Privacy Policy
Biometrica (Pty) Ltd
Republic of South Africa
Effective Date: [Insert Date]
Last Updated: [Insert Date]
1. Introduction
This Privacy Policy explains how Biometrica (Pty) Ltd ("Company", "we", "us", or "our") collects, uses, stores, protects, shares, and otherwise processes personal information when you access or use our mobile application, website, and related services (collectively, the "Platform").
We are committed to processing personal information lawfully, transparently, and responsibly in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and other applicable legislation, including the General Data Protection Regulation ("GDPR") for users in the European Economic Area ("EEA") and the California Consumer Privacy Act ("CCPA") for users in California, United States.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy. For information about cookies and similar tracking technologies, please see our separate Cookie Policy.
2. Definitions
- Personal Information — information relating to an identifiable, living natural person, as defined in POPIA Section 1.
- Special Personal Information — includes health data, biometric data, and other sensitive categories defined in POPIA Section 26.
- Processing — any operation performed on personal information, including collection, storage, use, modification, disclosure, and deletion.
- Data Subject — the individual to whom personal information relates (i.e., you, the user).
- Information Officer — the person responsible for ensuring POPIA compliance within the Company.
- Responsible Party — the entity that determines the purpose and means of processing personal information (i.e., the Company).
3. Information Officer
In accordance with POPIA, our designated Information Officer is:
- Name: [Insert Name]
- Email: [Insert Email]
- Physical Address: [Insert Physical Address]
- Company Registration Number: [Insert Registration Number]
You may contact the Information Officer for any queries related to the processing of your personal information or to exercise your rights under applicable law.
4. Categories of Information We Collect
We collect information directly from you, automatically through your use of the Platform, and from authorised third-party integrations. The categories below describe the types of information we may collect:
4.1 Identity Information
Full name, email address, username, date of birth, and account credentials. Collected to create and manage your account, verify your identity, provide customer support, and communicate essential service updates.
4.2 Contact and Communication Information
If you contact us for support or feedback, we may retain records of your communications, including messages, attachments, and response history. This helps us resolve issues and improve service quality.
4.3 Device and Technical Information
IP address, device type, operating system, browser type, app version, session data, crash logs, and diagnostic information. We use this data to enhance security, improve performance, prevent fraud, and ensure compatibility across devices.
4.4 Usage and Interaction Data
Information about how you interact with the Platform, including features used, time spent on certain screens, navigation patterns, and engagement metrics. This helps us improve usability and functionality.
4.5 Health and Fitness Information (Special Personal Information)
If you choose to use analytics features, we may process:
- Lab biomarker data — blood test results uploaded via OCR or entered manually (e.g., cholesterol, glucose, hormone levels)
- At-home vitals (Quick Log) — blood pressure, heart rate, blood glucose, weight, temperature, blood oxygen (SpO2), body fat percentage, waist circumference, respiratory rate
- Activity data — exercise metrics, performance indicators, recovery data
- Sleep data — sleep duration, quality indicators
- User-entered wellness data — manual health observations and notes
This information constitutes "special personal information" under POPIA Section 26 and is processed only with your explicit consent.
4.6 Third-Party Integration Data
When you connect third-party services (e.g., Strava, Garmin, or other fitness platforms), we may receive authorised data such as activity history, performance statistics, GPS information, or wellness metrics. Data received depends on permissions granted through the third-party platform. Your relationship with those services remains governed by their respective policies.
4.7 Payment and Transactional Information
Subscription plan selections, billing history, and payment status. Payment card details are processed directly by our payment processor and are not stored on our servers.
4.8 Uploaded Documents
Blood test reports, pathology documents, and other files uploaded via the Platform for OCR processing. These documents may contain sensitive health information and are handled in accordance with the protections described in this Policy.
5. Legal Basis for Processing
We process personal information based on one or more of the following legal grounds:
5.1 Explicit Consent
We obtain your explicit consent before processing health or biometric data (special personal information). Consent is requested through clear affirmative actions such as selecting tick boxes, enabling integrations, or uploading health data.
5.2 Performance of a Service Agreement
We process certain information to provide the Platform's core functionality, including account management, analytics generation, and service communications.
5.3 Legitimate Operational Interests
We may process technical and usage data to maintain system security, prevent fraud, improve reliability, and enhance user experience, provided your rights are not overridden.
5.4 Legal and Regulatory Obligations
In certain circumstances, we may process or disclose personal information to comply with legal requirements or lawful requests from authorities.
6. How We Use Personal Information
We use personal information to:
- Provide core services — account management, biomarker tracking, health dashboards, trend analysis
- Generate AI-assisted analytics and insights — data is processed by automated systems to create personalised dashboards, trend analyses, and wellness summaries (see Section 7)
- Process uploaded documents — OCR extraction of biomarker values from uploaded blood test reports
- Improve and optimise the Platform — aggregated and de-identified data may be analysed to improve algorithms, refine features, and enhance overall functionality
- Communicate with users — essential service messages such as account confirmations, security alerts, and policy updates; optional communications are sent only where permitted
- Ensure security and integrity — monitoring and logging systems detect suspicious activity, unauthorised access, or misuse
- Process payments — manage subscriptions, billing, and payment-related communications
- Comply with legal obligations — respond to lawful requests, enforce our terms, and protect rights
7. AI and Automated Processing
The Platform uses automated systems and artificial intelligence to generate wellness analytics and insights. This processing is performed by our AI processing partner on our behalf.
7.1 How AI Processing Works
- User health data (biomarkers, vitals, activity data) is sent to our AI processing systems for analysis
- AI systems generate insights, trend analyses, and wellness recommendations
- All results are written back to our database and displayed to you through the Platform
- No user data is permanently stored by our AI processing partner — data is processed in-flight only
7.2 Limitations of Automated Processing
- All AI outputs are generated through software models using pattern recognition and statistical analysis
- No licensed healthcare professional reviews or confirms individual AI-generated outputs
- AI outputs are informational only and do not constitute medical advice
- Algorithmic systems may have limitations due to incomplete, inaccurate, or inconsistent input data
- OCR-parsed results from uploaded documents may contain extraction errors
7.3 Your Rights Regarding Automated Processing
In accordance with POPIA Section 71, you have the right not to be subject to decisions based solely on automated processing that significantly affect you. You may:
- Request human review of any AI-generated insight or recommendation
- Object to automated processing of your personal information
- Request information about the logic involved in automated processing
To exercise these rights, contact our Information Officer.
8. Data Sharing and Disclosure
We do not sell personal information. We may share information with:
8.1 Cloud Infrastructure Providers
To host and operate the Platform securely. These providers act under our instructions and are required to implement appropriate security measures.
8.2 AI Processing Partner
Our AI processing partner processes user health data to generate insights and analytics. Data is processed in-flight only and is not persisted by the partner.
8.3 Payment Processors
To process subscription payments securely. Payment processors operate under their own privacy policies and PCI-DSS compliance standards.
8.4 Analytics and Service Providers
To measure platform performance and improve features, subject to privacy safeguards. Only aggregated or de-identified data is shared for this purpose.
8.5 Integration Partners
When you enable third-party integrations (e.g., Strava), limited data sharing may occur to facilitate syncing and functionality, as authorised by you.
8.6 Legal Authorities
Where required by law, court order, or to protect the rights, safety, or security of the Company, our users, or the public.
9. Cross-Border Data Transfers
Your personal information may be stored or processed on servers located outside South Africa, including in the European Union and the United States.
9.1 Safeguards
Where cross-border transfers occur, we implement safeguards intended to ensure comparable protection of personal information, including:
- Encryption in transit and at rest
- Access controls and vendor due diligence
- Contractual protections with service providers
- Compliance with POPIA Section 72 requirements
9.2 User Acknowledgement
By using the Platform and providing consent where required, you acknowledge and agree to such cross-border processing. You may withdraw this consent at any time by discontinuing use of the Platform and requesting deletion of your account.
10. Data Security Measures
We implement technical and organisational measures to protect your personal information, including:
- Encryption — data is encrypted in transit (TLS/SSL) and at rest
- Role-based access controls — access to personal information is limited to authorised personnel with a legitimate need
- Monitoring and incident response — structured procedures to detect, investigate, and respond to security incidents
- Regular security assessments — periodic reviews of security practices and infrastructure
- Secure development practices — security considerations integrated into our development lifecycle
No system is completely secure. While we strive to protect your information, we cannot guarantee absolute security.
11. Data Retention
We retain personal information only for as long as necessary to:
- Fulfil the purposes described in this Policy
- Comply with legal obligations (including tax and accounting requirements)
- Resolve disputes and enforce agreements
- Maintain operational integrity
Account data — retained for the duration of your account and for a reasonable period thereafter as required by law.
Health data — retained for as long as your account is active. Upon account deletion, health data is deleted within 30 days, subject to lawful retention requirements.
De-identified or aggregated data — may be retained indefinitely for statistical, research, and improvement purposes, as it no longer constitutes personal information.
You may request deletion of your account at any time (see Section 13).
12. Children's Privacy
The Platform is intended solely for users aged 18 years and older. We do not knowingly collect personal information from children under 18.
If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact our Information Officer immediately.
13. Your Rights
13.1 Rights Under POPIA (All Users)
As a data subject under POPIA, you may:
- Access — request access to your personal information held by us
- Correction — request correction of inaccurate or incomplete information
- Deletion — request deletion of your personal information (subject to lawful retention requirements)
- Withdraw consent — withdraw consent for processing at any time
- Object — object to certain processing activities
- Data portability — request your data in a structured, commonly used format
- Automated decision-making — not be subject to decisions based solely on automated processing (POPIA Section 71)
- Complain — lodge a complaint with the Information Regulator of South Africa
Information Regulator Contact:
- Website: https://inforegulator.org.za
- Email: enquiries@inforegulator.org.za
13.2 How to Exercise Your Rights
Requests may be directed to our Information Officer at [Insert Contact Email]. We will respond to verifiable requests within a reasonable timeframe, and no later than required by applicable law.
We may request verification of your identity before processing requests. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
14. Data Breach Notification
In accordance with POPIA Section 22, if we become aware of a security breach that compromises your personal information, we will:
- Notify the Information Regulator as soon as reasonably possible
- Notify affected data subjects as soon as reasonably possible
- Provide details of the breach, the information affected, and the steps taken to address it
- Recommend measures you can take to mitigate potential harm
15. De-identification and Aggregated Data
We may de-identify or aggregate personal information so that it can no longer be used to identify you. De-identified and aggregated data is not considered personal information and may be used for:
- Improving Platform algorithms and features
- Research and statistical analysis
- Generating industry benchmarks and reports
We apply technical measures to prevent re-identification of de-identified data.
16. Marketing Communications
We may send you marketing communications about our services only where:
- You have provided explicit opt-in consent (as required by POPIA Section 69), or
- You are an existing customer and the communications relate to similar services
You may opt out of marketing communications at any time by:
- Using the "unsubscribe" link in any marketing email
- Updating your communication preferences in your account settings
- Contacting our Information Officer
Opting out of marketing does not affect essential service communications (e.g., security alerts, account notifications, policy updates).
17. Third-Party Integrations
When you connect third-party services to the Platform:
- Data received depends on the permissions you grant through the third-party's authorisation interface
- Data from third-party services is used solely to provide Platform features you have requested (e.g., activity syncing, wellness tracking)
- We do not use third-party integration data for marketing purposes
- You may disconnect integrations at any time through the Platform settings or the third-party platform
- Third-party policies govern your relationship with those services; we encourage you to review them
18. Regional Privacy Addenda
18.1 European Economic Area (GDPR)
If you are located in the EEA, the following additional provisions apply:
Legal Bases for Processing:
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Account management | Performance of contract |
| Health data processing | Explicit consent (Art. 9(2)(a)) |
| Security monitoring | Legitimate interests |
| Legal compliance | Legal obligation |
| Marketing communications | Consent |
Additional Rights Under GDPR:
- Right to erasure ("right to be forgotten") — Article 17
- Right to restriction of processing — Article 18
- Right to data portability — Article 20
- Right to object — Article 21
- Right not to be subject to automated decision-making — Article 22
- Right to lodge a complaint with your local supervisory authority
Data Protection Officer: For GDPR-related queries, contact [Insert DPO Contact Email].
Cross-Border Transfer Mechanisms: Transfers of personal data outside the EEA are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards under GDPR Chapter V.
Data Retention: We retain your data only as long as necessary for the purposes set out in this Policy or as required by law. You may request deletion at any time.
18.2 United States — California (CCPA/CPRA)
If you are a California resident, the following additional provisions apply under the California Consumer Privacy Act (as amended by the CPRA):
Your Rights Under CCPA/CPRA:
- Right to know — what personal information we collect, use, disclose, and sell
- Right to delete — request deletion of your personal information
- Right to correct — request correction of inaccurate personal information
- Right to opt out — of the sale or sharing of personal information
- Right to limit use — of sensitive personal information
- Right to non-discrimination — for exercising your CCPA rights
We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.
Categories of Personal Information Collected (per CCPA categories):
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address | Yes |
| Personal records | Account information | Yes |
| Protected classifications | Age | Yes |
| Commercial information | Subscription history | Yes |
| Internet/network activity | Usage data, browsing history | Yes |
| Geolocation data | Approximate location from IP | Yes |
| Sensory data | Uploaded documents (images/PDFs) | Yes |
| Health information | Biomarkers, vitals, activity data | Yes |
| Inferences | AI-generated wellness insights | Yes |
To Exercise Your Rights: Contact [Insert Contact Email] or use the privacy controls in your account settings. We will verify your identity before processing requests. You may designate an authorised agent to make requests on your behalf.
18.3 United States — Other States
We comply with applicable state privacy laws, including but not limited to the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and Connecticut Data Privacy Act (CTDPA), to the extent they apply.
19. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will notify you via email or in-app notification
- We will update the "Last Updated" date at the top of this Policy
- Continued use of the Platform after notification constitutes acceptance of the revised Policy
We encourage you to review this Policy periodically.
20. Contact Information
Biometrica (Pty) Ltd
- Information Officer: [Insert Name]
- Email: [Insert Contact Email]
- Physical Address: [Insert Physical Address]
- Company Registration Number: [Insert Registration Number]
- Website: [Insert Website URL]
For privacy-related complaints, you may also contact the Information Regulator of South Africa at https://inforegulator.org.za.