Privacy Policy
This Privacy Policy explains how A&K Worldwide Enterprises FZCO (operating Biolyze) collects, uses, stores, and protects information when you use our website, native mobile applications (iOS and Android), and related services. It complies with the EU General Data Protection Regulation (GDPR), the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, “PDPL”), and Apple App Store and Google Play data handling requirements.
1. Data Controller
The data controller responsible for your personal data is:
A&K Worldwide Enterprises FZCO
DWTCA Free Zone, Dubai, United Arab Emirates
Email: info@biolyze-health.com
For questions concerning this Privacy Policy or the processing of your personal data, you may contact us at the address above.
2. Data We Collect
We collect and process the following categories of data:
2.1 Lab report content (sensitive health data). When you upload a blood lab report, our service temporarily processes the file (PDF or image) to extract biomarker values. Files are processed in-memory and are not persisted to disk on our servers. After extraction, the original file is discarded. Only the structured numerical values (e.g. glucose 98.2 mg/dL) and any sex/age inputs you provide are retained in encrypted form for the duration of your session or, in the mobile app, your account history.
2.2 Account data (mobile apps only). If you create an account in the iOS or Android app, we collect your email address and a securely hashed password (or your Apple ID / Google ID if you sign in with those providers). On the web, no account is required for the pay-per-scan flow.
2.3 Payment data. Payments are processed by Stripe Payments Europe Ltd. and, for in-app purchases, by Apple or Google. We do not store your full card number. We retain a transaction reference, the amount, and the type of plan purchased.
2.4 Device and usage data. Standard log data such as IP address (truncated), device type, operating system, browser type, and timestamps of requests. This is used for security, fraud prevention, and aggregate analytics.
2.5 Communications. If you email us, we retain your message and our reply for support history.
3. Legal Basis for Processing (GDPR Art. 6 & 9)
Because lab values are special categories of personal data under GDPR Article 9, we rely on the following legal bases:
Explicit consent (Art. 9(2)(a) GDPR). By uploading a lab report, you give explicit consent for us to process the health data contained in it for the purpose of generating your analysis. You may withdraw this consent at any time (see Section 8).
Performance of contract (Art. 6(1)(b) GDPR). Processing necessary to deliver the service you purchased.
Legitimate interests (Art. 6(1)(f) GDPR). Security, fraud prevention, and basic operational analytics, balanced against your rights and freedoms.
4. How We Use Your Data
We use the data we collect strictly to:
(a) extract biomarker values from your uploaded reports;
(b) generate your personalized analysis, nutrition recommendations, supplement protocol, and 4-week meal plan;
(c) operate your account (mobile apps), including history and trend tracking across reports;
(d) process payments and provide receipts;
(e) deliver customer support;
(f) detect, prevent, and respond to fraud, abuse, and security incidents;
(g) comply with legal obligations.
We do not use your lab reports or extracted values to train AI models. We do not sell your data. We do not share your data with advertisers.
5. Sub-Processors and International Transfers
We rely on the following sub-processors to operate the service. Each is bound by a data processing agreement and processes data only on our instructions:
- OpenAI, L.L.C. (USA) — image-based extraction (GPT-4o vision). Zero-retention API; inputs and outputs are not used for training.
- Anthropic PBC (USA) — text-based extraction and meal plan generation (Claude Opus 4.7). Zero-retention API; inputs and outputs are not used for training.
- Google LLC (USA / EU) — fallback model (Gemini 1.5 Pro) and, for mobile users, Firebase Authentication, Firebase Firestore, and Firebase Cloud Storage in the europe-west3 (Frankfurt) region.
- Stripe Payments Europe Ltd. (Ireland) — payment processing.
- Vercel Inc. (USA) — web hosting and edge delivery.
- Apple Inc. and Google LLC — in-app subscription billing for iOS and Android respectively.
Where data is transferred outside the EEA or UAE, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, the provider's adherence to recognized adequacy frameworks, or your explicit consent under GDPR Art. 49(1)(a).
6. Data Retention
Lab report files: not persisted. Discarded immediately after extraction.
Extracted biomarker values (web, anonymous flow): retained for the duration of your browser session and, in any case, deleted within 30 days.
Extracted biomarker values (mobile app, signed-in users): retained as part of your scan history until you delete the entry or your account.
Account data (mobile app): retained until you delete your account (see Section 8 and our Your Data page).
Payment records: retained for 10 years where required by tax and accounting law.
Support correspondence: retained for up to 3 years.
7. Security
We protect your data using:
- TLS 1.2+ encryption for all data in transit;
- encryption at rest for all stored extracted values and account data;
- in-memory processing of uploaded files with no disk persistence;
- strict access controls, least-privilege service accounts, and audit logging;
- continuous monitoring and timely security patching.
No system can be guaranteed 100% secure. In the event of a personal data breach affecting your data, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach where required, and notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
8. Your Rights
Under GDPR and the UAE PDPL, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data (“right to be forgotten”);
- Restrict or object to processing;
- Data portability — receive your data in a structured, machine-readable format;
- Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
- Lodge a complaint with a supervisory authority (in the EU, your local DPA; in the UAE, the UAE Data Office).
To exercise any of these rights — including deleting your account on iOS or Android — visit biolyze.app/personal or email info@biolyze-health.com. We will respond within 30 days.
9. Children
Biolyze is not intended for users under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us and we will delete it.
10. Medical Disclaimer
Biolyze provides educational information based on your lab values. It is not a medical device and does not diagnose, treat, cure, or prevent any disease. Always consult a qualified physician before making changes to your diet, supplementation, or treatment.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be communicated through the app or by email where appropriate.
12. Contact
A&K Worldwide Enterprises FZCO
DWTCA Free Zone, Dubai, United Arab Emirates
Email: info@biolyze-health.com