Privacy Policy

1. Introduction

Welcome to Health3 ("we," "us," or "our"). Your privacy is important to us. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our mobile application (the "App"). By using the App, you agree to the collection and use of information in accordance with this policy.

Note on HIPAA applicability: Health3 is a consumer wellness application and is not a "Covered Entity" or "Business Associate" under U.S. HIPAA, because we do not provide medical services, bill health plans, or engage with insurers. We instead protect your health information under GDPR, UK GDPR, CCPA/CPRA, and relevant state privacy laws.

2. Data Controller Information

• Company Name: Health3 AG
• Address: Wiesenstrasse 10A, Schlieren 8952, Switzerland
• Email: privacy@health3.app

3. Types of Data Collected

Within the app, we collect the following types of personal data:

• Health Biomarker Data: Common biomarkers measured with a blood test, as shared by you by using upload functionality within the App.
• Personal Identification Information: Email address, date of birth, gender, as shared by you by specifying profile details within the App.
• Usage Data (only if you opt in): When, and only when, you enable analytics under Settings → Analytics inside the App, we collect pseudonymous product analytics events: which screens you open, which buttons you tap, app and OS version, device platform, locale, and approximate country derived from your IP at the moment of collection. We also collect crash and error reports the App generates (truncated to 200 characters, no health content). The opt-in is off by default and you can switch it off again at any time from the same screen. Analytics data is processed by our sub-processor PostHog Inc. on EU infrastructure (Frankfurt); see "Data Sharing and Disclosure" below.

  Each event is attached to a pseudonymous identifier that is stable for your account (your Health3 user ID) so we can group activity from the same session and run cohort analyses. This identifier is not your name, email, or any directly identifying field; if you delete your account, the corresponding records are removed.

  We never record your screen, we never read or transmit the text you enter into the App, and we never include your lab values, biomarkers, reference ranges, journal entries, or any other health content in analytics events.

On our website, we collect the following types of data:

• Personal Data: When you interact with our website, we may collect personal information such as your name, email address, phone number, and any other information you provide voluntarily.
• Usage Data: We may automatically collect certain information about your visit to our website, such as your IP address, browser type, operating system, referral URLs, and pages you viewed.
• Cookies and Tracking Technologies: We use cookies and similar tracking technologies to track the activity on our website and hold certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. See our Cookie Policy for more details.
• Analytics Data (with your consent): We use Google Analytics 4 to understand how visitors use our website. This service collects anonymized information about:
  • Pages you visit and how long you spend on them
  • Your approximate geographic location (country and city level)
  • Device type, browser, and operating system
  • How you found our website (traffic source)
  Important: We anonymize IP addresses, do not collect personally identifiable information, and only enable analytics if you accept analytics cookies. Google Analytics data is processed by Google LLC under a Data Processing Agreement. You can opt out at any time via our Cookie Settings.

4. Purpose of Data Processing

We process your data for the following purposes:

• Providing Services: To deliver the App's functionalities, including tracking and analyzing health metrics, we process the biomarker data you share with us.
• Personalization: To customize your experience and provide tailored content. To provide most accurate and relevant information in area of reference ranges, we use your personal identifying information about date of birth and gender in order to show you the reference range relevant to you.
• Communication: To send you updates (including in-app or push notifications about new features or health insights, with your consent), newsletters, and to respond to inquiries.
• Compliance: To comply with legal obligations and protect our legal rights.
• App Maintenance: To help us address any technical issues with the App and its operations, we process the anonymised usage data.
• Website Management:
  • To provide, operate, and maintain our website and services.
  • To improve, personalize, and expand our website.
  • To understand and analyze how you use our website.

Lawful Bases for Processing (GDPR / UK GDPR Art. 6 & 9):

• Consent: Explicit consent for all health data processing and analytics cookies.
• Contractual Necessity: To perform our services under the Terms of Service (e.g., login, data display).
• Legal Obligation: Where retention or disclosure is required by law (e.g., tax, record-keeping).
• Legitimate Interests: For security, fraud prevention, and service improvement (with safeguards and right to object).

5. Consent Management

Where to find the analytics control: Open the App → tap Settings (gear icon) → expand "Analytics".

• Obtaining Consent: We obtain your explicit consent before collecting or processing your health data and before collecting any analytical cookies.
• Withdrawing Consent:
  • For analytics: open the App, go to Settings → Analytics, and switch the toggle off. Capture stops immediately and the analytics SDK's local cache (pseudonymous identifier and queued events) is cleared.
  • For all other processing: you may withdraw consent by deleting your account from within the App's profile screen, or by contacting us at privacy@health3.app.
  Withdrawal does not affect the lawfulness of processing prior to withdrawal.

6. Data Sharing and Disclosure

We may share your personal data with:

• Service Providers: Third-party companies that assist us in operating the App and providing services to you. These service providers act on our behalf under a Data Processing Agreement, are bound by confidentiality, and only use your data for the purposes we have described.
• Legal Requirements: Government authorities or law enforcement if required by law.

Sub-processor table (App):

Where a sub-processor is located outside the EU/EEA or Switzerland, transfers are protected by Standard Contractual Clauses or an equivalent safeguard.

The data is never sold to third-parties or shared for any commercial purpose. The data is not provided to third parties in any other fashion and for any other purpose than is detailed within the scope of this privacy policy.

We do not use third-party advertising networks and we do not sell your personal or health data to anyone.

International Data Transfers:

• Your sensitive health data is never transferred outside of the area associated with your account. For Swiss-based accounts, the sensitive data stays always in Switzerland. For accounts created in any of the jurisdictions of European Union (EU), the data is stored and processed in a data center based in one of the countries of the EU.
• Supplementary data is handled as follows:
  • In-App analytics (only if you opt in): processed by PostHog on EU infrastructure (Frankfurt). For EEA and Swiss accounts this means no extra-EU transfer occurs for in-App analytics.
  • Website analytics: handled by Google Analytics 4 (Google LLC) only if you accept analytics cookies. Google may transfer this data to the United States; for such transfers Standard Contractual Clauses apply.
  • Cross-platform messaging (push notifications, crash reporting, in-app purchase receipts) is processed by Apple, Google, and Firebase on their respective global infrastructure under their own privacy commitments.

7. Data Security Measures

We implement the following security measures:

• Encryption: Data encryption in transit and at rest using industry-standard protocols.
• Access Controls: Restricted access to personal data to authorized personnel only.
• Regular Audits: Periodic security assessments and vulnerability scans.

8. Data Retention Policy

• Retention Period: We retain your personal data as long as your account is active or as needed to provide services. Specific retention windows:
  • Account data and health content (biomarkers, journal entries, profile fields): for the lifetime of the account.
  • In-App analytics events (only created if you opt in): retained for up to 30 days, after which they are automatically deleted. You can request earlier deletion at any time.
  • Crash and error reports: up to 90 days.
  • In-App support chat history (Crisp): per Crisp's standard retention policy.
• Deletion: Upon your request or upon account deletion (which you can trigger from the App's profile screen), we delete or anonymise your personal data within 30 days unless retention is required by law. Deleting your account also clears the pseudonymous identifier we use for analytics, so future analytics events cannot be linked back to you.

9. User Rights

Under the GDPR and FADP, you have the following rights:

• Right of Access: You may obtain confirmation of whether your data is being processed and obtain access to your personal data.
• Right to Rectification: You may request modification of any inaccurate or incomplete personal data.
• Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal data. If you have created an account, you can delete it at any time using the App's account settings. This will remove your personal data from our active systems (except for data we may need to retain to comply with legal obligations or for legitimate safety reasons). You may also request account deletion by contacting us at privacy@health3.app.
• Right to Restrict Processing: You may request limitation of the processing of your personal data.
• Right to Data Portability: You may ask to receive your personal data in a structured, commonly used format.
• Right to Object: You have the right to object to processing based on legitimate interests.
• Right Not to Be Subject to Automated Decision-Making: You have the right not to be subjected to decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.
• Right to complain to an authority: You have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA), United Kingdom, United States of America or in Switzerland (such an authority is, for example, the Information Commissioner's Office in the UK).
• If you are located in the United States, please note there is no single privacy supervisory authority. You may consider reaching out to a relevant consumer protection agency, such as the Federal Trade Commission or your state's Attorney General, for guidance or to lodge a complaint.

To exercise these rights, either use the functionalities offered through the App (e.g. account and data deletion), or contact us at privacy@health3.app.

10. Cookies and Similar Tracking Technologies

While our App does not use cookies in the traditional web browser sense, we employ similar technologies to collect information and improve your experience. These technologies are essential for the App's functionality, performance analytics or personalization.

Types of Tracking Technologies Used:

• Local Storage: Data stored locally on your device to enhance App functionality, such as user preferences, settings, walkthrough completion state, and offline content. We do not use cookies inside the App.
• Pseudonymous identifier (only if you opt in to analytics): when you enable analytics in Settings → Analytics, we attach your Health3 user ID to analytics events so that activity from the same session can be grouped. The identifier is stored locally on your device and inside the analytics processor's data store. Disabling the analytics toggle clears the identifier locally and stops further capture. This identifier is not an advertising ID and is not used for cross-app or cross-website tracking.

Purpose of Using Tracking Technologies:

• App Functionality: To enable core features of the App, such as remembering your login status and preferences.

11. Children's Privacy

• Age Limitation: The App is not intended for individuals under the age of 18.
• Data Deletion: If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information.

12. Automated Decision-Making

• No Automated Decisions: We do not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you.

13. Third-Party Links

Our website may contain links to third-party websites that are not operated by us. We are not responsible for the privacy practices of these sites, and we encourage you to review their privacy policies.

14. Changes to the Privacy Policy

We may update this Privacy Policy periodically. Changes will be communicated via:

• In-App Notifications: Notices within the App.
• Email Notifications: Sent to the email address associated with your account.
• Updated Effective Date: Indicated at the top of this policy.

15. Contact Information

For questions or concerns regarding this Privacy Policy, please contact us:

• Email: privacy@health3.app
• Address: Health3 AG, Wiesenstrasse 10A, Schlieren 8952, Switzerland

16. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to file a complaint with:

• In the EEA: Your local data protection supervisory authority.
• In Switzerland: The Federal Data Protection and Information Commissioner (FDPIC).
• In the United Kingdom: The Information Commissioner's Office (ICO).
• In the United States of America: If you are located in the United States, please note there is no single privacy supervisory authority. You may consider reaching out to a relevant consumer protection agency, such as the Federal Trade Commission or your state's Attorney General, for guidance or to lodge a complaint.

17. Additional Notices for U.S. Residents (State-Specific Privacy Rights)

Under CCPA/CPRA and laws in Colorado, Virginia, Connecticut, Utah, Washington, Nevada:

• We do not sell or share your personal or health data for advertising.
• You have rights to access, delete, correct, and port your data; to opt-out of any sale/sharing (none exist); and to non-discrimination.
• We provide a detailed CCPA Category Disclosure table and a "Do Not Sell or Share My Personal Information" note stating no sale occurs.
• Washington's My Health My Data Act & Nevada SB 370: express consent required for health data (obtained in-app), plus notice and deletion rights.

17.1 CCPA Category Disclosure