPR, we are in the process of appointing a designated EU representative. Until that appointment is formalised, EEA-based users may direct all EU GDPR-related enquiries directly to us at privacy@deph.uk.

11.3 California Residents — CCPA/CPRA

California residents have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising these rights.

We do not sell or share your personal information as defined under CCPA/CPRA. Your genetic data and health data are sensitive personal information under CCPA/CPRA — we collect and process them only to provide the Services you have requested and do not use them to infer characteristics beyond what is necessary for those Services.

California residents may submit deletion requests via privacy@deph.uk (subject: "CCPA Deletion Request"), via the in-app deletion flow, or at www.deph.uk/pages/engne-app-account-deletion-process. Authorised agents may submit requests with written proof of authorisation. We respond within 45 calendar days.

11.4 Canadian Residents — PIPEDA and Quebec Law 25

Canadian residents have rights under PIPEDA to access and challenge the accuracy of their personal information. Quebec residents have additional rights under Law 25 including the right to deletion, the right to data portability, and the right to a destruction certificate confirming that their personal information has been destroyed.

To request a destruction certificate, include "Destruction Certificate Required" in your deletion request email to privacy@deph.uk. We will provide the certificate within 30 days of deletion completion. Our Privacy Officer for PIPEDA and Law 25 purposes is contactable at privacy@deph.uk.

French language: Cette politique est disponible en francais sur demande — veuillez contacter privacy@deph.uk.

11.5 Australian Residents — Privacy Act 1988

Australian residents' personal information is handled in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (as amended by the Privacy and Other Legislation Amendment Act 2024). Your genetic data and health data constitute sensitive information under the Privacy Act. We collect and handle sensitive information only with your consent and only for the primary purpose for which it was collected. We do not use or disclose sensitive information for secondary purposes without your consent.

Under APP 11.2, we take reasonable steps to destroy or de-identify personal information that is no longer needed. Our account deletion process satisfies this obligation. Australian residents may submit deletion requests to privacy@deph.uk (subject: "Australian Privacy Act Deletion Request") or at www.deph.uk/pages/engne-app-account-deletion-process. Unresolved complaints may be directed to the Office of the Australian Information Commissioner at oaic.gov.au.

11a. Account Deletion and Your Right to Erasure

You have the right to delete your Engne account and all associated personal data at any time. This section explains how to do it, what gets deleted, and what happens to your active subscription and any in-progress orders.

11a.1 How to Delete Your Account

Three methods are available — all trigger the same deletion process:

In-app (recommended): Settings > Account > Delete Account. Confirm by entering your password and tapping Confirm Delete. You will receive email confirmation within 24 hours.

Web: Log in at www.deph.uk > Account Settings > Privacy & Data > Delete My Account and All Data. Also accessible without logging in at www.deph.uk/pages/engne-app-account-deletion-process.

Email: Email privacy@deph.uk with subject "Account Deletion Request". Include your name and registered email address. We may verify your identity before proceeding.

iOS native flow: On iOS 16 and above, you may also initiate deletion via Settings > [Your Name] > Engne > Delete Account in your Apple ID settings.

Android native flow: On Android 12 and above, you may also initiate deletion via Google Play Store > Profile > Manage Apps & Device > Engne > Delete Account.

11a.2 What Gets Deleted

Within 30 calendar days of your request, the following is permanently deleted:

11a.3 What Is Retained After Deletion

A small category of data must be retained for legal compliance only and is not used for any commercial purpose:

We do not sell, share, or disclose your personal data to third parties for commercial purposes — including following account deletion.

11a.4 Active Subscriptions

Requesting account deletion automatically initiates cancellation of your active subscription. You do not need to cancel separately. Your subscription access continues until the end of your current billing period. No further charges are made after your deletion request is received.

App Store and Play Store subscribers: Cancellation must also be confirmed in your Apple ID or Google account settings. DEPH LABS cannot unilaterally cancel a subscription billed through Apple or Google. We will remind you of this in your deletion confirmation email.

11a.5 In-Progress Test Kit Orders

If you have submitted a saliva sample currently being processed by the laboratory, we will contact you within 5 working days to confirm whether you want us to (a) complete analysis and deliver results before deletion, or (b) halt processing where possible. If we do not hear from you within 10 working days we will default to option (a).

11a.6 Physical Saliva Sample

Your physical saliva sample is held by our laboratory partner and is destroyed after analysis as standard protocol regardless of account deletion. Account deletion does not and cannot recall a sample already in the laboratory's possession.

11a.7 Partial Deletion — Consent Withdrawal Without Account Closure

You can withdraw consent for specific processing activities without deleting your account:

• Withdraw Engne AI access to your genetic data: Settings > Privacy > Engne AI Data Access > Withdraw Consent.
• Withdraw all special category data processing: email privacy@deph.uk — subject "Full Consent Withdrawal".
• Unsubscribe from marketing: click unsubscribe in any marketing email or email privacy@deph.uk.

11a.8 Deletion Timelines

11a.9 Complaints Regarding Deletion

If we are unable to fulfil your deletion request we will explain why in writing within 30 days. You may escalate to:

• UK: Information Commissioner's Office — ico.org.uk/make-a-complaint | 0303 123 1113
• EU/EEA: your local supervisory authority — edpb.europa.eu
• California: California Privacy Protection Agency — cppa.ca.gov
• Canada: Office of the Privacy Commissioner — priv.gc.ca | Quebec: Commission d'acces a l'information — cai.gouv.qc.ca
• Australia: Office of the Australian Information Commissioner — oaic.gov.au

12. Automated Decision-Making

Our platform uses algorithms and AI to generate wellness insights, biological age scores, supplement recommendations, and coaching guidance from your data. We are transparent about how this works:

• DNA results are generated by our laboratory partner using validated genetic analysis methodology applied to your saliva sample.
• Epigenetic scores (including Biological Age, Male Hormonal Age, Heart Age, MethylGuard, Epi Vitality, Wellness & Inflammation Score) are generated by applying validated epigenetic algorithms — including established biological clock models — to your methylation data.
• Supplement recommendations are generated by matching your genetic markers and epigenetic profile to our formulation database.
• Engne AI responses are generated by a third-party large language model (Google's Gemini API), prompted with male health context and using the limited personal data in Section 3.4 to personalise responses.

All outputs are for wellness and informational purposes only. They do not produce legal or similarly significant effects on you and are not medical diagnoses.

Under Article 22A UK GDPR (as amended by DUAA 2025), where automated processing involves special category data, explicit consent is required and safeguards must be in place. You provide this consent when you purchase a test kit and create an account. You may request human review of any automated output by contacting privacy@deph.uk. We will respond within one month.

13. Important — Not Medical Advice

DEPH LABS is not a medical device, is not regulated by the MHRA or any healthcare regulator, and does not provide medical advice, clinical assessment, diagnosis, or treatment. Our DNA results, epigenetic scores, biological age assessments, supplement recommendations, and AI coaching are for general wellness and informational purposes only and have no clinical diagnostic validity. Nothing on our platform should be used as a substitute for professional medical advice. If you have health concerns, always consult your GP or a qualified healthcare professional. In a medical emergency, call 999.

This applies specifically to:

• Hormonal Health category test results: Our Hormonal Health epigenetic category — including Male Hormonal Age and androgenic sensitivity scoring — is not a testosterone test and does not diagnose hypogonadism or any endocrine condition. Consult a GP or endocrinologist for clinical hormonal assessment.
• Hair Health scores: Our Hair Health epigenetic scoring is not a clinical diagnosis of androgenic alopecia and must not be used to make decisions about medical hair loss treatment or prescription medication.
• Heart Age score: Our Heart Age epigenetic score is not a diagnosis of heart disease and must not be used to inform decisions about cardiac medication or treatment.
• Biological Age scores: wellness metrics derived from epigenetic algorithms — not a clinical assessment of your health status.
• Supplement recommendations: intended to support general wellness. Not prescriptions and do not replace medical dietary advice.
• Engne AI coaching: a wellness tool, not a clinician. Does not have access to your full medical history.

14. Formal Data Protection Complaints Process

Implemented in compliance with the Data (Use and Access) Act 2025 (effective June 2026). We have adopted this process now.

Step 1 — Contact Us: Email privacy@deph.uk — subject "Data Protection Complaint". Include your name, account email, and a description of your concern. We acknowledge within 5 working days.

Step 2 — Investigation: We investigate and provide a written response within 30 calendar days. Complex matters may extend to 60 days with advance notice.

Step 3 — Internal Review: If unsatisfied, reply requesting escalation to a senior team member. We escalate within 10 working days.

Step 4 — Supervisory Authority: ICO: ico.org.uk/make-a-complaint | 0303 123 1113 | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. EEA users: edpb.europa.eu.

15. Your Data Protection Rights

These rights apply to all personal information we control, including your genetic, epigenetic, and health data.

To exercise any right: email privacy@deph.uk. We may verify your identity before responding. You may designate an authorised agent.

16. Children's Privacy

Our Services are designed for adult men aged 18 and over. We do not permit persons under 18 to hold their own independent accounts. Our testing algorithms, epigenetic models, and AI coaching features are calibrated specifically for adult male biology — results and recommendations are not validated for use by minors. If you believe a minor has created an account independently, contact privacy@deph.uk and we will promptly delete any such data.

17. Cookies and Tracking Technologies

For marketing cookies and third-party trackers, we use a PECR/DUAA 2025-compliant consent banner with granular opt-in controls at the point of first visit. You can update preferences at any time via the cookie settings link in the website footer. We honour the Global Privacy Control (GPC) signal — a GPC signal is treated as a valid opt-out of all non-essential cookies for that browser/device.

18. Contact Us

This Privacy Policy was last reviewed and approved on 14 May 2026. © 2026 DEPH LABS LTD. All rights reserved.

Registered in England and Wales, company number 16613109.