Last updated: April 2, 2026
Recent Changes
- Added subscription and payment processing disclosures
- Updated cookies and analytics sections to reflect consent-based tracking with cookie consent banner and preference management
- Added messaging and notification services as a third-party provider, including marketing communications disclosure and opt-in consent details
- Added CCPA/CPRA coverage and data breach notification commitment
Introduction
Hemeify ("we", "our", or "us") operates as a sole trader under Australian Business Number (ABN) 13 868 958 380, based in Queensland, Australia. We are committed to protecting your privacy and handling your health information responsibly and in accordance with the Australian Privacy Principles (APPs), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our blood test tracking service.
Information We Collect
Personal Information
We collect the following personal information:
- Email address (for account authentication)
- Date of birth (to apply age-appropriate reference ranges and confirm you are 18 years or older)
- Reference range selection (the sex or gender identity you wish to use for applying reference ranges)
- Country of residence (to provide supplement insights relevant to your region)
Health Information (Sensitive Information)
We collect sensitive health information that you voluntarily upload, including:
- Blood test results and biomarker data
- Test dates and historical health data
Important: You manually upload all health data. We do not integrate directly with pathology labs or healthcare providers.
Usage and Technical Information
- Device and browser information (IP address, browser type, device type)
- Usage data and analytics (pages visited, features used)
- Session information and authentication data
- Error logs and performance data
Legal Basis for Processing (GDPR)
For users in the European Union, we process your data based on:
- Explicit Consent (Health Data): You provide explicit consent when creating an account and uploading health data
- Contractual Necessity: To provide the services you've requested
- Consent (Analytics): For analytics cookies, which are only set after you opt in via the cookie consent banner
- Consent (Marketing Communications): For marketing emails, which are only sent after you explicitly opt in
- Legitimate Interests: To improve our service, prevent fraud, ensure security, and monitor for errors
How We Use Your Information
We use your information for the following purposes:
- Service Provision: Display your blood test results, trends, and health insights
- Age Restriction: Confirm users are 18 years or older (self-attestation via date of birth)
- Reference Ranges: Apply appropriate reference ranges based on your selected sex/gender and age
- Supplement Insights: Display supplement information relevant to your country of residence
- Service Communications: Send service-related communications such as technical notices, security alerts, and account notifications, and respond to your inquiries
- Marketing Communications: With your explicit consent, send marketing communications such as educational content, blog posts, and promotional offers
- Service Improvement: Analyze usage patterns to improve features and user experience
- Security: Detect and prevent fraud, abuse, and security incidents
- Anonymized Research (See Below): Create de-identified reference ranges
Anonymized Data and Research
We may aggregate and anonymize your blood test data to develop our own reference ranges and improve the accuracy of our service. This process involves:
- Removing all personally identifiable information (name, email, account identifiers)
- Aggregating data with other users' anonymized data
- Using statistical methods to ensure individual users cannot be re-identified
Important: Once anonymized, this data cannot be traced back to you. Anonymized data may be retained even after you delete your account, as it no longer constitutes personal information under applicable privacy laws.
Information Sharing and Third Parties
We never sell your health data. We share limited information with essential service providers only as necessary to operate the Service. Below is a detailed breakdown of what each provider has access to:
Third-Party Service Providers
Authentication Services
Purpose: Secure login and session management
What they process:
- Your email address
- Authentication credentials and session tokens
What they DON'T access: Your health data, blood test results, or biomarker information
Cloud Infrastructure Providers
Purpose: Hosting and data storage (infrastructure with SOC 2 & HIPAA compliance capabilities)
What they process:
- Your encrypted health data (stored in EU data centers)
- All personal information (encrypted at rest using AES-XTS)
Analytics Platforms
Purpose: Understanding usage patterns (EU data centers)
What they process:
- Usage data (pages visited, features used, session activity)
- Device and browser information
- Network information (IP address, approximate geographic location)
- Your Hemeify user ID (if logged in and analytics consent granted)
Consent required: Yes. Analytics tracking only begins after you opt in via the cookie consent banner.
What they DON'T access: Your health data, blood test results, or biomarker values.
Error Tracking & Monitoring
Purpose: Detecting and fixing technical issues (EU data centers)
What they process:
- Application error logs and performance data
- Technical diagnostic information
What they DON'T access: Your health data or blood test results. Error logs are automatically sanitized to exclude sensitive information.
Document Processing Services
Purpose: Extracting lab results from documents you upload (PDF, JPG, PNG). Processing may occur outside the EU.
What they process:
- Documents you upload for extraction
Data usage: Your documents are processed solely for extraction purposes and are not used to train models or for any other purpose.
Your control: Document upload is optional. You can always manually enter your lab results instead.
Messaging & Notification Services
Purpose: Sending service and marketing communications
What they process:
- Your email address
- Your Hemeify user ID
- Subscription status and marketing preference
What they DON'T access: Your health data, blood test results, or biomarker values.
Payment Processing
Purpose: Processing subscription payments
What they process:
- Your name and email address
- Payment information (card details, billing address)
What they DON'T access: Your health data, blood test results, or biomarker values.
Data storage: Payment details are handled entirely by the payment processor and are never stored on our servers.
Data Processing Agreements
We maintain formal data processing agreements (DPAs) with all service providers that handle personal data, as required by GDPR and Australian privacy law. These agreements ensure that:
- Processors only process data according to our documented instructions
- Appropriate technical and organizational security measures are maintained
- Sub-processors are properly vetted and contracted
- Data subject rights can be exercised
Legal Requirements
We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to:
- Comply with legal obligations
- Protect our rights, property, or safety
- Prevent fraud or security issues
- Protect the rights and safety of our users or the public
International Data Transfers
Because we serve users globally while operating from Australia, your data may cross international borders:
- Your health data is stored in the European Union - this ensures EU users' data stays within the EU for GDPR compliance
- Analytics and error data is also processed in EU data centers
- Business operations are conducted from Australia
- Document processing may occur outside the EU
What this means for you: If you're in Australia, your data is stored in the EU. If you're in the EU, your data stays in the EU. If you're elsewhere, your data is stored in the EU under GDPR protections.
Data Retention and Deletion
We retain your personal and health information for as long as your account is active or as needed to provide you services.
Account Deletion
When you request account deletion:
- Your account is immediately deactivated and you lose access to the Service
- All personal information (email, date of birth, sex/gender selection, country of residence) is marked for deletion
- All health data linked to your account is marked for deletion
- Data deletion is completed within 30 days of your request
- Backups containing your data are purged within 90 days of deletion (technical limitation of backup retention)
Important: While we work to complete deletion within 30 days, backup systems may retain data for up to 90 days total. Your data cannot be recovered once deletion is complete.
What We Keep After Deletion
- Anonymized, aggregated data for reference range calculations (cannot be traced back to you)
- Records required for legal compliance (e.g., financial records for tax purposes)
- De-identified security and fraud prevention logs (without personal identifiers)
Your Privacy Rights
Depending on your location, you have the following rights:
All Users
- Access: Request a copy of your personal and health data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and data
- Data Portability: Request an export of your data in a machine-readable format
- Withdraw Consent: Withdraw your consent at any time (though this may limit service functionality)
Additional Rights (GDPR - EU Users)
- Restriction: Request restriction of processing in certain circumstances
- Objection: Object to processing based on legitimate interests
- Lodge a Complaint: File a complaint with your local data protection authority
Additional Rights (Australian Privacy Principles)
- Complain: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
- Access and Correction Requests: We will respond to requests within 30 days
To exercise any of these rights, please contact us at privacy@hemeify.com.
Data Security
We implement multiple layers of security to protect your sensitive health information:
Encryption
- In Transit: All data transmitted between your device and our servers uses HTTPS with modern TLS encryption (TLS 1.2 or higher)
- At Rest: Your health data is encrypted on disk using AES-XTS encryption
Access Controls
- Secure Authentication: HttpOnly cookies and session management protect your account
- User Isolation: Your health data is isolated to your account - only you can access your data
- Automatic Logout: Sessions expire after a period of inactivity
Infrastructure Security
- Cloud infrastructure with SOC 2 and HIPAA compliance capabilities in EU data centers
- Regular security updates and monitoring
- Encrypted backups with geographic redundancy
- HTTP security headers including HSTS
Important: No method of transmission or storage is 100% secure. While we implement industry-standard security measures and strive to protect your information, we cannot guarantee absolute security.
In the event of a data breach that is likely to result in a risk to your rights, we will notify affected users and relevant authorities in accordance with applicable law.
For security questions or to report vulnerabilities, contact security@hemeify.com.
Children's Privacy
Our service is restricted to individuals 18 years of age or older. We do not knowingly collect information from children under 18. If we discover that a child under 18 has provided personal information, we will delete it immediately.
Cookies and Tracking
Essential Cookies
- Authentication: Required to maintain your login session. These are essential for the Service to function.
- Consent Preference: Stores your cookie consent choice so we don't ask you again on each visit.
Analytics Cookies
Analytics cookies are only set after you opt in via the cookie consent banner. You can change your preferences at any time via the "Manage Cookies" link in the footer. See the Analytics Platforms section above for details on what data is collected.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new policy on this page
- Updating the "Last updated" date
- Presenting the updated policy for your review and acceptance at your next login
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: