biosatlas

Privacy Notice

Version:

This notice explains what data we process about you, why, on what legal basis, who else sees it, and what you can do about it. It is the same notice for everyone, regardless of where you live, with regime-specific rights called out by jurisdiction.

1. Who controls your data

The controller of your data is A H LEDIG IVOLUT SOFTWARE LTDA, a Brazilian single-shareholder limited liability company (Sociedade Limitada Unipessoal, registered under the small-enterprise tax regime EPP).

  • CNPJ: 36.062.448/0001-87
  • NIRE: 35235819092
  • Inscrição Municipal: 402865
  • Registered address: Rua Cambroé 243, Alphaville 2, 12244-045 São José dos Campos, SP, Brazil
  • Person responsible for processing: Alexander H Ledig
  • Privacy contact: privacy@gambrio.com

The controller operates the service “biosatlas.”

2. What data we collect

  • Account data: your email address, your name (optional), your profile photo (optional, provided by your sign-in provider).
  • Health data — special-category / sensitive personal data: the bloodwork PDFs and images you upload, the extracted marker values, units, reference ranges, lab metadata, and observation timestamps.
  • Profile data: your sex (optional) and date of birth (optional), used to select age- and sex-appropriate reference ranges.
  • Consent metadata: the date you consented and the version of this notice you consented to.
  • Usage metadata: session tokens, magic-link verification tokens, extraction job logs, per-extraction model-call cost.

4. Who else processes your data on our behalf

Sub-processorPurposeRegion & transfer basisStatusPrivacy policy
Fly.ioApplication hosting (the virtual machine that runs the service).EU (Frankfurt). Note: Fly.io's control plane and aggregated logs are US-hosted.PlannedView policy
ResendTransactional email (sign-in magic links).EU.ActiveView policy
OpenAI ([OPENAI_ORG_NAME — pending Alex creates the side-project org])Vision extraction of your uploaded bloodwork (your image bytes are sent to OpenAI's API).United States. Transfer under Standard Contractual Clauses (SCCs), Module 2 (controller-to-processor). OpenAI retains API inputs for up to 30 days for abuse monitoring; OpenAI does not train on API data by default.ActiveView policy
AnthropicAlternate vision provider, only active if the controller explicitly switches to it (configuration: BLOODWORK_PROVIDER=anthropic). Not active in this release.United States. Transfer under SCCs. Zero retention by default.DormantView policy

This list is current as of the date at the top of this notice. Any addition, removal, or material change triggers a notice update and re-consent.

5. When your data leaves your country

Your uploaded image bytes are processed by OpenAI in the United States under Standard Contractual Clauses, Module 2 (controller-to-processor). No other data leaves the EU hosting region. UK residents' data is handled identically; the SCCs include UK-specific addenda (UK IDTA / Addendum) where applicable.

6. How long we keep your data

We keep your account and all data associated with it for as long as your account exists. You can delete your account at any time:

  • Self-serve: the “Delete my account” button at the bottom of this notice (or in your profile) invokes DELETE /api/account. This cancels any active extraction jobs within ~30 seconds (the time for the current page to finish processing), deletes all your panels and markers, and deletes your account.
  • By email: write to privacy@gambrio.com.

We commit to processing deletion requests within 24-72 hours. LGPD allows us up to 15 days; GDPR allows up to 30 days; our target is faster.

Once you initiate deletion, we stop accepting new uploads immediately. Any extraction job already in flight is cancelled within ~30 seconds; data already sent to sub-processors during that window is governed by their retention policies (Section 4).

There are no automated backups in this release. Your data exists only on the production database. If you want a backup, regularly export your data as JSON via the /api/export endpoint or the export button in the app.

Sub-processor retention: OpenAI keeps API inputs up to 30 days (default policy), Resend keeps email metadata up to 30 days, Fly.io retains operational logs indefinitely.

7. Your rights — EU and UK users (GDPR + UK GDPR)

  • Access (Art. 15): your data is visible in the app; the /api/export endpoint returns a complete machine-readable export.
  • Rectification (Art. 16): edit any marker directly in the app.
  • Erasure (Art. 17): the “Delete my account” button cascades all your data.
  • Restriction of processing (Art. 18): use the “Withdraw consent” button below to pause future processing without deleting your account.
  • Portability (Art. 20): the /api/export JSON export is machine-readable.
  • Objection (Art. 21): withdraw your consent at any time and we stop processing immediately.
  • Withdraw consent (Art. 7(3)): at any time, via the button below. Lawfulness of processing before withdrawal is unaffected.
  • Complain to a supervisory authority: see Section 12 below.

8. Your rights — Brazilian users (LGPD Art. 18)

  • Confirmation of the existence of processing.
  • Access to your data.
  • Correction of incomplete, inaccurate, or outdated data.
  • Anonymization, blocking, or deletion of unnecessary or excessive data.
  • Portability of your data to another service or product provider.
  • Deletion of data processed with your consent.
  • Information about the public and private entities with which the controller has shared your data (see Section 4).
  • Information about the possibility of not giving consent and the consequences (you cannot use the service without consenting).
  • Revocation of consent at any time.
  • Complain to the National Data Protection Authority (ANPD) — see Section 12.

9. How we protect your data

  • In transit: HTTPS everywhere (TLS via Let's Encrypt managed by Fly.io).
  • At rest: Fly.io Volume disk encryption (LUKS-style).
  • Logging discipline: the application uses a redactPHI() helper to remove your name and date of birth before any data is written to logs.
  • Application-layer encryption (encryption of data at the application layer in addition to disk encryption) is NOT implemented in this release. It is on the roadmap for the next release.

11. Automated decision-making

This service does not make automated decisions about you that produce legal or similarly significant effects (GDPR Art. 22 / LGPD Art. 20). The vision-extraction step is automated processing, but the result is a set of values you review — no decisions about you are made by the system.

12. Complaining to a data protection authority

You have the right to complain to your local data protection authority. You do not need to contact us first, but we encourage it — it's usually faster.

13. Versioning + updates

This notice is versioned by its effective date, shown at the top of the page. When we make a change, we update the version and require you to re-consent the next time you sign in.

A history of past versions is available on request from privacy@gambrio.com.

14. Cookies we use

This service uses three cookies, all strictly necessary for the service to function:

  • authjs.session-token (or similar) — keeps you signed in. Set by the sign-in system (Auth.js). Session or 30 days.
  • bdl-language — remembers which language you read the app in. Set when you visit for the first time or change languages in your profile. 1 year.
  • bdl-format-locale — remembers which number/date format you prefer (e.g., 1,234.56 vs 1.234,56). 1 year.

All three are essential — without the session cookie you can't be signed in; without the language cookies the app cannot deliver content in a language you can read. Per GDPR Recital 30, strictly-necessary cookies do not require a consent banner. We do not use analytics, advertising, or tracking cookies.

15. Children

This service is not intended for users under 18 years old. We do not knowingly collect data from minors. If you believe a minor has signed up, contact privacy@gambrio.com and we will delete the account.

16. Contact us + response times

Privacy inquiries: privacy@gambrio.com

Response time commitments

  • Account deletion: 24-72 hours.
  • LGPD information / access / correction requests: 15 days (the LGPD maximum).
  • GDPR / UK GDPR information / access / correction requests: 30 days (the GDPR maximum).