Privacy Policy
Last Updated: March 2026
This Privacy Statement relates to the processing of your personal data as part of the services that Optimize B.V. ("we" or "us") provides to you through the Optimize app (hereinafter the "App"). Optimize has its registered office at Keizersgracht 285, 1016 ED Amsterdam, the Netherlands, and is registered in the register of the Dutch Chamber of Commerce under number 93488866.
Optimize values your privacy highly. Therefore, we use this statement to inform you properly about the personal data we collect about you through the App, the purposes for which we do so, the parties with whom we share your personal data, how we handle your personal data and what rights you have.
Personal Data and Purposes
We process the following categories of personal data about you for the following purposes:
- Administrative data, name and address details and payment details, so that we can provide you with our services in the App and so that you can buy credits.
- Data about your lifestyle and goals, so that we can give you personalised lifestyle advice that ensures you can achieve your selected goals. This personal data is provided by you yourself and, at your request, through third parties such as Apple Health, Garmin Connect and Whoop. You are completely free to choose which external data sources, such as Apple Health, Garmin Connect and Whoop, you want to link to.
- Health data, so that we can give you personalised lifestyle advice that ensures you can achieve your selected goals.
If you have consented to the processing of your personal data, you may withdraw your consent at any time. As it is not possible for us to provide the services to you in that case, you can only withdraw your consent by terminating the service. For individual components, such as notifications or links to external sources, you may withdraw your consent separately. Withdrawing your consent does not affect the lawfulness of the processing of your personal data carried out prior to the withdrawal.
Bases
We process your personal data on the following legal bases:
- your administrative data and payment details. Without this information, we cannot perform our agreement with you to provide the services;
- data about your lifestyle and your health data (blood values). We need this information to provide the services to you. We process this data on the basis of your consent, which you may withdraw at any time by terminating the service;
- data about your lifestyle and your health data in pseudonymised or aggregated form for scientific research, the improvement of our App and the testing and monitoring of our AI Systems as described under "Use of Artificial Intelligence" below. Where such processing involves special categories of personal data, we do so on the basis of your explicit consent. For processing that does not involve special categories, we rely on our legitimate interest in improving the quality and safety of our services, having carried out a balancing test to ensure that your interests are not overridden.
With Whom Will Your Personal Data Be Shared?
Through our App, we share your contact details with ZorgDomein Nederland B.V. to request laboratory tests from our lab partner Unilabs Diagnostics B.V. Once your blood is shared with Unilabs through your selected collection site and Unilabs has performed the test, we will receive the results of your blood test. Those results are shared with us securely through our collaboration partner Enovation B.V.
In the context of the services, your data will also be processed by the following processors:
- DigitalOcean (for cloud hosting and data storage);
- Mollie (payment services); and
- Anthropic PBC (AI-powered personalisation and content generation within the App). Anthropic processes data on our behalf via its API infrastructure. Personal data shared with Anthropic may be processed outside the European Economic Area ("EEA"), including in the United States. Anthropic retains API inputs and outputs for up to 7 days for safety and abuse monitoring purposes, after which they are automatically deleted. Anthropic does not use API data to train its models.
We have entered into a Data Processing Agreement with Anthropic that includes the Standard Contractual Clauses approved by the European Commission. We have conducted a Transfer Impact Assessment and implemented appropriate supplementary technical and organisational measures in line with the recommendations of the European Data Protection Board (EDPB), to address risks arising from the laws of the provider's country of establishment. These measures include pseudonymisation of personal data prior to transmission, as described under "Use of Artificial Intelligence" below.
What Do We Do With Your Data?
How does your lifestyle advice come about? We provide our services by combining your health data and lifestyle preferences. We analyse this information to show test results, build your health profiles and provide you with targeted notifications, recommendations and advice through the App.
We pseudonymise the information we hold about you for scientific research and for improving our App. This means that we replace or remove direct identifiers (such as your name and e-mail address) and apply technical measures to separate your identity from your data. While the resulting dataset cannot be traced back to you by the recipient without access to our internal systems, we retain the technical ability to re-link the data to your account. As a result, pseudonymised data remains personal data under the GDPR, and your rights — including the right to erasure — continue to apply in full.
Where we share pseudonymised data with third-party recipients for research purposes, we do so under data sharing agreements that require the recipient to maintain the pseudonymised character of the data and to delete it upon our instruction.
Where we process personal data in a truly aggregated and statistical form from which no individual can be identified (for example, average values across a large group of users), such data is no longer personal data under the GDPR. We may retain and use such aggregated data without restriction. If special categories of personal data are involved in the creation of aggregated data, we do so only with your explicit consent.
Use of Artificial Intelligence
We use artificial intelligence systems and AI-powered tools ("AI Systems") to support the delivery and improvement of our services through the App. Our AI service provider is identified as a processor under "With Whom Will Your Personal Data Be Shared?" above.
These AI Systems may be used to assist us in organising, structuring, generating, refining and presenting information within the App, including personalised explanations, recommendations and other content based on the data you provide to us or choose to connect through external sources as described under "Personal Data and Purposes" above.
The legal bases set out under "Bases" above apply equally to the processing of your personal data through AI Systems. In particular, where AI Systems process your health data or data about your lifestyle, we do so on the basis of your explicit consent. You may withdraw that consent at any time as described under "Personal Data and Purposes" above.
Personal data shared with AI Systems is pseudonymised before transmission. The categories of data that may be shared include blood values, age, sex, weight, and lifestyle data such as sleep patterns, physical activity and nutritional information. This includes data received from connected external sources such as wearable platforms, as described under "Personal Data and Purposes" above. Where functional identifiers are necessary for linking related data within the AI System, these are transmitted in a form that cannot be used to directly identify you. Such data is shared only to the extent necessary to generate personalised advice. The GDPR applies in full to this processing.
The AI Systems within the App are used in a supportive and informational capacity only. They are not used to:
- make medical diagnoses or determine treatments;
- replace healthcare professionals;
- take decisions that produce legal effects or similarly significant effects concerning you within the meaning of Article 22 of the GDPR; or
- serve as the sole basis for decisions regarding your access to the App, your eligibility for services, or any other decision that materially affects you.
We regularly assess whether our AI Systems qualify as high-risk AI systems within the meaning of Regulation (EU) 2024/1689 (the AI Act) and take additional measures where required.
Where you interact with content that is generated or substantially shaped by AI Systems, the App will make this identifiable to you by means of a clear indication in the user interface. We comply with the applicable transparency requirements under Regulation (EU) 2024/1689 (the AI Act).
AI-generated content, including recommendations and advice provided through the App, is subject to appropriate human oversight. Qualified personnel review the design, configuration and outputs of our AI Systems on a regular basis to ensure accuracy, safety and compliance.
When using AI Systems, we apply the principle of data minimisation and only process the personal data necessary for the relevant purpose. The technical and organisational security measures described under "Security of Your Personal Data" below apply equally to the processing of personal data through AI Systems. In addition, we implement appropriate contractual safeguards with our AI service provider.
Personal data shared with AI Systems may be processed outside the EEA, including in the United States, as described under "With Whom Will Your Personal Data Be Shared?" above. We have implemented appropriate safeguards for such transfers, including Standard Contractual Clauses and supplementary technical measures such as pseudonymisation prior to transmission.
We may use pseudonymised or aggregated data to test, monitor and improve the quality, safety and performance of our AI Systems.
Anthropic retains API inputs and outputs for up to 7 days for safety and abuse monitoring, after which they are automatically deleted. Anthropic does not use API data to train its models. We pseudonymise all personal data before transmission to minimise exposure during this retention period.
For further information about how AI Systems are used in the processing of your personal data, see "Your Rights" below.
Retention Periods
We will not keep your personal data for longer than necessary for the purposes for which it was collected. In most cases, this means that we keep the data until you delete your account or terminate the agreement. We will then delete your personal data from our systems one year after your account is deleted. This one-year retention period also applies to pseudonymised data used for research or improvement purposes. In addition, you may request deletion of such pseudonymised data at any time during the retention period, as it remains personal data under the GDPR. Data already processed in aggregated form cannot be attributed to you and will be retained. In certain cases, we are required by law to keep specific data for longer. For example, we keep your payment details in our records for seven years for tax reasons.
Since you may want to see your blood results again because you need them for medical reasons, we store the results of blood diagnostics through Unilabs for one year after you delete your account. You may request those details by sending an e-mail to privacy@optimizelifestyle.io.
Personal data processed through AI Systems as described under "Use of Artificial Intelligence" above is retained by our AI service provider for up to 7 days for safety monitoring, after which it is automatically deleted. Anthropic does not store data beyond this period and does not use it for model training.
Security of Your Personal Data
We have taken technical and organisational measures to adequately secure your personal data against loss or any other form of unlawful processing.
Your personal data is stored encrypted. Reports and other static files are protected separately according to current encryption standards (AES-256).
Access to the App is fully protected. Your identity is first verified using OAuth 2.0 with proof key for code exchange ("PKCE"), after which your data can only be accessed using biometric authentication (such as Face ID or Touch ID) or a personal access code.
We also apply data minimisation, pseudonymisation and data separation. Sensitive medical data is stored in separate, highly secure databases and can only be linked to users indirectly, without directly traceable personal data being used.
We apply the principles of privacy by design and privacy by default when developing and maintaining the App. Our technical and organisational security measures are aligned with current best practices and recognised standards, including ISO/IEC 27001 (information security), the OWASP Mobile Security Guidelines and the principles and recommendations of the Dutch Data Protection Authority.
Where personal data is transmitted to our AI service provider, such transmission takes place over encrypted connections to the provider's API endpoint. Data is pseudonymised before transmission.
Amendments
We may amend this Privacy Statement from time to time. If we do, we will notify you. You may always — i.e. including after such an amendment — decide to stop using the App.
Where the nature, scope or purpose of our use of artificial intelligence materially changes, we will proactively inform you of such changes in accordance with applicable transparency obligations, including those under Regulation (EU) 2024/1689 (the AI Act).
Your Rights
You have the right to ask us to:
- provide access to your personal data (such as your contact details);
- have your personal data (such as your contact details) supplemented, corrected or deleted;
- stop processing your personal data;
- restrict the processing of your personal data; and/or
- transfer your personal data to you or a third party.
These rights are not absolute. We will assess your request in accordance with the GDPR. This means that we will first have to verify your identity on the basis of your proof of identity. As soon as possible and in any case within one month of your access request (unless we have been unable to verify your identity), we will then provide you with information on the actions we have taken in response to your request. We may extend this deadline by two months due to the complexity of your request or the number of requests we receive. In that case, we will notify you.
Where we process your personal data on the basis of our legitimate interest, you have the right to object to such processing at any time on grounds relating to your particular situation. Upon receiving such an objection, we will cease the processing unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.
Your right to erasure under Article 17 of the GDPR extends to pseudonymised data that we hold about you, as such data remains personal data. Upon receiving a valid erasure request, we will delete your pseudonymised data from our systems and instruct our processors, as well as any third-party recipients to whom pseudonymised data has been provided, to do the same, unless we are required by law to retain it. Aggregated data is excluded from this right, as it can no longer be attributed to you.
You have the right to file a complaint with the Dutch Data Protection Authority at any time.
To exercise your rights, you may send an e-mail to privacy@optimizelifestyle.io.
At your request, we will provide you with further information about the logic involved in AI-assisted processing of your personal data as described under "Use of Artificial Intelligence" above, including the significance and envisaged consequences of such processing for you. You may submit such a request by contacting us at privacy@optimizelifestyle.io.
Cookies or Similar Technologies We Use
We use functional and analytical cookies. A cookie is a small text file that is stored on your computer, tablet or smartphone the first time you visit the Optimize App. Functional cookies perform a purely technical function. They ensure that the App works properly and that, for example, your preferred settings are remembered. These cookies are also used to optimise our App. If we are required by law to seek consent to place analytical cookies, we will do so through the App.
Contact
If you have any questions about this Privacy Statement, please contact us by sending an e-mail to privacy@optimizelifestyle.io.