Home » Privacy policy

Privacy policy

LOLU Limited (“LOLU”, “we”, “us”) is a registered company in New Zealand. We respect your privacy and handle personal information in accordance with the Privacy Act 2020 (NZ) and, where applicable, the Health Information Privacy Code 2020.

This Privacy Policy explains:

  • who we are;

  • what personal information we collect and why;

  • whether providing information is mandatory or optional;

  • how we store, use, share, and protect personal information;

  • how we handle de-identified (anonymised) data and before/after charts; and

  • your rights and how to complain.

If we make changes we consider important, we will post a notice on our website. Your continued use of our website and services after changes are posted means you accept the updated Privacy Policy.

Your use of our services is also subject to our Terms of Service and Cookie Policy (available on our website). 

1. Who we are

1.1 LOLU Limited (also referred to as “LOLU HEALTH” in branding) collects and is responsible for personal information about you when we provide products, nutrition programs, consultations, and education/training services.

1.2 This Privacy Policy applies to:

  • website visitors;

  • customers purchasing products;

  • clients receiving nutrition programs/consultations;

  • students enrolled in courses; and

  • collaborating practitioners (including dietitians/nutrition professionals).

2. Our privacy approach (minimisation, fairness, accuracy)

2.1 We only collect personal information that is reasonably necessary for our lawful functions and activities (for example, to sell and deliver products, administer programs/courses, manage bookings, provide support, and meet legal obligations).

2.2 We aim to collect, use, and disclose personal information fairly and transparently. Where personal information is used to provide services or make decisions about you, we take reasonable steps to keep it accurate, up to date, complete, relevant, and not misleading.

3. When providing information is required vs optional

3.1 Required information (generally):

To purchase goods, ship orders, provide consultations/programs, or enrol you in a course, we generally need certain basics such as your name, contact details, delivery address (for physical goods), and transaction details. For personalised nutrition services, we may also need relevant questionnaire information to deliver the service safely and appropriately.

3.2 Optional information (generally):

Some information is optional (for example, additional lifestyle context, optional measurements, extra feedback, certain device-generated wellness metrics, or participation in testimonials/case studies). If you choose not to provide optional information, you can usually still purchase products or access standard services, but the personalisation or depth of service may be limited.

3.3 Publication consent is optional:

Consent to publish de-identified outcomes (including before/after charts) is always optional and is not required for standard service delivery unless you voluntarily join a specific campaign or case study.

4. Where we collect personal information

We may collect personal information when you:

  • browse lolu.co.nz (including via cookies/analytics);

  • place an order, make an enquiry, or contact us (online, email, phone, or in person);

  • register for a program, course, assessment, or follow-up;

  • complete questionnaires, submit forms, upload results, or provide progress updates;

  • interact with our social media pages; or

  • participate in promotions, testimonials, or case studies (where applicable).

We may also receive information from third parties where appropriate, such as:

  • delivery/courier partners;

  • payment processors; and/or

  • practitioners involved in your care where you have authorised sharing.

5. What personal information we collect

The personal information we may collect includes:

5.1 Identity and contact information

Name, email, phone number, delivery/billing address, and communications with us.

5.2 Transaction and account information

Orders, invoices/receipts, payment status, support history, and (where used) account login details.

Payment note: We do not store full payment card numbers. Payment processing is handled by secure third-party payment providers, who may process payment information in accordance with their own privacy policies.

5.3 Program/course/consultation information

Questionnaire responses, goals, dietary preferences, lifestyle information, progress notes, and communications relevant to delivering the service.

5.4 Health information (sensitive information)

Where you choose to provide it and where necessary to deliver personalised services safely, we may collect health information, including (examples):

  • blood lipids (e.g., cholesterol measures, triglycerides);

  • hs-CRP and other inflammation-related indicators;

  • body composition metrics (e.g., body fat %, weight, waist);

  • cortisol curve or stress-hormone related information (if provided);

  • sleep scores and sleep-related patterns (if provided);

  • allergies/intolerances, medications, relevant history, and other health information you provide.

We treat health information with heightened care, restricted access, and additional controls.

5.5 Website usage and device information (cookies/analytics)

We may collect information about how you use our website (for example, pages viewed, approximate location, device/browser information, and interactions) through cookies and similar technologies. See Section 9 and our Cookie Policy. 

5.6 Practitioner information (where relevant)

For collaborating practitioners: name/contact details, professional information, and bank details where required for payments.

6. Why we collect and use personal information

We collect and use personal information to:

  • provide and administer products and services (orders, delivery, customer support);

  • deliver nutrition programs, assessments, consultations, follow-ups, and courses;

  • respond to enquiries and manage bookings;

  • maintain appropriate records for service delivery;

  • process returns, exchanges, store credits, and refunds in line with our published policies;

  • send service communications (e.g., confirmations, updates, program delivery);

  • send marketing communications where permitted and/or with your consent (opt-out anytime);

  • improve our products, services, and website (quality assurance and analytics);

  • meet legal and compliance obligations (record-keeping, accounting, disputes); and

  • protect our business and users (security and fraud prevention).

7. Health information boundaries (important)

7.1 Wellness support, not medical care: Our programs, consultations, content, and educational services are intended for general information, education, and wellness support. They are not a substitute for medical advice, diagnosis, or treatment.

7.2 Not medical claims: We do not use collected information to claim that our products or services prevent, diagnose, treat, cure, or prevent disease.

7.3 When to seek medical advice: If you have a medical condition, are pregnant or breastfeeding, are under 18, or take prescription medicines, you should consult your GP or qualified health professional before making significant changes or using supplements.

8. Consent and “informed consent”

8.1 Service delivery consent

When you provide personal information (including health information) for consultations or programs, you authorise us to use it to provide the relevant service.

8.2 Separate consent for publication/marketing

If we wish to use your information for public-facing purposes (e.g., testimonials, marketing, case studies, educational examples), we will seek separate, explicit informed consent where appropriate. This consent is optional and is not required to receive standard services unless the activity itself is a voluntary campaign you join.

8.3 What informed consent will include

Informed consent will clearly describe:

  • what data we will use (e.g., blood lipids, hs-CRP, body fat %, cortisol curve, sleep scores);

  • the purpose (e.g., education, demonstrating outcomes, marketing);

  • where it may appear (e.g., website, social media, posters, course materials);

  • whether we will publish it de-identified or identifiable (if ever);

  • expected duration; and

  • how you can withdraw your consent.

9. Cookies, analytics, and similar technologies

9.1 What cookies do: Cookies and similar technologies help websites function, remember preferences, understand usage, and (where enabled) measure marketing performance. Our Cookie Policy describes cookies used on our sites and third-party cookie scenarios (including when you share content via social networks). 

9.2 Types of cookies (general):

  • Strictly necessary cookies: Needed for basic site functions (e.g., cart/checkout).

  • Analytics/performance cookies: Help us understand how the site is used and improve it.

  • Marketing/advertising cookies (where enabled): Help measure and improve advertising relevance/performance.

9.3 How to manage cookies: You can typically control cookies through your browser settings (block/delete cookies). Please note that blocking some cookies may affect site functionality (including checkout).

 

10. De-identified (anonymised) data and before/after charts (public use)

Because we may demonstrate outcomes using before/after comparisons, this section explains how we do this responsibly.

10.1 What we may publish (only with consent and de-identification)

With your informed consent, we may publish de-identified outcomes such as:

  • aggregated results (e.g., average or range change in triglycerides or hs-CRP);

  • de-identified before/after charts or trend graphs (e.g., body fat %, lipids, hs-CRP, cortisol curve, sleep scores);

  • de-identified summaries for education or service improvement.

10.2 Our de-identification standard

Before publication, we will remove or mask direct identifiers, including (without limitation):

  • name, photo/face, voice;

  • date of birth, report numbers, test IDs, order IDs;

  • address, phone, email, social handles; and

  • any other details reasonably likely to identify you.

We will also take reasonable steps to reduce “re-identification by combination”, for example by:

  • using aggregated results where possible rather than single-person screenshots;

  • removing precise dates/times or rare unique details; and

  • avoiding publication where sample sizes are very small or the risk of re-identification is high.

De-identified status: Once information has been de-identified so that individuals are not reasonably identifiable, it may no longer be “personal information” under the Privacy Act. However, we will still take reasonable steps to minimise re-identification risk.

10.3 What we do not publish

Unless we have your explicit, separate permission, we do not publish:

  • full lab reports or documents that include identifiers;

  • images or files that could reasonably identify you; or

  • any identifiable health information.

10.4 Withdrawal of publication consent

You can withdraw your consent for public use at any time by emailing info@lolu.co.nz. After withdrawal, we will take reasonable steps to:

  • stop future publishing; and

  • remove the content from platforms we control (e.g., our website and our own social media accounts) where practicable.

Important: Withdrawal will not affect any publication or use that occurred before we received your withdrawal request. We may not be able to fully remove content that has been copied, cached, shared, reposted, or archived by third parties.

11. Marketing communications

We may send marketing communications where permitted by New Zealand law and/or with your consent. You can opt out at any time by using the unsubscribe link in our emails or contacting info@lolu.co.nz.

12. Who we share personal information with (third parties)

We may share personal information with trusted third parties where necessary to operate our business and provide services, including:

  • payment processors;

  • couriers and logistics partners;

  • IT, website hosting, cloud storage, email, and analytics providers;

  • course delivery platforms (if used);

  • professional advisers (legal/accounting) where necessary; and

  • regulators or law enforcement where required or authorised by law.

We require service providers to protect information and use it only for providing services to us.

13. Overseas storage and disclosures

Some service providers may store or process information outside New Zealand (e.g., cloud hosting, email, analytics). When we disclose information overseas, we take reasonable steps to ensure it is protected in a manner consistent with New Zealand privacy requirements. Where appropriate, we use contractual clauses or other safeguards to help ensure comparable protection, or we rely on another permitted method under the Privacy Act 2020.

14. Security

We use appropriate technical and organisational safeguards designed to protect personal information from loss, unauthorised access, use, modification, or disclosure. Access is limited to people who need it for legitimate business purposes and who are subject to confidentiality obligations.

No internet transmission or storage system can be guaranteed 100% secure. We take reasonable steps to protect your information, but cannot guarantee absolute security.

15. Privacy breaches

We maintain procedures to detect, assess, and respond to suspected privacy breaches. Where we are required to do so, we will notify affected individuals and the Office of the Privacy Commissioner as soon as practicable.

16. Retention

We keep personal information only for as long as necessary for:

  • delivering services to you;

  • maintaining appropriate business and financial records; and

  • resolving complaints or disputes and meeting legal obligations.

When no longer required, we take reasonable steps to delete, destroy, or de-identify information.

17. Children and young people

17.1 Our website and services are intended for people who can lawfully enter into transactions and make informed decisions about participation.

17.2 If you are under 18, you should use our services only with the involvement and consent of a parent or legal guardian, especially where health information is provided.

17.3 If we become aware that we have collected personal information from a person under 18 without appropriate guardian involvement, we may take reasonable steps to delete that information unless we are required or permitted by law to retain it.

18. Automated tools and recommendations 

We may use questionnaires, scoring tools, and software to help generate wellness insights or program recommendations (for example, summarising inputs or presenting trend visualisations). These tools are intended to support (not replace) professional judgement. If you have questions about a recommendation or result, you can contact us at info@lolu.co.nz.

19. Your rights

You may request access to, or correction of, the personal information we hold about you. To make a request, email info@lolu.co.nz. Please provide enough information to verify your identity and locate your records.

These rights are subject to exceptions under the Privacy Act 2020. If an exception applies, we will explain this where required.

20. How to complain

We welcome the opportunity to resolve concerns. If you have a question or complaint about our handling of personal information, please contact info@lolu.co.nz.

21. Updates to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version will be published on our website with the updated “Last updated” date.

 

This Privacy Policy has been updated on 06 Sep 2023.