Privacy Policy

OVERVIEW

This Privacy Policy explains how I collect, use, disclose, and safeguard your personal information when you use my elite genetic longevity program and AI digital twin technology services. I am Dr. Ola Abdalla, an individual operating under the brand name "Loju Longevity" (referred to in this policy as "Loju Longevity," "I," "me," or "my")

IMPORTANT: Global Applicability Clause

Global Applicability Clause This Privacy Policy applies to all users worldwide. I strive to comply with the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA) and other applicable U.S. state privacy laws, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Australia's Privacy Act 1988, and other applicable privacy laws in the regions where you use my services. Where local laws provide additional rights to you, I will honor those rights in accordance with the applicable legal requirements.

TABLE OF CONTENTS

1. CONTACT INFORMATION

For all privacy-related inquiries, data protection requests, or concerns about this Privacy Policy:

Email: [email protected]
Subject Line for Data Requests: "Privacy Request - [Type of Request]"
Entity Responsible: Loju Longevity, operated by Dr. Ola Abdalla

Response Times:
• General privacy inquiries: 5 business days
• Data protection requests: 30 days (as required by applicable law)
• Urgent security matters: 48 hours

2. DEFINITIONS

• "Account": Your client account for accessing my elite genetic longevity program and AI digital twin technology services.

• "AI Analysis": The artificial intelligence technology that creates a unique digital twin for each client to model their individual biology, predict disease risks, and generate personalized longevity protocols.

• "Cookies": Small data files stored on your device to enable website functionality and analytics.

• "Data Controller": Dr. Ola Abdalla (Loju Longevity), who determines the purposes and means of processing your personal data.

• "Personal Data": Any information relating to an identified or identifiable individual, including but not limited to names, email addresses, phone numbers, IP addresses, device identifiers, usage patterns, and other online identifiers.

• "Processing": Any operation performed on personal data, including collection, storage, use, disclosure, deletion, or transfer.

• "Service": Loju Longevity's 12-month genetic longevity program, including PhD-led consultations, AI digital twin analysis, and personalized longevity protocols.

• "Third Parties": External service providers, payment processors, analytics providers, and other entities I work with to deliver my service.

• "Usage Data": Data collected automatically about how you use my Service, including device information, access logs, and interaction patterns.

• "You/Your": The individual client or authorized representative of an entity using my service.

3. INFORMATION I COLLECT

3.1 Information You Provide Directly (Required for Service)

Mandatory Information (Service cannot be provided without this data):

• Account Information: Full name, email address, phone number, net worth range, industry.
• Source: Provided directly by you during application/registration.
• Lawful Basis: Contract performance (necessary to provide longevity program services).
• Consequences of not providing: Cannot create account or access service.

• Health and Lifestyle Information: Current health optimization efforts, health goals, and relevant background information.
• Source: Provided directly by you when applying for the program.
• Lawful Basis: Contract performance (core service functionality).
• Consequences of not providing: Cannot receive personalized longevity analysis.

• Genetic and Medical Data: Genetic test results, laboratory results, biomarkers, epigenetic data, and other health-related information.
• Source: Provided directly by you throughout the program.
• Lawful Basis: Explicit consent and contract performance (necessary for AI digital twin analysis and personalized longevity protocols).
• Special Category Data: This constitutes sensitive health data under GDPR and requires enhanced protection.
• Storage: Securely stored throughout your 12-month program and retention period (see Section 6).
• Consequences of not providing: Cannot create digital twin models or provide personalized longevity protocols.

Optional Information (You may choose whether to provide):

• Support Communications: Messages when contacting customer service.
• Source: Provided directly by you when contacting support.
• Lawful Basis: Legitimate interest in customer service.
• Consequences of not providing: May limit my ability to assist you.

• Feedback: Comments, suggestions, or reviews about my service.
• Source: Provided directly by you voluntarily.
• Lawful Basis: Consent (can be withdrawn anytime).
• Consequences of not providing: No impact on service provision.

3.2 Billing Information (Processed by Third Parties)

• Payment Data: Credit card details, billing address, transaction history.
• Source: Provided directly by you during payment.
• Processing: Credit card details are processed and stored by my third-party payment processor.
• I may retain transaction records, payment confirmations, and billing history necessary for account management and legal compliance.
• Lawful Basis: Contract performance (necessary for program payment).
• Consequences of not providing: Cannot process payments or access program.

3.3 Information Collected Automatically

Technical Data (Essential for service functionality):

Device Information:
• IP address (approximate geographic location derived from this).
• Browser type and version.
• Operating system and version.
• Device type (mobile, desktop, tablet).
• Screen resolution and display settings.

Session Data:
• Login times and session duration.
• Pages accessed and features used.
• Click patterns and navigation paths.
• Time spent on each page.

Performance Data:
• Page load times and response times.
• Error reports and system failures.
• Bandwidth usage and connection quality.
• Service availability and uptime metrics.

Server Logs:
• Access logs with timestamps.
• Error logs for troubleshooting.
• Security logs for fraud prevention.
• System maintenance logs.

• Source: Automatically collected when you use my service.
• Lawful Basis: Legitimate interest in service operation, security, and improvement.
• Data Minimization: I collect only data necessary for service functionality and security.

3.4 Analytics and Usage Data

Analytics Information:
• Aggregated usage statistics via Google Analytics.
• Feature usage patterns and user behavior flows.
• Service performance metrics.
• Anonymized demographic data (where technically feasible).

• Source: Automatically collected through analytics tools.
• Lawful Basis: Legitimate interest in service improvement.
• Your Control: You can opt-out of analytics tracking (see Section 9).

3.5 Derived and Inference Data

• AI Digital Twin Analysis: Digital biological models, risk predictions, and personalized longevity insights generated for each client.
• Service Usage Patterns: Usage preferences and behavior patterns derived from your interactions.
• Security Assessments: Automated evaluations for account security threats, fraudulent activity, and service abuse.

• Source: Generated from your provided data and service usage.
• Lawful Basis: Contract performance and legitimate interest.
• GDPR Note: This derived data is considered personal data under GDPR.

3.6 Information I Do NOT Collect

I do NOT intentionally collect:
• Children's personal information (users must be 18+).
• Precise geolocation data (only approximate location from IP address).
• Data from your device contacts, photos, or other applications.
• Social media profile information (unless voluntarily shared).

3.7 Data Collection Principles

• Data Minimization: I collect only data that is necessary for my stated purposes.
• Transparency: All data collection is disclosed in this policy.
• Purpose Limitation: Data is used only for the purposes stated in this policy.
• Accuracy: I take reasonable steps to ensure data accuracy and provide correction mechanisms.

4. HOW I USE YOUR INFORMATION

4.1 Primary Service Functions

• Service Delivery: Providing AI-powered digital twin analysis, predictive risk analytics, and personalized longevity protocols.
• Consultation Services: Conducting PhD-led consultations and delivering personalized insights.
• Account Management: Managing your program enrollment and service access.
• Billing: Processing program payments and managing billing records.
• Customer Support: Responding to your inquiries and providing assistance.
• Service Improvement: Analyzing usage patterns to enhance my AI algorithms and digital twin models.

4.2 Secondary Uses

• Marketing Communications: Sending program updates, new research findings, and relevant longevity information (opt-in only).
• Product Development: Using aggregated, anonymized data to improve my AI models and longevity protocols.
• Security: Detecting and preventing fraud, abuse, or security incidents.

4.3 Legal and Compliance Uses

• Legal Compliance: Meeting regulatory and legal obligations.
• Dispute Resolution: Resolving billing disputes or service issues.
• Rights Protection: Protecting my intellectual property and legal rights.

4.4 Special Note on Genetic and Medical Data Use

Your genetic and medical data is used exclusively for:

• Creating and updating your personalized digital twin models.
• Generating predictive risk analytics specific to your biology.
• Designing your customized longevity protocols.
• Providing insights during PhD-led consultations.

I will NEVER:

• Share your genetic or medical data with third parties (except as required by law or with your explicit consent).
• Use your genetic data for research purposes without separate explicit consent.
• Sell your genetic or medical information to any third party.

5. LEGAL BASIS FOR PROCESSING

5.1 GDPR Lawful Bases (EU/EEA Residents)

Under GDPR Article 6, I process your personal data based on the following lawful bases:

Contract Performance (Article 6(1)(b)):

I process your data where it is necessary to perform a contract with you, including:

• Creating and managing your program account.
• Processing program payments and billing.
• Providing basic service access and authentication.
• Delivering consultation sessions and digital twin analysis.

Note: This basis cannot be withdrawn, as it is essential for providing the services you request.

Explicit Consent (Article 9(2)(a) - Special Category Data):

For processing genetic and medical data (special category data under GDPR Article 9), I rely on your explicit consent:

• Genetic Data Processing: Analysis of genetic test results to create digital twin models and identify genetic variants.
• Medical Data Processing: Analysis of laboratory results, biomarkers, and epigenetic data for personalized longevity protocols.
• Digital Twin Creation: Using your genetic and medical data to build and maintain AI-powered biological models.

Consent Management for Special Category Data:

• How to provide consent: Through explicit opt-in during program enrollment with clear explanation of data use.
• How to withdraw consent: Email [email protected] with subject "Withdraw Genetic Data Consent"
• Effect of withdrawal: Withdrawal results in deletion of your genetic and medical data and termination of digital twin services, as these are core to the program.
• Service impact: Withdrawing consent for genetic/medical data processing means I cannot provide the longevity program services.

Legitimate Interests (Article 6(1)(f)):

As the data controller, I rely on legitimate interests for activities such as:

• Digital Twin Analysis: Processing genetic and lifestyle data you provide to generate personalized longevity insights and risk predictions.
• AI Algorithm Training and Improvement: Using anonymized data to enhance my AI models and service accuracy.
• Fraud Prevention and Account Security: Monitoring for suspicious activity, unauthorized access, and service abuse.
• System Performance Monitoring: Collecting technical data to ensure service functionality, uptime, and optimization.
• Customer Support Enhancement: Analyzing support interactions to improve response quality and resolve issues.
• Operational and Business Activities: Administrative tasks necessary for service delivery, account management, and overall operation of my services.

Legal Justification: These activities support my legitimate operational and business interests in providing high-quality longevity services while respecting user privacy. Users also benefit from improved service accuracy, security, and functionality.

Your Rights: You may object to processing based on legitimate interests at any time. I will cease such processing unless I can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Consent (Article 6(1)(a)):

For certain non-essential processing activities, I rely on your explicit consent:

• Marketing Communications: Program updates, new research findings, and longevity information.
• Advanced Analytics: Optional usage data to improve and develop Loju Longevity's services.
• Non-Essential Cookies: Preference and analytics cookies beyond those strictly necessary for service functionality.

Legal Obligations (Article 6(1)(c)):

I process your personal data where necessary to comply with legal obligations under applicable laws worldwide. These include:

• Tax and Financial Compliance: Retaining billing and payment records as required by the EU VAT Directive, U.S. state and federal tax rules, Canadian GST/HST requirements, Australia's GST law, and other international financial regulations.
• Law Enforcement Cooperation: Responding to valid legal requests, court orders, and lawful investigations from competent authorities in the regions where I operate or provide services.
• Data Protection Compliance: Meeting obligations under GDPR, UK GDPR, Canada's PIPEDA, Australia's Privacy Act 1988, U.S. state privacy laws (such as CCPA/CPRA), and other applicable privacy frameworks. This includes data subject rights responses, breach notifications, and regulatory reporting.
• Payment Processing Compliance: Ensuring secure handling of payment information in line with PCI DSS standards and applicable financial services regulations in the jurisdictions where transactions occur.

Vital Interests (Article 6(1)(d)):

I do not normally rely on this basis. However, I may process personal data in genuine emergency situations where it is necessary to protect the life or safety of an individual. This aligns with GDPR, UK GDPR, Canada's PIPEDA, Australia's Privacy Act 1988, and similar global standards that recognize vital interests as a lawful basis for emergency data processing.

Public Task (Article 6(1)(e)):

This basis does not apply to my operations, as I do not carry out tasks in the public interest or exercise official authority. If I am ever required to perform such processing under applicable law, I will update this Privacy Policy to reflect that obligation.

5.2 Data Controller vs. Processor Roles

Under GDPR, UK GDPR, and comparable international privacy laws, my role depends on the type of processing activity:

I act as Data Controller for:

• User account information and service usage data
• Genetic and medical data you provide for analysis
• Digital twin models and personalized longevity insights
• Predictive risk analytics and derived insights
• Customer support communications
• Consultation records and program materials

Third parties act as Data Processors on my behalf for:

• Payment Processing: Credit card and payment details handled securely by my payment gateway provider in compliance with PCI DSS and applicable financial regulations.
• Cloud Hosting: Technical and account data stored by cloud infrastructure providers under written data processing agreements with appropriate security measures for sensitive data.
• Analytics: Usage data processed by Google Analytics or equivalent providers under their data processing terms.

Important Note on Genetic/Medical Data: All genetic and medical data you provide remains under my direct control as Data Controller. I do not share this sensitive data with third-party processors unless required by law or with your explicit written consent.

Global Application:

I ensure that all third-party processors provide appropriate safeguards and comply with privacy and data protection laws in all relevant jurisdictions, including but not limited to:

• GDPR/UK GDPR (Europe & United Kingdom)
• CCPA/CPRA and other U.S. state privacy laws
• PIPEDA (Canada)
• Privacy Act 1988 (Australia)

5.3 Special Category Data

I DO intentionally collect special categories of personal data as defined by GDPR Article 9, specifically:

• Genetic Data: Genetic test results, DNA analysis, and genetic variant information.
• Health Data: Laboratory results, biomarkers, epigenetic data, and medical information related to health optimization.

Legal Basis for Processing Special Category Data: Under GDPR Article 9(2)(a), I process this sensitive data based on your explicit consent, which you provide during program enrollment. You have the right to withdraw this consent at any time, though withdrawal will result in termination of services as this data is essential to the program.

Enhanced Protection Measures: Given the sensitive nature of genetic and medical data, I implement:

• Enhanced encryption and security protocols
• Strict access controls (only accessible by authorized personnel)
• Secure storage with regular security audits
• No sharing with third parties except as legally required or with explicit consent
• Immediate deletion upon program completion and retention period expiration (see Section 7)

Other Jurisdictions:

• I process "sensitive personal information" as defined by U.S. state privacy laws (e.g., CCPA/CPRA includes genetic data), with appropriate safeguards and consent mechanisms.
• For Canada's PIPEDA and Australia's Privacy Act 1988, I apply heightened protection standards for health and genetic information.
• For users in other regions with similar protections, I maintain the same rigorous security and consent requirements.

5.4 Other Jurisdictions

In addition to GDPR (EU/EEA) and UK GDPR, I comply with privacy and data protection requirements in other regions where my customers are located, to the extent these laws apply:

• United States – State Privacy Laws: (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and similar laws) - I provide notice, access, deletion, and opt-out rights. For sensitive personal information (including genetic data), I obtain consent and provide enhanced protections.

• Canada (PIPEDA): I comply with the Personal Information Protection and Electronic Documents Act, ensuring transparency, limiting collection to necessary purposes, safeguarding information with appropriate security measures, and enabling access and correction rights. Special attention is given to sensitive health and genetic information.

• Australia (Privacy Act 1988): I comply with the Australian Privacy Principles, covering collection, use, access, correction, and secure handling of personal information. I apply heightened standards for sensitive information as defined under APP 3.

• United Kingdom (UK GDPR & Data Protection Act 2018): I extend the same protections as GDPR for UK users, including lawful bases, explicit consent for special category data, rights, and accountability measures.

Other Regions: For customers in countries with privacy or data protection laws not specifically listed, I apply the same core principles of transparency, fairness, security, and user rights, and will adjust compliance measures as required by local regulations. Where genetic or medical data is involved, I maintain the highest standard of protection regardless of jurisdiction.

5.5 Processing Purpose Limitations

• Specified Purposes: All personal data, including genetic and medical data, is processed for the specific, explicit, and legitimate purposes outlined in this Privacy Policy.
• Compatible Use: Any new use of existing data will only occur if it is compatible with the original collection purposes, or if I obtain an additional lawful basis (such as explicit consent or legal obligation).
• Purpose Change Notification: If processing purposes materially change, especially regarding genetic or medical data, I will notify affected users and obtain any required consent or legal basis before proceeding.
• Genetic Data Restrictions: Your genetic and medical data will NEVER be used for purposes other than those explicitly stated in this policy without your separate written consent. This includes research, commercial purposes, or sharing with third parties.

Global Application:

I comply with the principle of purpose limitation as required under:

• GDPR/UK GDPR (Articles 5–6),
• U.S. state privacy laws such as CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA (restrictions on secondary use, especially for sensitive data),
• Canada's PIPEDA (requiring consent for new or incompatible purposes, with heightened standards for health information),
• Australia's Privacy Act 1988 (Australian Privacy Principles on purpose use and disclosure, particularly APP 6 for sensitive information).

I comply with applicable privacy and data protection laws in each jurisdiction where my users are located. Where multiple laws apply, I follow the requirements of each, and when feasible, I extend stronger protections to all users.

5.6 Multiple Legal Bases and User Rights

• Overlapping Legal Bases: Some processing activities rely on more than one lawful basis, for example:
- Digital Twin Analysis: Explicit consent (for genetic/medical data) + contract performance (service delivery).
- Customer Support: Contract performance (service delivery) + legitimate interests (quality improvement).
- Security Monitoring: Legitimate interests (fraud prevention) + legal obligations (regulatory compliance).

• Most Favorable Rights: Users may exercise the rights available to them under their applicable law. If multiple legal bases apply, I will respect the framework that provides the user with the strongest protection available in their jurisdiction.

• Genetic Data Priority: For genetic and medical data specifically, explicit consent takes priority. You may withdraw consent for this data at any time, which will result in deletion of your genetic/medical data and termination of digital twin services.

• Legal Basis Documentation: I maintain internal records documenting the lawful basis for each processing activity and can provide this information upon request, where permitted or required by law.

Global Application:

This approach reflects:

• GDPR/UK GDPR requirements (Articles 6, 9, and 30),
• U.S. state laws (purpose-based limitations and consumer rights frameworks, with enhanced protections for sensitive personal information),
• Canada's PIPEDA (accountability and consent principles, particularly for health information),
• Australia's Privacy Act 1988 (obligations for transparency and accountability under APPs).

I comply with applicable privacy and data protection laws in each jurisdiction where my users are located. Where multiple laws apply, I follow the requirements of each, and when feasible, I extend stronger protections to all users.

5.7 User Objection Rights

Right to Object (GDPR Article 21 and Similar Laws):

• Legitimate Interest Processing: You may object to processing of your data based on legitimate interests.
• Direct Marketing: You may object to receiving marketing communications at any time, and this will take effect immediately.
• Automated Decision-Making: You may object to decisions made solely through automated processing where they produce legal or similarly significant effects.

Objection Process:

1. Email Request: Send to [email protected] with "Processing Objection" in the subject line.
2. Specify Processing: Clearly identify which processing activities you object to.
3. Account Settings: Use privacy controls in your account dashboard to manage marketing preferences.
4. Response Timeline: I will respond within 30 days and implement valid objections within 72 hours where technically feasible.

Compelling Legitimate Grounds:

I will cease processing unless I can demonstrate:
• Compelling legitimate grounds that override your interests, rights, and freedoms;
• Processing is necessary for the establishment, exercise, or defense of legal claims; or
• Processing is required by law or regulatory obligations.

Effect of Objection: Successful objections may limit some service features, but will not affect the provision of core subscription services based on contract performance.

Global Application:

• EU/UK (GDPR/UK GDPR): Full rights to object under Article 21.
• U.S. State Laws (CCPA/CPRA, VCDPA, CPA, CTDPA): Consumers may opt out of certain processing, including targeted advertising or profiling.
• Canada (PIPEDA): Individuals may withdraw consent or object to processing subject to legal and contractual restrictions.
• Australia (Privacy Act 1988): Individuals may opt out of direct marketing and object to certain uses of personal information.

I comply with applicable privacy and data protection laws in each jurisdiction where my users are located. Where multiple laws apply, I follow the requirements of each, and when feasible, I extend stronger protections to all users.

5.8 Legal Basis Transparency and Documentation

• Cross-Reference: The specific legal basis for each data processing activity is detailed in Section 4 ("How I Use Your Information").
• Documentation Maintenance: I maintain comprehensive records of:
- Legal basis assessments for each processing purpose, including special considerations for genetic and medical data,
- Documentation supporting legitimate interest determinations,
- Explicit consent records for genetic and medical data processing, including consent forms and withdrawal mechanisms,
- Legal obligation compliance requirements across all jurisdictions.

• User Access: You may request detailed information about the legal basis for specific processing of your personal data, including how your genetic and medical data is being used, by contacting [email protected].

• Enhanced Transparency for Genetic Data: Upon request, I will provide:
- Confirmation of what genetic and medical data I hold about you,
- The specific purposes for which this sensitive data is being processed,
- The lawful basis (explicit consent) under which processing occurs,
- Details of any third parties who may have access to this data (if applicable).

Global Application:

• EU/UK (GDPR/UK GDPR): Record-keeping obligations under Articles 5, 6, 9 (special category data), and 30 (records of processing activities).
• U.S. State Laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA): Transparency and disclosure of processing purposes, with enhanced requirements for sensitive personal information including genetic data.
• Canada (PIPEDA): Accountability principle requires organizations to document processing purposes and legal grounds, with heightened standards for health information.
• Australia (Privacy Act 1988): Transparency requirements under the Australian Privacy Principles, particularly for sensitive information under APP 3.

I comply with applicable privacy and data protection laws in each jurisdiction where my users are located. Where multiple laws apply, I follow the requirements of each, and when feasible, I extend stronger protections to all users.

6. DATA SHARING AND DISCLOSURE

6.1 Third-Party Service Providers

Data Processor Relationships:

Under GDPR Article 28, UK GDPR, and equivalent international requirements, I engage third-party processors who process personal data on my behalf under strict contractual and security obligations.

CRITICAL LIMITATION: Genetic and Medical Data
Your genetic and medical data is NOT shared with any third-party processors. This sensitive data remains under my direct control as Data Controller and is stored in secure, encrypted systems that I directly manage. Only authorized personnel involved in your program have access to this data.

Payment Processing

• Data Shared: Transaction details, billing information, payment confirmations (NO genetic or medical data)
• Legal Basis: Contract performance (program billing)
• Safeguards: PCI DSS compliance, encryption, data processing agreements
• Processors: Third-party payment gateways (specific providers available upon request)

Analytics Services

• Data Shared: Anonymized usage statistics, aggregated service performance metrics (NO genetic or medical data)
• Legal Basis: Legitimate interests (service improvement) or consent where required
• Safeguards: Data anonymization, Google Analytics data processing terms
• Processors: Google Analytics (privacy policy: https://policies.google.com/privacy)

Cloud Infrastructure

• Data Shared: Encrypted account data, service data, system logs
• Genetic/Medical Data Storage: Stored separately with enhanced encryption and access controls, not accessible to cloud infrastructure provider
• Legal Basis: Legitimate interests (service operation) and contract performance
• Safeguards: End-to-end encryption, access controls, server security measures, separate secure storage for sensitive data
• Processors: Cloud hosting providers with GDPR and international compliance frameworks (specific providers available upon request)

Customer Support Tools

• Data Shared: Support communications, account identifiers for issue resolution (NO genetic/medical data shared in support systems)
• Legal Basis: Contract performance (customer service) and legitimate interests
• Safeguards: Access restrictions, data retention limits, confidentiality agreements, separation of sensitive data
• Processors: Customer support platforms (specific providers available upon request)

Contractual Requirements for All Processors

All third-party processors are bound by written agreements that require them to:

• Process data only on my documented instructions
• Implement appropriate technical and organizational security measures
• Comply with GDPR/UK GDPR Articles 28 and 32 and equivalent international requirements
• Have NO access to genetic or medical data (this remains under my exclusive control)
• Provide assistance with data subject rights and breach notifications
• Ensure data deletion or return upon contract termination
• Maintain regular security audits and compliance certifications
• Apply enhanced protections where sensitive personal information is involved

These safeguards are designed to comply not only with GDPR/UK GDPR (including Article 9 for special category data), but also with:

• U.S. State Laws (e.g., CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA) – requiring clear disclosure of service provider roles, contractual limits on data use, and enhanced protections for sensitive personal information including genetic data.
• Canada's PIPEDA – requiring accountability through third-party contracts, with heightened standards for health information.
• Australia's Privacy Act 1988 – requiring reasonable steps to ensure overseas recipients comply with the Australian Privacy Principles, particularly regarding sensitive information.

I comply with applicable privacy and data protection laws in each jurisdiction where my users are located. Where multiple laws apply, I follow the requirements of each, and when feasible, I extend stronger protections to all users.

6.2 Legal Disclosures and Law Enforcement

Disclosure Criteria:

I only disclose personal information when required by law. Disclosures must meet all of the following conditions:

• Issued by a competent legal authority with proper jurisdiction.
• Accompanied by appropriate legal documentation (e.g., warrant, subpoena, court order, regulatory notice).
• Compliant with applicable procedural requirements under the relevant law.
• Limited to information within the scope of my data holdings.
• Not overly broad or beyond the requesting authority's legal powers.

Special Protection for Genetic and Medical Data: Given the highly sensitive nature of genetic and medical information, I apply heightened scrutiny to any legal request for such data. I will:

• Challenge any request that does not meet the highest legal standards
• Seek to narrow the scope of disclosure to exclude genetic/medical data where legally possible
• Provide immediate notification to affected users unless legally prohibited
• Maintain detailed records of any genetic/medical data disclosures

Types of Legal Disclosures

Law Enforcement Requests:

• Criminal investigations supported by valid warrants or equivalent legal process.
• National security requests where legally compelled (subject to legal review and minimization, with heightened protection for genetic data).
• Tax authority requests for billing and transaction records where required by applicable law (excluding genetic/medical data).
• Regulatory investigations initiated by competent data protection or financial authorities.

Court Proceedings

• Civil litigation where disclosure is legally mandated.
• Criminal proceedings requiring evidence or testimony.
• Regulatory enforcement actions requiring production of relevant data.
• Bankruptcy or insolvency proceedings where disclosure of business records is legally required.

Emergency Disclosures (Without Prior Legal Process)

I may disclose information without legal process if necessary to:

• Respond to an immediate threat to life or safety of individuals.
• Prevent serious crimes in progress (e.g., terrorism, child exploitation).
• Protect critical infrastructure or national security.
• Address time-sensitive emergencies where obtaining legal process would risk harm.

Note: Emergency disclosures of genetic or medical data would only occur in the most extreme circumstances where an individual's life is at immediate risk.

User Notification Procedures

• I will notify affected users of legal requests unless legally prohibited (e.g., gag orders, national security restrictions).
• For genetic/medical data requests: I will make every effort to notify users immediately and provide opportunity to challenge the request where legally possible.
• Notifications include: the nature of the request, the data disclosed, and the legal basis.
• Timing: prior to disclosure where legally permitted; otherwise, within 30 days after disclosure (or immediately upon legal permission for genetic/medical data).
• Users retain the right to challenge disclosures through appropriate legal channels.

Legal Challenge Process

• I review all legal requests for validity, proportionality, and jurisdiction.
• For genetic/medical data: I apply heightened scrutiny and will challenge requests that do not demonstrate compelling necessity.
• I challenge overly broad, invalid, or legally questionable requests.
• I limit disclosures to the minimum necessary under law.
• I maintain internal logs of all legal disclosures for accountability and may provide transparency reporting where permitted.
• I consult with legal counsel on all requests involving genetic or medical data.

Global Application:

These procedures are applied with regard to local legal requirements across multiple regions, including:

• GDPR/UK GDPR (EU/EEA & UK) — strict necessity and proportionality requirements, with Article 9 protections for special category data including genetic information.
• United States — federal and state lawful process (including CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA compliance where applicable), with enhanced protections for sensitive personal information including genetic data.
• Canada (PIPEDA) — lawful emergency disclosure rules, with heightened standards for health information.
• Australia (Privacy Act 1988) — disclosure only when required or authorized by law, with specific protections for sensitive information under the Australian Privacy Principles.

Other jurisdictions: where local laws permit or require disclosure, consistent with the criteria above. I comply with applicable privacy and data protection laws in each jurisdiction where my users are located. Where multiple laws apply, I follow the requirements of each, and when feasible, I extend stronger protections to all users.

6.3 Business Transfers and Corporate Transactions

Merger, Acquisition, or Asset Sale Protection:

Special Provisions for Genetic and Medical Data: Due to the highly sensitive and personal nature of genetic and medical information, these protections apply in addition to standard business transfer safeguards:

• 60-day advance notice (extended from standard 30 days) for any business transfer that would affect genetic or medical data
• Mandatory user consent for transfer of genetic and medical data to any acquiring entity
• Right to immediate deletion of all genetic and medical data before transfer, with no service termination penalties
• Enhanced vetting of acquiring entity's data protection capabilities specifically for health and genetic information

User Rights During Business Transfers:

• 30-day advance notice of any business transfer affecting personal data (60 days for genetic/medical data)
• Right to delete personal data before transfer completion
• For genetic/medical data: Explicit opt-in consent required before any transfer
• Continuation of all privacy rights under acquiring entity
• Option to terminate services if privacy protections are materially reduced
• Guaranteed data deletion if acquiring entity cannot meet current genetic data protection standards

Data Protection Safeguards:

• Due Diligence Requirements: Acquiring party must demonstrate adequate data protection measures, with enhanced security standards for genetic and medical data including:
- HIPAA-equivalent protections (for US-based transactions)
- ISO 27001 or equivalent security certifications
- Proven track record with sensitive health information
- Compliance with all genetic privacy laws (GINA in US, etc.)

• Contractual Protections: Transfer agreements require maintenance of current privacy standards, with specific contractual provisions prohibiting:
- Use of genetic data for research without separate consent
- Sharing genetic data with insurance companies, employers, or other third parties
- Commercialization of genetic information

• Regulatory Compliance: All transfers comply with GDPR Articles 44+ (including Article 9 for special category data) and equivalent international requirements
• Data Minimization: Only data necessary for business continuity is transferred; genetic and medical data transfer is optional and requires explicit consent
• International Transfer Protections:
- Standard Contractual Clauses (SCCs) for transfers to non-adequate countries
- Adequacy decision reliance where applicable (EU, UK, etc.)
- Additional safeguards for sensitive jurisdictions
- Mandatory user consent for genetic/medical data transfers regardless of destination country
- Enhanced protections meeting Article 9 GDPR requirements for special category data

Bankruptcy or Liquidation:

• Personal data treated as distinct from business assets
• Genetic and medical data must be deleted immediately upon bankruptcy filing unless adequate successor identified within 30 days
• Court-supervised data protection during proceedings
• User notification and deletion rights maintained
• Data destruction if no adequate successor entity is identified
• No genetic or medical data may be sold as business asset under any circumstances

6.4 Data Sharing Principles and Limitations

• Data Minimization: I share only the minimum personal data necessary for each specified purpose.
• Genetic Data Exclusion: Genetic and medical data is NEVER shared with third parties except:
- As required by valid legal process (see Section 6.2)
- With your explicit written consent for specific, disclosed purposes
- In genuine medical emergencies to protect life

• Purpose Limitation: Third parties may use shared data only for explicitly agreed purposes and must not repurpose it.
• Security Requirements: Recipients must maintain security standards equivalent to or higher than my own, with enhanced encryption and access controls for any sensitive data.
• No Commercial Data Sales: I never sell, rent, or license personal data for monetary or other valuable consideration. This prohibition is absolute for genetic and medical data.
• No Genetic Data Monetization: Your genetic and medical data will NEVER be:
- Sold to pharmaceutical companies, research institutions, or other entities
- Used for commercial research without separate explicit consent
- Shared with insurance companies, employers, or data brokers
- Included in any commercial transaction or business sale

• Regular Compliance Review: I conduct periodic reviews of data sharing arrangements to confirm ongoing compliance, with quarterly audits of genetic data security.
• Breach Reporting: All data recipients must notify me of any security breach involving shared personal data within 24 hours (or sooner if required by applicable law). For genetic or medical data breaches, I will notify affected users within 24 hours.

Global Application:

These principles are designed to comply with and reflect the requirements of applicable privacy laws worldwide, including but not limited to:

• GDPR/UK GDPR (including Article 9 protections for genetic data)
• U.S. federal and state laws including GINA (Genetic Information Nondiscrimination Act), HIPAA privacy principles, CCPA/CPRA, and other state privacy laws with enhanced protections for sensitive personal information
• Canada's PIPEDA with heightened standards for health information
• Australia's Privacy Act 1988 with specific protections for sensitive information

6.5 Your Rights Regarding Data Sharing

• Objection Rights: You may object to certain types of data sharing that rely on legitimate interests as the legal basis. For genetic and medical data, you have an absolute right to object to any sharing not explicitly consented to.

• Information Rights: You may request details about which third parties have received your personal data, including:
- Confirmation of whether genetic or medical data has been shared
- Identity of any recipients of your genetic/medical data
- Purpose and legal basis for any such sharing
- Categories of data shared

• Withdrawal Rights: You may withdraw consent for optional data sharing where consent is the legal basis. For genetic and medical data specifically:
- Withdrawal takes effect immediately
- Results in deletion of your genetic/medical data from all systems
- Does not affect lawfulness of processing before withdrawal
- May result in termination of digital twin services (as this data is essential to the program)

• Complaint Rights: You may file complaints about data sharing practices with the supervisory authority or regulator in your jurisdiction, including:
- EU/EEA: Your national data protection authority
- UK: Information Commissioner's Office (ICO)
- US: State Attorney General or relevant consumer protection agency
- Canada: Office of the Privacy Commissioner of Canada
- Australia: Office of the Australian Information Commissioner (OAIC)

• Restriction Rights: You may request restriction of data sharing in circumstances permitted by applicable law (for example, under GDPR Article 18 or equivalent frameworks), including:
- While contesting accuracy of your data
- When processing is unlawful but you prefer restriction over deletion
- When you need data for legal claims
- While objections to processing are being evaluated

• Genetic Data Protection Rights: Specific to genetic and medical data, you have the right to:
- Immediate deletion of all genetic and medical data upon request
- Access to detailed logs showing who has accessed your genetic data
- Notification if genetic data is subject to any legal request (unless prohibited by law)
- Challenge any processing of genetic data you believe is non-compliant
- Portability of genetic data in a structured, commonly used format

How to Exercise Your Rights:

To exercise any of these rights regarding data sharing:

• Email: [email protected]
• Subject Line: "Data Sharing Rights Request - [Type of Request]"
• Response Time: 30 days (or sooner as required by applicable law)
• Priority Handling: Requests involving genetic or medical data receive expedited processing within 48 hours for acknowledgment and 14 days for completion

No Retaliation: Exercising your data sharing rights will not result in:

• Service quality reduction
• Price increases
• Service denial (except where the requested action makes service provision impossible, such as deleting genetic data necessary for digital twin analysis)

Global Application:

These rights are recognized under international privacy and data protection laws, including:

• GDPR/UK GDPR (Articles 15-22, with Article 9 protections for genetic data)
• U.S. state privacy laws (CCPA/CPRA rights including access, deletion, correction, and opt-out, with enhanced protections for sensitive personal information)
• Canada's PIPEDA (access, correction, and withdrawal rights with heightened protections for health information)
• Australia's Privacy Act 1988 (Australian Privacy Principles 6, 12, 13 with protections for sensitive information)

These rights are extended consistently to all users regardless of location.

7. DATA RETENTION

7.1 Retention Principles and Global Compliance

I retain personal data only for as long as necessary and lawful, based on:

• Legal obligations: Compliance with tax, accounting, audit, and regulatory requirements.
• Legitimate interests: Service operations, dispute resolution, security monitoring, and service improvement.
• Contractual necessity: Maintaining records required to provide and support active program enrollment.
• User consent: Where you have explicitly agreed to specific retention purposes.

Special Retention Rules for Genetic and Medical Data:

Given the highly sensitive nature of genetic and medical information, I apply stricter retention rules:

• During Active Program (12 months): Genetic and medical data is retained as necessary to provide digital twin analysis and personalized longevity protocols.
• After Program Completion:
- Default retention: 30 days after program end (to allow for final consultations and data export)
- Extended retention: Only with your written consent for specific purposes (e.g., future program enrollment)
- Immediate deletion option: Available upon request at any time

• User Control: You may request deletion of genetic and medical data at any time during or after the program, which will be completed within 7 business days.
• No Indefinite Retention: Unlike general account data, genetic and medical data is NEVER retained indefinitely. Maximum retention is 2 years after program completion, and only with explicit consent.

Data Minimization During Retention

• Personal identifiers are removed once no longer necessary.
• Detailed data may be aggregated or anonymized where legally permissible.
• Genetic and medical data cannot be anonymized (as genetic data is inherently identifiable), so it must be deleted rather than anonymized when retention period ends.
• Access is restricted to authorized personnel only, with enhanced access controls for genetic and medical data.
• Retention periods are reviewed quarterly to confirm necessity and compliance, with monthly reviews for genetic data.

Global Application

Retention periods are applied in accordance with international privacy and data protection laws, including but not limited to:

• GDPR/UK GDPR (Article 5(1)(e) storage limitation, Article 9 special category data protections)
• U.S. state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA with enhanced protections for sensitive personal information including genetic data)
• Canada's PIPEDA (retention limitations with heightened standards for health information)
• Australia's Privacy Act 1988 (APP 11 with specific protections for sensitive information)
• U.S. Genetic Information Nondiscrimination Act (GINA) principles regarding genetic data handling

Retention practices are flexible to account for local legal obligations, contractual requirements, and operational needs, while ensuring personal data—especially genetic and medical data—is not kept longer than necessary.

7.2 Active Program Data Retention

Account and Authentication Data:

• Retained for the duration of the active program and, where necessary, for a limited period afterward to support account reactivation or dispute resolution.
• Legal Basis: Contract performance and legitimate interests.
• Data Types: Email address, encrypted password, name, phone number, account settings.
• Deletion Trigger: Deleted or anonymized after the limited period following program completion or account deletion, unless required for legal obligations.

Genetic and Medical Data

• Retained for the duration of the active program and longer only if necessary to fulfill service obligations or legitimate interests such as AI improvement.
• Legal Basis: Explicit consent and contract performance.
• Data Types: Genetic test results, laboratory results, biomarkers, digital twin models, longevity analysis results, processing logs.
• Deletion Trigger: Deleted when no longer needed for service provision or legal/operational purposes (cannot be anonymized due to inherent identifiability).

Technical and Performance Data

• Access Logs: Approximately 90 days for security and fraud prevention.
• Performance Metrics: Up to 12 months in identifiable form; anonymized indefinitely for service improvement.
• Security Logs: Up to 24 months for regulatory compliance and incident investigations.
• Error Reports: Up to 6 months for service improvement and debugging.
• Legal Basis: Legitimate interests.

Customer Support Communications

• Retained up to 24 months from last interaction to ensure service quality and dispute resolution.
• Legal Basis: Legitimate interests.
• Data Types: Support tickets, emails, resolution records.
• Extended Retention: Up to seven years if needed for billing disputes, legal matters, or regulatory obligations.

7.3 Billing and Financial Data Retention

Payment Transaction Records

• Retained up to seven years from transaction date.
• Data Types: Transaction IDs, amounts, dates, payment confirmations.
• Third-Party Processing: Payment processors retain credit card and payment details under PCI DSS security requirements.

Billing Disputes and Chargebacks

• Retained up to seven years from resolution.
• Legal Basis: Legal obligations and legitimate interests.
• Data Types: Dispute records, supporting documents, resolution outcomes.

Tax and Accounting Records

• Retained up to ten years to comply with legal obligations.
• Legal Basis: Legal compliance.
• Data Types: Invoice records, tax calculations, customer billing addresses.
• Access Restrictions: Limited to authorized accounting and legal personnel.

7.4 Marketing and Communications Data Retention

Marketing Consent Records

• Retained up to three years after consent withdrawal or account deletion.
• Legal Basis: Legal obligations to demonstrate consent compliance (e.g., GDPR Article 7(1)).
• Data Types: Consent timestamps, withdrawal records, communication preferences.

Marketing Communications History

• Retained up to two years from last communication or consent withdrawal.
• Legal Basis: Legitimate interests (preventing unwanted re-contact and ensuring communication accuracy).
• Data Types: Email delivery records, unsubscribe requests, bounce notifications.

7.5 Secure Deletion and Data Destruction

• When personal data is no longer needed for the purposes outlined in this policy, it is securely deleted or irreversibly anonymized using industry-standard technical and organizational measures.
• Genetic and medical data is securely deleted (not anonymized) as it cannot be truly anonymized due to its inherently identifiable nature.
• Third-party processors and cloud providers are required to implement secure deletion procedures in accordance with contractual agreements.
• Users may request confirmation of data deletion where legally permissible.

7.6 Legal Holds and Extended Retention

• Data may be retained beyond standard retention periods if required for:
- Legal obligations or regulatory compliance.
- Litigation, investigations, or law enforcement requests.

• Extended retention under legal holds is conducted under strict internal review to ensure data is only kept as necessary.
• For genetic and medical data: Legal holds are subject to heightened scrutiny and limited to the minimum data necessary.
• Users are notified of retention extensions where legally permissible.

7.7 User Rights Regarding Retention

• Account Deletion: Users may request deletion of their account and associated data.
• Selective Deletion: Users may request deletion of specific data categories where legally permissible.
• Genetic Data Deletion: Users have an absolute right to request immediate deletion of genetic and medical data at any time, completed within 7 business days.
• Consent-Based Extended Retention: Users may consent to extended retention for additional benefits and may withdraw this consent at any time.
• Retention Information: Users may request information on retention periods for their data and the legal basis for such retention.
• Response Timeline: Deletion and information requests will be addressed promptly, generally within 30 days, unless faster action is required by law. Genetic data deletion requests are prioritized and completed within 7 business days.

8. INTERNATIONAL DATA TRANSFERS

8.1 Transfer Locations and Data Residency

Primary Data Processing Locations:

• European Union: Ireland, Netherlands, Germany (cloud infrastructure and analytics).
• United States: Specific cloud regions for infrastructure services.
• United Kingdom: London region for EU-proximate processing.

Data Hosting and Infrastructure:

• Back-end: Application hosting and database storage.
• Front-end: Web hosting and static assets.
• Authentication & User Management: Google Firebase
• Security & Compliance: All providers implement industry-standard security measures, including encryption at rest and in transit, access controls, and monitoring.

Genetic and Medical Data Storage:

• Stored with enhanced encryption in secure, dedicated infrastructure separate from general account data.
• Subject to additional access controls and monitoring.
• Transfer restrictions apply: genetic and medical data transfers are minimized and subject to heightened safeguards.

Global Transfers:

Data may be stored or processed in multiple jurisdictions where these providers operate. Appropriate safeguards, such as contractual agreements and technical security measures, are in place to protect personal data during international transfers.

Data Center Specifications:

• Regional Selection: Automated routing of data based on user location and service optimization.
• Data Mirroring: Backup and disaster recovery may involve temporary transfers to additional regions.
• Monitoring: All cross-border transfers are logged and monitored to ensure compliance with applicable privacy laws.

8.2 Legal Basis and Adequacy Status (as of 2025)

EU Adequacy Decisions:

• United Kingdom: Recognized under EU adequacy decisions (subject to ongoing reviews).
• United States: No general adequacy decision following Privacy Shield invalidation.

EU/EEA → United States:

• Legal Mechanism: EU Standard Contractual Clauses (2021) with supplementary measures.
• US Data Privacy Framework: Verification of service provider participation where applicable.
• Enhanced Safeguards: End-to-end encryption, key management within EU/EEA jurisdictions, and restricted government access protocols.
• Special Category Data Protections: Additional safeguards for genetic and medical data transfers, including enhanced encryption and minimized transfer frequency.

8.3 Transfer Impact Assessments

I conduct Transfer Impact Assessments (TIAs) for all international data transfers to ensure compliance with applicable privacy laws.

Assessments evaluate:

• Legal and regulatory frameworks in recipient jurisdictions
• Risks of government or third-party access to data
• Adequacy of technical and organizational safeguards (e.g., encryption, pseudonymization, access controls)
• Special considerations for genetic and medical data: heightened risk assessment and enhanced protections

TIAs are reviewed periodically to reflect legal developments and ensure ongoing protection of user data, with quarterly reviews for transfers involving genetic or medical data.

8.4 Standard Contractual Clauses and Contractual Safeguards

• EU Standard Contractual Clauses (SCCs 2021) are applied where required for transfers of EU/EEA personal data to third countries.
• For genetic and medical data: Enhanced contractual provisions are included requiring recipients to apply Article 9 GDPR protections for special category data.
• Contractual safeguards with processors ensure:
- Data is processed only for specified purposes
- Transfers to sub-processors meet equivalent protection standards
- Breach notification obligations are included
- Genetic and medical data is subject to additional security requirements

• Users may rely on these safeguards to ensure their data is protected consistently across borders.

8.5 Supplementary Measures and Technical Safeguards

• Technical Measures: All transfers are protected using industry-standard encryption, access controls, and data minimization. Genetic and medical data receives enhanced encryption (AES-256 or equivalent) and is subject to stricter access controls.
• Organizational Measures: Staff are trained on international data transfer compliance, and data access is logged and monitored. Access to genetic and medical data is restricted to authorized personnel only and subject to additional audit trails.
• Government Access Protections: Any legal or government requests for personal data are reviewed for legitimacy, minimized to the extent possible, and notifications are provided to users where legally permitted. Requests for genetic or medical data are subject to heightened legal scrutiny.
• These safeguards are applied globally, regardless of the recipient country.

8.6 Derogations and Exceptional Transfers

In limited circumstances, international transfers of personal data may rely on derogations for specific legal or operational reasons:

Explicit Consent:

• Only used for exceptional transfers not covered by standard contractual safeguards.
• Users are informed of potential transfer risks before consent is obtained.
• For genetic and medical data: Explicit consent requires specific disclosure of which countries will receive data and enhanced risk warnings.
• Consent can be withdrawn at any time without affecting core service functionality.
• All consent-based transfers are fully documented with scope and timestamps.

Contract Performance:

• Applied only when transfers are necessary to fulfill contractual obligations or provide services directly to the user.
• Confirmed that no other transfer mechanism (such as SCCs or adequacy) is available.
• Used sparingly and only when genuinely required.
• For genetic and medical data: Contract performance derogation is not used; explicit consent or SCCs are required.

Important Public Interest:

• Reserved for genuine public interest situations requiring international transfers.
• External legal review or equivalent assessment is conducted before applying this derogation.
• Full justification and documentation are maintained to demonstrate necessity.
• Not applicable to genetic and medical data transfers except in genuine life-threatening emergencies.

8.7 Data Subject Rights for International Transfers

Users have rights regarding their personal data when it is transferred internationally:

Right to Information:

• Users can request details about international transfers, including the protective measures in place.
• Users may access summaries of contractual safeguards (e.g., SCCs) with confidential information redacted.
• For genetic and medical data: Users can request specific information about which countries receive their sensitive data and what enhanced protections apply.

Right to Object:

• Users may object to international transfers based on legitimate interests.
• Where technically feasible, services may be provided using domestic processing alternatives.
• For genetic and medical data: Users have an enhanced right to object, and I will assess alternatives to minimize or eliminate international transfers of sensitive data.

Right to Restriction:

• Users can request restriction of international transfers pending resolution of concerns.
• Temporary domestic processing measures may be applied while respecting service continuity.
• For genetic and medical data: Restriction requests are prioritized and processed within 7 business days.

Data Portability:

• Users' rights to receive and transfer their data apply regardless of international processing location.
• Data is provided in widely accepted portable formats compatible with international service providers.
• Assistance is provided for direct transfers to other controllers or service providers globally.
• Genetic and medical data portability: Provided in standard formats (e.g., VCF for genetic data, PDF reports for analysis results).

8.8 Transparency and Monitoring

Transfer Transparency Reporting:

• Annual Transparency Reports: Summarized reporting on international transfer volumes and destinations.
• Government Request Statistics: Aggregated statistics on government access requests where legally permitted, with separate reporting for requests involving genetic or medical data.
• Breach Reporting: Disclosure of security incidents involving internationally transferred data in accordance with applicable laws. Incidents involving genetic or medical data are reported with priority notification to affected users.

Continuous Monitoring:

• Legal Developments: Ongoing monitoring of international transfer laws and regulations worldwide, with particular attention to laws affecting genetic and health data.
• Adequacy Updates: Immediate review and update of procedures following changes in adequacy decisions or legal frameworks.
• Risk Assessments: Periodic assessment of international transfer arrangements to ensure continued protection of personal data. Quarterly assessments for transfers involving genetic or medical data.

User Communication:

• Transfer Notifications: Users are notified of significant changes in transfer practices or locations, with advance notice for changes affecting genetic or medical data.
• Policy Updates: Notifications provided when international transfer provisions are materially updated.
• Educational Resources: Guidance is made available to users regarding international transfer implications and their rights, with specific resources explaining protections for genetic and medical data.

8.9 Breach Notification and International Transfers

Breach Notification:

• Supervisory Authority Notification: Relevant authorities in both origin and destination jurisdictions are notified promptly, generally within 72 hours, when required by law.
• Data Subject Notification: Users are informed of high-risk breaches involving internationally transferred data. Breaches involving genetic or medical data are treated as high-risk and result in immediate user notification within 24 hours.
• Cross-Border Coordination: Coordination with supervisory authorities across jurisdictions to ensure compliance.
• Remediation Measures: Specific actions are taken to mitigate impact and prevent recurrence of international transfer-related breaches. Breaches involving genetic or medical data trigger immediate suspension of affected transfers pending security review.

Processor Breach Obligations:

• Immediate Notification: Third-party processors must report breaches affecting international transfers within 24 hours of detection.
• Jurisdiction-Specific Reporting: Processors comply with breach notification requirements in the jurisdictions where data is processed.
• Assistance Obligations: Processors provide support for cross-border breach response and investigation.
• Enhanced Requirements for Sensitive Data: Processors handling any data in proximity to genetic or medical data storage must report any security incidents immediately, even if no breach is confirmed.

8.10 Future-Proofing and Legal Updates

Adaptability Measures:

• Legal Framework Changes: All international transfer practices are reviewed promptly when laws or regulations change in any jurisdiction, with immediate review for changes affecting genetic or health data protections.
• New Transfer Mechanisms: New, legitimate transfer mechanisms are adopted as soon as they become available and applicable.
• Risk-Based Adjustments: Transfer safeguards are dynamically updated based on evolving risk assessments to maintain high protection standards, with quarterly reviews for genetic and medical data transfers.

User Protection Guarantees:

• Stronger Protection Principle: Any changes to international transfers maintain or enhance existing protection levels for personal data, particularly for genetic and medical data.
• Service Continuity: Core services remain available and functional despite updates to transfer mechanisms or regulations.
• User Choice: Where technically and commercially feasible, users may be offered options for data localization or regional processing. Users with genetic and medical data may request information about storage locations and available alternatives.

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 Types of Cookies I Use

Essential Cookies (Always Active):

• Authentication and session management
• Security and fraud prevention
• Core service functionality required for your account and program access

Analytics Cookies (Optional):

• Usage statistics collection (e.g., Google Analytics)
• Performance monitoring and service optimization
• User experience improvement

Preference Cookies (Optional):

• Language and region settings
• Interface and display customizations
• Service preference storage

9.2 Managing Cookies

You control cookie usage through:

• Browser Settings: Configure acceptance, deletion, or blocking of cookies.
• Opt-Out Tools: Use standard industry opt-out mechanisms for analytics cookies.
• Account Settings: Adjust preference cookies in your dashboard.

9.3 Third-Party Tracking

• No third-party advertising trackers are used on the service.
• Analytics data collected is solely for service improvement, optimization, and operational purposes.

10. YOUR PRIVACY RIGHTS

10.1 Universal Rights

All users worldwide have the right to:

• Access: Request information about the personal data I hold, including genetic and medical data.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request removal of personal data where legally permissible. Genetic and medical data deletion requests are prioritized and completed within 7 business days.
• Support: Contact me with any privacy questions or concerns.

10.2 Rights Under Local Laws

EU/EEA and UK Residents:

• Right to erasure ("right to be forgotten")
• Right to data portability (including genetic data in standard formats)
• Right to restrict processing
• Right to object to processing
• Right to withdraw consent (including explicit consent for genetic and medical data processing)
• Right to lodge complaints with supervisory authorities

California Residents (CCPA/CPRA):

• Right to know what personal information is collected, including sensitive personal information (genetic data)
• Right to delete personal information
• Right to correct inaccurate personal information
• Right to opt-out of sale (I do not sell personal data)
• Right to limit use and disclosure of sensitive personal information
• Right to non-discrimination for exercising privacy rights

Other Jurisdictions:

• Rights under applicable local data protection and consumer privacy laws
• Access to local dispute resolution mechanisms
• Enhanced protections for health and genetic information where applicable

10.3 Supervisory Authority Contacts (Global Guidance)

If you wish to lodge a complaint or seek guidance about your privacy rights, you may contact the relevant authority in your jurisdiction:

• EU/EEA Residents: Find your local Data Protection Authority: EDPB Members
• UK Residents: Information Commissioner's Office (ICO)
• California Residents: California Privacy Protection Agency
• Canada Residents: Office of the Privacy Commissioner of Canada
• Australia Residents: Office of the Australian Information Commissioner (OAIC)
• Other Jurisdictions: Contact your local data protection or consumer privacy authority.

Note: This list is for guidance. Users outside these regions should refer to their local privacy authorities for complaint or dispute resolution procedures.

10.4 Exercising Your Rights

To exercise any of your privacy rights:

1. Email [email protected] with the subject line "Privacy Request."
2. Clearly specify the type of request (access, deletion, correction, restriction, objection, portability, etc.).
3. Provide your account email and any verification information required.
4. I will respond within 30 days (or sooner if required by applicable law).

Priority Processing for Genetic and Medical Data:

• Requests involving genetic or medical data receive expedited acknowledgment within 48 hours.
• Deletion requests for genetic and medical data are completed within 7 business days.
• Access requests for genetic and medical data are provided within 14 days.

Data Portability Formats:

• Account data: JSON or CSV format
• Genetic data: VCF (Variant Call Format) or similar standard formats
• Analysis reports: PDF format
• Digital twin models: Structured data export in JSON format

Note: Some rights may be limited by legal obligations or contract requirements. For full details, see Sections 5–8 of this Privacy Policy.

11. DATA SECURITY

11.1 Technical Security Measures

I implement appropriate technical measures to ensure a level of security suitable to the risk of processing your personal data:

• Encryption: Personal data encrypted in transit and at rest where technically feasible. Genetic and medical data receives enhanced encryption (AES-256 or equivalent) with additional key management protections.
• Access Controls: Multi-factor authentication and role-based access. Genetic and medical data access is restricted to authorized personnel only with additional authentication requirements.
• Network Security: Continuous monitoring, intrusion detection, and firewalls with enhanced monitoring for systems containing genetic or medical data.
• System Maintenance: Regular updates, patches, and vulnerability remediation with prioritized patching for systems handling sensitive data.
• Backups & Recovery: Secure backup and disaster recovery procedures. Genetic and medical data backups are encrypted separately with additional access controls.
• Testing & Evaluation: Regular testing of security measure effectiveness, with quarterly penetration testing for systems containing genetic or medical data.

11.2 Organizational Safeguards

I maintain documented organizational measures, including:

• Ongoing training on data protection and security best practices, with specialized training on handling genetic and medical data.
• Strict access controls based on need-to-know. Access to genetic and medical data is limited to essential personnel only.
• Documented incident response and breach notification procedures, with expedited protocols for breaches involving genetic or medical data.
• Regular internal and external security assessments and audits, with annual third-party security audits for systems handling genetic and medical data.
• Secure data disposal when no longer needed, using certified data destruction methods for genetic and medical data.
• Security assessment and management of vendors and third-party processors, with enhanced vetting for any vendor with potential access to sensitive data.

11.3 Data Breach Response

In the event of a personal data breach:

• Conduct immediate investigation and containment.
• Notify relevant supervisory authorities within 72 hours, where legally required. Breaches involving genetic or medical data are reported within 24 hours.
• Notify affected individuals without undue delay if the breach poses high risk. Users whose genetic or medical data is involved in a breach are notified within 24 hours.
• Document the breach, including facts, effects, and remedial actions.
• Implement corrective measures to prevent recurrence.
• For genetic and medical data breaches: immediate suspension of affected systems, forensic investigation, and enhanced monitoring.

11.4 Risk-Based Security Approach

Security measures are determined based on:

• The current state of the art in security technology.
• Implementation costs relative to risk.
• Nature, scope, and purposes of data processing. Genetic and medical data processing receives heightened security measures regardless of cost due to sensitivity.
• Likelihood and severity of potential risks to individuals. Genetic data breaches are treated as high-severity risks given potential for discrimination and privacy harm.
• Regular reassessment as technology and threats evolve, with quarterly reviews for genetic and medical data security.

11.5 Security Limitations

While I implement reasonable and industry-standard safeguards, no system is completely secure:

• Unauthorized access, hacking, or data loss may still occur.
• Personal data is provided with understanding of residual risk.
• This disclaimer does not limit obligations under applicable data protection laws or liability for gross negligence or willful misconduct.
• Given the sensitive nature of genetic and medical data, I apply enhanced security measures that exceed industry standards to minimize risks.

12. THIRD-PARTY SERVICES

12.1 Overview of Third-Party Service Providers

To deliver my elite genetic longevity program reliably and securely, I work with selected third-party service providers who handle various aspects of service delivery. These providers may process your personal data in different capacities and under varying legal relationships, including:

• Payment processing services for program billing
• Analytics providers for service performance monitoring
• Cloud hosting providers for service infrastructure
• Customer support and communication platforms
• Security monitoring and backup services

IMPORTANT: Third-party service providers do NOT have access to your genetic or medical data. This sensitive information remains under my direct control as Data Controller and is stored in secure, separate systems.

The specific legal relationships, contractual safeguards, and data protection measures governing these arrangements are detailed in sections 12.2 and 12.3 below, which outline how your data remains protected throughout these service relationships.

12.2 Data Processing Agreements and Safeguards

I engage third-party service providers ("processors") to help deliver my services. My relationships with these processors are governed by:

Contractual Requirements:

• Written data processing agreements that comply with GDPR Article 28 and equivalent provisions under other applicable privacy laws
• Contractual obligations requiring processors to implement appropriate technical and organizational security measures
• Requirements that processors process personal data only on my documented instructions, except where required by applicable law
• Confidentiality commitments from processor personnel who have access to personal data
• Absolute prohibition on accessing genetic or medical data without explicit written authorization
• Obligations for processors to assist me in responding to data subject rights requests and conducting data protection impact assessments
• Requirements to notify me of personal data breaches without undue delay and, where feasible, within 72 hours (24 hours for any incident involving systems near genetic/medical data)
• Obligations to return, delete, or transfer personal data upon termination of services, subject to legal retention requirements

Processor Accountability:

• I remain the data controller and maintain legal responsibility for my processors' handling of your personal data
• I conduct due diligence on processors' security practices and compliance capabilities before engagement, with enhanced vetting for any processor with potential proximity to genetic or medical data
• I monitor processor performance and compliance through contractual reporting requirements and available audit information
• Processors handling any infrastructure components are subject to additional security requirements and regular audits

Sub-Processor Authorization:

• I may authorize processors to engage sub-processors for specific processing activities
• Any sub-processor arrangements must meet the same data protection standards required of my direct processors
• Sub-processors are prohibited from accessing genetic or medical data
• I maintain records of authorized sub-processors and their processing purposes

12.3 Sub-Processor Management

Definition and Scope: Sub-processors are third-party service providers that my primary processors may engage to provide specialized services such as cloud hosting infrastructure, database management, content delivery networks, and technical support services. Sub-processors handle personal data as part of the services they provide to my primary processors.

CRITICAL RESTRICTION: Sub-processors do NOT have access to genetic or medical data. This sensitive data remains under my exclusive control in separate, secure systems not accessible to processors or sub-processors.

Authorization and Oversight:

• Sub-processors may only be engaged with my prior written authorization or under pre-approved categories of services
• All sub-processor engagements must comply with the same data protection obligations that apply to my primary processors
• Sub-processors must be bound by data protection agreements that provide substantially the same level of protection as my primary processor agreements
• Enhanced prohibition: Sub-processors are contractually prohibited from accessing or processing genetic or medical data under any circumstances

Current Sub-Processor Categories:

I currently authorize the following categories of sub-processors:

• Cloud hosting and infrastructure services (for non-sensitive account data only)
• Authentication and user management services (Google Firebase)
• Payment processing services
• Analytics and performance monitoring services (Google Analytics)
• Email and communication services
• Database hosting and management services (for non-sensitive data only)

Important Note: None of these sub-processors have access to genetic or medical data.

Sub-Processor Changes:

I maintain a current list of sub-processors and their processing purposes.

For any new sub-processor categories or material changes to existing sub-processors, I will:

• Update this privacy policy with at least 30 days' notice
• Provide notification through email or account dashboard notifications
• Allow you to object to the use of new sub-processors
• If you object to a new sub-processor and I cannot accommodate your objection, you may terminate your account without penalty
• For genetic/medical data: No sub-processors will ever be authorized to access this data

Data Subject Rights and Sub-Processors:

• I facilitate the exercise of your data protection rights across my entire processing chain, including sub-processors
• Sub-processors are contractually required to assist with data subject rights requests
• If a sub-processor cannot adequately support data subject rights, I will take appropriate measures, including changing providers if necessary
• Genetic data rights: Processed directly by me without sub-processor involvement

Security and Monitoring:

• I require all processors and sub-processors to maintain appropriate technical and organizational security measures
• I conduct periodic reviews of processor and sub-processor security practices through available audit reports, certifications, and contractual reporting
• I investigate any reported security incidents involving processors or sub-processors and take appropriate remedial action
• Enhanced monitoring: Systems containing genetic or medical data are monitored separately with additional security controls to prevent any sub-processor access

International Transfers:

Some processors and sub-processors may be located outside your jurisdiction.

All international transfers are protected by appropriate safeguards such as:

• European Commission adequacy decisions (for EU data)
• Standard Contractual Clauses (SCCs) with Article 9 GDPR protections where applicable
• Binding Corporate Rules
• Cross-border privacy rules (CBPR) certification
• Other legally recognized transfer mechanisms under applicable laws

I maintain records of all international transfer safeguards and can provide details upon request.

Important Note: Genetic and medical data transfers are subject to separate, enhanced protections and are NOT processed by sub-processors.

Liability and Accountability:

• I remain fully liable under applicable data protection laws for my processors' and sub-processors' handling of your personal data
• This liability extends to ensuring that adequate remedies are available to you in case of non-compliance by any party in my processing chain
• My processors and sub-processors also maintain independent liability under applicable laws for their own processing activities
• Enhanced accountability: For genetic and medical data, I maintain direct and exclusive liability as no sub-processors are involved

Transparency and Contact:

• You may request current information about my processors and sub-processors by contacting me
• I will respond to processor-related inquiries within 30 days
• You may raise concerns about specific processor practices, which I will investigate and address appropriately
• For genetic data inquiries: I will provide detailed information about how this sensitive data is stored and protected separately from sub-processor systems

13. CHILDREN'S PRIVACY

My service is not intended for children. I do not knowingly collect personal information from:

• Children under 18 years of age (all users globally)
• Individuals under the minimum age specified by applicable local laws

Age Requirement Justification: Given the nature of genetic longevity services and the sensitive medical and genetic information involved, all users must be at least 18 years of age to ensure they can provide informed consent for genetic data processing.

If I become aware that personal information from a minor has been collected without appropriate consent:

• I will delete the information promptly, including any genetic or medical data
• I will terminate the associated account immediately
• I will take reasonable steps to notify the parent/guardian where legally required and contact information is available

Parents or guardians who believe their child has provided personal information should contact [email protected] immediately.

14. CHANGES TO THIS PRIVACY POLICY

14.1 Update Authority

I reserve the right to modify this Privacy Policy at any time to reflect:

• Changes in my practices or services
• Legal or regulatory requirements
• Operational or security considerations

14.2 Notification Process

• Minor changes: Posted on the website with the updated "Last Modified" date
• Material changes: Reasonable advance notice via email to registered users and/or prominent website notice, as required by law
• Changes affecting genetic or medical data processing: 60 days advance notice via email with clear explanation of changes and right to object or request data deletion before changes take effect
• The updated Privacy Policy becomes effective on the date specified in the notice

14.3 Continued Use

Your continued use of my services after the effective date constitutes acceptance of the updated Privacy Policy.

• If you do not agree with the changes, discontinue use of my services
• You may request deletion of your data, subject to applicable retention obligations
• For changes affecting genetic or medical data: You have the right to request immediate deletion of your genetic and medical data before the changes take effect, without penalty

15. GOVERNING LAW AND JURISDICTION

15.1 Governing Law

This Privacy Policy and my data processing practices are primarily governed by Egyptian law, except where:

• Mandatory local consumer protection or data protection laws apply to you based on your residence
• International treaties or agreements require the application of other laws
• Specific regulatory requirements override this choice of law

Special Protections for Genetic Data: Regardless of governing law, genetic and medical data processing complies with the highest applicable standards under GDPR Article 9, US state genetic privacy laws (including GINA), and other jurisdiction-specific protections for genetic information.

15.2 Jurisdiction and Dispute Resolution

Data Protection Matters:

• EU/EEA residents: You retain all rights under GDPR (including Article 9 protections for genetic data), including the right to lodge complaints with your local supervisory authority and pursue remedies in local courts
• UK residents: You retain all rights under UK GDPR and may pursue remedies through the ICO and UK courts
• California residents: You retain rights under CCPA/CPRA (including enhanced protections for sensitive personal information) and may pursue remedies through California authorities and courts
• Canada residents: You retain rights under PIPEDA and may pursue remedies through the Privacy Commissioner and Canadian courts
• Australia residents: You retain rights under the Privacy Act 1988 and may pursue remedies through the OAIC and Australian courts
• Other jurisdictions: Applicable local data protection and consumer rights are preserved

Genetic Data Disputes:

• Given the sensitive nature of genetic and medical data, disputes involving this data are subject to the most protective legal framework available under applicable laws
• Users may seek remedies in their local jurisdiction for any genetic data privacy violations

Other Disputes:

• Subject to mandatory consumer protection laws in your jurisdiction, disputes may be resolved through:
1. Good faith negotiation
2. Local courts where mandatory consumer protections apply
3. Egyptian courts for matters not subject to mandatory local jurisdiction

15.3 Regulatory Compliance

As a provider with international users, I comply with applicable privacy laws, including:

• GDPR for EU/EEA residents (with Article 9 protections for genetic data)
• UK GDPR for UK residents
• CCPA/CPRA for California residents (with enhanced protections for sensitive personal information including genetic data)
• GINA (Genetic Information Nondiscrimination Act) principles for US users
• PIPEDA for Canadian residents
• Privacy Act 1988 for Australian residents
• Other applicable jurisdictional requirements based on user location

This does not waive any rights you may have under your local consumer protection or data protection laws.

Genetic Privacy Laws: I comply with genetic-specific privacy laws in all applicable jurisdictions, including but not limited to regulations governing genetic discrimination, genetic data sharing, and genetic privacy protections.

Effective Date:
This Privacy Policy is effective as of Decemeber 15, 2025, and replaces all previous versions.

Last Review:
This policy was last reviewed for legal accuracy and compliance on Decemeber 15, 2025.