Privacy Policy

Last updated: 07.07.2026

1. Data Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

heal.health GmbH
c/o Araz
Knorrstraße 2
80807 Munich
Germany
Email: info@heal.health
Phone: +4917656002308

For any questions regarding data protection, you may contact us using the details above.

2. Data We Collect

2.1 Account Data

  • Email address
  • Username (self-chosen, does not need to be your real name)
  • Date of birth
  • Biological sex

2.2 Health Data (Special Category under Art. 9 GDPR)

We may process the following health-related information provided by you:

  • Height, weight
  • Lifestyle data (diet, exercise, sleep, stress)
  • Alcohol and tobacco consumption
  • Medical history, allergies, conditions
  • Medications and supplements
  • Health goals
  • Laboratory results and biomarker data (uploaded documents and extracted values)

2.3 Apple Health Data

With your permission, we may read health data from Apple Health (HealthKit), such as step count, heart rate, sleep analysis, and activity data. Daily summary metrics (for example steps, sleep duration, resting heart rate, and active energy) are stored on Supabase, in its eu-west-1 region within the European Union, to power your Heal Score, trends, and health insights. With your explicit consent, 30-day aggregates of this data are sent to AWS Bedrock to generate your AI Health Summary and AI Action Plan (see Section 4). We do not export the full raw HealthKit sample data. Access can be revoked at any time in your device settings.

Health data constitutes a special category of personal data under Art. 9 GDPR and is processed solely based on your explicit consent.

2.4 Technical Data

  • IP address (via hosting provider)
  • Browser type and version
  • Access timestamps

3. Purpose and Legal Basis

  • Account creation and platform access: Art. 6(1)(b) GDPR (contract)
  • Processing health data to provide personalized insights: Art. 9(2)(a) GDPR (explicit consent)
  • Reading Apple Health data for health insights: Art. 9(2)(a) GDPR (explicit consent)
  • AI-supported analysis of lab reports: Art. 9(2)(a) GDPR (explicit consent)
  • AI-generated Health Summary and Action Plan from your health data: Art. 9(2)(a) GDPR (explicit consent)
  • Personalized recommendations, Heal Score, and insights: Art. 9(2)(a) GDPR (explicit consent)
  • Notifications and communication: Art. 6(1)(b) GDPR
  • Blood test booking services: Art. 6(1)(b) GDPR

These evaluations are intended solely for informational and self-optimization purposes and do not produce legal or similarly significant effects within the meaning of Art. 22 GDPR. We process only the data necessary to provide the functionality of the platform in accordance with the principles of data minimization and purpose limitation (Art. 5 GDPR).

4. Third-Party AI and Service Providers

To provide functionality, we use carefully selected service providers acting as data processors under Art. 28 GDPR unless stated otherwise:

  • Supabase Inc. (San Francisco, USA) for database hosting, authentication, and file storage. Data is stored on Supabase, in its eu-west-1 region within the European Union.
  • Amazon Web Services EMEA SARL (Luxembourg) for AI-powered biomarker extraction via AWS Bedrock, processed in the eu-central-1 (Frankfurt) region. When you upload a lab report, the file (PDF or image) and your biological sex are sent to AWS Bedrock, which runs Anthropic's Claude model inside AWS, solely to extract your biomarker values. This data is not used to train AI models and is not shared with the model provider. Uploaded files are deleted after extraction.
  • Amazon Web Services EMEA SARL (Luxembourg) for the AI-generated Health Summary and Action Plan via AWS Bedrock, processed in the eu-central-1 (Frankfurt) region. When you generate or update your Health Summary or Action Plan, the following data is sent to AWS Bedrock, which runs Anthropic's Claude model inside AWS, solely to produce that result: your age, biological sex, BMI, and lifestyle answers; your daily check-ins and Apple Health activity aggregates from the last 30 days; and your blood biomarker results. Your name and other direct identifiers are never sent. This data is not used to train AI models and is not shared with the model provider. The results are informational wellness content, not medical advice.
  • Communication providers for email notifications

Data is transmitted only to the extent necessary for the respective function. Data Processing Agreements (DPAs) are in place with all providers. Supabase and AWS process data within the European Union.

5. Hosting and Data Storage

We use infrastructure providers for database hosting, authentication, and backend services. Where possible, data is stored within the European Union. Appropriate technical and organizational measures are implemented, including encryption in transit and at rest.

6. Data Retention

  • Uploaded lab documents: Deleted after extraction or within 48 hours
  • Extracted biomarker data: Until account deletion
  • AI Health Summary: Stored until regenerated or account deletion
  • AI Action Plan: Stored until regenerated or account deletion
  • User profile and health data: Until account deletion
  • Booking data: Until account deletion or legal retention requirements

Users may request deletion at any time.

7. Your Rights

You have the following rights under GDPR:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object to processing (Art. 21)
  • Right to withdraw consent (Art. 7(3))
  • Right to lodge a complaint with a supervisory authority (Art. 77)

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Competent supervisory authority:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
https://www.lda.bayern.de

8. International Data Transfers

heal processes personal data primarily within the European Economic Area (EEA). If a transfer outside the EEA becomes necessary in the future, heal will ensure appropriate safeguards in accordance with Art. 44 ff. GDPR.

9. Cookies

The application uses only technically necessary cookies for authentication and session management.

10. Data Security

We implement appropriate technical and organizational measures including:

  • Encryption (TLS/HTTPS)
  • Encryption of stored data
  • Access controls
  • Authentication safeguards
  • Abuse protection and rate limiting

11. Important Notice

heal is a wellness application and not a medical device within the meaning of EU Regulation 2017/745 (MDR). The insights and recommendations provided are for informational and self-optimization purposes only and do not constitute medical diagnosis, treatment, or advice. Users should consult qualified healthcare professionals for medical decisions.

12. AI Transparency

Certain features of the application involve AI: (1) biomarker extraction from uploaded lab reports, (2) the AI-generated Health Summary, and (3) the AI-generated Action Plan. All are performed by Anthropic's Claude model via AWS Bedrock, processed in the EU (Frankfurt). For biomarker extraction, only the uploaded file and your biological sex are sent. For the Health Summary and the Action Plan, your demographics, lifestyle answers, daily check-ins, Apple Health aggregates from the last 30 days, and blood biomarker results are sent; your name and other direct identifiers are never sent. In all cases the data is used solely for the stated feature and is not used to train AI models. Where a biomarker is not in our reference catalogue, its description and guidance may be generated by AI and should be treated as general information, not medical advice. The Health Summary and the Action Plan are informational wellness content only, are not medical advice, and are generated only when you request them. Final health-related decisions remain the responsibility of the user in consultation with medical professionals.

13. Changes to this Policy

We may update this Privacy Policy to reflect legal, technical, or operational changes. The latest version is always available within the application.

14. Contact

For privacy-related inquiries:
Email: info@heal.health
Address: Knorrstraße 2, 80807 Munich, Germany

© 2026 heal.health GmbH. All rights reserved.