CATO HEALTH - Privacy Policy

Effective Date: 18th March 2026

1. Introduction: Our Commitment to Your Privacy

At Cato Health, we are committed to transparency and clarity, especially in how we handle your personal information. We understand that trusting a company with your data is a significant decision, particularly when it comes to health and wellness. This Privacy Policy explains, in plain English, exactly how we collect, use, store, and share any personal information you provide through our website, mobile application, and other services (collectively, our "Service").

Our commitment to you:

Data Controller

Cato Health ("Cato Health," "we," "us," or "our") is a brand name of Cato Longevity Limited, a company registered in England and Wales under company number 16812178, with its registered office at 11A Fulham Park Road. We are the data controller for the personal data described in this Privacy Policy.

ICO Registration

Cato Health (Cato Longevity Limited) is registered with the Information Commissioner's Office (ICO) under registration number Z7436918.
View our ICO registration on the official ICO website

Data Protection Officer

If you have any questions about this Privacy Policy or our data practices, you can contact our Data Protection Officer at:

Email: info@cato.health
Post: Data Protection Officer, Cato Longevity Limited, 11A Fulham Park Road, London SW6 4LH

2. Summary of Key Points

3. What Information We Collect

We collect only what we need to provide and improve our Service. Depending on the specific Plan you purchase or features you enable, this may include the following categories:

Account Information

Health and Wellness Data (Special Category Data)

AI Health Intelligence Companion Interactions

Service Usage Information

Communications

Data We Receive from Third Parties

Where you connect third-party devices or services to your Cato Health account, we receive data from those providers as described above. We may also receive data from our laboratory partners when your blood tests are processed. In all cases, we will inform you about what data we receive and how it is used before or at the time of collection.

4. How We Use Your Information

The content below sets out each purpose for which we process your personal data, the categories of data involved, and the legal basis we rely on:

Legitimate Interests Assessment

Where we rely on legitimate interests as a legal basis, we have carried out a balancing test to ensure our interests do not override your rights and freedoms. Our legitimate interests include: maintaining and improving the security of our Service, understanding how members use the Service to develop new features, training our internal AI models using de-identified data, and marketing our services to existing members. You have the right to object to processing based on legitimate interests at any time (see Section 13).

5. Explicit Consent for Health Data

Health data (including blood biomarker results, wearable data, questionnaire responses, and any health records you upload) is classified as "special category data" under Article 9 of the UK GDPR. This type of data requires additional protection.

We process your health data on the basis of your explicit consent, which we request separately and clearly during the account creation process. Your consent is:

Withdrawing Consent

You may withdraw your consent to health data processing at any time by contacting info@cato.health. Withdrawal of consent does not affect the lawfulness of any processing carried out before the withdrawal.

Important: Because processing your health data is essential to the core functionality of our Service, withdrawing consent will prevent us from delivering the Service and will result in the termination of your Plan. In these circumstances, we will provide a pro-rata refund for any unused portion of your Plan Period, as set out in our Terms of Service.

6. Third-Party AI Models

No Training of Third-Party Models

We want to be clear: your personal health and wellness data will not be used to train third-party AI models. When we use third-party AI infrastructure (such as enterprise-grade foundation models), our agreements with these providers explicitly prohibit the use of your data for training their general models.

This means your health information, conversations with our AI, and data from any connected sources remain protected. They are used solely to generate insights for you and are never incorporated into a provider's public knowledge base or model training sets.

We regularly audit our AI provider agreements to ensure these protections remain in place.

7. Data Protection Impact Assessments

Given the sensitive nature of the health data we process, we have conducted Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the UK GDPR. Our DPIAs cover:

We review and update our DPIAs whenever there is a significant change to our processing activities, and make them available to the ICO upon request.

8. How We Keep Your Information Secure

We implement appropriate technical and organisational measures to protect your personal data, including:

Technical Measures

Organisational Measures

No method of electronic transmission or storage is completely secure. While we strive to protect your personal information using commercially appropriate means, we cannot guarantee its absolute security. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, in accordance with Article 34 of the UK GDPR.

9. Who Has Access to Your Data

We restrict access to your personal data based on role and necessity. The following teams may access your data:

Team Data They Can Access Purpose
Clinical team Health and wellness data, AI-generated recommendations To review and sign off on lifestyle recommendations before they are delivered to you
Customer support Account information, relevant health data, communications To provide assistance and resolve technical issues with your active services
Development team Technical logs, de-identified health information System maintenance, integration stability, and feature improvement
AI and Data Science team Aggregated or de-identified data only Model training, service improvement, and research (where consented)
Management / Compliance Aggregated reports, compliance records Regulatory compliance, reporting, and governance

All staff with access to personal data are subject to confidentiality obligations and have received data protection training.

10. How Long We Keep Your Information

We retain your information only for as long as necessary for the purposes for which it was collected, or as required by law. The specific retention periods are:

Data Category Retention Period Justification
Account information Duration of Plan + 30 days To enable data export after Plan ends. After 30 days, data is deleted or anonymised unless you request reactivation.
Health and wellness data (blood results, wearable data, uploads) Duration of Plan + 30 days To provide long-term trend analysis during your Plan and allow data export after it ends.
AI interaction data Duration of Plan + 30 days To maintain context for personalised coaching. De-identified data may be retained longer for model improvement.
Service usage and analytics data Rolling 24-month period To support service improvements, troubleshooting, and feature development.
Communications (support, complaints) Up to 6 years from date of communication To comply with the Limitation Act 1980 (6-year period for contractual claims) and to support ongoing customer service.
Payment records 7 years from transaction date To comply with HMRC record-keeping requirements.
De-identified / aggregated research data Indefinite Cannot be linked back to you. Used for ongoing service and research improvement.

When personal data is no longer required, it is securely deleted or irreversibly anonymised. We conduct regular reviews of retained data to ensure compliance with these retention periods.

11. Who We Share Your Information With

We do not sell your personal data. We may share your information with the following categories of recipients:

Service Providers (Data Processors)

These organisations process data on our behalf, under our instructions and subject to written data processing agreements:

Independent Controllers

These organisations receive data from us and determine their own purposes and means of processing:

Diagnostic Services

For laboratory or diagnostic testing specifically, we share personal details such as your name, date of birth, address, and test requests with our laboratory partners to facilitate sample collection and processing. This sharing is necessary to perform our contract with you.

Legal and Regulatory Disclosures

We may disclose your personal data where required to do so by law, regulation, or court order, or where disclosure is necessary to protect our legal rights, enforce our Terms of Service, or protect the safety of our users or others.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will provide you with notice before your personal data is transferred and becomes subject to a different privacy policy.

12. Automated Decision-Making and Profiling

Our Service uses AI and automated processing to generate personalised health insights and recommendations based on your data. This constitutes profiling under the UK GDPR.

How it works

Our AI analyses data from your blood biomarkers, wearable devices, lifestyle questionnaire, and interactions with the platform to generate health scores, identify trends, and provide personalised recommendations. These recommendations are reviewed by qualified clinicians before being delivered to you.

Your rights

Under Article 22 of the UK GDPR, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Because our AI-generated recommendations are reviewed by a qualified clinician before delivery, they do not constitute solely automated decision-making. However, you always have the right to:

To exercise these rights, contact info@cato.health.

13. Your Rights

Under UK data protection law (the UK GDPR and Data Protection Act 2018), you have the following rights regarding your personal data:

Right What This Means
Access Request a copy of the personal data we hold about you. We will provide this within one month of your request.
Rectification Ask us to correct any inaccurate or incomplete personal data.
Erasure Request deletion of your personal data in certain circumstances (e.g., when data is no longer needed for the purpose it was collected, or you withdraw consent).
Restriction Ask us to temporarily limit how we process your data (e.g., while we verify accuracy or assess an objection).
Data Portability Request your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) so you can transfer it to another provider.
Objection Object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
Withdraw Consent Withdraw your consent for health data processing at any time. Note: this will prevent us from delivering the Service (see Section 5).
Automated Decisions Request human review of decisions made through automated processing (see Section 12).
Complain Lodge a complaint with the ICO if you believe your data protection rights have been violated.

How to Exercise Your Rights

To exercise any of these rights, email info@cato.health. We will respond within one calendar month. If your request is complex or we receive a high volume of requests, we may extend this by a further two months, but we will inform you within the first month.

We will not charge a fee for most requests. However, if your request is manifestly unfounded or excessive (for example, if you make repetitive requests), we may charge a reasonable fee or refuse the request, in accordance with the UK GDPR.

We may need to verify your identity before processing your request, to protect the security of your personal data.

Right to Complain

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first at info@cato.health.

14. International Data Transfers

Our operations are primarily based in the United Kingdom. However, some of our service providers may process personal data outside of the UK. Where this occurs, we ensure appropriate safeguards are in place, including:

The following categories of service providers may process data outside the UK:

You can request further details about the specific safeguards we have in place by contacting info@cato.health.

15. Cookies and Similar Technologies

We use cookies and similar technologies to enhance your experience, improve our Service, and understand how it is used. For detailed information about the specific cookies we use, their purposes, and how to control them, please see our Cookie Policy, available on our website.

16. Children's Privacy

Our Service is not directed to, and is not intended for use by, anyone under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at info@cato.health, and we will take steps to delete it promptly.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or best practices.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

18. Contact Information

For any questions about this Privacy Policy or our data practices:

Data Protection Officer: info@cato.health
Post: Data Protection Officer, Cato Longevity Limited, 11A Fulham Park Road, London SW6 4LH

Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113

We are committed to working with you to obtain a fair resolution of any complaint or concern about your privacy.



arrow_upward