Privacy Policy

Pheno AB (“we,” “our,” or “us”) operates the website https://www.pheno.health. We are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the General Data Protection Regulation (GDPR) and other applicable laws.

1. Data Controller and Contact Information

Pheno AB is the data controller responsible for processing your personal data.

Data Protection Officer (DPO): Alan Ramilton (acting DPO)
Company: Pheno AB
Registry: Sweden
Privacy Inquiries: privacy@pheno.health
Security Concerns: security@pheno.health
General Support: team@pheno.health
Website: https://www.pheno.health/contact

(Please mention "Data Protection" in your privacy-related queries.)

2. What Personal Data We Collect

We collect and process the following types of personal data:

2.1 Account Information

  • Name, email address, phone number
  • Account credentials (password stored as encrypted hash)
  • Profile preferences and settings

2.2 Health Data (Special Category Data)

  • Blood biomarker test results
  • Health surveys and assessment responses
  • Wearable device data (sleep, activity, heart rate variability) - only if you connect your device
  • AI-generated health insights and recommendations
  • Demographics and other relevant data to health analysis (age, sex, diet, lifestyle etc)

2.3 Usage and Technical Data

  • Device information (browser type, operating system)
  • IP address and general location (city/country level)
  • Usage patterns and feature interactions
  • Cookies and analytics data (see Section 7)

2.4 Communication Data

  • Email correspondence and support tickets
  • Marketing communication preferences

Data Provision Requirements

Some data is strictly necessary for providing our services (e.g., account creation, biomarker analysis). If you choose not to provide required data, you may be unable to access certain features. Other data (such as wearable integration or marketing communications) is voluntary, and you can opt out at any time.

3. Legal Basis for Processing

Under GDPR, we process personal data based on the following legal bases:

3.1 Explicit Consent (GDPR Article 6(1)(a) and Article 9(2)(a))

Required for processing special category data (health data):

  • Initial consent when you create your Pheno account
  • Separate consent for AI-powered health insights (optional)
  • Separate consent for wearable device integration (optional)
  • Marketing communications consent (optional)

Important: You can withdraw consent at any time through your account settings or by contacting privacy@pheno.health. Withdrawal does not affect the lawfulness of processing before withdrawal.

3.2 Contract Performance (GDPR Article 6(1)(b))

Processing necessary to provide services you've requested:

  • Account management and authentication
  • Delivering test results and health insights
  • Customer support and service communications

3.3 Legitimate Interests (GDPR Article 6(1)(f))

  • Platform security and fraud prevention
  • Service improvement and analytics (anonymized data)
  • Business operations and administration

3.4 Legal Obligations (GDPR Article 6(1)(c))

  • Compliance with medical records retention requirements
  • Tax and accounting obligations
  • Responding to legal requests from authorities

4. How We Use Your Data

We use the data we collect for the following purposes:

4.1 Service Delivery

  • Analyzing biomarker test results and generating personalized health insights
  • Providing AI-powered health recommendations (with your consent)
  • Tracking health metrics and progress over time
  • Integrating wearable device data for comprehensive health view

4.2 Platform Operations

  • Account management and authentication
  • Customer support and responding to inquiries
  • Sending service-related notifications (e.g., test results ready)
  • Platform security and fraud prevention

4.3 Corporate Wellness Programs

  • Managing team accounts and access
  • Generating anonymized aggregate statistics for employers
  • Tracking program participation rates (not individual results)

4.4 Analytics and Improvement

  • Understanding how users interact with our platform (anonymized)
  • Improving service quality and user experience
  • Developing new features and services

4.5 Marketing (With Consent)

  • Sending newsletters and health tips
  • Promoting new features and services
  • You can unsubscribe anytime via email links or account settings

5. AI-Powered Features and Model Training

Pheno uses AI technology (Claude via AWS Bedrock) to provide personalized health insights. We want to be completely transparent about how this works:

5.1 No Model Training

We have specifically disabled all logging and model training features. Your health data is NEVER used to train, improve, or develop AI models.

  • Your data generates only YOUR insights - never combined with other users
  • AI provider (Anthropic/AWS) contractually prohibited from using your data for training
  • Logging disabled at the infrastructure level

5.2 EU-Only AI Processing

  • All AI processing occurs exclusively within the European Union (AWS EU region)
  • Data never leaves the EU for AI analysis
  • Compliant with EU AI Act transparency requirements

5.3 Optional and Transparent

  • AI-powered insights require your separate, explicit consent
  • You can opt out at any time without affecting other Pheno features
  • Clear disclaimers: AI insights are informational, not medical advice
  • All AI-generated content is clearly labeled

Legal Basis: Your explicit consent (GDPR Article 9(2)(a) for health data processing).

6. Data Sharing and Third Parties

We do not sell or trade your personal data. However, we share data with carefully selected service providers as described below.

6.1 Data Processors

We work with trusted third-party processors who handle data on our behalf under GDPR-compliant Data Processing Agreements:

Service Provider Categories:

  • Cloud hosting and infrastructure services (EU-based)
  • Enterprise application platform (ISO 27001, SOC 2 certified)
  • Medical laboratory services for biomarker analysis (ISO 15189 for medical laboratories, ISO 9001 certified)
  • Wearable device integration services (optional, user-initiated)

All service providers:

  • Process data only under our instructions
  • Are bound by GDPR-compliant Data Processing Agreements
  • Maintain equivalent security standards to Pheno
  • Store and process data exclusively within the European Union
  • Undergo regular security assessments

For a complete list of specific processor names, please contact privacy@pheno.health

6.2 Corporate Wellness Programs - Employer Privacy

If you access Pheno through your employer's wellness program:

What Your Employer CANNOT See:

  • Your individual health data
  • Your biomarker test results
  • Your AI-generated insights
  • Your wearable device data
  • Your identity linked to any health information

What Your Employer CAN See:

  • Anonymized, aggregated team statistics only (e.g., "Average team sleep quality improved by 15%")
  • Participation rates (number of employees using Pheno)
  • Program engagement metrics

Technical Separation: Employee and employer data are strictly separated at the database level. Employers access a completely different dashboard with no ability to view individual data.

Your Rights: Participation in workplace wellness programs is voluntary. Your employer cannot require participation or penalize non-participation.

6.3 Legal Requirements

We may disclose personal data if required by law, court order, or government request, or to protect our legal rights, prevent fraud, or ensure user safety.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience:

7.1 Essential Cookies

Necessary for platform functionality:

  • Session management and authentication
  • Security and fraud prevention
  • Remembering your preferences

7.2 Analytics Cookies

Help us understand platform usage (anonymized):

  • Google Analytics for aggregate usage statistics
  • Performance monitoring and error tracking
  • Feature usage patterns

7.3 Managing Cookies

You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect platform functionality. Analytics cookies can be disabled without impacting core features.

8. Data Retention

We retain personal data only as long as necessary for its intended purpose or as required by law:

Retention Periods:

  • Account Data: Duration of account + 2 years after account closure
  • Biomarker Test Results: 10 years (medical records legal requirement)
  • AI-Generated Insights: Duration of account + 2 years
  • Wearable Device Data: Duration of account + 2 years
  • Marketing Consents: Until withdrawn or 3 years of inactivity
  • Support Communications: 3 years after last interaction
  • Aggregate Analytics: Indefinitely (fully anonymized, cannot be re-identified)

Legal Requirements:

Some data must be retained longer due to medical records regulations (biomarker results), accounting requirements (transaction records), or legal defense purposes (in case of disputes).

After retention periods expire, we securely delete or irreversibly anonymize your data.

9. Your Data Protection Rights

Under GDPR, you have the following rights regarding your personal data:

9.1 Right of Access

Request a copy of your personal data. Available through self-service download in account settings or by contacting privacy@pheno.health

9.2 Right to Rectification

Correct inaccurate or incomplete data. Update directly in account settings or contact us for assistance.

9.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data. Note: Biomarker test results must be retained for 10 years due to medical records regulations, but all other data will be deleted.

9.4 Right to Data Portability

Receive your data in machine-readable format (JSON) to transfer to another service. Request via privacy@pheno.health

9.5 Right to Object

Object to processing based on legitimate interests or for direct marketing. Manage preferences in account settings or contact us.

9.6 Right to Restriction of Processing

Request temporary limitation of processing in specific circumstances (e.g., while verifying data accuracy).

9.7 Right to Withdraw Consent

Withdraw consent for AI features, wearable integration, or marketing at any time through account settings. Withdrawal does not affect processing that occurred before withdrawal.

How to Exercise Your Rights:

  1. Use self-service options in your account settings (for access, rectification, deletion)
  2. Email privacy@pheno.health with your request
  3. Visit https://www.pheno.health/contact
  4. Specify the right you wish to exercise and provide details to help us respond efficiently

We will respond to your request within 30 days. If we need more time, we will inform you and explain why.

10. Data Security

We implement comprehensive security measures to protect your data:

10.1 Technical Measures

  • Bank-level encryption: AES-256 for data at rest
  • Secure transmission: TLS 1.3 protocol for data in transit
  • EU-only data storage: Data never leaves the European Union
  • Multi-factor authentication: MFA required for system access
  • Security testing: Regular penetration testing and vulnerability assessments
  • Automated backups: Daily encrypted backups with 30-day retention

10.2 Organizational Measures

  • ISO 27001-aligned practices: Following international security standards
  • Staff training: Annual security awareness training for all employees
  • Incident response: Documented procedures for security incidents
  • Access controls: Least privilege principle and quarterly access reviews
  • Vendor assessment: Regular security reviews of all service providers

10.3 Platform Security

Built on ISO 27001-certified enterprise platform with robust cloud infrastructure, ensuring enterprise-grade security and compliance.

Important: While we implement industry-leading security measures, no online service is completely secure. We encourage users to use strong passwords and enable all available security features.

11. International Data Transfers

We DO NOT transfer your personal data outside the European Economic Area (EEA). All data processing occurs exclusively within the EU:

  • Storage: EU-based cloud infrastructure
  • AI Processing: EU region only
  • Service Providers: All processors maintain EU infrastructure

This means your data is always subject to GDPR protection and never transferred to countries with lower data protection standards (such as the United States). If our data processing arrangements change in the future, we will update this policy and ensure appropriate safeguards are in place (such as Standard Contractual Clauses).

12. Automated Decision-Making and Profiling

We do not rely on fully automated decision-making processes (including profiling) that produce legal or similarly significant effects. Our AI-generated health insights are informational only and always include disclaimers that they are not medical advice. Should this change, we will update this Privacy Policy and provide all necessary information under GDPR.

13. Children's Privacy

Our services are not intended for users under 18 years old. We do not knowingly collect personal data from minors. If we discover that a minor has provided us with personal data, we will take immediate steps to delete it. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@pheno.health

14. Right to Lodge a Complaint

If you believe your data protection rights have been breached, you have the right to lodge a complaint with a supervisory authority:

Sweden (Pheno AB's jurisdiction):

Swedish Authority for Privacy Protection (IMY)
Website: https://www.imy.se/en/
Email: imy@imy.se

You may also contact the data protection authority in your country of residence. Find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. The latest version will always be available at https://www.pheno.health/privacy-policy with an updated effective date. We will notify users of significant changes via email or prominent notice on our platform.

16. Contact Us

For any privacy-related inquiries, questions about this policy, or to exercise your data protection rights, you can contact us at:

Pheno AB
Data Protection Officer: Alan Ramilton
Privacy Inquiries: privacy@pheno.health
Security Concerns: security@pheno.health
General Support: team@pheno.health
Website: https://www.pheno.health/contact

Last Updated: November 18, 2025
Version: 2.0


Learn more

For Companies

For Employees

How it Works

Data Privacy

Our Impact

Our Story

Follow us

Instagram

LinkedIn

© 2025 Pheno AB

Site mapPrivacy policy
Privacy Settings