Health Data Policy

1. About This Policy

This Health Data Policy explains how BioSport, Inc., a Delaware corporation ("BioSport," "we," "us," or "our"), handles your health information when you use our website at www.thebiosport.com (the "Website") and our mobile applications for iOS and Android (the "App"). It sits alongside, and is part of, our Privacy Policy. Where this Policy and the Privacy Policy describe the same topic, the more protective provision applies.

2. What Counts as Health Information

In this Policy, "Health Information" means any information you provide, or that we collect or derive, relating to your physical, mental, or reproductive health, fitness, behaviour, or biology, including:

Health profile data — medical history, conditions, allergies, medications, height, weight, vitals, family medical history, lifestyle factors.
Wearable and sensor data — heart rate, heart rate variability, blood pressure, sleep stages, steps, oxygen saturation, body temperature, respiratory rate, GPS during workouts.
Reproductive and cycle data — menstrual cycle, fertility, pregnancy, sexual health.
Mental wellness data — mood logs, stress markers, journal entries.
Biometric identifiers — voiceprints (if enabled), face scans for ID, and similar.
Genetic and biospecimen data — covered in detail in the separate Genetic Information Policy.
Clinical data — notes, lab results, imaging reports, prescriptions, and care plans shared with us by you or your provider.
Inferences and AI outputs — risk scores, recommendations, predictions, and other outputs we generate from your data.

3. Why This Policy Exists

Health Information is one of the most sensitive categories of personal data. Most data-protection laws treat it as a "special category" requiring heightened protection. This Policy explains the specific commitments we make above and beyond the general Privacy Policy.

4. Legal Bases We Rely On

We process your Health Information only when we have a lawful basis. The bases we rely on are:

Your explicit consent — the default basis for collecting, storing, and analysing your Health Information for personal use of the Services.
Performance of a contract — to deliver the Services you have asked for, including coaching, insights, and reports.
Legitimate interests — limited to security, fraud prevention, and product safety, where these do not override your rights.
Vital interests — only in emergencies where processing is necessary to protect life or health.
Legal obligations — where we must process to comply with applicable law.

You can withdraw your consent at any time through the in-app Privacy Centre. Withdrawal will stop future processing for that purpose but does not affect processing already carried out.

5. Sources of Health Information

Information you enter directly in the Website or App (profile, journal, symptoms, goals).
Voice and audio inputs to our AI health coach.
Sensors in your mobile device and in connected wearables (Apple HealthKit, Google Health Connect, Oura, Ultrahuman, Fitbit, Garmin, Samsung Health, and others you authorize).
Environmental sources (air quality, weather, pollen, UV) tied to your location.
Healthcare providers and laboratories, where you authorize sharing.
Inferences we generate from any of the above using our AI models.

6. How We Use Your Health Information

We use your Health Information to:

Provide personalized AI coaching, nutrition, training, sleep, and recovery plans.
Track trends and generate predictive and preventive insights.
Power telehealth consultations and clinician hand-offs you initiate.
Provide environmental context (e.g., air quality affecting your run).
Improve safety — for example, by flagging values that suggest you should consult a clinician.
Improve our products and AI models, only as described in Section 10 and only with your control to opt out.

7. How We Share Your Health Information

We share Health Information only as described in our Privacy Policy and additionally subject to the following commitments specific to Health Information:

We never sell your Health Information.
We never share your Health Information with advertising platforms or use it to target advertising on or off our Services.
We never share your Health Information with your employer, even if you access the Services through a corporate wellness programme.
We never share your Health Information with data brokers.
We do not voluntarily disclose your Health Information to law enforcement; we require a valid court order or subpoena and we will challenge overbroad requests.
We share Health Information with healthcare and laboratory partners only as needed to deliver a service you have requested, under written contracts that require comparable protections.
We share Health Information with cloud and security service providers strictly to host and protect it, under written contracts that require them to act only on our instructions.

8. Special-Category Health Information — Heightened Protection

8.1 Reproductive, Cycle, and Pregnancy Data

We treat this data with additional encryption at rest, separately from your account profile, and accessible to a strictly limited set of engineers. You can delete it with one tap from the in-app Privacy Centre; deletion propagates to backups within thirty-five (35) days. We never share this data with employers, advertisers, insurers, or data brokers, and we will not voluntarily disclose it to law enforcement.

8.2 Mental Wellness Data

Mood logs, mindfulness inputs, and journal entries are treated as sensitive personal information. They are not used for advertising, not shared with employers, and you may delete them at any time. Where you trigger a self-harm or crisis safety response, we may surface crisis resources (such as 988 in the United States or 116 123 in the United Kingdom); we do not provide therapy or crisis counselling ourselves.

8.3 Voice and Biometric Identifiers

Voice recordings, transcripts, and (where you enable speaker verification) voiceprints are biometric data subject to laws such as the Illinois Biometric Information Privacy Act (BIPA) and equivalent state laws. We obtain separate consent for voiceprint use, do not share voice data with third-party speech-model providers for training, and let you delete voice history at any time.

8.4 Clinical and Telehealth Data

Where you receive telehealth services through the Services, the clinician's notes and prescriptions are governed additionally by the Telehealth Policy and applicable medical-records laws (such as HIPAA in the United States). BioSport does not provide medical care; we provide the technology platform.

8.5 Genetic and Biospecimen Data

Genetic data and biological samples are governed by the separate Genetic Information Policy. They are stored with additional access controls, never used for advertising, never shared with employers, insurers, or marketers, and never voluntarily disclosed to law enforcement.

9. How We Protect Your Health Information

Beyond our general security measures (encryption in transit at TLS 1.2 or higher, encryption at rest at AES-256, multi-factor authentication for staff, SOC 2 Type II attestation, and continuous monitoring), we apply the following measures specifically to Health Information:

Additional layered encryption for genetic, reproductive, and biometric data, with separate key management.
Role-based access controls so that only personnel with a legitimate need can access identifiable Health Information.
All access to identifiable Health Information is logged and subject to anomaly detection.
Personnel with access to Health Information complete specific privacy and security training.
Third parties handling Health Information sign written agreements imposing equivalent protections.

10. Use of Health Information in Our AI Models

Our AI models, including our health coach and our prediction and recommendation engines, are trained and operated under the following rules:

We do NOT send your identifiable Health Information (or your voice recordings, or your genetic data) to third-party model providers for them to train their general-purpose foundation models.
Where we use a third-party model to deliver a feature, we operate it in a privacy-preserving configuration that does not allow the provider to use your data for training.
We may use aggregated, de-identified Health Information to improve and evaluate our own purpose-built models, in accordance with our AI Governance Policy.
You can turn off "Help improve BioSport" in the in-app Privacy Centre at any time. This excludes even your de-identified data from future model-improvement work.
Where an AI output has a significant effect on you (for example, a clinical-risk flag or a triage recommendation), we offer human review on request, in line with GDPR Article 22 and CPRA §1798.185(a)(16).

11. Your Rights Over Your Health Information

In addition to the rights described in the Privacy Policy, you have the following specific rights over your Health Information:

Access — download a machine-readable copy of all your Health Information through the in-app Privacy Centre.
Correction — correct or update any inaccurate Health Information directly in the App, or by emailing privacy@thebiosport.com.
Deletion — delete some or all of your Health Information at any time, with one-tap deletion available for reproductive/cycle data, voice history, and other sensitive categories.
Portability — export your Health Information to another platform of your choosing.
Withdrawal of consent — withdraw consent for any specific category of processing at any time.
Object to AI-based decisions — request human review of any AI output with significant effects.
Complain — contact your local data-protection or health-privacy regulator if you believe your rights have been infringed.

12. Children's Health Information

The Services are not directed to children under sixteen (16) (or thirteen (13) in the United States under COPPA, with verifiable parental consent required). Where a verified minor uses the Services with parental consent, additional protections in our Children's and Minors Safety Policy apply. We treat children's Health Information with particular caution: it is not used for any non-essential analytics or marketing, is not used to train AI models, and is subject to the strictest retention limits.

13. Retention

We retain Health Information only as long as you maintain your account and as needed for the purposes described above. You can delete categories of Health Information at any time. On account closure, we delete or de-identify all your Health Information within ninety (90) days, except where we are legally required to retain certain records (in which case the data is segregated and protected under this Policy until secure destruction).

14. Contact Us

If you have any questions or concerns about how we handle your Health Information:

Privacy: privacy@thebiosport.com
Data Protection Officer: Kazim Syed — kazimsyed@thebiosport.com
General inquiries: hello@thebiosport.com
Postal address: BioSport, Inc., Delaware, United States