Privacy Policy

1. Categories of Personal Data processed

   The Data Controller processes the following types of Personal Data voluntarily provided by the Data Subject:

   • Contact Data: first name, last name, address, e-mail address, phone number, pictures, authentication credentials, any further information sent by the Data Subject, etc.
   • Special Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data intended to uniquely identify the natural person, data concerning health or sex life or sexual orientation, collected with the consent of the Data Subject. The Data Subject may withdraw consent at any time

   The Data Controller processes the following types of Personal Data collected automatically:

   • Technical Data: Personal Data produced by devices, applications, tools and protocols such as, for example, information about the device used, IP addresses, browser type, type of Internet provider (ISP). Such Personal Data may leave traces which, combined with unique identifiers and other information received by the servers, can be used to create profiles of individuals
   • Usage Data: such as, for example, pages visited, number of clicks, actions taken, duration of sessions, etc.

   If the Data Subject decides not to provide Personal Data for which there is a legal or contractual obligation, or if such data is a necessary requirement for the conclusion of the contract with the Data Controller, it will be impossible for the Data Controller to establish or continue any relationship with the Data Subject.

   The Data Subject who communicates Personal Data of third parties to the Data Controller is directly and exclusively liable for their origin, collection, processing, communication or divulgation.

2. Cookies and similar technologies

   The Application uses cookies, web beacons, univocal identifiers and other similar technologies to collect the Data Subject's Personal Data on visited pages and links and other actions performed during the use of the Application. This data is stored and then used the next time the interested party browses the Application. The full Cookie Policy can be viewed at the following address: https://www.biome.coach/en/privacy.html

3. Legal basis and purpose of data processing

   The processing of Personal Data is necessary:

   1. for the performance of the contract with the Data Subject and especially:
      1. fulfillment of any obligation arising from the pre-contractual or contractual relationship with the Data Subject
      2. registration and authentication of the Data Subject: to allow the Data Subject to register in the Application, to access it and to be identified in it, also via external platforms
      3. support and contact with the Data Subject: to answer the Data Subject's requests
   2. for legal obligations and especially:
      1. the fulfilment of any obligation provided for by the applicable norms, laws and regulations, in particular, on tax and fiscal matters
   3. for the legitimate interest of the Data Controller, for:
      1. marketing purposes by e-mail of products and/or services of the Data Controller  to directly sell the Data Controller's products or services using the email provided by the Data Subject in the context of the sale of a product or service similar to the one being sold
      2. management, optimization and monitoring of the technical infrastructure: to identify and solve any technical issue, to improve the performance of the Application, to manage and organize the information in a computer system (e.g. server, database, etc.)
      3. anonymous data based statistics: in order to carry out statistical analysis on aggregated and anonymous data in order to analyze behaviors of the Data Subject to improve products and/or services provided by the Data Controller and better meet the expectations of the Data Subject
   4. on the basis the Data Subject's consent, for:
      1. profiling the Data Subject for marketing purposes: to provide the Data Subject with information on the Data Controller's products and/or services through automated processing designed to collect personal information to predict or assess the Data Subject's preferences or behaviors
      2. marketing purposes of the Data Controller’s products and/or services: to send information or commercial and/or promotional materials, to perform direct sales activities of the Data Controller’s products and/or services or to conduct market research with automated and traditional methods
      3. marketing purposes of third-party products and/or services: to send information or commercial and/or promotional materials of third parties, to carry out direct sales activities or to perform market research of their products and/or services with automated and traditional methods

   On the basis of the legitimate interest of the Data Controllerowner, the application allows interactions with external web platforms or social networks whose processing of personal data is governed by their respective privacy policies to which please refer. The interactions and information acquired by this Application are in any case subject to the privacy settings that the Data Subject has chosen on such platforms or social networks. Such information - in the absence of specific consent to processing for other purposes - is used exclusively to allow the use of the Application and to provide the information and services requested.

   The Data Subject's Personal Data may also be used by the Data Controller to protect itself in judicial proceedings before the competent courts.

4. Data processing methods and receivers of Personal Data

   The processing of Personal Data is performed via paper-based and computer tools with methods of organization and logics strictly related to the specified purposes and through the adoption of appropriate security measures.

   Personal Data are processed exclusively by:

   • persons authorized by the Data Controller to process Personal Data who have committed themselves to confidentiality or have an appropriate legal obligation of confidentiality;
   • subjects that operate independently as separate data controllers or by subjects designated as data processors by the Data Controller in order to carry out all the processing activities necessary to pursue the purposes set out in this policy (for example, business partners, consultants, IT companies, service providers, hosting providers);
   • subjects or bodies to whom it is mandatory to communicate Personal Data by law or by order of the authorities.

   The subjects listed above are required to use appropriate measures and guarantees to protect Personal Data and may only access data necessary to perform their duties.

   Personal Data will not be indiscriminately shared in any way.

5. Place

   If necessary, Personal Data may be transferred to entities located outside the European Economic Area (EEA). Whenever Personal Data is transferred outside the EEA, the Data Controller will adopt all appropriate and necessary contractual measures to ensure an adequate level of protection of Personal Data, including - among others - agreements based on the standard contractual clauses for the transfer of data outside the EEA, approved by the European Commission.
   
   Access and registration:

   Data collected through Firebase may be transferred to Google LLC, based in the United States. Google LLC adheres to the Data Privacy Framework (DPF) approved by the European Commission, which guarantees an adequate level of protection of personal data pursuant to art. 45 of Regulation (EU) 2016/679 (GDPR).

   Use of artificial intelligence services – OpenAI (Chatbot, Image Analysis and KPIs):

   Within our platform we use artificial intelligence technologies provided by OpenAI, L.L.C. (USA) to offer interactive chatbot features, automated image analysis (e.g. recognition and description of foods or ingredients) and the processing of performance indicators (KPIs) calculated by our systems.

   When the user interacts with these features, the textual content (e.g. messages entered into the chatbot), the uploaded images and the generated KPIs can be transmitted to OpenAI systems for processing and generation of a response.

   Type of data processed:
   • Texts entered voluntarily by the user while using the chatbot;
   • Images of food or objects uploaded by the user;
   • KPIs calculated by our systems, which may derive from user interactions with the platform;
   • Minimum technical metadata (e.g. file type, resolution), only if necessary for the system to function.

   We do not intentionally collect or transmit sensitive or identifying personal data (e.g. faces, documents, unnecessary health information). However, we invite you to not upload images that contain recognizable people or private information.

   Purpose and legal basis of the processing:

   The processing is aimed at providing the service requested by the user (art. 6, par. 1, letter b GDPR), namely: providing interactive responses, processing content generated by artificial intelligence and supporting the user in using the platform.

   Transfer of data to third countries:

   The data sent to OpenAI may be processed on servers located in the United States, where the provider is based. OpenAI is not currently certified according to the Data Privacy Framework (DPF), therefore the transfer occurs on the basis of the Standard Contractual Clauses (SCCs) provided for by art. 46 of the GDPR.

   We have implemented technical, contractual and organizational measures to reduce the risks associated with the transfer, including data minimization, non-use for profiling purposes and processing only on a temporary basis.

   Data retention:

   The data transmitted to OpenAI are not retained by our platform for purposes other than generating the real-time response. Any technical or diagnostic logs are managed in compliance with the principles of storage limitation.

   We invite you to use the chatbot and image analysis services responsibly and not to send unnecessary personal data.
   
   To request information on the specific guarantees adopted, the Data Subject can contact the Data Controller at the following email address info@biome.coach.

6. Fully automated decision-making processes

   The Data Controller uses fully automated decision-making processes that may produce legal effects for the Data Subject or significantly affect him or her and that operate according to these criteria:
   
   Data Analysis:
   The BioMe platform adopts a transparent and secure approach in the analysis of the data collected. The raw data provided by the user is saved exclusively within the platform infrastructure and is not shared with third parties, unless expressly required by law or authorized by the user.
   The data collected is analyzed through automatic processes that process the information to identify and calculate useful parameters. These parameters are for information purposes only and are not used to make decisions that produce legal or significant effects on the user without their consent.
   The analyzed data is used to generate customized summary reports, which are made available to users to allow them to obtain a clear and simplified overview of the information processed. In addition, the platform offers an interactive interface, accessible via a dedicated chatbot, that allows the user to access and analyze their data autonomously, exploring additional details or delving into specific areas of interest.
   Biome ensures that all data analysis processes comply with current regulations on personal data protection and that user information is treated with the utmost respect for privacy and security.
   
   Chatbot Features:
   The chatbot integrated into the BioMe platform is designed to operate completely autonomously, using advanced technologies based on LLM (Large Language Model) models. This tool offers three main features:
   
   1. Support on the use of the BioMe app
   Users can ask questions related to the operation and use of the BioMe app. The chatbot provides clear and practical answers to help users navigate and make the most of the platform's features.
   2. Information on health and wellness
   The chatbot can provide general information and advice on health and wellness practices. These contents are based on reliable sources and are intended to improve users' awareness on topics related to personal care, always maintaining an approach that does not replace professional medical advice.
   3. Analysis of the user's personal data
   The chatbot is able to analyze the data collected from the user on the platform to provide personalized answers. During this process, a high level of privacy protection is guaranteed: raw data is never shared with third parties. Only the final result of the data analysis (for example an aggregate value or an interpretative summary) is used to generate the answers. This approach ensures that the information remains confidential and that the data processing takes place in accordance with the principles of security and minimization.
   The chatbot does not make autonomous decisions that may have legal or significant effects on the user, but limits itself to providing informational and operational support.
   
   PRECAUTIONS:
   THE SERVICES ARE NOT A MEDICAL DEVICE AND YOU EXPRESSLY AGREE THAT THE SERVICES DO NOT CONSTITUTE THE PROVISION OF MEDICAL ADVICE BY BIOME. THE SERVICES ARE NOT INTENDED TO DIAGNOSE, TREAT, CURE OR PREVENT ANY DISEASE OR MEDICAL CONDITION. THE SERVICES ARE FOR INFORMATIONAL PURPOSES ONLY AND ARE NOT A SUBSTITUTE FOR THE SERVICES OF A DOCTOR OR MEDICAL PROFESSIONAL.
   THE SERVICES, INCLUDING ALL INFORMATION, TEXT, PHOTOGRAPHS, IMAGES, ILLUSTRATIONS, GRAPHICS, AUDIO, VIDEO AND AUDIO-VIDEO CLIPS AND OTHER MATERIALS, WHETHER PROVIDED BY US OR ANY THIRD PARTY, SHOULD NOT BE USED AS A SUBSTITUTE FOR (a) THE ADVICE OF YOUR DOCTOR OR OTHER MEDICAL PROFESSIONAL, (b) A VISIT, CALL OR CONSULT WITH YOUR DOCTOR OR OTHER MEDICAL PROFESSIONAL, OR (c) ANY INFORMATION CONTAINED ON OR IN ANY PRODUCT PACKAGING OR LABEL.
   IF YOU HAVE ANY QUESTIONS ABOUT YOUR HEALTH, PROMPTLY CALL OR SEE YOUR DOCTOR OR OTHER MEDICAL PROVIDER. IN THE EVENT OF AN EMERGENCY, CALL YOUR MEDICAL DOCTOR OR 911 IMMEDIATELY. YOU SHOULD NEVER DISREGARD MEDICAL ADVICE OR DELAY IN SEEKING MEDICAL ADVICE BECAUSE OF ANY INFORMATION PRESENTED ON THE SERVICES, AND YOU SHOULD NOT USE THE SERVICES OR ANY INFORMATION PROVIDED ON THE SERVICES TO DIAGNOSE OR TREAT A HEALTH PROBLEM. THE TRANSMISSION OR RECEIPT OF SERVICES, IN WHOLE OR IN PART, OR COMMUNICATION VIA THE INTERNET, EMAIL OR OTHER MEANS DOES NOT CONSTITUTE OR CREATE A DOCTOR-PATIENT, THERAPIST-PATIENT, OR OTHER HEALTH CARE PROFESSIONAL RELATIONSHIP BETWEEN YOU AND BIOME.
   Always consult a physician before making any changes to your sleep or activities based on information provided through the Services, or if you have any questions about your medical condition. Biome is not responsible for any health problems that may arise from information acquired through the Services. If you make any changes to your sleep or activities based on Biome Services, you agree to do so at your own risk. It is important to pay attention to your body's responses. For example, if you experience unexpected, repeated, or prolonged pain, fatigue, or discomfort after making changes to your sleep or activities, we recommend that you consult a physician before making any changes. Information in the Services may be misleading if your physiological functions and responses differ significantly from the population average due to medical conditions or rare natural differences..

7. Personal Data storage period

   Personal Data will be stored for the period of time that is required to fulfill the purposes for which it was collected. In particular:

   • for purposes related to the execution of the contract between the Data Controller and the Data Subject, will be stored for the entire duration of the contractual relationship and, after termination, for the ordinary prescription period of 10 years. In the event of legal disputes, for the entire duration of such disputes, until the time limit for appeals has expired
   • for purposes related to legitimate interests of the Data Controller, they will be stored until the fulfilment of such interest
   • in compliance with legal obligations, by order of an authority and for legal protection, they shall be stored according to the relevant timeframes provided for by such obligations, regulations and, in any case, until the expiry of the prescriptive term provided for by the rules in force
   • for purposes based on the consent of the Data Subject, they will be stored until the consent is revoked

   At the end of the conservation period, all Personal Data will be deleted or stored in a form that does not allow the identification of the Data Subject.

8. Rights of the Data Subject

   Data Subjects may exercise specific rights regarding the Personal Data processed by the Data Controller. In particular, the Data Subject has the right to:

   • be informed about the processing of their Personal Data
   • withdraw consent at any time
   • restrict the processing of his or her Personal Data
   • object to the processing of their Personal Data
   • access their Personal Data
   • verify and request the rectification of their Personal Data
   • restrict the processing of their Personal Data
   • obtain the erasure of their Personal Data
   • transfer their Personal Data to another data controller
   • file a complaint with the Personal Data protection supervisory authority and/or take legal action.

   In order to use their rights, Data Subjects may send a request to the following e-mail address info@biome.coach. Requests will be immediately treated by the Data Controller and processed as soon as possible, in any case within 30 days.

9. Use of the camera

   The application may request access to the device's camera to allow the user to capture images for use within the app's features. Images are processed exclusively to provide the services provided by the application and are not shared with unauthorized third parties. Visual data is not used for marketing or profiling purposes. The user can revoke access to the camera at any time via the device settings.

Last update: 05/05/2025