Privacy Policy

xlr8well is committed to protecting your privacy and handling your personal data — especially health data — with the highest care.

Last updated: 24 May 2026 · Version 1.0

Quick Reference

Data Controller: xlr8well Ltd · Dubai, UAE & Tyne and Wear, UK
Data Protection Officer: dpo@xlr8well.life
Legal Basis (health data): Explicit consent · Art. 9(2)(a) GDPR
Your Rights: Access · Erasure · Portability · Rectification · Objection

1. Who We Are

xlr8well Ltd ("xlr8well", "we", "us") is an at-home healthcare and wellness platform operating in Dubai, UAE and Tyne and Wear, United Kingdom. We are the data controller responsible for your personal information.

Contact: privacy@xlr8well.life
702 Yes Business Tower, Al Barsha 1, Dubai, UAE
DHA License: 88987544

2. Personal Data We Collect

We collect different types of data depending on how you use our services:

2.1 Account & Identity Data

  • Full name, email address, phone number, date of birth
  • Emirates ID or passport number (for DHA-required identity verification)
  • Billing and delivery address
  • Account credentials (stored securely via Firebase Authentication)

2.2 Health & Medical Data (Special Category)

⚠ Article 9 GDPR: This is sensitive data and is processed only with your explicit consent.

  • Biomarker and blood test results
  • Medical history, symptoms, diagnoses you share with us
  • Biological age assessments and health scores
  • Medication and supplement details
  • Physiotherapy and treatment records
  • Mental health information you voluntarily provide

2.3 Booking & Transaction Data

  • Service bookings, visit schedules, and appointment history
  • Payment information (processed by Stripe — we do not store card numbers)
  • Order history and invoices

2.4 Technical & Usage Data

  • IP address (anonymised where possible), browser type, device type
  • Pages visited, time on site, clicks (analytics only with your consent)
  • Language and location preferences (stored locally in your browser)

3. How and Why We Use Your Data

Purpose | Legal Basis
Providing healthcare and wellness services | Contract performance · Explicit consent (health data)
Booking management and scheduling | Contract performance
Sending appointment confirmations and results | Contract performance · Legitimate interest
Processing payments | Contract performance
Improving our services and platform | Legitimate interest
Analytics (usage patterns) | Consent
Marketing and retargeting ads | Consent
Legal and regulatory compliance (DHA) | Legal obligation
Fraud prevention and security | Legitimate interest

4. Cookies and Tracking

We use cookies and similar technologies. You can manage your preferences at any time via our cookie banner or by clicking .

4.1 Necessary Cookies (always active)

  • Firebase Auth — session authentication
  • wellness-cart — your shopping cart contents
  • xlr8_language — your language preference
  • xlr8_location_preference — UAE/UK selection
  • xlr8_consent — records your cookie preference

4.2 Analytics Cookies (consent required)

  • Analitas (analitas.com) — anonymised site usage data. No personal data is transferred.

4.3 Marketing Cookies (consent required)

  • Google Ads (AW-17941784265) — conversion tracking and retargeting. Subject to Google's Privacy Policy.

5. Third Parties We Share Data With

We only share data with third parties where necessary:

Provider | Purpose | Legal basis
Firebase (Google) | Database, authentication, and file storage | Data Processing Agreement · Standard Contractual Clauses
Stripe (USA/EU) | Payment processing | Data Processing Agreement
Google Ads | Marketing and analytics (consent only) | Consent
Analitas | Site analytics (consent only) | Consent
Dubai Health Authority (DHA) (UAE) | Regulatory reporting obligations | Legal obligation

We never sell your data to third parties.

6. How Long We Keep Your Data

Data type | Retention period
Health and medical records | 10 years (DHA regulatory requirement)
Account data | Duration of account + 2 years after deletion request
Booking and transaction records | 7 years (financial/tax obligations)
Analytics data | 13 months maximum (then anonymised)
Marketing consent records | 3 years
Cookie consent records | 1 year
Customer communications | 3 years

7. Your Rights Under GDPR

If you are in the UK or EEA, you have the following rights:

📋 Right to Access

Request a copy of all data we hold about you (Subject Access Request).

✏️ Right to Rectification

Correct inaccurate or incomplete personal data.

🗑️ Right to Erasure

Request deletion of your data ("right to be forgotten"). Some data may be retained for legal reasons.

📦 Right to Portability

Receive your data in a structured, machine-readable format.

🚫 Right to Object

Object to processing based on legitimate interest or for direct marketing.

⏸️ Right to Restrict

Ask us to pause processing while a dispute is resolved.

🔄 Right to Withdraw Consent

Withdraw consent at any time without affecting prior processing.

🏛️ Right to Complain

Lodge a complaint with the ICO (UK) or your local supervisory authority.

Exercise your rights

Submit a request via our Data Subject Rights page or email dpo@xlr8well.life. We will respond within 30 days.

8. Special Category: Health Data

⚠ Important — Sensitive Data

Health and medical data is classified as "special category" data under Article 9 GDPR and is given the highest level of protection.

We process health data exclusively on the basis of your explicit consent. This means:

  • You must actively consent before we store any health information about you
  • Health data is stored in Firebase (EU data centres) with encryption at rest and in transit
  • Only DHA-licensed clinical staff and our authorised engineers can access health records
  • Health data is never used for marketing purposes
  • You can request deletion at any time (subject to the 10-year DHA retention requirement)

9. Data Security

  • All data is transmitted over HTTPS (TLS 1.2+)
  • Firebase (our database provider) is ISO 27001 certified and uses AES-256 encryption at rest
  • Role-based access controls — staff see only the data relevant to their role
  • Passwords are never stored in plain text (Firebase Authentication manages credentials)
  • Payment card data is handled exclusively by Stripe (PCI DSS Level 1 compliant)
  • We conduct security reviews and access audits regularly

In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours as required by Article 33 GDPR.

10. Children's Privacy

Our services are not directed at children under 16. We do not knowingly collect personal data from minors without explicit parental or guardian consent. If you become aware that a child under 16 has provided us personal data without consent, please contact us immediately at privacy@xlr8well.life.

11. International Data Transfers

We operate in the UAE and UK. Some of our service providers (including Google Firebase) process data outside the EEA. Where this occurs, we ensure adequate safeguards are in place:

  • EU Standard Contractual Clauses (SCCs) with all US-based processors
  • Adequacy decisions where applicable
  • UK IDTA (International Data Transfer Agreement) for UK transfers

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and display a notice on our website. The "last updated" date at the top reflects the most recent revision. Continued use of our services after changes constitutes acceptance of the updated policy.

13. Contact Us

General Privacy Enquiries

privacy@xlr8well.life

Data Protection Officer

dpo@xlr8well.life

Exercise Your Rights

Data Subject Rights Request