Privacy Policy
Last updated: 9 July 2026 · Effective date: 9 July 2026
The short version: We collect what we need to help you understand your health, we don't sell your data, and you can delete everything with one email. The long version below spells out the specifics.
1. Who we are
Biomena Health ("Biomena," "we," "us," or "our") operates the website biomenahealth.com and the Biomena Health mobile applications (collectively, the "Service"). This Privacy Policy explains what personal information we collect, how we use and share it, and the rights you have over it.
If you have any questions about this policy or your data, contact us at privacy@biomenahealth.com.
2. Information we collect
2.1 Information you provide directly
- Account information — your name, email address, date of birth, sex assigned at birth, and password (stored only as a hashed value).
- Health and assessment data — answers to the Biomena Method™ assessments (nutrition, sleep, movement, recovery, mental performance, herbal medicine, women's physiology, biomarker inputs). This is sensitive personal data under GDPR (Art. 9) and equivalent laws.
- Payment information — processed by our payment provider (Stripe, Inc.). We do not receive or store your full card number. We only receive a token, the last 4 digits, expiry, and country.
- Content you upload — profile photos, voice notes to the AI coach, chat messages, journal entries, and any files you attach to the Service.
- Communications with us — support emails, feedback, and any messages you send to coaches through the Service.
2.2 Information collected automatically
- Device and usage data — IP address, device type, operating system, browser type, screen size, app version, session timestamps, and features used.
- Diagnostic and crash logs — anonymised error reports to help us keep the Service stable.
- Cookies and similar technologies — see Section 8 below.
2.3 Information from third parties
- Wearable devices — with your explicit consent, we import data from Withings, Oura, WHOOP, Apple HealthKit, Google Health Connect, and similar providers. This includes heart rate, heart rate variability, sleep stages, VO₂ max, activity minutes, steps, body composition, and menstrual-cycle data.
- Payment provider — Stripe shares subscription status, trial status, and refund history back to us.
- Authentication providers — if you sign in with Google or Apple, we receive your name, email, and a unique identifier from that provider.
3. How we use your information
We use your information to:
- Provide and personalise the Service — assessments, scores, coaching, plans, and recommendations.
- Generate AI-assisted insights from your data (see Section 5 on AI processing).
- Show your data back to you and to any human coach you actively engage.
- Process payments, manage subscriptions, and prevent fraud.
- Send you transactional emails (receipts, password resets, security alerts, waitlist confirmations).
- Send you optional product updates and educational content (you can unsubscribe at any time).
- Debug problems, improve the Service, and detect abuse.
- Comply with legal obligations.
4. Legal bases for processing (GDPR / UK GDPR)
If you are in the European Economic Area, the UK, or Switzerland, we rely on the following legal bases:
- Contract — to deliver the Service you signed up for.
- Explicit consent — for processing health data, importing wearable data, and marketing emails. You can withdraw consent at any time.
- Legitimate interests — for security, fraud prevention, and product improvement, balanced against your rights.
- Legal obligation — where the law requires us to retain records.
5. How AI processes your data
The Biomena AI Coach and the Biomena Method™ engine use large language models to help interpret your data. Specifically:
- Prompts sent to AI providers include only the minimum data needed to answer your question, and are stripped of your name, email, and precise date of birth before transmission.
- We use Anthropic (Claude) and, where applicable, other model providers under agreements that prohibit them from using your inputs to train their models.
- We do not allow AI providers to store your data beyond the time needed to return the response.
- AI outputs are stored in your account so you can revisit them; you can delete individual conversations from within the app.
6. Sharing your information
We only share your information with:
- Service providers we use to run Biomena, under strict contracts:
- Hosting & databases — MongoDB Atlas, Cloudflare
- Payments — Stripe, Inc.
- Email delivery — Resend, Inc.
- AI processing — Anthropic PBC
- Analytics — privacy-respecting analytics (Plausible or Fathom); no cross-site tracking
- Error monitoring — Sentry (with PII scrubbing)
- Coaches you engage with — if you enrol with a Biomena coach, they see only the data you explicitly share with them.
- Wearable providers — data flows are two-way only for the providers you connect, and only under the scopes you authorised.
- Authorities — where required by valid legal process, we may disclose information; we will notify you unless prohibited by law.
- Successors — if Biomena is acquired or merged, your data may transfer to the acquirer under the same protections.
We do not sell your personal information. We do not share your data with advertisers or data brokers.
7. Data retention
- We keep your data for as long as your account is active.
- If you delete your account, we permanently erase your personal and health data within 30 days, except for anonymised, aggregated statistics and records we are legally required to retain (e.g., tax and payment records — up to 7 years).
- Backup copies are purged on a rolling 90-day cycle after account deletion.
8. Cookies & similar technologies
We use only essential cookies to keep you logged in and to remember your preferences. We use privacy-respecting analytics (e.g., Plausible or Fathom) that do not use cookies and do not track you across sites. We do not use advertising cookies or third-party trackers.
9. Data security
We take reasonable measures to protect your information, including:
- TLS 1.2+ encryption for all data in transit.
- Encryption at rest for sensitive fields including wearable tokens.
- Access controls and audit logs for our internal systems.
- Regular security reviews and dependency scanning.
- Prompt notification of any personal-data breach as required by applicable law (within 72 hours where GDPR applies).
No system is 100% secure. If you believe your account has been compromised, contact security@biomenahealth.com immediately.
10. Your rights
Depending on where you live, you have the right to:
- Access — request a copy of the data we hold about you.
- Rectify — correct inaccurate data.
- Erase — delete your account and all associated data ("right to be forgotten").
- Restrict or object — limit how we process your data.
- Portability — receive your data in a machine-readable format (JSON export).
- Withdraw consent — at any time, for any consent-based processing.
- Not be subject to automated decisions that produce legal effects — our AI insights are advisory, not automated decisions.
- Lodge a complaint with your local data protection authority.
To exercise any of these, email privacy@biomenahealth.com. We respond within 30 days.
11. California residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, to delete it, to correct it, and to opt out of any sale or "sharing" of it — which we do not do. To exercise these rights, email privacy@biomenahealth.com. We will not discriminate against you for exercising your rights.
12. International data transfers
Biomena is based in the United Kingdom. If you use the Service from outside the UK/EU, your data may be transferred to and processed in the UK, US, or other countries where our service providers operate. Where required, we use Standard Contractual Clauses and equivalent safeguards to protect these transfers.
13. Children
The Service is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you believe a minor has provided us with information, please contact us and we will delete it promptly.
14. Not a medical device
Biomena is a wellness platform. It is not a medical device, does not diagnose, treat, cure, or prevent any disease, and its insights are not medical advice. See our Terms of Service for full disclaimers.
15. Changes to this policy
If we make material changes to this Privacy Policy, we will notify you by email or through the app at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
16. Contact us
Questions, requests, or complaints?
Email: privacy@biomenahealth.com
Data Protection: privacy@biomenahealth.com
General: hello@biomenahealth.com