1. Introduction
This Privacy Policy ("Policy") explains how Origin BioSense Technologies FZCO ("BioSense", "we", "us", or "our"), a company registered in Dubai Free Zone, United Arab Emirates, collects, uses, processes, stores, and protects your personal data when you access or use the BioSense platform (the "Platform"), including any mobile application, website, and related services.
We are committed to protecting your privacy and handling your personal data in accordance with applicable laws of the United Arab Emirates, including Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL") and its implementing regulations.
BioSense acts as the data controller in respect of the personal data described in this Policy. By creating an account or using the Platform, you acknowledge that you have read and understood this Policy.
2. Scope of This Policy
This Policy applies to all users of the Platform and covers:
- Personal data you provide to us directly;
- Data collected automatically through your use of the Platform;
- Data obtained through integrations with third-party services and connected devices that you choose to link to your account.
3. Definitions
- "Personal Data" means any information relating to an identified or identifiable individual.
- "Sensitive Personal Data" means data revealing health information, including biomarker, laboratory, and physiological data, and any information relating to your physical or mental health.
- "Processing" means any operation performed on personal data, whether automated or not, including collection, recording, organisation, storage, use, disclosure, or deletion.
- "Connected Services" means third-party devices, applications, and data sources that you authorise to share data with the Platform, including WHOOP, Oura, Garmin, Fitbit, Withings, Apple Health, Dexcom, and Levels.
4. Data We Collect
4.1 Account and Identity Information
We collect:
- Name;
- Email address;
- Account credentials and authentication data.
4.2 Health and Sensitive Personal Data
With your consent, you may provide or connect:
- Blood test and laboratory results;
- Biomarker data;
- Wearable and physiological data from Connected Services (for example heart rate, heart rate variability, sleep, recovery, strain, and activity data);
- Lifestyle, wellness, and self-reported information.
This data is classified as Sensitive Personal Data and is processed only on the basis of your explicit consent.
4.3 Data from WHOOP and Other Connected Services
Where you choose to connect a WHOOP account or other Connected Service, we receive physiological and activity data from that service through its official interface (API), strictly in accordance with the permissions you grant and the terms of that service. We collect this data solely to provide the features described in Section 5. You may disconnect any Connected Service at any time, after which we will stop receiving new data from that service.
4.4 Technical and Usage Data
We may automatically collect:
- IP address;
- Device, operating system, and browser information;
- Platform usage and interaction data;
- Log files, diagnostic, and analytics data.
5. How We Use Your Data
We process your data to:
- Bring together your wearable data, laboratory and biomarker results, and self-reported information into a single view, and generate personalised insights, predictions, trends, and goal-led recommendations for you;
- Operate, maintain, secure, and improve the Platform;
- Provide customer support and respond to your requests;
- Detect, prevent, and address security incidents, fraud, or misuse;
- Comply with our legal and regulatory obligations.
BioSense provides health and wellness information for educational and informational purposes only. BioSense does not provide medical advice, diagnosis, or treatment, and the Platform is not a substitute for professional medical care.
6. Use of WHOOP and Connected Service Data
We apply the following commitments to all data received from WHOOP and other Connected Services:
- Purpose limitation — we use this data only to provide and personalise the insights, predictions, and recommendations delivered to you within the Platform.
- No sale of data — we do not sell, rent, or trade your WHOOP or Connected Service data.
- No advertising use — we do not use this data for advertising, and we do not share it with advertising networks or data brokers.
- No AI model training — we do not use WHOOP or other Connected Service data to train, develop, or improve artificial intelligence or machine-learning models. Such data is used only to generate outputs for your own account.
- Deletion on request and disconnection — if you disconnect a Connected Service or request deletion, we will delete the associated data held by us, except where retention is required by law.
- Compliance with service terms — we handle WHOOP data in accordance with WHOOP's developer and API terms, and we limit our access to the scopes you authorise.
7. Legal Basis for Processing
We process your personal data on the following bases under the PDPL:
- Your consent — in particular for the processing of Sensitive Personal Data and connection of Connected Services;
- Performance of a contract — to provide the Platform and services you request;
- Legitimate interests — including securing and improving the Platform, where not overridden by your rights;
- Legal obligations — where processing is required by applicable law.
You may withdraw your consent at any time (see Section 12). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
8. Data Sharing and Disclosure
We do not sell your personal data. We may share your data only as follows:
8.1 Service Providers
We share data with trusted third parties that support our operations, such as cloud hosting and storage providers, and analytics and technology partners. These providers process data only on our documented instructions, under written agreements requiring confidentiality, security, and PDPL-compliant safeguards, and may not use the data for their own purposes.
8.2 AI and Technology Partners
We use AI and technology service providers to operate the analytical features of the Platform. Where such a provider processes your data on our behalf, it does so only to deliver insights to you and under contractual terms that prohibit it from using your data for its own purposes, including the training of its own models, except as permitted by this Policy.
8.3 Legal and Regulatory Authorities
We may disclose your data where necessary to comply with applicable laws or regulations, respond to lawful requests by public authorities, or establish, exercise, or defend our legal rights.
9. International Data Transfers
Your data may be stored and processed in the United Arab Emirates or in other jurisdictions where we or our service providers operate. Where data is transferred outside the United Arab Emirates, we ensure that an adequate level of protection is in place as required by the PDPL — for example, by transferring to jurisdictions recognised as providing adequate protection, or by putting in place appropriate contractual safeguards with the recipient.
10. Data Storage and Security
We implement appropriate technical and organisational measures to protect your data, including:
- Secure servers and infrastructure provided by reputable cloud providers;
- Encryption of data in transit and, where appropriate, at rest;
- Access controls, authentication, and role-based permissions;
- Monitoring and logging to detect unauthorised access.
While we take these measures seriously, no system can be guaranteed to be completely secure. In the event of a personal data breach that is likely to cause harm, we will notify the UAE Data Office and affected users as required by the PDPL.
11. Data Retention
We retain your personal data:
- For as long as your account remains active;
- As necessary to provide the Platform and services to you;
- As required to comply with legal and regulatory obligations.
When data is no longer required, we will securely delete or anonymise it. Data received from Connected Services is deleted following disconnection or account closure, subject to any legal retention requirements.
12. Your Rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Request correction of inaccurate or incomplete data;
- Request deletion of your data;
- Withdraw your consent to processing;
- Object to or restrict certain types of processing;
- Request a copy of your data in a portable format;
- Lodge a complaint with the UAE Data Office.
To exercise any of these rights, please contact us at privacy@bio-sense.ai. We will respond within the timeframe required by applicable law.
13. AI and Automated Processing
BioSense uses artificial intelligence and automated systems to generate insights, predictions, and recommendations based on the data you provide and connect. You acknowledge that:
- AI-generated outputs may not always be accurate or complete;
- Outputs are provided for informational and educational purposes only and are not medical advice;
- BioSense does not make solely automated decisions that produce legal or similarly significant effects on you.
As stated in Section 6, data received from WHOOP and other Connected Services is not used to train or develop AI models.
14. Third-Party Services
The Platform integrates with third-party Connected Services, including wearable devices and external data providers, which you choose to link to your account. These services are controlled by third parties and governed by their own privacy policies. BioSense is not responsible for the privacy practices of those third parties or for the accuracy of data they provide. We encourage you to review their privacy policies before connecting them.
15. Cookies and Similar Technologies
Our website and application may use cookies and similar technologies to operate the Platform, remember your preferences, and analyse usage. You can control non-essential cookies through your browser or device settings. Disabling certain cookies may affect the functionality of the Platform.
16. Children's Privacy
The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete it.
17. Changes to This Policy
We may update this Policy from time to time. Where changes are significant, we will notify users through the Platform or by other appropriate means. Your continued use of the Platform after the updated Policy takes effect constitutes acceptance of the changes.
18. Contact
If you have any questions about this Policy or wish to exercise your rights, please contact: