Privacy Policy
1. Introduction
Santani App ("Santani", "we", "us", or "our") operates the Health Index application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
We process health-related data, which is classified as "special category data" under the General Data Protection Regulation (GDPR). We take the protection of this sensitive information very seriously.
Please read this Privacy Policy carefully. By using the Service, you consent to the collection and use of your information as described herein.
The Service is currently in beta. During this period, data collection practices, retention policies, and processing methods may be updated as the platform evolves. We will update this Privacy Policy to reflect any material changes.
2. Data Controller
The data controller responsible for your personal data is:
3. Information We Collect
3.1 Personal Information
When you create an account, we collect:
- Full Name - To personalize your experience and for identification by resort staff
- Email Address - For account authentication, communication, and as your unique identifier
- Password - Stored in encrypted (hashed) form for account security
3.2 Health Data (Special Category Data)
To calculate your Health Index score, we collect and process:
- Blood Test Values - Including glucose levels, cholesterol markers (HDL, LDL, triglycerides), liver enzymes (ALT, GGT), kidney function (eGFR), hemoglobin, and inflammation markers (ESR)
- Demographic Information - Age, biological sex, and geographic region (for accurate health scoring)
- Health Index Scores - Calculated scores and interpretations based on your blood test results
- AI-Generated Health Insights - Personalized analysis and recommendations generated from your data
Important: Health data is classified as "special category data" under GDPR Article 9, requiring explicit consent and enhanced protection measures.
3.3 Technical Data
We automatically collect certain technical information:
- IP Address - For security and consent verification
- Browser Information - For service optimization and security
- Access Timestamps - For audit logging and security monitoring
4. How We Use Your Information
4.1 Primary Purposes
- Health Score Calculation - Processing your blood test values to generate your Health Index score
- AI Health Analysis - Generating personalized health insights and recommendations
- Account Management - Managing your account and providing customer support
- Service Communication - Sending you results, updates, and service-related notifications
4.2 Legal Basis for Processing
We process your data based on the following legal grounds:
- Explicit Consent (Article 6(1)(a) and Article 9(2)(a)) - For processing health data, which you provide when creating an account and accepting this Privacy Policy
- Contract Performance (Article 6(1)(b)) - To provide the Service you requested
- Legitimate Interests (Article 6(1)(f)) - For security monitoring and service improvement
5. How We Share Your Information
5.1 Third-Party Service Providers
We share data with trusted service providers who assist in operating our Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting & authentication | All user data (encrypted) |
| Vercel | Application hosting | Technical data only |
| OpenAI | AI health analysis & OCR | Blood test values (anonymized) |
All service providers have signed Data Processing Agreements (DPAs) and are contractually obligated to protect your data in accordance with GDPR requirements.
5.2 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for marketing purposes. Your health data is never used for advertising.
6. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States (where our service providers operate).
For transfers outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- EU-US Data Privacy Framework certification (for US providers)
- Standard Contractual Clauses approved by the European Commission
- Binding Corporate Rules where applicable
7. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Health calculations | 7 years | Medical record standards |
| Account information | Until account deletion | Service provision |
| Audit logs | 3 years | Compliance verification |
| Deleted account data | 30 days then permanently deleted | Recovery window |
You may request earlier deletion of your data at any time (see Your Rights below).
8. Your Rights
Under GDPR and other applicable privacy laws, you have the following rights:
Right of Access (Article 15)
Request a copy of all personal data we hold about you.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete data.
Right to Erasure (Article 17)
Request deletion of your personal data ("Right to be Forgotten").
Right to Data Portability (Article 20)
Receive your data in a machine-readable format (JSON/CSV).
Right to Withdraw Consent (Article 7)
Withdraw your consent at any time through your account settings.
Right to Restrict Processing (Article 18)
Request limitation of how we process your data.
Right to Object (Article 21)
Object to processing based on legitimate interests.
To exercise any of these rights, please contact us at support@healbysantani.com or use the options in your account settings. We will respond within one month.
9. Automated Decision-Making
Our Service uses automated processing to calculate your Health Index score and generate AI-powered health insights. This processing:
- Is based on your explicit consent
- Applies standardized, research-based scoring algorithms
- Does not produce legally binding or similarly significant effects
- Is intended for informational and wellness purposes only
Disclaimer: Health Index scores and AI insights are for wellness information only and do not constitute medical advice. Always consult qualified healthcare professionals for medical decisions.
10. Data Security
We implement industry-standard security measures to protect your data:
- Encryption at Rest - All data stored using AES-256 encryption
- Encryption in Transit - All communications secured with TLS 1.2+
- Access Controls - Role-based access with principle of least privilege
- Authentication - Secure password hashing and session management
- Audit Logging - All data access is logged for security monitoring
- Regular Security Reviews - Ongoing assessment of security measures
11. Additional Rights for California Residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know - What personal information we collect, use, and disclose
- Right to Delete - Request deletion of your personal information
- Right to Opt-Out - We do not sell your personal information
- Right to Non-Discrimination - We will not discriminate against you for exercising your privacy rights
Do Not Sell or Share My Personal Information: We do not sell or share your personal information for cross-context behavioral advertising purposes.
12. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
13. Complaints
If you have concerns about how we handle your data, please contact us first. If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority:
- UK: Information Commissioner's Office (ICO) - ico.org.uk
- EU: Your local Data Protection Authority
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by email and/or by posting a prominent notice on our Service. The "Last Updated" date at the top of this policy indicates when it was last revised.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Santani App - Privacy Team
Email: support@healbysantani.com