PRIVACY POLICY

We respect your privacy and are committed to protecting it through our compliance with this privacy policy.

This Policy describes the types of information we may collect from you or that you may provide (“Personal Information”) on the atomicretreats.com website (“Website” or “Service”).

Privacy Policy – Atomic Retreats Ltd.

Effective date: January 2024


1 Who we are

Atomic Retreats Ltd. (“Atomic Retreats,” “we,” “our,” or “us”) operates longevity protocols and a digital concierge service from our head office in London, United Kingdom. “Atomic Retreats Group” means Atomic Retreats Ltd. and any wholly‑owned subsidiaries that process your personal data.


2 What information we collect

We collect the following categories of data:

• Identification data – name, postal address, email, phone number, passport/ID details.

• Health and wellness data – medical history, laboratory results, medication list, allergies, dietary requirements, hormone profiles, fertility records (special‑category data under GDPR and “Protected Health Information” or PHI under HIPAA).

• Biometric data – facial scans for touch‑less check‑in, body‑composition metrics, wearable‑device streams (all strictly opt‑in).

• Transaction data – bookings, purchases, tokenised payment‑card details.

• Device and usage data – IP address, browser type, mobile‑app events and cookie identifiers collected from our digital channels.

We obtain data directly from you, automatically through our technology, and from authorised third parties such as clinicians, travel agents or corporate wellness partners.


3 How we use your information

• Arrange and deliver customized longevity programmes, diagnostics and concierge services.

• Personalise nutrition, movement and therapy plans.

• Send marketing messages where we have consent or another lawful ground; you can opt out at any time.

• Conduct pseudonymised research and analytics without creating automated decisions that have legal or similar effects.

• Meet legal, regulatory and security obligations, including incident response, fraud prevention and audit reporting.


4 Our legal bases (GDPR) and HIPAA alignment

We process data only when at least one legal ground applies: consent; performance of a contract; compliance with a legal obligation; or legitimate interests pursued by us or a third party that are not overridden by your rights. Health‑related information is processed under Article 9(2)(h) GDPR (provision of health services) and under the HIPAA provisions for treatment, payment and health‑care operations (45 CFR §164.506). Marketing communications rely on Article 6(1)(a) consent or Article 6(1)(f) legitimate interest, depending on jurisdiction.


5 Where we store and transfer data

Your data are stored primarily in Amazon Web Services eu‑central‑1 (Frankfurt, Germany). A read‑only mirror in Azure UK South (London) or Azure UAE North (Dubai) is activated only on written instruction from the client.

• UK transfers rely on the European Commission’s adequacy decision (renewed until 27 December 2025) with the 2021 Standard Contractual Clauses (SCCs) as a fallback.

• UAE transfers use the SCCs, a Transfer‑Impact Assessment and strong technical controls (AES‑256 at rest, TLS 1.3 in transit).

• All cross‑border movements of PHI are covered by executed HIPAA Business‑Associate Agreements (BAAs) with each sub‑processor.


6 Cookies, SDKs and tracking technologies

We employ required, functional and advertising cookies, pixels and similar tools. EEA and UK visitors see a consent banner on their first visit. You can manage preferences via our Cookie Settings link, send a Global Privacy Control signal or adjust browser settings to block non‑essential cookies. If you don’t see the banner, it means that we have disabled cookie usage by our marketing teams.


7 Security measures

Atomic Retreats runs an ISO 27001‑aligned information‑security programme and meets the HIPAA Security Rule. Controls include FIPS‑validated AES‑256 encryption, zero‑trust network segmentation, immutable audit logs, quarterly penetration tests, annual SOC 2 Type II audit and continuous configuration monitoring.


8 Data retention

• Medical records and other PHI are retained seven years after the end of your stay, satisfying medical‑record laws.

• Booking and billing data remain ten years to meet tax and accounting rules.

• Marketing‑consent records last until you withdraw consent or three years of inactivity.

Where no statutory or contractual obligation exists, data are erased or returned within 30 days of contract termination; earlier deletion can be honoured on request if permitted by law.


9 Precedence of partner contracts

If you use our services through a corporate wellness partner, clinic or other entity that has a bespoke data‑processing agreement with us, that agreement governs our handling of your personal data and prevails over any conflicting statement in this policy.


10 Your rights

GDPR / UK‑GDPR rights: access, rectification, erasure, restriction, objection, data portability and withdrawal of consent. HIPAA rights: access to PHI, request amendment, accounting of disclosures, request restrictions and confidential communications. To exercise any right, email us at the addresses below. Every marketing email provides an “unsubscribe” link.


11 HIPAA‑specific disclosures

Atomic Retreats has appointed a HIPAA Privacy Officer and a HIPAA Security Officer. We maintain a log of disclosures of PHI, execute BAAs with all downstream service providers, conduct annual HIPAA risk assessments, and follow the HIPAA Breach Notification Rule (45 CFR §164.400) to notify affected individuals, the U.S. Department of Health & Human Services and, where required, the media within required time frames.


12 GDPR accountability framework

We keep a GDPR Article 30 Record of Processing Activities, perform Data Protection Impact Assessments where processing is likely to result in high risk, and have appointed a Data Protection Officer. Our lead supervisory authority is the UK Information Commissioner’s Office (ICO), and we have appointed an EU Article 27 representative. We refresh staff training annually and review all third‑party processing agreements at least once per year.


13 Children

Our services are not directed to anyone under eighteen (18) years of age, and we do not knowingly collect personal data from children.


14 How to contact us

• Data Protection Officer: dpo@atomicretreats.com

• HIPAA Privacy Office: hipaa‑privacy@atomicretreats.com

• EU Article 27 representative: You may lodge a complaint with the UK ICO or your local supervisory authority.


15 Changes to this policy

We will post any update here at least thirty (30) days before it takes effect and will seek renewed consent where required by law.