App Privacy Policy

    Last Updated: March 19, 2026

    1. Introduction

    Welcome to LongevLab. The protection and security of your personal data are important to us. This Privacy Policy explains how we handle your information and underscores our commitment to your privacy, built on our hybrid architecture where your sensitive health data is processed locally on your device whenever possible. Your trust is the foundation of our service.

    2. Data Controller Information

    Company: LongevLab ("we," "us," or "our")

    Contact: For any privacy-related questions, please contact our Data Protection team at hello@longevlab.com.

    3. The Data We Handle and Our Legal Basis for Processing

    We are transparent about what data we process and why. For each purpose, we have a clear legal basis under GDPR.

    A. Data Processed Locally on Your Device (Not Stored by Us):

    This is the core of your health information, which remains under your control on your device.

    Apple HealthKit Data: With your explicit, granular consent (Art. 6.1.a GDPR), our app reads your HealthKit data to perform on-device analysis. We request read-only access to the following data types: step count, flights climbed, heart rate, resting heart rate, heart rate recovery, active energy burned, body mass, height, VO2 max, heart rate variability (HRV/SDNN), respiratory rate, body fat percentage, lean body mass, sleep analysis, wrist temperature, and workout data. We never write data to HealthKit.

    User-Entered Health Data: When you provide biomarker values (lab markers), custom lab markers, or health questionnaire responses (age, height, weight, gender, birth date, health goals), our app processes this data locally. This data is stored on your device using Apple's SwiftData framework, protected by your device's encryption.

    Journal Entries: Personal journal entries you create are stored locally on your device.

    Chat Conversations: Conversations with the in-app AI assistant are stored locally on your device. You control which data categories (profile, health metrics, lab results) are shared with the AI assistant for each conversation.

    B. Data We Collect and Store on Our Servers:

    We collect a limited set of data to provide and manage our service.

    Account Information:

    Data: Your Apple ID identifier, name, and email address (provided through Sign in with Apple). These credentials are stored securely in your device's Keychain, and your account is managed through Firebase Authentication.

    Purpose: To create and manage your LongevLab account and to communicate essential service information with you.

    Legal Basis: Performance of a Contract (Art. 6.1.b GDPR).

    Device Information:

    Data: Device platform, app version, build number, a vendor identifier, and push notification token (FCM token). This information is stored in our Firebase Firestore database.

    Purpose: To deliver push notifications, ensure compatibility, and support security and troubleshooting.

    Legal Basis: Legitimate Interest (Art. 6.1.f GDPR), specifically our interest in ensuring the functionality and security of the app.

    Profile Image:

    Data: An optional profile photo you may upload, stored as compressed image data (max 256×256 pixels).

    Purpose: To personalize your account experience.

    Legal Basis: Consent (Art. 6.1.a GDPR). You may remove your profile image at any time.

    C. Data Processed by Third-Party AI Services:

    Certain features require sending data to external AI providers for processing.

    AI Chat Assistant:

    Data: When you use the chat feature, your messages and any health data you choose to include (profile data, health metrics, lab results) are sent to our backend, which forwards them to Google Gemini or OpenAI for response generation.

    Purpose: To provide personalized health insights and answer your questions.

    Legal Basis: Consent (Art. 6.1.a GDPR). You explicitly control which data categories are shared with the AI assistant for each conversation.

    Safeguards: Data is transmitted over encrypted connections (TLS). AI providers process data according to their respective data processing agreements.

    Deep Research Reports:

    Data: When you request a Deep Research report, your health profile, lab markers, health questionnaire responses, HealthKit metrics, and lifestyle data are sent to Google Gemini's Deep Research model for comprehensive analysis.

    Purpose: To generate a personalized, evidence-based health analysis report with citations from medical literature.

    Legal Basis: Consent (Art. 6.1.a GDPR). You explicitly initiate each report request.

    Retention: Report data and request data are stored on our servers for 72 hours after generation, then automatically deleted.

    Disclosure: Each report includes a data processing disclosure specifying the AI provider, model used, and data retention period.

    D. Data We Generate or Infer:

    Purpose: Based on the data processed locally, our algorithms generate inferred data points such as your Sleep Score, Recovery Score, System Scores (cardiovascular, metabolic, body composition, respiratory, recovery), Wellbeing Score, and Digital Biological Age. These are presented to you within the app to provide a deeper understanding of your health.

    Legal Basis: Performance of a Contract (Art. 6.1.b GDPR), as generating these insights is the core service you have signed up for.

    4. Optional iCloud Sync

    LongevLab supports optional synchronization of your on-device data via Apple's CloudKit (iCloud). When enabled, your health metrics, lab markers, journal entries, chat conversations, and other app data are synced to your private iCloud database, encrypted by Apple. This enables data to sync between your devices. This sync uses Apple's infrastructure and is governed by Apple's privacy practices. We do not have access to your iCloud-synced data on Apple's servers.

    5. Provision of Personal Data

    Signing in with your Apple ID is a contractual requirement necessary to create a LongevLab account. If you do not sign in, you will be unable to use the features of the Service that require an account. Granting HealthKit permissions, sharing data with AI features, enabling iCloud sync, and enabling telemetry are all optional.

    6. Analytics and Diagnostics (Telemetry)

    We offer two separate, independently controllable telemetry categories. You are prompted for consent during onboarding and can change your preferences at any time in Settings.

    Diagnostics (Crash Reports & Performance):

    When enabled, we collect crash reports via Firebase Crashlytics and performance traces via Firebase Performance Monitoring. This data helps us identify and fix bugs and performance issues.

    Usage Analytics:

    When enabled, we collect anonymized usage events via Firebase Analytics, such as which features you use, onboarding completion, and error occurrences. Event names and values are truncated and sanitized. Your Firebase user ID is cleared from analytics data when you sign out.

    Legal Basis: Consent (Art. 6.1.a GDPR). Both categories are opt-in during onboarding and can be disabled at any time.

    7. Push Notifications

    With your permission, we send push notifications via Firebase Cloud Messaging (FCM). Notification categories include sleep insights, activity milestones, weekly health reports, lab result alerts, journal prompts, and feature tips. Your FCM token is stored in our Firestore database to deliver these notifications. You can disable notifications at any time through your device settings or within the app.

    8. Automated Decision-Making and Profiling

    Our Service utilizes automated processing and profiling to function.

    Logic Involved: Our proprietary algorithms analyze your physiological data against scientific models, population norms, and your personal baselines to calculate your scores and insights (e.g., Digital Biological Age, System Scores, Wellbeing Score). AI-powered features (Chat, Deep Research) use large language models to provide personalized health information based on your data and published medical literature.

    Significance & Consequences: The purpose of this automated processing is not to make decisions that have legal or similarly significant effects on you, but rather to provide you with a personalized and actionable understanding of your health trends to help you reach your wellness goals. AI-generated content is informational and does not constitute medical advice.

    9. Third-Party Service Providers

    We do not sell your personal data. We use the following third-party service providers to operate our app:

    Google Firebase (Google LLC):

    Authentication, cloud database (Firestore), crash reporting (Crashlytics), analytics, performance monitoring, push notifications (FCM), and app integrity verification (App Check). Data is processed in accordance with Google's Data Processing Terms.

    Google Gemini (Google LLC):

    AI-powered chat responses and Deep Research report generation. Health data you choose to share is sent to Gemini's API for processing. Google processes this data under their API data processing terms.

    OpenAI (OpenAI, L.L.C.):

    Used as an alternative AI provider for chat functionality. When active, chat messages and selected health data are processed by OpenAI's models under their data processing agreement.

    Apple (Apple Inc.):

    Sign in with Apple for authentication, HealthKit for health data access, CloudKit for optional iCloud sync, and Apple Push Notification service (APNs). Data is processed in accordance with Apple's privacy policies.

    Google Cloud Platform:

    Our backend infrastructure is hosted on Google Cloud, including Cloud Tasks for asynchronous processing and Cloud Storage for temporary report storage.

    10. International Data Transfers

    Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically to Google (United States) and OpenAI (United States) servers. When we transfer data outside the EEA, we ensure that a similar degree of protection is afforded to it by using legal safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and relying on adequacy decisions where applicable.

    11. Data Retention and Deletion

    We apply different retention periods depending on the type of data:

    • On-device data (HealthKit metrics, lab markers, journal entries, chat conversations, scores): Stored on your device and optionally in your iCloud account. Deleted when you remove the app or delete data within the app.
    • Account data (name, email, Firebase auth): Retained as long as your account is active. Permanently deleted upon account deletion request.
    • Deep Research reports and request data: Automatically deleted 72 hours after generation.
    • AI observability metadata (anonymized processing logs): Automatically deleted after 30 days. Raw content artifacts are deleted after 72 hours.
    • Credit transaction records: Retained for legal and accounting purposes as required by applicable law.
    • Device and push notification tokens: Retained while your account is active and removed upon account deletion.
    • Crash reports and analytics: Retained according to Firebase's standard retention periods.

    You can request the deletion of your account and all associated data at any time by contacting us. Upon receiving a request, we will permanently remove your account data from our systems.

    12. Data Security

    We implement appropriate technical and organizational measures to protect your data:

    • Authentication credentials are stored in your device's secure Keychain, not in plain storage.
    • On-device data is encrypted by your device's operating system.
    • CloudKit data is stored in your private iCloud database with Apple's end-to-end encryption.
    • All data transmissions use TLS encryption.
    • Firebase App Check verifies device integrity to prevent unauthorized access.
    • Firebase Authentication tokens are validated server-side with revocation checking.

    13. Your Privacy Rights

    As a data subject, you have the following rights regarding the personal data we store:

    Right of Access: You have the right to obtain confirmation as to whether your personal data is being processed and to access that data.

    Right to Rectification: You have the right to obtain the correction of inaccurate personal data.

    Right to Erasure ('Right to be Forgotten'): You have the right to request the deletion of your personal data under certain conditions.

    Right to Restriction of Processing: You have the right to request the restriction of processing of your personal data under certain conditions.

    Right to Data Portability: You have the right to receive the data you provided to us in a structured, commonly used, and machine-readable format.

    Right to Object: You have the right to object to processing based on our legitimate interests.

    Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw that consent at any time. For telemetry, you can do so in the app's Settings. For HealthKit, you can revoke permissions in your device's Health app settings. For AI features, you control data sharing per conversation.

    You can exercise these rights by contacting us at hello@longevlab.com. You also have the right to lodge a complaint with a supervisory authority, such as the CNPD in Portugal.

    14. Children's Privacy

    We do not knowingly collect Personal Data from children under the age of 18. If you are under the age of 18, please do not submit any Personal Data through the app.

    15. Policy Updates

    We reserve the right to update or modify this Privacy Policy at any time. We will inform you of any significant updates to this policy through the app or via email. The "Last Updated" date at the top of this policy indicates when it was last revised.

    16. Contact Us

    If you have any questions about this Privacy Policy or our information practices, please send an email to hello@longevlab.com. When you contact us, we will do our best to address any concerns you may have about our processing of your Personal Data.