Last updated: 07.07.2026
1. Data Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
heal.health GmbH
c/o Araz
Knorrstraße 2
80807 Munich
Germany
Email: info@heal.health
Phone: +4917656002308
For any questions regarding data protection, you may contact us using the details above.
2. Data We Collect
2.1 Account Data
2.2 Health Data (Special Category under Art. 9 GDPR)
We may process the following health-related information provided by you:
2.3 Apple Health Data
With your permission, we may read health data from Apple Health (HealthKit), such as step count, heart rate, sleep analysis, and activity data. Daily summary metrics (for example steps, sleep duration, resting heart rate, and active energy) are stored on Supabase, in its eu-west-1 region within the European Union, to power your Heal Score, trends, and health insights. With your explicit consent, 30-day aggregates of this data are sent to AWS Bedrock to generate your AI Health Summary and AI Action Plan (see Section 4). We do not export the full raw HealthKit sample data. Access can be revoked at any time in your device settings.
Health data constitutes a special category of personal data under Art. 9 GDPR and is processed solely based on your explicit consent.
2.4 Technical Data
3. Purpose and Legal Basis
These evaluations are intended solely for informational and self-optimization purposes and do not produce legal or similarly significant effects within the meaning of Art. 22 GDPR. We process only the data necessary to provide the functionality of the platform in accordance with the principles of data minimization and purpose limitation (Art. 5 GDPR).
4. Third-Party AI and Service Providers
To provide functionality, we use carefully selected service providers acting as data processors under Art. 28 GDPR unless stated otherwise:
Data is transmitted only to the extent necessary for the respective function. Data Processing Agreements (DPAs) are in place with all providers. Supabase and AWS process data within the European Union.
5. Hosting and Data Storage
We use infrastructure providers for database hosting, authentication, and backend services. Where possible, data is stored within the European Union. Appropriate technical and organizational measures are implemented, including encryption in transit and at rest.
6. Data Retention
Users may request deletion at any time.
7. Your Rights
You have the following rights under GDPR:
Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Competent supervisory authority:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
https://www.lda.bayern.de
8. International Data Transfers
heal processes personal data primarily within the European Economic Area (EEA). If a transfer outside the EEA becomes necessary in the future, heal will ensure appropriate safeguards in accordance with Art. 44 ff. GDPR.
9. Cookies
The application uses only technically necessary cookies for authentication and session management.
10. Data Security
We implement appropriate technical and organizational measures including:
11. Important Notice
heal is a wellness application and not a medical device within the meaning of EU Regulation 2017/745 (MDR). The insights and recommendations provided are for informational and self-optimization purposes only and do not constitute medical diagnosis, treatment, or advice. Users should consult qualified healthcare professionals for medical decisions.
12. AI Transparency
Certain features of the application involve AI: (1) biomarker extraction from uploaded lab reports, (2) the AI-generated Health Summary, and (3) the AI-generated Action Plan. All are performed by Anthropic's Claude model via AWS Bedrock, processed in the EU (Frankfurt). For biomarker extraction, only the uploaded file and your biological sex are sent. For the Health Summary and the Action Plan, your demographics, lifestyle answers, daily check-ins, Apple Health aggregates from the last 30 days, and blood biomarker results are sent; your name and other direct identifiers are never sent. In all cases the data is used solely for the stated feature and is not used to train AI models. Where a biomarker is not in our reference catalogue, its description and guidance may be generated by AI and should be treated as general information, not medical advice. The Health Summary and the Action Plan are informational wellness content only, are not medical advice, and are generated only when you request them. Final health-related decisions remain the responsibility of the user in consultation with medical professionals.
13. Changes to this Policy
We may update this Privacy Policy to reflect legal, technical, or operational changes. The latest version is always available within the application.
14. Contact
For privacy-related inquiries:
Email: info@heal.health
Address: Knorrstraße 2, 80807 Munich, Germany
© 2026 heal.health GmbH. All rights reserved.