Welcome to The Good Mood Co, where we strive to provide a safe and secure platform for our users to access sensitive health information. We understand the importance of protecting your privacy and the confidentiality of your personal health data. This privacy policy outlines our commitment to safeguarding your information and ensuring that it is used only for the purposes for which you have provided it. We take the responsibility of handling your health data very seriously, and we are committed to complying with all applicable privacy laws and regulations. We encourage you to read this privacy policy carefully to understand how we collect, use, and protect your personal information.

Privacy Policy

Effective Date: 25 November 2025

This Privacy Policy explains how The Good Mood Co Ltd and The Good Mood Co UG (haftungsbeschränkt) (together, “The Good Mood Co”, “we”, “us”, “our”) collect, use, store, and protect your personal data when you use the TGMC App, our website, memberships, health checks, or otherwise interact with us.

We process personal data in accordance with:

• the EU General Data Protection Regulation (GDPR),
  
  
• the UK GDPR and Data Protection Act 2018, and
  
  
• the German Federal Data Protection Act (BDSG).
  
  

We encourage you to read this policy carefully.

1. Who Is Responsible for Your Data

The Good Mood Co Ltd (United Kingdom)

• Incorporated in England & Wales, Company No. 12470788
  
  
• Primary controller for TGMC app accounts, memberships, website, cloud storage, and digital services
  
  
• Manages cloud infrastructure hosted on Google Cloud Platform (GCP) in Germany
  
  

The Good Mood Co UG (haftungsbeschränkt) (Germany)

• HRB 135269, Frankfurt am Main
  
  
• Independent controller for German customers who purchase Heilpraktiker / naturopathic services, including laboratory tests and associated health services under the Heilpraktikergesetz
  
  
• These services are exempt from VAT under §4 Nr. 14 UStG
  
  

Where you purchase a German health service, certain data (e.g., lab results) may be accessed by both entities where necessary for service delivery.

2. What Data We Collect

We only collect data necessary to provide, secure, and improve our services.

Identity & Contact Data

• Name
  
  
• Email address
  
  
• Postal address
  
  
• Date of birth
  
  
• Phone number
  
  
• Gender or sex (if provided)
  
  

Account & Profile Data

• Login details
  
  
• Preferences
  
  
• Lifestyle inputs
  
  
• Health and wellbeing goals
  
  
• Pregnancy status (for relevant calculations)
  
  
• Ethnicity (used only for body composition–related calculations such as BMI)
  
  
• Assessment and questionnaire responses
  
  

Health Data (Special Category Data)

Processed only with your explicit consent:

• Biomarker and laboratory results
  
  
• Self-reported symptoms or conditions
  
  
• Physiological measurements
  
  
• Health assessments and scores
  
  
• Interpretation of lab results (UG services)
  
  
• Naturopathic treatment details (Germany only)
  
  

Uploaded Content

• Lab reports (PDF, image, or photo)
  
  
• Other health documents you voluntarily upload
  
  

Transaction Data

• Purchase history
  
  
• Subscription information
  
  
• Invoices
  
  
• Delivery information for health kits (if applicable)
  
  

Payment Data

• Processed securely via Stripe
  
  
• The Good Mood Co does not store full card numbers
  
  

Device & Usage Data

Collected via your device and Firebase Analytics:

• Device type, operating system, browser
  
  
• IP address (shortened / pseudonymised by Firebase)
  
  
• Session identifiers
  
  
• Screen navigation events
  
  
• Feature usage
  
  
• Scroll depth
  
  
• Crash logs
  
  
• App performance metrics
  
  

We Do Not Use Apple HealthKit or Google Fit

The TGMC App currently does not import data from Apple Health or Google Fit.

3. How We Use Your Data & Legal Bases

We process your data only for specific, legitimate purposes under GDPR Articles 6 and 9.

To provide and personalise the TGMC App

(e.g., calculate biomarker insights, generate personalised recommendations)

Legal basis:

• Explicit consent (health data)
  
  
• Contract performance (account functionality)
  
  

To provide German Heilpraktiker services

(e.g., processing, obtaining, and interpreting lab results)

Legal basis:

• Explicit consent (health data)
  
  
• Provision of healthcare services (UG only)
  
  

To process payments

Legal basis: Contract performance

To communicate with you

(e.g., onboarding emails, reminders, support responses)
Legal basis:

• Contract performance
  
  
• Legitimate interests (service notifications)
  
  

To improve app performance and security

(e.g., crash logs, analytics, debugging)

Legal basis: Legitimate interests
Special-category health data is not used for analytics.

To process pseudonymised biomarker data using OpenAI

We may send limited, pseudonymised biomarker and laboratory data to OpenAI (OpenAI, L.L.C. and its affiliates) to structure, classify, or interpret laboratory values.

Before transmission:

• All direct identifiers (name, date of birth, email, address, account data) are removed
  
  
• No information that can directly identify you is shared
  
  
• Only biomarker-related text and values remain
  
  

OpenAI processes this data solely to provide the requested analysis and does not use it to train its models.

Legal basis:

• Explicit consent (special-category data)
  
  
• Legitimate interests (service optimisation)
  
  

To comply with legal obligations

(e.g., medical recordkeeping for UG, accounting, tax)

Legal basis: Legal obligation

4. Profiling & Automated Processing

The TGMC App uses algorithms to:

• calculate biomarker patterns
  
  
• generate personalised insights
  
  
• identify potential imbalances
  
  
• produce health-span–related scores
  
  

This constitutes profiling under GDPR.
It does not produce legal or similarly significant decisions.
You may request human review at any time.

5. Data Sharing

We share data only when necessary and only with trusted partners.

Service Providers (Processors)

• Google Cloud Platform (Germany) — hosting
  
  
• Stripe — payments
  
  
• Firebase Analytics & Crashlytics — performance, diagnostics
  
  
• OpenAI — pseudonymised biomarker processing
  
  
• Email delivery services — transactional communications
  
  

Partner Laboratories

If you purchase a health check, we share only the minimum data required to process your laboratory analysis.

Certain laboratories may need limited identifiers in rare cases involving critical or abnormal results, to ensure appropriate medical action.

No Sale of Data

We do not:

• sell data
  
  
• share data for advertising
  
  
• share unidentified health data with third-party advertisers
  
  

6. International Data Transfers

Your data is primarily stored in Germany on GCP.

Where transfers outside the EU/UK are necessary (e.g., Stripe, OpenAI), we use approved safeguards such as:

• Standard Contractual Clauses (SCCs)
  
  
• Adequacy decisions
  
  
• Robust technical and organisational measures
  
  

7. Data Retention

TGMC Ltd (App)

• Account data: retained until account deletion
  
  
• Biomarker data: deleted immediately upon account deletion
  
  
• Diagnostic & usage data (e.g., analytics, crash logs): 24 months
  
  
• Marketing data: retained until consent withdrawal
  
  

TGMC UG (Germany – Heilpraktiker Services Only)

• Medical and naturopathic service records: 10 years, as required by clinical documentation standards
  
  

8. Your Rights

Under GDPR, you may request:

• Access
  
  
• Correction
  
  
• Deletion
  
  
• Restriction
  
  
• Portability
  
  
• Withdrawal of consent
  
  
• Objection (where applicable)
  
  

Upon deleting your TGMC account, all app-related data is erased except where legal obligations (e.g., German medical recordkeeping, tax laws) require retention.

To exercise your rights, email: contact@thegoodmoodco.com

You may also lodge a complaint with your local data protection authority.

9. Security Measures

We protect your data using industry-grade safeguards:

• Encryption in transit and at rest
  
  
• Pseudonymisation of health data
  
  
• Role-based access controls
  
  
• Multi-factor authentication
  
  
• Logging and monitoring
  
  
• Secure coding practices
  
  
• Regular audits and penetration testing
  
  
• Disaster recovery procedures
  
  
• Vendor due diligence
  
  

10. Children’s Privacy

Our services are not intended for individuals under 18.
We do not knowingly collect data from minors.
If such data is discovered, it will be deleted promptly.

11. Updates to This Policy

We may update this policy to reflect changes in our services, technology, or legal requirements.
The updated version will be posted with its new effective date.

If changes materially broaden our use of your existing data, we will notify you and provide choices where required by law.