Privacy Policy

Version 1.0  |  Effective 18 February 2026

1. Introduction

Physiology First, a division of Pantheon Consulting SA (CHE-469.198.440), (“we,” “our,” or “us”) is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, and protect the information you share with us when you use our website (ph1st.com), engage our coaching services, or communicate with us.

We operate from Switzerland and our data handling practices comply with the Swiss Federal Act on Data Protection (FADP, effective 1 September 2023) and, where applicable to clients based in the European Union or United Kingdom, the EU General Data Protection Regulation (GDPR) and the UK GDPR.

We handle some of the most sensitive personal data that exists — genetic information, blood chemistry, physiological monitoring data, and personal health narratives. We take this responsibility seriously, and our systems and processes are designed with privacy and confidentiality at their core.

2. Data Controller

The data controller responsible for your personal data is:

Physiology First

A division of Pantheon Consulting SA | CHE-469.198.440

Val de Bagnes, Valais, Switzerland

Email: [email protected] (via Proton Mail)

Website: ph1st.com

For any data protection queries or to exercise your rights under this policy, please contact us at the email address above.

3. What Data We Collect

We collect different categories of personal data depending on how you interact with us. The principle of data minimisation applies throughout: we only collect data that is necessary for the purpose stated.

3.1 Website Visitors

Data Category | Details
Technical data | IP address, browser type, device type, operating system, pages visited, time spent on site. Collected via privacy-respecting analytics only.
Contact form data | Name, email address, phone number (if provided), and the content of your message.
Cookie data | Only strictly necessary cookies are used by default. Analytics or preference cookies require your explicit consent. See Section 12 for full cookie details.

3.2 Prospective Clients

Data Category | Details
Identity data | Name, title, employer (if voluntarily disclosed), contact details.
Communication data | Content of emails, messages, and call notes from initial consultations.
NDA records | Signed mutual confidentiality agreement.

3.3 Active Clients

During an active coaching engagement, we collect and process the following categories of sensitive personal data. All data in this category is classified as sensitive personal data under the FADP and GDPR.

Data Category | Details
Genetic data | Genetic testing reports including SNP analysis across fitness, nutrition, sleep and stress, methylation, and skin panels. Covers gene variants including COMT, MAOA, MAOB, MTHFR, VDR, and others.
Blood chemistry data | Comprehensive blood panel results covering HPA axis, methylation markers, thyroid function, inflammation, metabolic health, micronutrients, hormones, and sleep-related biomarkers.
Physiological monitoring data | Wearable device data including heart rate variability, recovery scores, sleep architecture, strain, respiratory rate, blood pressure readings, and real-time stress monitoring.
Cortisol test data | Morning cortisol test results used to assess HPA axis function and diurnal cortisol rhythm.
Health assessment data | 7-domain assessment covering Body & Energy, Brain & Nervous System, Sleep & Recovery, Nutrition & Substances, Mind & Identity, Relationships & Environment, and Work, Money & Purpose.
Session notes | Confidential notes from coaching sessions including topics discussed, observations, recommendations made, and referrals initiated.
Recovery protocols | Personalised lifestyle, nutrition, supplementation, and behavioural change protocols designed for the client.
Findings reports | Formal assessment documents integrating genetic, blood, and monitoring data with coaching observations.
Financial data | Invoicing details and payment records. We do not store credit card numbers or banking credentials directly.

Genetic and health data is the most sensitive category of personal data under both Swiss and EU law. We process this data only with your explicit informed consent, and it is subject to the highest level of security measures described in this policy.

4. Legal Basis for Processing

Under the FADP and GDPR, we must have a lawful basis for processing your personal data. The legal basis depends on the type of data and the purpose of processing.

Processing Activity | Legal Basis
Providing coaching services (session notes, protocols, progress tracking) | Performance of a contract — processing is necessary to deliver the services you have engaged us to provide (FADP Art. 6; GDPR Art. 6(1)(b)).
Processing genetic data and blood results | Explicit consent — you provide specific, informed, freely given consent before we access, review, or interpret any genetic or health data (FADP Art. 6(7); GDPR Art. 9(2)(a)).
Processing wearable device data | Explicit consent — you actively choose to share your wearable data with us and can revoke access at any time.
Processing cortisol test results | Explicit consent — provided as part of your coaching agreement.
Sending you programme updates and session scheduling | Performance of a contract — necessary for service delivery.
Responding to enquiries via website or email | Legitimate interest — to respond to your request and provide information about our services (FADP Art. 6; GDPR Art. 6(1)(f)).
Maintaining financial records and invoicing | Legal obligation — Swiss tax and accounting regulations require retention of financial records (FADP Art. 6; GDPR Art. 6(1)(c)).
Website analytics | Consent — for non-essential analytics cookies (see Section 12).
Making clinical referrals when health or safety concerns arise | Vital interests and legitimate interest — to protect your health and safety, and to fulfil our duty of care as outlined in your coaching agreement (FADP Art. 6; GDPR Art. 9(2)(c)).

You have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. If you withdraw consent for genetic or health data processing, we will cease processing and securely delete the relevant data in accordance with Section 7 of this policy.

5. How We Use Your Data

We use your personal data exclusively for the following purposes:

1. Delivering coaching services — conducting assessments, interpreting test results in a coaching context, designing personalised recovery protocols, tracking progress, and adjusting programmes based on physiological data.

2. Clinical referrals — sharing relevant information with healthcare professionals when indicated, always with your knowledge and consent (except in cases of imminent risk to life, as outlined in your coaching agreement).

3. Communication — scheduling sessions, sending programme materials, responding to your questions, and providing post-programme follow-up where agreed.

4. Financial administration — invoicing, payment processing, and meeting tax and accounting obligations.

5. Improving our services — using anonymised, aggregated insights to improve our methodology. Individual data is never used for this purpose without explicit consent, and all data is fully anonymised before any such use.

6. Legal compliance — meeting our obligations under Swiss law, including data protection, tax, and professional liability requirements.

We will never use your data for marketing purposes without your explicit opt-in consent. We will never sell, rent, or trade your personal data to any third party. We will never use your data to create marketing testimonials, case studies, or public content without your specific written permission, and any such use would be fully anonymised.

6. Who We Share Your Data With

We share your personal data only when necessary and only with the following categories of recipients:

Recipient | Purpose & Safeguards
Your healthcare professionals (GP, specialist, therapist) | When a clinical referral is indicated and you have consented. We share only the specific information relevant to the referral.
Genetic testing provider | To facilitate your genetic profiling. We provide expertise and guidance to help facilitate the client's interaction with testing and monitoring partners. The client decides whether to proceed with testing and with which provider. We receive the resulting data solely under the client's explicit consent; the provider processes the underlying sample or device data under their own privacy policy. Where clients provide existing genetic data directly, that data is processed by us under this policy.
Laboratory services (blood testing) | To facilitate your blood panel testing. We provide expertise and guidance to help facilitate the client's interaction with testing and monitoring partners. The client decides whether to proceed with testing and with which provider. We receive the resulting data solely under the client's explicit consent; the provider processes the underlying sample or device data under their own privacy policy.
Wearable technology provider | To facilitate your continuous physiological monitoring. We provide expertise and guidance to help facilitate the client's interaction with testing and monitoring partners. The client decides whether to proceed with testing and with which provider. We receive the resulting data solely under the client's explicit consent; the provider processes the underlying sample or device data under their own privacy policy.
Practice management platform | For scheduling, session notes, and client records. The platform is GDPR-compliant and data is stored on encrypted servers. We have a Data Processing Agreement in place.
Cloud storage provider | For encrypted storage of client files. Swiss-hosted, GDPR-compliant, with end-to-end encryption.
Video conferencing platform | For remote sessions. We use Signal, which provides end-to-end encrypted video calls.
Professional advisors | Our accountant (for financial records only) and legal counsel (if needed for contract or compliance matters).
Regulatory authorities | Only if required by law or to protect vital interests.

We will never share your data with your employer, your colleagues, family members, or any other party without your explicit written consent. The existence of your coaching engagement is itself confidential, as outlined in our mutual NDA.

7. Data Storage, Security, and Retention

7.1 Where Your Data Is Stored

All client data is stored within Switzerland or the European Economic Area using the following infrastructure:

1. Client files and records — Proton Drive (Swiss-based), end-to-end encrypted, with zero-knowledge architecture where available.

2. Email communications — Proton Mail (Swiss-based, end-to-end encrypted). Servers located in Switzerland.

3. Instant messaging — Signal (end-to-end encrypted, no data retained on servers).

4. Practice management — GDPR-compliant platform with encrypted data at rest and in transit. Data Processing Agreement in place.

5. Video sessions — Signal video calls with end-to-end encryption. Sessions are not recorded unless you provide explicit consent.

We do not store data on personal devices without encryption. All devices used for client work are password-protected with full-disk encryption enabled.

7.2 Security Measures

We implement the following technical and organisational measures to protect your data:

1. Encryption — all client data is encrypted at rest and in transit using industry-standard encryption (AES-256 or equivalent).

2. Access control — client data is accessible only to the practitioner. No employees, contractors, or associates have access unless explicitly authorised and bound by confidentiality agreements.

3. Authentication — multi-factor authentication on all platforms storing client data.

4. Device security — full-disk encryption, automatic screen lock, remote wipe capability on all devices.

5. Data minimisation — we collect only what is necessary and do not retain data beyond the periods stated below.

6. Breach protocol — in the event of a data breach, we will notify the Federal Data Protection and Information Commissioner (FDPIC) and affected individuals as soon as possible, and within 72 hours of becoming aware of the breach.

7.3 Retention Periods

We retain your data only as long as necessary for the purpose for which it was collected, or as required by law.

Data Category | Retention Period | Storage Location | Deletion Method
Coaching session notes | 3 years from end of engagement | Encrypted Swiss cloud storage | Secure digital deletion with verification
Genetic reports | Duration of engagement + 1 year, or until you request deletion | Encrypted Swiss cloud storage | Secure digital deletion; original data held by the testing provider under their policy
Blood panel results | Duration of engagement + 1 year, or until you request deletion | Encrypted Swiss cloud storage | Secure digital deletion
Wearable data summaries | Duration of engagement + 1 year | Encrypted Swiss cloud storage | Secure digital deletion; source data remains in your wearable provider account
Cortisol test results | Duration of engagement + 1 year | Encrypted Swiss cloud storage | Secure digital deletion
Findings reports & protocols | 3 years from end of engagement | Encrypted Swiss cloud storage | Secure digital deletion
Communication records (email) | 3 years from end of engagement | Proton Mail (Swiss servers) | Account-level deletion
Financial records | 10 years from transaction date | Swiss accounting system | Deletion after statutory period
NDA / signed agreements | 3 years after confidentiality obligations expire | Encrypted Swiss cloud storage | Secure digital deletion
Website analytics | 26 months | Privacy-respecting analytics platform | Automatic expiry

You may request early deletion of any data at any time (see Section 8). The only exceptions are financial records where Swiss law requires a minimum 10-year retention, and any data that we are legally obligated to retain.

8. Your Rights

Under the FADP and GDPR, you have the following rights regarding your personal data. We are committed to making it straightforward for you to exercise these rights.

8.1 Right of Access

You have the right to request confirmation of whether we process your personal data, and if so, to receive a copy of that data along with information about how it is processed, the purposes of processing, and the categories of recipients. We will respond to access requests free of charge within 30 days.

8.2 Right to Rectification

You have the right to request correction of any inaccurate personal data we hold about you, and to have incomplete data completed. We will action rectification requests promptly and confirm the changes to you.

8.3 Right to Deletion (Right to Be Forgotten)

You have the right to request deletion of your personal data. We will delete your data without undue delay unless we are legally required to retain it (e.g., financial records for tax purposes) or the data is needed for the establishment, exercise, or defence of legal claims. Upon deletion, we will confirm in writing that the data has been removed from all our systems.

8.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as PDF or CSV). This includes your genetic reports, blood panel results, wearable data summaries, session notes, Findings Reports, and recovery protocols. You may request that we transmit this data directly to another service provider where technically feasible.

8.5 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful but you do not want deletion, or where you have objected to processing pending verification of legitimate grounds.

8.6 Right to Object

You have the right to object to the processing of your personal data where we rely on legitimate interest as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

8.7 Right to Withdraw Consent

Where processing is based on your consent (particularly for genetic data, blood results, and physiological monitoring data), you have the right to withdraw that consent at any time. We will cease processing the relevant data promptly. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

8.8 Right Not to Be Subject to Automated Decision-Making

We do not make any decisions based solely on automated processing that produce legal or similarly significant effects on you. All interpretation of your data is conducted personally by the practitioner within a coaching context.

8.9 How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected]. We will verify your identity before processing any request. We will respond within 30 days. If we cannot fulfil your request (for example, due to legal retention requirements), we will explain the reason clearly.

We will never charge you for exercising your rights, and we will never penalise you for doing so. If you are unsatisfied with our response, you have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) or, for EU/UK residents, with your local supervisory authority.

9. International Data Transfers

Your data is stored and processed in Switzerland. Switzerland has been recognised by the European Commission as providing an adequate level of data protection under the GDPR (adequacy decision confirmed 15 January 2024). This means data transfers between Switzerland and the EU/EEA do not require additional safeguards.

If any data processing requires transfer to a country outside Switzerland or the EU/EEA (which is not currently anticipated), we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or transfer to a country with an adequate level of data protection as recognised by the Swiss Federal Council or the European Commission.

We will inform you before any international transfer takes place.

10. Third-Party Services

Certain services you use as part of your engagement are provided by third parties who act as independent data controllers. This means they process your data under their own privacy policies, not ours. These include:

1. Genetic testing provider — processes your genetic sample and produces reports under their own privacy policy. You decide whether to proceed and with which provider; we receive your reports under your explicit consent.

2. Blood testing laboratory — processes your blood sample and produces results under their own privacy policy. You decide whether to proceed and with which provider; we receive your results under your explicit consent.

3. Wearable technology provider — collects and processes your physiological data through their device and platform under their own privacy policy. You decide whether to use a wearable device and share data with us; we receive that data under your explicit consent.

We encourage you to review the privacy policies of these providers. We are happy to discuss how these services interact with your data during our engagement.

11. Children’s Data

Our services are designed exclusively for adults. We do not knowingly collect or process personal data from anyone under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will delete it immediately.

12. Cookies and Website Tracking

Our website (ph1st.com) uses cookies as follows:

Strictly Necessary Cookies

These are essential for the website to function and cannot be disabled. They do not collect personal data for marketing purposes.

Analytics Cookies

If you consent, we use privacy-respecting analytics (such as Plausible, Fathom, or equivalent) to understand how visitors use our site. These tools do not use personal identifiers, do not track users across sites, and do not share data with advertising platforms. You can opt out at any time via the cookie consent banner.

No Marketing or Advertising Cookies

We do not use marketing cookies, advertising trackers, social media pixels, or any form of cross-site tracking. We do not participate in advertising networks or retargeting.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

1. Notify the FDPIC — as soon as possible, and provide details of the nature of the breach, the data affected, the likely consequences, and the measures taken to address it.

2. Notify you directly — if the breach is likely to result in a high risk to your rights and freedoms, we will inform you without undue delay, explaining what happened, what data was affected, and what steps we are taking.

3. Document the breach — all breaches are recorded in our internal breach register regardless of severity.

For EU/UK-based clients, notification to the relevant supervisory authority will be made within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal requirements, or best practices. When we make material changes, we will notify active clients directly via email before the changes take effect. The current version will always be available on our website with the effective date clearly stated.

We encourage you to review this policy periodically. Your continued use of our services after notification of changes constitutes acceptance of the updated policy.

15. Complaints and Supervisory Authorities

If you are unsatisfied with how we handle your personal data or respond to a rights request, you have the right to lodge a complaint with the relevant supervisory authority:

Switzerland

Federal Data Protection and Information Commissioner (FDPIC)

Feldeggweg 1, CH-3003 Bern

www.edoeb.admin.ch

European Union

The supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

United Kingdom

Information Commissioner’s Office (ICO)

Wycliffe House, Water Lane, Wilmslow, SK9 5AF

www.ico.org.uk

We would appreciate the opportunity to resolve any concerns directly before you escalate to a supervisory authority. Please contact us first and we will do our best to address your concern promptly.

16. Contact Us

For any questions about this Privacy Policy, to exercise your data rights, or to raise a concern about how we handle your data:

Email: [email protected]

Postal: Physiology First (a division of Pantheon Consulting SA), Val de Bagnes, Valais, Switzerland

We aim to respond to all enquiries within 7 working days and to all formal rights requests within 30 days.

Document version: 1.0

Effective date: 18 February 2026

Next review date: 18 February 2027

Approved by: B. Slater