Privacy Policy
Last updated: April 2026
1. Data Controller
HealthPhin is operated by PhinLabs (Markus Egolf), Glärnistr. 52b, 8712 Stäfa, Switzerland. For any privacy-related inquiries, contact us at [email protected]. This policy applies under the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nDSG, effective since September 1, 2023).
2. Data We Collect
We collect only the data necessary to provide our service: (a) Account data — email address, name, hashed password. (b) Health data — supplements, blood work results, training logs, nutrition data, journal entries (sleep, energy, mood). (c) AI usage data — chat history with Phin AI, tokens used, analysis results. (d) Technical data — IP address (not stored), device info for push notifications. We do NOT use tracking cookies, analytics tools, or advertising pixels.
3. Legal Basis for Processing
We process your data based on: (a) Contractual necessity (Art. 6(1)(b) GDPR) — to provide HealthPhin features. (b) Explicit consent (Art. 9(2)(a) GDPR, Art. 6(7) nDSG) — for processing special categories of personal data (health data). You provide this consent during registration via a separate opt-in checkbox. You may withdraw consent at any time by contacting us or deleting your account.
4. Sensitive Health Data
HealthPhin processes sensitive health data as defined by Art. 9 GDPR and Art. 5 nDSG. This includes supplement intake records, blood test values, training data, nutrition data, and journal entries. All health data is encrypted at rest (AES-256) and in transit (TLS 1.3). We process this data solely to provide the requested analysis and tracking features.
5. Data Storage
All data is stored on a dedicated server at Hetzner Online GmbH in Nuremberg, Germany (EU). The landing page is served via Vercel (EU servers). We do not transfer data outside the EU/EEA. The operator is based in Switzerland, which has an EU adequacy decision under Art. 45 GDPR.
6. Third Parties & Sub-Processors
We do not sell, rent, or share your data with third parties. AI features use AWS Bedrock (Anthropic Claude) in the EU region (eu-central-1, Frankfurt). A Data Processing Agreement (DPA) is in place with AWS per Art. 28 GDPR. Your health data is NEVER used for AI model training. Sub-processors: Hetzner (hosting), AWS (AI processing), Vercel (landing page).
7. Data Retention
Account data is retained while your account is active. After account deletion, all personal data is permanently deleted within 30 days. AI chat histories are automatically deleted after 90 days unless actively saved. Anonymized usage statistics (without personal reference) may be retained for service improvement.
8. Automated Decision-Making
HealthPhin uses AI-based analyses (blood work interpretation, coaching tips, supplement checks). This constitutes automated processing under Art. 22 GDPR. However, NO automated decisions with legal or similarly significant effects are made. All AI outputs serve informational purposes only — you make all decisions yourself.
9. Your Rights
You have the following rights: (a) Right of access (Art. 15 GDPR, Art. 25 nDSG). (b) Right to rectification (Art. 16 GDPR). (c) Right to erasure (Art. 17 GDPR). (d) Right to data portability (Art. 20 GDPR) — export function available in settings. (e) Right to withdraw consent (Art. 7(3) GDPR) — at any time via email or account deletion. (f) Right to restriction of processing (Art. 18 GDPR). Contact [email protected] to exercise these rights.
10. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. In Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, www.edoeb.admin.ch. In the EU: Your local Data Protection Authority under Art. 77 GDPR.
11. Changes
We may update this privacy policy at any time. Material changes will be communicated via email or in-app notification. The current version is always available on this page.
Privacy inquiries: [email protected]