BioGALF Legal

Privacy Policy

1. Scope and data controller

This Privacy Policy regulates the processing of personal data and sensitive health data on the BioGALF Home Health platform. The data controller is BioGALF, without prejudice to the authorized processors and partners involved in specific operations under contractual mandate. By using the platform, you acknowledge that you have read and understood this policy and authorize the processing of your data in accordance with the purposes, limits, and safeguards described herein.

2. Collection of sensitive data

BioGALF may collect and process special categories of health data, including biometrics, clinical history, laboratory results, vital signs data, physical activity metrics and performance of Live Exercise modules, nutritional data, prescriptions, and therapeutic adherence.

Identity and contact data: name, email, phone, country, and account metadata.

Clinical data: medical history, allergies, medication, symptoms, and assessments.

Laboratory data: values uploaded by the user or integrated by authorized third parties.

Training data: frequency, intensity, repetitions, times, and recovery.

3. Legal basis and purposes of processing

We process data under one or more legal bases: contractual execution of the service, express consent for sensitive data, regulatory compliance in digital health, legitimate interest for platform security and fraud prevention, and protection of vital interests when applicable. The purposes include personalization of recommendations, clinical-informational support, telemedicine coordination, management of prescriptions, and traceability of wellness results.

4. Security and HIPAA/GDPR standards

Medical data is stored using high-level technical and organizational controls, including encryption in transit and at rest, access control, audit logs, and environment segregation, in accordance with principles aligned with HIPAA and GDPR. BioGALF implements least privilege policies, continuous monitoring, and periodic security assessments. However, no interconnected system can guarantee zero risk of incident, so we maintain response, containment, and notification protocols in accordance with applicable regulations.

5. Use of data for artificial intelligence

BioGALF may use anonymized and/or aggregated data, without names or direct identifiers, to train, calibrate, and improve Triage AI models, recommendation engines, and predictive analytics systems. The user's nominal identity is not used for training general models. Data minimization and dissociation techniques are applied before analytical use. The processing for AI is limited to purposes of improving quality, safety, and accuracy of the service.

6. No commercialization of medical data

BioGALF does not sell medical data or personal data to data brokers, advertising networks, or third parties for independent marketing purposes. We only share information with third parties strictly necessary to operate the service, under confidentiality agreements and with valid legal basis, for example, telemedicine professionals, pharmacies for dispensing, and technology infrastructure providers.

7. Telemedicine, pharmacy, and authorized third parties

In telemedicine scenarios, necessary clinical data is shared with the healthcare professional providing the consultation. For pharmacy and logistics processes, only the essential data for prescription validation, dispensing, and delivery is shared. Each third party acts as a data processor or independent controller according to their regulatory role, and must comply with obligations of security, confidentiality, and purpose limitation.

8. Retention and storage of information

We retain data for the time necessary to fulfill care, contractual, regulatory, and legal defense purposes. When the retention period ends, we apply secure deletion, irreversible anonymization, or blocking as required by law.

9. International data transfers

When there are international transfers, BioGALF adopts appropriate safeguards, including standard contractual clauses, risk assessment of the receiving jurisdiction, and technical controls equivalent to those required in the data's country of origin.

10. User rights and total deletion (wipe)

You may exercise, according to applicable law, rights of access, rectification, updating, opposition, limitation of processing, portability, and revocation of consent. The user has the right to request the total deletion (wipe) of their account and medical history at any time, subject to minimum legal retention obligations that may be applicable.

11. Minors, consent, and tracking technologies

The platform is not directed to minors without valid legal authorization. In case of detecting data of minors without legal basis, blocking and deletion measures will be applied in accordance with regulations. BioGALF may use cookies and equivalent technologies for security, performance, analytics, and session continuity, under transparent and user-controllable settings where required by law.

12. Policy changes and contact channel

BioGALF may update this policy due to regulatory, technical, or business changes. The current version will be published on the platform with the date of the last update and, when appropriate, prior notification. For rights requests, security incidents, or privacy inquiries, the user must use the official support channels of BioGALF indicated on the platform.

Last privacy update: March 30, 2026.