Privacy

Privacy Policy

Protection of your personal data

Last updated: May 20, 2026

BIOSENSE PRIVACY POLICY

1. PURPOSE

The purpose of this Privacy Policy is to inform Users about how their personal data, including health-related data, is collected and processed in the context of the provision of Services.

The Services are provided via a Platform accessible on the internet. The website www.biosense.life is published by Inspiration 4 SAS, a simplified joint-stock company with a capital of 1,000 euros, with its registered office at Circulade des Fontanelles, 34980 Saint-Clément-de-Rivière, registered with the Montpellier Trade and Companies Register under number 911 516 532 ("BioSense").

The provision of Services accessible via the Platform requires the processing of personal data within the meaning of the Regulations, jointly designating the French Data Protection Act of January 6, 1978, as amended (known as "Loi Informatique et Libertés") and EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data of April 27, 2016 (known as "GDPR").

This Privacy Policy aims to specify to the User:

  • Who is the Data Controller for their Personal Data;
  • What categories and types of Personal Data are collected and processed;
  • Why Personal Data is collected and processed, on what legal basis and for how long;
  • To whom the collected Personal Data is intended;
  • What rights they have over their Personal Data;
  • How they can express their choices regarding the use of their Personal Data;
  • What security measures are taken by BioSense.

By using the Services, the User acknowledges having read the Privacy Policy and having accepted it.

When the use of Services involves the processing of health data (particularly when transmitting a Biological Report), the User also acknowledges having been informed of the methods of processing their data and, where applicable, having expressed their consent under the conditions provided herein and via the Information and Consent Notice made available and accepted via the Platform.

Terms not defined in this Privacy Policy beginning with a capital letter are defined in the General Terms and Conditions of Sale and Use, accessible at any time on the Platform.

BioSense may modify, supplement or update this Privacy Policy to take into account any legal, regulatory, case law and/or technical developments.

In the event of a significant modification to the Privacy Policy, BioSense undertakes to inform Users by any written means within a minimum period of fifteen (15) days before the effective date. In case of disagreement by the User with the terms of the new Privacy Policy, they may delete their Personal Account.

After this period, any access and use of the Services will be subject to the new Privacy Policy.

2. DEFINITIONS

"Biological Report" means any report or result of medical biology analyses transmitted by the User as part of the Service.

"General Terms and Conditions of Sale and Use" or "GTCSU" means the General Terms and Conditions of Sale and Use of the Platform and Services accepted by Users.

"Personal Account" means the individual account created by the User upon registration or first login to the Platform, allowing access to a personal, secure and reserved space, necessary for use of the Service and, where applicable, consultation of the BioSense Report.

"Personal Data" means the personal data of Users collected and processed in the context of use of the Platform and provision of Services, including, where applicable, health data.

"Platform" means the BioSense online service accessible at www.biosense.life as well as all its pages, features, spaces and associated services.

"Privacy Policy" means this document whose purpose is to inform the User about how their Personal Data is collected and processed in the context of use of the Platform and provision of Services. Where applicable, the Privacy Policy is supplemented by any information and/or consent document.

"Data Controller" within the meaning of the Regulations, means the legal or natural person who determines the purposes and means of processing of Personal Data implemented in the context of use of the Platform and provision of Services.

"Regulations" means jointly the French Data Protection Act of January 6, 1978, as amended (known as "Loi Informatique et Libertés") and EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data of April 27, 2016 (known as "GDPR").

"Service(s)" means all services, features and content accessible via the Platform, free or paid, including in particular the generation of a BioSense Report, longitudinal biomarker tracking, the wellness program, consultation preparation, the personal assistant, access to a customer area and general wellness suggestions.

"User" means any adult natural person acting for non-professional purposes, using the Platform and/or subscribing to the Service, and, where applicable, having a Personal Account or taking out a Subscription.

Capitalized terms that are not defined in this Privacy Policy have the meaning given to them in the General Terms and Conditions of Sale and Use.

3. DATA CONTROLLER

Regarding the User's Personal Data processed for the creation and management of the Personal Account, access and use of the Platform, as well as the provision of Services, the Data Controller is:

Inspiration 4 SAS

Circulade des Fontanelles, 34980 Saint-Clément-de-Rivière, France

Represented by Michael Chekroun

Contact: contact@biosense.life

BioSense uses technical service providers acting as processors within the meaning of Article 28 GDPR. As of the latest update of this policy, the main providers used to operate the Service include:

  • Scaleway (European Union), for hosting the Platform, the database (managed PostgreSQL), object storage, encryption key management, sending transactional emails (Scaleway Transactional Email), and backups; the Supabase software stack (authentication, database, backend functions) is self-hosted on this Scaleway infrastructure;
  • Stripe (Stripe Payments Europe, Ireland; a transfer outside the European Union may occur, governed by standard contractual clauses), for payment processing, billing, and subscription management — no payment card data is stored by BioSense;
  • OpenAI and Anthropic (United States, outside the European Union, on the basis of standard contractual clauses), depending on Platform configuration, only for controlled AI workflows (report generation, conversational assistant, extraction), with minimization and without sending unfiltered raw PDFs outside the local environment;
  • PostHog (data hosted in the European Union), for technical error monitoring, session replay and product usage analytics, used for technical diagnostics and Service improvement, with all text content and input fields masked (no raw health data);
  • Google Analytics (United States, outside the European Union, on the basis of standard contractual clauses) — and, where applicable, Plausible — for optional analytics and analysis of Platform use, according to the choices expressed by the User via the applicable consent banner.

These providers act only on BioSense's instructions, within the limits necessary to perform their services, and under technical and organizational measures designed to protect the security and confidentiality of Personal Data.

BioSense maintains a security and hosting trajectory appropriate for sensitive data.

4. CATEGORIES AND TYPES OF PERSONAL DATA COLLECTED AND PROCESSED

BioSense, as Data Controller, may collect and process the following categories of Personal Data of Users in the context of creation and management of the Personal Account, use of the Platform and provision of Services:

4.1. Identification and Contact Data

  • surname, first name, age, sex;
  • email address;
  • phone number.

4.2. Data Relating to Personal Account and Platform Use

  • login credentials;
  • password (stored in encrypted form);
  • connection and usage data: IP address, logs, terminal and browser information, timestamps, data relating to interactions with the Platform and, where applicable, data from cookies and other trackers under the conditions provided by this Privacy Policy.

4.3. Data Transmitted for Service Execution – Including Personal Health Data

When the User uses the Service and transmits a Biological Report (or any other document containing health information), BioSense processes Personal Health Data, including:

  • the uploaded/transmitted Biological Report (analysis results, biological parameters, values, units, references, laboratory comments where applicable);
  • health information provided by the User via the form offered on the Platform, when the User chooses to provide it, in particular information relating to their lifestyle, their personal and family medical history, their ongoing treatments, their body mass index (BMI), their prevention objectives and any symptoms;
  • data from optional tracking, wellness program, consultation preparation, chat, questionnaire, notification and summary PDF features when used.

This Personal Health Data is processed exclusively to provide the Services requested by the User, including transmission of the Biological Report, generation of the BioSense Report, longitudinal tracking, and preparation or support features enabled by the User.

4.4. Data Relating to Subscription and Payment

In the context of the Subscription, BioSense processes Personal Data relating to the transaction, including:

  • information related to the Subscription (offer subscribed, price, date and time of transaction);
  • billing elements and/or proof of payment;
  • technical payment data (e.g., transaction identifier).

As payment is processed by Stripe, BioSense does not have access to the User's credit card data.

In the absence of provision and/or processing of certain Personal Data (particularly those necessary for the creation of the Personal Account and execution of the Service), the User will not be able to create a Personal Account and/or benefit from all or part of the Services.

5. LEGAL BASIS AND RETENTION PERIOD OF PERSONAL DATA

BioSense processes Users' Personal Data as Data Controller for the purposes below.

PURPOSELEGAL BASISRETENTION PERIOD
Management of Service use:
  • Creation and management of the Personal Account;
  • Provision of Services (generation of the BioSense Report, access to the personal area, biomarker tracking, wellness program, questionnaires, consultation preparation, summary PDFs, service notifications and user support);
  • Processing of Biological Reports and health information provided by the User;
  • Use of the Platform and its features, including, where applicable, the use of artificial intelligence tools; and
  • Management of complaints / disputes and the contractual relationship.
Contract performance (art. 6.1.b GDPR)

Health data processed with consent (Article 9.2.a GDPR)
For the lifetime of the account. If the account is deleted, operational erasure is carried out within thirty (30) days, subject to elements retained separately for proof, security, or legal obligations.

Intermediate archiving: 10 years
Securing the Platform, access management and monitoring of technical eventsContract performance (Article 6.1.b GDPR)12 months maximum, except for a specific extract relating to a security incident, a complaint or litigation, which may be retained separately for the period necessary to manage the incident or defend BioSense's rights.
Sending information related to the Personal Account / ServiceContract performance (Article 6.1.b GDPR)5 years from the last activity
Management of Subscriptions, payments and invoicing
(Subscription validation, payment processing via Stripe, receipt/invoice issuance, refund and dispute management)

(No personal health data processed. Payment card data is not retained by BioSense)
Contract performance (Article 6.1.b GDPR) and, for retention of accounting documents, legal obligation (Article 6.1.c GDPR)Subscription-related data: duration necessary for performance

Invoices and supporting accounting documents: 10 years from fiscal year end

Payment card data: not retained by BioSense (payment processed by Stripe) (standard contractual clauses and additional measures where required)
Management of rights exercise requestsLegal obligation (Article 12.2 GDPR)5 years from the request

Intermediate archiving: 10 years
Audience measurement and analysis of Platform use
(in particular Google Analytics 4 with Consent Mode v2, Plausible and server-side first-party tracking, according to the choices expressed by the User via the consent banner)
User consent where required (Article 6.1.a GDPR) or legitimate interest (Article 6.1.f GDPR)13 months maximum from collection or a shorter period depending on the tool concerned and the choices expressed by the User
Improvement of Service and Platform useLegitimate interest (Article 6.1.f GDPR)

Health data processed with consent (Article 9.2.a GDPR)
3 years from the last activity
Generation of statisticsLegitimate interest (Article 6.1.f GDPR)

Health data processed with consent (Article 9.2.a GDPR)
5 years from the last activity
Reuse of Personal Data for research, studies or evaluation of public interest in the field of healthLegitimate interest (Article 6.1.f GDPR)

Health data processed for scientific research purposes (Article 9.2.j GDPR)
In accordance with the periods provided either by the authorization issued by the CNIL, or by the reference methodology MR-004 (art. 2.6 of deliberation no. 2018-155 of May 3, 2018): (i) 2 years after the last publication of the research results; or (ii) in the absence of publication, until the signature of the final research report.

When, to achieve the various objectives listed under the purposes above, BioSense needs to process the User's Personal Health Data, it is specified that access is restricted to only the necessary Personal Data.

Certain Personal Data may be retained in intermediate archiving where necessary to comply with BioSense's legal obligations, for proof, security, complaint handling or litigation purposes.

At the end of the applicable periods, this Personal Data is deleted or irreversibly anonymized.

BioSense may retain Anonymized Data for statistical purposes or to improve the Services, as long as it no longer allows the User to be identified or re-identified, directly or indirectly.

Our Use of Artificial Intelligence:

BioSense uses algorithmic tools that may include artificial intelligence to extract, structure, format, and present information from Biological Reports transmitted by the User and to generate the BioSense Report.

As of the latest update of this policy, when an external AI provider is used, the flow is limited, depending on the workflow, to extracted then pseudonymized text or to a previously redacted document. BioSense does not send unfiltered raw PDFs, raw page images, or unfiltered OCR text to an external AI provider outside the local environment. Document preparation and optical character recognition (OCR) are performed locally, on BioSense's infrastructure, without relying on a dedicated third-party service.

These tools have no medical purpose and are not intended to establish a diagnosis, deliver a medical opinion, or substitute for a healthcare professional. The content provided via the Platform is for informational purposes only and is intended to be discussed with a doctor and/or competent healthcare professional.

Furthermore, the use of these tools does not lead to an entirely automated decision producing legal effects or significantly affecting the User within the meaning of Article 22 of the GDPR. The use of these tools is governed by appropriate technical and organizational measures to ensure the security and confidentiality of Personal Data, in accordance with applicable Regulations.

6. RECIPIENTS OF PERSONAL DATA

Users' Personal Data is intended for:

  • Members of BioSense staff, specifically authorized, in strict compliance with their duties;
  • BioSense service providers and subcontractors, including Scaleway (hosting, database, object storage, transactional emails), Stripe (payment), OpenAI and Anthropic (controlled AI workflows), PostHog (technical error monitoring and session replay for technical diagnostics), and Google Analytics — where applicable Plausible — (analytics, if enabled), within the limits necessary for the performance of their services;
  • Persons authorized as third parties authorized by law (administrative or judicial authorities, competent bodies), when BioSense is required to do so.

BioSense service providers and subcontractors access Personal Data only to the extent strictly necessary for the performance of their duties, and are subject to confidentiality and security obligations.

Irreversibly anonymized data, which no longer allows the User to be identified or re-identified, does not constitute Personal Data within the meaning of the GDPR and may be made available to third parties under the conditions provided by this Privacy Policy.

Regarding Personal Data Hosting

Account data, application data, and documents stored by BioSense are hosted primarily on secure infrastructure located in Europe. Temporary exports and documents are encrypted at rest and in transit. This statement is not a claim that BioSense is HDS certified.

Regarding Personal Data Transfers

BioSense prioritizes European processing for identifying and health-related data. Where a provider could involve processing outside the European Union / European Economic Area, in particular OpenAI, Anthropic or Google Analytics depending on the features actually used, BioSense ensures that the relevant flow either does not contain identifying personal data, or is governed by appropriate safeguards under the applicable Regulations (standard contractual clauses and supplementary measures where required).

Any transfers are limited to the data strictly necessary for the processing concerned and are subject, where possible, to minimization, pseudonymization or prior redaction measures.

The User can obtain information regarding the safeguards applicable to any transfers by contacting BioSense at the following address: dpo@biosense.life.

Personal Health Data

Personal Health Data transmitted by the User is intended exclusively for BioSense and, where applicable, its authorized technical providers involved in hosting, security and operation of the Platform, as well as providers involved in controlled AI workflows, where strictly necessary and under the conditions described in Article 5, to the extent strictly necessary for the provision of the Service, and in compliance with applicable confidentiality and security obligations.

7. USER RIGHTS REGARDING PERSONAL DATA

In accordance with the Regulations, the User has the following rights:

  • Right to information: The User has the right to obtain concise, transparent, understandable and easily accessible information about how BioSense processes their Personal Data and about their rights. This is notably the purpose of this Privacy Policy.
  • Right of access: The User has the right to access their Personal Data processed by BioSense and to obtain a copy.
  • Right to rectification: The User has the right to require that their Personal Data be rectified if it is inaccurate or outdated and/or that it be completed if it is incomplete.
  • Right to erasure (right to be forgotten): In certain cases, the User has the right to obtain the erasure of their Personal Data. Erasure may in particular be requested from the User's personal space or by email to dpo@biosense.life.
  • Right to restriction of processing: Under the conditions provided by the Regulations, the User has the right to obtain the restriction of processing of their Personal Data, so that BioSense may retain this Personal Data but may no longer use it, except in cases authorized by the Regulations.
  • Right to object: The User may object at any time to the processing of their Personal Data when the processing is based on BioSense's legitimate interest, unless BioSense demonstrates compelling legitimate grounds or this Personal Data is necessary for the establishment, exercise or defense of legal claims.
  • Right to portability: When processing is based on the User's consent or contract performance, and is carried out using automated processes, the User has the right to receive Personal Data concerning them that they have provided to BioSense, in a structured, commonly used and machine-readable format, and to transmit it to another data controller.
  • Right to lodge a complaint with the CNIL: The User has the right to lodge a complaint with the CNIL to challenge BioSense's personal data protection practices. They may file their complaint via the CNIL website or by mail to: CNIL – Complaints Service – 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.
  • Right relating to the fate of Personal Data after death ("digital death"): The User has the right to define directives relating to the retention, erasure and communication of their Personal Data after their death, under the conditions provided by applicable regulations.

The User acknowledges that they may, at any time, delete their Personal Account from their personal space (or, failing that, by sending a request to BioSense). In the event of deletion of the Personal Account, the active data associated with the account is erased within an operational period of thirty (30) days, subject to data that must be retained in intermediate archiving for the periods provided by this Privacy Policy, in particular for proof, security, complaint handling or compliance with legal obligations.

When processing is based on consent, the User may also withdraw their consent at any time, it being specified that this withdrawal does not affect the lawfulness of processing carried out before this withdrawal.

The User may exercise their rights by contacting BioSense at the following address: dpo@biosense.life

To facilitate the processing of the request, the User is invited to:

  • indicate the right(s) they wish to exercise;
  • clearly mention their surname, first name and contact details;
  • specify, where applicable, the account concerned and elements useful for identifying Personal Data.

Proof of identity may be requested if the information provided does not allow certain identification of the User.

8. SECURITY MEASURES

BioSense implements appropriate technical and organizational measures to protect Users' Personal Data against loss, misuse, unauthorized access, disclosure, alteration and destruction. The nature and level of these measures take into account, in particular, the sensitivity of the Personal Data processed and, in particular, the fact that the Platform may process Personal Health Data.

The measures implemented include, in particular:

  • secure hosting of Personal Data on servers located in the European Union;
  • encryption of Personal Data in transit (TLS) and in storage;
  • versioned consent logging and consent history;
  • account export and deletion features;
  • access restricted to authorized persons only, in strict compliance with their duties;
  • separation of patient, staff, administrator and system access;
  • logging, sensitive-log redaction by default, and controls intended to prevent, detect and limit any unauthorized access.

BioSense also raises Users' awareness of the need to preserve the confidentiality of their credentials and to secure access to their Personal Account (strong password, logout, terminal protection), these elements being their responsibility.

9. COOKIES AND OTHER TRACKERS

A cookie or tracker is a file or device that may be placed on or read from the User's terminal, in particular their computer, smartphone or tablet, while browsing the Platform.

The Platform uses cookies and other trackers necessary for its operation, in particular to enable User authentication, secure access to the Personal Account, maintain the session, store the choices expressed by the User, and manage the Subscription and payment.

In accordance with Article 82 of the French Data Protection Act, these strictly necessary cookies and trackers are not subject to the User's prior consent, as long as their sole purpose is to enable or facilitate electronic communication or they are strictly necessary for the provision of a service requested by the User.

The Platform may also use audience-measurement and Platform-usage-analysis cookies and trackers, in particular Google Analytics 4 with Consent Mode v2, Plausible and a server-side first-party tracking mechanism.

Where the User's consent is required, these cookies and trackers are only placed or activated after acceptance via the consent banner made available on the Platform. In the absence of consent, only cookies and trackers strictly necessary for the operation of the Platform are placed or activated.

The consent banner allows the User to accept, refuse or configure the cookies and trackers subject to consent, globally or, where offered, purpose by purpose. The validity period of consent is six (6) months. At the end of this period, the User's consent may be sought again.

The User may modify their choices at any time via the cookie management link or tab accessible at all times on the Platform.

The User may also configure their browser to block all or part of the cookies. In this case, certain Platform features may be limited or unavailable, in particular where the cookies concerned are necessary for the operation of the Services.

The cookies and trackers used by BioSense are not intended to collect raw health data. The information collected is used by BioSense, its technical providers and, where applicable, its audience-measurement providers, under the conditions described in this Privacy Policy.

BioSense does not use advertising-targeting cookies.

The details of the cookies and trackers used, their purposes, their retention periods and, where applicable, the third parties concerned, are presented in the cookie management module accessible on the Platform.