Privacy Policy

Last Updated: 2026-01-24

At BioPrisma, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our biochemical nutrition analysis platform.

By using our Service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address (required for account creation)
  • Name (optional, for personalization)
  • Profile picture (if using Google OAuth)
  • Professional role and practice type (optional, for analytics)
  • State/region (optional, for demographic analysis)

1.2 Payment Information

Payment processing is handled by Stripe, a third-party payment processor. We do not store your credit card information. Stripe collects and processes payment data in accordance with their privacy policy and PCI-DSS standards. See Stripe's Privacy Policy.

1.3 Usage Data

We automatically collect information about how you use our Service, including:

  • Number of analyses performed
  • Features accessed
  • Time spent on the platform
  • Device information (browser type, operating system)
  • IP address (for security and fraud prevention)

1.4 HIPAA and Health Data

We treat all client and practitioner health data as protected health information (PHI) and comply with HIPAA. We do not sell, share, or use your or your clients' health data for research or marketing. Health data is used only to provide the Service (e.g., biomarker analysis, recommendations) and as permitted by our Business Associate Agreement where applicable.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Service
  • Process your subscription and payments
  • Send you service-related communications
  • Respond to your inquiries and support requests
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

3. Data Sharing and Disclosure

3.1 Service Providers

We share information with trusted third-party service providers who assist us in operating our Service:

  • Stripe: Payment processing (see Stripe's privacy policy)
  • Xata: Database hosting (data stored in US data centers)
  • Vercel: Application hosting (see Vercel's privacy policy)
  • Google: OAuth authentication (if you sign in with Google)

3.2 No Sale or Sharing of Health Data

We do not sell, share, or license your or your clients' health data to research institutions, pharmaceutical companies, or any third parties for research or marketing. Health data is used only to provide the Service.

3.3 HIPAA Compliance

HIPAA-Compliant Platform

BioPrisma is committed to HIPAA compliance. We protect protected health information (PHI) with appropriate administrative, physical, and technical safeguards. We do not use or disclose PHI except as necessary to provide the Service or as required by law.

Business Associate Agreement (BAA): Available for covered entities and business associates. Contact info@bioprisma.io to request a BAA.

We may disclose your information if required by law, court order, or government regulation, or to protect our rights, property, or safety, or that of our users or others.

3.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

4. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption at Rest: AES-256 encryption for stored data
  • Encryption in Transit: TLS 1.3 for all data transmission
  • Secure Data Centers: All data hosted in United States data centers
  • Access Controls: Limited access to personal data on a need-to-know basis
  • Regular Security Audits: We undergo regular security assessments
  • SOC 2 Type II: Certification in progress (expected 2025)

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

5. Your Rights and Choices

You have the following rights regarding your personal information:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and data
  • Export: Export your data in a machine-readable format
  • Object: Object to certain processing activities

To exercise these rights: Email us at privacy@bioprisma.io with your request. We will respond within 30 days.

6. Children's Privacy

Our Service is intended for healthcare professionals who are at least 18 years old. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us immediately.

7. International Users

Our Service is operated from the United States. If you are accessing our Service from outside the United States, please be aware that:

  • Your information may be transferred to, stored, and processed in the United States
  • US data protection laws may differ from those in your country
  • By using our Service, you consent to the transfer of your information to the United States

For users in the European Economic Area (EEA), we comply with GDPR requirements. Contact us at info@bioprisma.io for GDPR-specific requests.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience. See our Cookie Policy for detailed information.

9. Changes to Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 30 days before they take effect.

The "Last Updated" date at the top of this page indicates when this policy was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact Information

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

BioPrisma Privacy Team
Email: privacy@bioprisma.io
Address: [Your Business Address]

By using BioPrisma, you acknowledge that you have read and understood this Privacy Policy.