The short version: We collect only the health information you actively provide through our intake forms. We use it solely to deliver your clinical programme. We do not sell it, share it with advertisers, or use it for any purpose other than your care. You have full rights over your data at any time. Contact us at stephen@detective-health.com with any questions or requests.
Detective Health is operated by Stephen Duncan Nutrition, a sole trader based in Edinburgh, Scotland. The data controller for all personal data processed through this website and its associated clinical tools is:
Stephen Duncan
Stephen Duncan Nutrition / Detective Health
Edinburgh, Scotland
Email: stephen@detective-health.com
Website: detective-health.com
This Privacy Policy applies to the detective-health.com website, all intake forms and clinical tools hosted on the platform, the Test, Don't Guess book purchase via Gumroad, and any direct email communication with us.
We collect personal and health data only when you actively provide it — through our intake questionnaires, contact forms, or direct communication. We do not collect data passively beyond standard server logs.
| Type of Data | What We Collect | Why We Collect It |
|---|---|---|
| Identity | Name, date of birth, email address | To identify you as a client and communicate about your programme |
| Health Data | Symptom responses, health history, lifestyle factors, laboratory test results, questionnaire responses | To deliver functional medicine clinical assessment and programme recommendations — this is the core purpose of the service |
| Biometric | Height, weight, blood pressure (if provided) | Clinical context for health assessment |
| Lifestyle | Diet, exercise, sleep, stress, supplement use | Clinical context for programme design |
| Purchase Data | Email address and purchase confirmation (via Gumroad for book purchases) | To confirm your purchase and deliver your digital product |
| Communication | Emails and messages you send to us | To respond to your enquiries and support your programme |
| Technical | Standard server/access logs (IP address, browser type, pages visited) via Netlify hosting | Site security and performance — not used to identify individuals |
Health data is special category data under GDPR. We process it on the basis of your explicit consent, which you provide when you submit any intake form or engage with our clinical services.
We rely on the following legal bases under UK GDPR:
Explicit Consent (Article 9(2)(a)): For processing special category health data submitted through our intake forms and clinical tools. You may withdraw consent at any time by contacting us.
Contract Performance (Article 6(1)(b)): For processing data necessary to deliver the clinical programme or service you have engaged with us for.
Legitimate Interests (Article 6(1)(f)): For technical server logs used to maintain site security and performance. We have assessed that these interests do not override your rights.
Intake form submissions are processed through Netlify Forms, which stores form data on Netlify's servers (US-based, with EU/UK data protection safeguards). Form notification emails are delivered to a private email account accessible only to Stephen Duncan.
Client programme data may also be held in Practice Better, a HIPAA and GDPR-compliant practice management platform used to deliver your programme.
Book purchases are processed through Gumroad, which operates its own privacy policy for payment and transaction data. We receive only your email address and purchase confirmation — we do not receive payment card details.
We implement the following security measures: HTTPS encryption on all data in transit across detective-health.com, security headers (Content Security Policy, HSTS, X-Frame-Options) to protect against common web vulnerabilities, and access to health data restricted to Stephen Duncan only.
We do not:

- sell your data to any third party
- share your data with advertisers
- use your data for any purpose other than delivering your clinical programme
- run advertising pixels or tracking scripts on this site
- store payment card details
We retain client health records for 8 years from the date of last contact, in line with UK healthcare practitioner record-keeping guidance. After this period, data is securely deleted.
Intake form submissions from individuals who do not proceed to a clinical programme are retained for 12 months and then deleted.
Purchase records from Gumroad are retained for the period required under UK tax legislation (currently 6 years).
You may request deletion of your data at any time. Where we are required by law to retain certain records, we will inform you of this.
| Service | Purpose | Data Shared |
|---|---|---|
| Netlify | Website hosting and form processing | Form submissions, server logs |
| Practice Better | Client programme management | Name, health history, programme notes |
| Gumroad | Digital product delivery (book) | Email address, purchase data |
| Randox / Regenerus Labs / Nordic Labs | Laboratory testing (TDG programme clients only) | Name, date of birth, test requisition data |
| Google Fonts | Typography (no cookies, no tracking) | IP address (standard CDN request only) |
| Anthropic API (via Cloudflare Worker) | AI-powered clinical analysis tools (practitioner-facing only) | De-identified clinical data entered by practitioner into analysis tools |
We do not use Google Analytics, Facebook Pixel, or any other behavioural tracking or advertising technology on detective-health.com.
You have the following rights regarding your personal data. To exercise any of these rights, contact us at stephen@detective-health.com. We will respond within 30 days.
Detective-health.com does not use tracking cookies, advertising cookies, or analytics cookies. The only cookies that may be set are strictly necessary functional cookies from Netlify for form submission processing. These are not used for tracking or advertising purposes and do not require your consent under UK law.
We do not use a cookie consent banner because we have no non-essential cookies to consent to.
Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at stephen@detective-health.com and we will delete it promptly.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and notify affected individuals without undue delay. We maintain an internal record of any data breaches, their causes, and the remedial action taken.
We may update this Privacy Policy from time to time. Material changes will be communicated to active clients by email. The current version is always available at detective-health.com/privacy.html. The "last updated" date at the top of this page indicates when changes were last made.
For any questions, concerns, or requests relating to your data or this Privacy Policy, please contact us:
Data Controller: Stephen Duncan
Practice: Stephen Duncan Nutrition / Detective Health
Email: stephen@detective-health.com
Website: detective-health.com
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113