Privacy Notice
Version:
This notice explains what data we process about you, why, on what legal basis, who else sees it, and what you can do about it. It is the same notice for everyone, regardless of where you live, with regime-specific rights called out by jurisdiction.
1. Who controls your data
The controller of your data is A H LEDIG IVOLUT SOFTWARE LTDA, a Brazilian single-shareholder limited liability company (Sociedade Limitada Unipessoal, registered under the small-enterprise tax regime EPP).
- CNPJ: 36.062.448/0001-87
- NIRE: 35235819092
- Inscrição Municipal: 402865
- Registered address: Rua Cambroé 243, Alphaville 2, 12244-045 São José dos Campos, SP, Brazil
- Person responsible for processing: Alexander H Ledig
- Privacy contact: privacy@gambrio.com
The controller operates the service “biosatlas.”
2. What data we collect
- Account data: your email address, your name (optional), your profile photo (optional, provided by your sign-in provider).
- Health data — special-category / sensitive personal data: the bloodwork PDFs and images you upload, the extracted marker values, units, reference ranges, lab metadata, and observation timestamps.
- Profile data: your sex (optional) and date of birth (optional), used to select age- and sex-appropriate reference ranges.
- Consent metadata: the date you consented and the version of this notice you consented to.
- Usage metadata: session tokens, magic-link verification tokens, extraction job logs, per-extraction model-call cost.
3. Why we process your data + on what legal basis
Purposes
- Track your bloodwork over time.
- Normalize marker names and units across labs so you can compare results.
- Provide a machine-readable JSON export of all your data.
Legal bases
- LGPD Art. 7(I) — your consent, for personal data.
- LGPD Art. 11(I) — your explicit consent (“consentimento de forma destacada”), for sensitive personal data (health data).
- GDPR Art. 6(1)(b) — performance of the contract under which we provide the service.
- GDPR Art. 9(2)(a) — your explicit consent, for special-category personal data (health data).
- UK GDPR — equivalent bases.
Without your explicit consent, we cannot provide the service. You give consent via the two checkboxes below — one to acknowledge this notice, and a second, separately highlighted, to consent specifically to processing your health data.
4. Who else processes your data on our behalf
| Sub-processor | Purpose | Region & transfer basis | Status | Privacy policy |
|---|---|---|---|---|
| Fly.io | Application hosting (the virtual machine that runs the service). | EU (Frankfurt). Note: Fly.io's control plane and aggregated logs are US-hosted. | Planned | View policy |
| Resend | Transactional email (sign-in magic links). | EU. | Active | View policy |
| OpenAI ([OPENAI_ORG_NAME — pending Alex creates the side-project org]) | Vision extraction of your uploaded bloodwork (your image bytes are sent to OpenAI's API). | United States. Transfer under Standard Contractual Clauses (SCCs), Module 2 (controller-to-processor). OpenAI retains API inputs for up to 30 days for abuse monitoring; OpenAI does not train on API data by default. | Active | View policy |
| Anthropic | Alternate vision provider, only active if the controller explicitly switches to it (configuration: BLOODWORK_PROVIDER=anthropic). Not active in this release. | United States. Transfer under SCCs. Zero retention by default. | Dormant | View policy |
This list is current as of the date at the top of this notice. Any addition, removal, or material change triggers a notice update and re-consent.
5. When your data leaves your country
Your uploaded image bytes are processed by OpenAI in the United States under Standard Contractual Clauses, Module 2 (controller-to-processor). No other data leaves the EU hosting region. UK residents' data is handled identically; the SCCs include UK-specific addenda (UK IDTA / Addendum) where applicable.
6. How long we keep your data
We keep your account and all data associated with it for as long as your account exists. You can delete your account at any time:
- Self-serve: the “Delete my account” button at the bottom of this notice (or in your profile) invokes DELETE /api/account. This cancels any active extraction jobs within ~30 seconds (the time for the current page to finish processing), deletes all your panels and markers, and deletes your account.
- By email: write to privacy@gambrio.com.
We commit to processing deletion requests within 24-72 hours. LGPD allows us up to 15 days; GDPR allows up to 30 days; our target is faster.
Once you initiate deletion, we stop accepting new uploads immediately. Any extraction job already in flight is cancelled within ~30 seconds; data already sent to sub-processors during that window is governed by their retention policies (Section 4).
There are no automated backups in this release. Your data exists only on the production database. If you want a backup, regularly export your data as JSON via the /api/export endpoint or the export button in the app.
Sub-processor retention: OpenAI keeps API inputs up to 30 days (default policy), Resend keeps email metadata up to 30 days, Fly.io retains operational logs indefinitely.
7. Your rights — EU and UK users (GDPR + UK GDPR)
- Access (Art. 15): your data is visible in the app; the /api/export endpoint returns a complete machine-readable export.
- Rectification (Art. 16): edit any marker directly in the app.
- Erasure (Art. 17): the “Delete my account” button cascades all your data.
- Restriction of processing (Art. 18): use the “Withdraw consent” button below to pause future processing without deleting your account.
- Portability (Art. 20): the /api/export JSON export is machine-readable.
- Objection (Art. 21): withdraw your consent at any time and we stop processing immediately.
- Withdraw consent (Art. 7(3)): at any time, via the button below. Lawfulness of processing before withdrawal is unaffected.
- Complain to a supervisory authority: see Section 12 below.
8. Your rights — Brazilian users (LGPD Art. 18)
- Confirmation of the existence of processing.
- Access to your data.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion of unnecessary or excessive data.
- Portability of your data to another service or product provider.
- Deletion of data processed with your consent.
- Information about the public and private entities with which the controller has shared your data (see Section 4).
- Information about the possibility of not giving consent and the consequences (you cannot use the service without consenting).
- Revocation of consent at any time.
- Complain to the National Data Protection Authority (ANPD) — see Section 12.
9. How we protect your data
- In transit: HTTPS everywhere (TLS via Let's Encrypt managed by Fly.io).
- At rest: Fly.io Volume disk encryption (LUKS-style).
- Logging discipline: the application uses a redactPHI() helper to remove your name and date of birth before any data is written to logs.
- Application-layer encryption (encryption of data at the application layer in addition to disk encryption) is NOT implemented in this release. It is on the roadmap for the next release.
10. Giving and withdrawing consent
You give explicit consent below via two checkboxes: one to acknowledge this notice, and a second, separately highlighted, to specifically consent to processing your health data. The consent record is stored against your user account (consent date + notice version + the locale you read the notice in + a hash of the rendered notice content).
You can withdraw consent at any time without deleting your account by using the “Withdraw consent” button below. While withdrawn, you can still view and export your existing data, but no new uploads are processed. You can re-consent later, or use “Delete my account” for full erasure.
If we update this notice in a way that materially changes your rights or our processing, we will require you to re-consent the next time you sign in.
11. Automated decision-making
This service does not make automated decisions about you that produce legal or similarly significant effects (GDPR Art. 22 / LGPD Art. 20). The vision-extraction step is automated processing, but the result is a set of values you review — no decisions about you are made by the system.
12. Complaining to a data protection authority
You have the right to complain to your local data protection authority. You do not need to contact us first, but we encourage it — it's usually faster.
- EU residents: find your country's data protection authority in the official EDPB registry: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- Germany: for a commercial service like ours, complaints go to the data protection authority of your federal state (full list: https://www.bfdi.bund.de/DE/Service/Anschriften/anschriften-table.html). The federal commissioner (BfDI) handles federal-government, telecoms, and postal sectors and is not the primary route for this service.
- United Kingdom: Information Commissioner's Office (ICO), https://ico.org.uk/
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD), https://www.gov.br/anpd/
- United States: your state Attorney General, where applicable. There is no federal complaint route for services not covered by HIPAA.
13. Versioning + updates
This notice is versioned by its effective date, shown at the top of the page. When we make a change, we update the version and require you to re-consent the next time you sign in.
A history of past versions is available on request from privacy@gambrio.com.
14. Cookies we use
This service uses three cookies, all strictly necessary for the service to function:
- authjs.session-token (or similar) — keeps you signed in. Set by the sign-in system (Auth.js). Session or 30 days.
- bdl-language — remembers which language you read the app in. Set when you visit for the first time or change languages in your profile. 1 year.
- bdl-format-locale — remembers which number/date format you prefer (e.g., 1,234.56 vs 1.234,56). 1 year.
All three are essential — without the session cookie you can't be signed in; without the language cookies the app cannot deliver content in a language you can read. Per GDPR Recital 30, strictly-necessary cookies do not require a consent banner. We do not use analytics, advertising, or tracking cookies.
15. Children
This service is not intended for users under 18 years old. We do not knowingly collect data from minors. If you believe a minor has signed up, contact privacy@gambrio.com and we will delete the account.
16. Contact us + response times
Privacy inquiries: privacy@gambrio.com
Response time commitments
- Account deletion: 24-72 hours.
- LGPD information / access / correction requests: 15 days (the LGPD maximum).
- GDPR / UK GDPR information / access / correction requests: 30 days (the GDPR maximum).