Privacy Policy

1. Introduction

Welcome to Health3 ("we," "us," or "our"). Your privacy is important to us. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our mobile application (the "App"). By using the App, you agree to the collection and use of information in accordance with this policy.

Note on HIPAA applicability: Health3 is a consumer wellness application and is not a "Covered Entity" or "Business Associate" under U.S. HIPAA, because we do not provide medical services, bill health plans, or engage with insurers. We instead protect your health information under GDPR, UK GDPR, CCPA/CPRA, and relevant state privacy laws.

2. Data Controller Information

• Company Name: Health3 AG
• Address: Wiesenstrasse 10A, Schlieren 8952, Switzerland
• Email: privacy@health3.app

3. Types of Data Collected

Within the app, we collect the following types of personal data:

• Health Biomarker Data: Common biomarkers measured with a blood test, as shared by you by using upload functionality within the App.
• Personal Identification Information: Email address, date of birth, gender, as shared by you by specifying profile details within the App.
• Usage Data: We collect usage metrics—such as which features you use, how often, and when (e.g., pages or tools accessed, timestamps)—via an anonymized analytics service (e.g., Mixpanel). All usage information is aggregated and cannot be linked to you or your account. We use this information to understand how users use our application and what we can do to add to the value it brings to our users. We also collect anonymized crash and error reports to help us diagnose and resolve technical issues.

On our website, we collect the following types of data:

• Personal Data: When you interact with our website, we may collect personal information such as your name, email address, phone number, and any other information you provide voluntarily.
• Usage Data: We may automatically collect certain information about your visit to our website, such as your IP address, browser type, operating system, referral URLs, and pages you viewed.
• Cookies and Tracking Technologies: We use cookies and similar tracking technologies to track the activity on our website and hold certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. See our Cookie Policy for more details.
• Analytics Data (with your consent): We use Google Analytics 4 to understand how visitors use our website. This service collects anonymized information about:
  • Pages you visit and how long you spend on them
  • Your approximate geographic location (country and city level)
  • Device type, browser, and operating system
  • How you found our website (traffic source)
  Important: We anonymize IP addresses, do not collect personally identifiable information, and only enable analytics if you accept analytics cookies. Google Analytics data is processed by Google LLC under a Data Processing Agreement. You can opt out at any time via our Cookie Settings.

4. Purpose of Data Processing

We process your data for the following purposes:

• Providing Services: To deliver the App's functionalities, including tracking and analyzing health metrics, we process the biomarker data you share with us.
• Personalization: To customize your experience and provide tailored content. To provide most accurate and relevant information in area of reference ranges, we use your personal identifying information about date of birth and gender in order to show you the reference range relevant to you.
• Communication: To send you updates (including in-app or push notifications about new features or health insights, with your consent), newsletters, and to respond to inquiries.
• Compliance: To comply with legal obligations and protect our legal rights.
• App Maintenance: To help us address any technical issues with the App and its operations, we process the anonymised usage data.
• Website Management:
  • To provide, operate, and maintain our website and services.
  • To improve, personalize, and expand our website.
  • To understand and analyze how you use our website.

Lawful Bases for Processing (GDPR / UK GDPR Art. 6 & 9):

• Consent: Explicit consent for all health data processing and analytics cookies.
• Contractual Necessity: To perform our services under the Terms of Service (e.g., login, data display).
• Legal Obligation: Where retention or disclosure is required by law (e.g., tax, record-keeping).
• Legitimate Interests: For security, fraud prevention, and service improvement (with safeguards and right to object).

5. Consent Management

• Obtaining Consent: We obtain your explicit consent before collecting or processing your health data and before collecting any analytical cookies.
• Withdrawing Consent: You may withdraw your consent at any time via deletion of your account within the App or by contacting us at privacy@health3.app. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

6. Data Sharing and Disclosure

We may share your personal data with:

• Service Providers: Third-party companies that assist us in operating the App and providing services to you. For example, cloud hosting and database providers (like AWS and Supabase for data storage), analytics providers (such as Mixpanel for usage analytics), and platforms for notifications and crash reporting (such as Google and Apple for push notifications and crash logs). These service providers act on our behalf, are bound by confidentiality agreements, and only use your data for the purposes we've described.
• Legal Requirements: Government authorities or law enforcement if required by law.

The data is never sold to third-parties or shared for any commercial purpose. The data is not provided to third parties in any other fashion and for any other purpose than is detailed within the scope of this privacy policy.

We do not use third-party advertising networks and we do not sell your personal or health data to anyone.

International Data Transfers:

• Your sensitive health data is never transferred outside of the area associated with your account. For Swiss-based accounts, the sensitive data stays always in Switzerland. For accounts created in any of the jurisdictions of European Union (EU), the data is stored and processed in a data center based in one of the countries of the EU.
• Some supplementary data, such as analytics cookies used on the web, or anonymised usage data used for application maintenance, might be collected and transferred outside the EU or Switzerland. In such cases, we ensure appropriate safeguards, such as Standard Contractual Clauses, are in place. By accepting analytic cookies or by using of the App, you agree that we may transfer, store and process such supplementary data outside of Switzerland and the European Union.

7. Data Security Measures

We implement the following security measures:

• Encryption: Data encryption in transit and at rest using industry-standard protocols.
• Access Controls: Restricted access to personal data to authorized personnel only.
• Regular Audits: Periodic security assessments and vulnerability scans.

8. Data Retention Policy

• Retention Period: We retain your personal data as long as your account is active or as needed to provide services.
• Deletion: Upon your request or account deactivation, we will delete or anonymize your personal data unless retention is required by law.

9. User Rights

Under the GDPR and FADP, you have the following rights:

• Right of Access: You may obtain confirmation of whether your data is being processed and obtain access to your personal data.
• Right to Rectification: You may request modification of any inaccurate or incomplete personal data.
• Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal data. If you have created an account, you can delete it at any time using the App's account settings. This will remove your personal data from our active systems (except for data we may need to retain to comply with legal obligations or for legitimate safety reasons). You may also request account deletion by contacting us at privacy@health3.app.
• Right to Restrict Processing: You may request limitation of the processing of your personal data.
• Right to Data Portability: You may ask to receive your personal data in a structured, commonly used format.
• Right to Object: You have the right to object to processing based on legitimate interests.
• Right Not to Be Subject to Automated Decision-Making: You have the right not to be subjected to decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.
• Right to complain to an authority: You have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA), United Kingdom, United States of America or in Switzerland (such an authority is, for example, the Information Commissioner's Office in the UK).
• If you are located in the United States, please note there is no single privacy supervisory authority. You may consider reaching out to a relevant consumer protection agency, such as the Federal Trade Commission or your state's Attorney General, for guidance or to lodge a complaint.

To exercise these rights, either use the functionalities offered through the App (e.g. account and data deletion), or contact us at privacy@health3.app.

10. Cookies and Similar Tracking Technologies

While our App does not use cookies in the traditional web browser sense, we employ similar technologies to collect information and improve your experience. These technologies are essential for the App's functionality, performance analytics or personalization.

Types of Tracking Technologies Used:

• Local Storage: Data stored locally on your device to enhance App functionality, such as user preferences, settings, and offline content.

Purpose of Using Tracking Technologies:

• App Functionality: To enable core features of the App, such as remembering your login status and preferences.

11. Children's Privacy

• Age Limitation: The App is not intended for individuals under the age of 18.
• Data Deletion: If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information.

12. Automated Decision-Making

• No Automated Decisions: We do not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you.

13. Third-Party Links

Our website may contain links to third-party websites that are not operated by us. We are not responsible for the privacy practices of these sites, and we encourage you to review their privacy policies.

14. Changes to the Privacy Policy

We may update this Privacy Policy periodically. Changes will be communicated via:

• In-App Notifications: Notices within the App.
• Email Notifications: Sent to the email address associated with your account.
• Updated Effective Date: Indicated at the top of this policy.

15. Contact Information

For questions or concerns regarding this Privacy Policy, please contact us:

• Email: privacy@health3.app
• Address: Health3 AG, Wiesenstrasse 10A, Schlieren 8952, Switzerland

16. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to file a complaint with:

• In the EEA: Your local data protection supervisory authority.
• In Switzerland: The Federal Data Protection and Information Commissioner (FDPIC).
• In the United Kingdom: The Information Commissioner's Office (ICO).
• In the United States of America: If you are located in the United States, please note there is no single privacy supervisory authority. You may consider reaching out to a relevant consumer protection agency, such as the Federal Trade Commission or your state's Attorney General, for guidance or to lodge a complaint.

17. Additional Notices for U.S. Residents (State-Specific Privacy Rights)

Under CCPA/CPRA and laws in Colorado, Virginia, Connecticut, Utah, Washington, Nevada:

• We do not sell or share your personal or health data for advertising.
• You have rights to access, delete, correct, and port your data; to opt-out of any sale/sharing (none exist); and to non-discrimination.
• We provide a detailed CCPA Category Disclosure table and a "Do Not Sell or Share My Personal Information" note stating no sale occurs.
• Washington's My Health My Data Act & Nevada SB 370: express consent required for health data (obtained in-app), plus notice and deletion rights.

17.1 CCPA Category Disclosure