Privacy Policy
Last updated: July 30, 2025
1. Identity of the Data Controller
Bionutara, 9 rue des colonnes, 75002 Paris ("Bionutara" or "we"), is the data controller for all data collected via our web and mobile app.
DPO Contact: dpo@bionutara.fr
2. Data We Collect
- Identity data: first name, email, (optionally) phone number
- Health data: information about cycle, mood, symptoms, lifestyle (nutrition, sleep, activity), connected devices (Apple Watch, Oura, etc.)
- Technical data: device ID, IP address, logs, essential cookies
- Usage data: preferences, feature usage, feedback
3. Legal Basis & Purposes of Processing
Your data is used for:
- Account management and access to the application (contract/consent)
- Personalized wellbeing tracking & recommendations (explicit consent – GDPR Art. 6 & 9)
- Algorithm and product improvement, anonymized R&D/statistics (legitimate interest)
- Security, fraud detection, technical maintenance (legal obligation/legitimate interest)
- Sending notifications or information (consent, configurable in your settings)
Health data is only collected and analyzed with your explicit consent, which you can withdraw at any time in your account settings.
4. Required vs. Optional Data
Some fields are required to access the core features (e.g. registration, personalized analytics). All health tracking is optional and can be enabled/disabled at any time.
5. Hosting & Security Measures
- All personal and health data are hosted on EU-located, HDS-certified (Health Data Hosting) servers
- Data is encrypted both at rest and in transit
- Access limited to authorized staff, regular security audits, ISO 27001 standards
6. Sub-processors, Access & Data Sharing
- No commercial sharing or sale of your data.
- Sharing only with:
  - Technical subcontractors strictly bound by contract (hosting, maintenance, EU analytics)
  - Health or scientific partners only with your explicit consent
- No transfers outside the EU without adequate safeguards (adequacy decision or standard contractual clauses).
If any exceptional transfer outside the EU is needed, you'll be informed in advance with details of protections.
7. Data Retention
- Account data: as long as your account is active + 3 years (or immediate deletion upon request)
- Health data: deleted immediately if you withdraw consent, otherwise anonymized for statistics after account closure
- Technical logs: kept a maximum of 12 months
8. Your Rights
You can, at any time:
- Access your data
- Correct or update your data
- Delete your data (“right to be forgotten”)
- Restrict or object to processing
- Request data portability (export)
- Withdraw your consent at any time
- Lodge a complaint with your data protection authority (e.g. CNIL in France)
To exercise your rights: contact dpo@bionutara.fr, or use the “My Account > My Data” menu in the app.
9. Explicit Consent & Health Data
- Processing of health data (cycle, mood, symptoms, device tracking) is based on your explicit consent (GDPR Article 9.2.a).
- You can enable/disable sensitive data collection at any time in your preferences.
- Refusing or withdrawing consent does not limit access to general features (registration, community, general information).
10. AI, Profiling & Automated Decisions
- No automated decisions about you are made solely by algorithms
- AI is used to personalize recommendations; it is not diagnostic, medical, or prescriptive.
- You always have full control and can opt out of AI-based personalization.
11. Cookies & Trackers
- Only essential cookies for core features (security, session, consent)
- Anonymous, GDPR-compliant analytics; no commercial trackers
- Consent banner on first visit lets you customize your preferences
12. Minors
- Bionutara is strictly for users aged 18 and above
- No intentional processing of data from or about minors
13. Updates to This Policy
This policy may change. Any major changes will be communicated by email or in-app notification.
This version: July 30, 2025
14. Contact
Any privacy question, concern or request?
Email us: dpo@bionutara.fr
DPO, Bionutara, 9 rue des colonnes, 75002 Paris
For complaints: CNIL (www.cnil.fr)
Bionutara complies with EU GDPR, French health data laws, and industry best practices for women's health privacy.