Version 0.1
Lifexam — Privacy Policy
Version: 1.0 (draft) · Effective date: [DATE]
Draft note for internal review — not for publication. Bracketed
[...]items await confirmation (DPO identity, company details, and the engineering confirmations from the drafting plan: the 14-day backup-erasure window as true worst-case, the categorisation-first failure-diagnosis path, and key-custody separation). This Policy is written in clear language as GDPR Article 12 requires; the per-purpose detail lives in the processing table in section 4.
This Privacy Policy explains what personal data Lifexam collects, why, on what legal basis, how long we keep it, who receives it, and the rights you have. It describes the same processing that you agree to in the Terms & Conditions and the in-app consent screens — and it is written to say the same thing as those screens.
1. Who is responsible for your data
[Lifexam Ltd] (Irish company number [NUMBER], registered office [ADDRESS]) is the sole data controller for the personal data described here. We decide what data is processed and why, and we are accountable for it.
We have appointed a Data Protection Officer, who is a named, accountable [person / external firm] — [DPO name and contact]. You can contact the DPO for any question about your data or this Policy.
Our lead supervisory authority is the Irish Data Protection Commission (DPC).
2. Our promise about your health data
Most of what you store in Lifexam is health data, which the law treats as a special category needing the highest protection. We treat it that way.
Your data is hosted within the European Economic Area (EEA), in Ireland. We do not transfer your health data outside the EEA. We never sell your data and never share it for advertising.
3. What we collect, and from where
- Account data — your name, email, and the credentials used to secure your account; or, if you sign in through a third-party provider (currently Google or Apple), the basic profile information they return to confirm your identity.
- Your declared country — which you tell us at sign-up. This determines which country's rules apply to you; it is not guessed from your IP address.
- Documents you upload — your medical documents (health data).
- Extracted Data — the structured information our systems read from your Documents: test names, values, units, reference ranges, dates, practitioner references (health data).
- Managed-profile data — where you keep a profile for someone else (a dependent adult or your child), the documents and data you upload for them (health data), and your confirmation that you are authorised to manage it. See section 13.
- Corrections — changes you make to Extracted Data using the correction tool.
- Reviews and feedback — reviews of facilities or professionals, survey responses, and suggestions.
- Technical data — connection and usage information, including IP address, needed to run and secure the Service.
4. How and why we use your data
Each purpose below has its own legal basis and retention period. This table is the detailed core of this Policy.
| Purpose | Data used | Legal basis | How long we keep it |
|---|---|---|---|
| Create and manage your account | Name, email, account credentials, declared country | Contract (Art. 6(1)(b)) | Until you close your account (plus a short grace period) |
| Store your original Documents | Uploaded Documents (health data) | Your explicit consent (Art. 9(2)(a)) | Until you delete them or close your account; a 7-day grace period, then permanent erasure |
| Extract structured data from your Documents | Health data within Documents | Your explicit consent (Art. 9(2)(a)) | As above; deletion cascades to Extracted Data |
| Let you correct extraction errors | Corrections you submit | Your explicit consent (Art. 9(2)(a)) — for service quality, not model training | Kept with your record |
| Diagnose systematic processing failures | Document type and issuing organisation (not your identity or results) | Legitimate interest in improving the Service (data-minimised) | Short, fixed operational window |
| Investigate a specific processing problem, on request or escalation | Document content (health data); an access log | Your request / explicit consent (Art. 9(2)(a)); escalation is data-minimised quality assurance, not training | Access ends when resolved; the access log is kept and is available to you |
| Account sign-in via Google or Apple | Profile data the provider returns | Contract (Art. 6(1)(b)) | With your account; used for authentication only — never linked to your health data |
| Reviews of facilities and professionals | Review text, rating, your identity | Contract / legitimate interest (Art. 6(1)(b)/(f)); special-category rules apply only if a review reveals health data | Until you delete the review, or we remove it under the Content Guidelines |
| Product analytics | Usage events and page views (no health data) | Legitimate interest / consent — light, because analytics is self-hosted and privacy-respecting | Short, fixed window |
| Feedback and surveys | Responses, ratings, free text | Consent or legitimate interest | Anonymised after a short window |
| Security and fraud prevention | Connection and usage logs, IP address | Legitimate interest | Short, fixed periods |
| Support | Your contact details and request | Contract / legitimate interest | A fixed period after your request |
| Establishing or defending legal claims | Relevant data | Legal obligation / legitimate interest | The applicable limitation period |
| Research and AI-model training | — | Not active. Would require your separate, explicit, future opt-in (Art. 9(2)(a)) | Not applicable until and unless activated |
5. The legal bases, in plain terms
- Your account runs on the basis of our contract with you (the Terms).
- Storing your Documents and extracting data from them runs on your explicit consent, which we ask for before your first upload. Explicit consent is the right and most protective basis for health data, and you can withdraw it at any time.
- Some supporting activities (security, basic analytics, support) run on our legitimate interests, balanced against your rights.
Research and AI-model training are switched off. Your consent does not include them. We will ask you separately and explicitly if we ever offer them, and you will be free to say no. Nothing happens to your data for these purposes unless you actively opt in.
6. Automated processing and AI
The extraction of structured data from your Documents is performed by an automated AI system (OCR and machine-learning models). We tell you this here, and again in the app where your Extracted Data appears.
This processing organises and displays your information. It does not make any decision about you that produces legal or similarly significant effects — there is no automated decision-making of that kind in Lifexam. We organise; we do not decide.
7. Who receives your data
We keep the list of recipients deliberately short. This Policy — not our cookie notice — is the complete record of who receives data.
- Amazon Web Services (AWS) — our single external infrastructure provider. AWS hosts the Service and runs the AI inference, within the EEA (Ireland). The specific AI models we use may change over time; they run within the AWS EEA environment and your data is not shared with model vendors or used to train their models.
- Self-operated components — the systems that read documents, look up reference codes, store data, and manage encryption keys run on our own infrastructure with no external calls. They are not separate recipients of your data.
- Google and Apple — only if you choose to sign in with them, and only for authentication. They confirm your identity to us and learn that a sign-in to Lifexam occurred; we do not share your health data with them.
- Analytics — our analytics is self-hosted, so usage data is not sent to an external analytics company.
We do not sell your data or share it for advertising. A full, current list of any sub-processors is available [on request / at LINK].
8. International transfers
Our position is simple: your health data stays within the EEA. If any future recipient were located outside the EEA, we would put in place the safeguards the law requires (such as Standard Contractual Clauses) and update this Policy first. At launch, health data does not leave the EEA.
9. How long we keep your data, and what happens when you delete it
Retention is set per purpose in the table in section 4. For your Documents and Extracted Data, the rule is the product promise: we keep them until you delete them or close your account.
When you delete a Document or close your account:
- it is removed from active systems immediately and put beyond use;
- because our backups are stored as secure, immutable bundles that rotate on a fixed cycle, your data is fully erased from all backups within a maximum of [14] days;
- during that period, backups are used only for disaster recovery, never for anything else.
There is a short 7-day grace period after deletion (to protect against accidental deletion) before erasure becomes permanent. You can also set an auto-delete schedule; by default, nothing auto-deletes. The practical "how" of all this is explained in plain language in the Vault Policy.
10. Your rights
You have the right to:
- access the data we hold about you;
- correct inaccurate data (your Documents stay authoritative — see the correction tool);
- erase your data ("right to be forgotten") — this cascades across every copy, including backups within the period above;
- restrict or object to certain processing;
- port your data — receive it in a structured, commonly used, machine-readable format;
- withdraw consent at any time, as easily as you gave it;
- complain to a supervisory authority (the Irish DPC, or the authority in your own country).
The easiest way to exercise most of these is directly in the app, through your Vault and consent settings — the Vault Policy shows you where. You can also contact us at [privacy contact]. For a managed profile, these rights are exercised by the account holder who manages it; the managed person (or anyone entitled to act for them) can also write to [privacy contact] directly. Withdrawing consent or deleting data does not undo processing we already, lawfully carried out before you did so.
11. Security
We protect your data with appropriate technical and organisational measures, including encryption and strict access controls. Encryption is central to how we keep your documents confidential — it is a core protection, not a marketing line. Access to document content by our staff is restricted to the limited cases described in section 4 and the Vault Policy, and is logged.
12. If something goes wrong (data breach)
If a data breach affects your rights, we will notify the relevant supervisory authority within 72 hours where the law requires, and we will tell you directly when the law requires that too.
13. Children and managed profiles
Account holders must be 18 or older. A child does not hold a Lifexam account and does not log in.
Lifexam does let an adult account holder keep a managed profile for another person they are responsible for — including a child (with parental responsibility or guardianship) or an adult they care for (with authority). For these profiles:
- the adult account holder is the person who manages the data and provides the explicit consent for processing the managed person's health data, on that person's behalf;
- because the relevant age of valid data-consent differs between countries, and because the managed person does not log in, we rely on the managing adult's authority rather than the managed person's own consent;
- the managing adult confirms their authority when creating the profile (we do not collect proof documents — see the Terms);
- the managed person's rights are exercised through the managing adult. A managed person, or anyone entitled to act for them, can contact [privacy contact] directly;
- if someone with authority disputes a managed profile, we will review and may suspend, restrict, or remove it (Terms section 6a).
We do not knowingly allow anyone under 18 to create their own account.
14. Changes to this Policy
If we make a material change — for example, a new purpose, a new recipient, or longer retention — we will show you a clear in-app notice highlighting the specific change before it affects you. For changes that affect health-data processing, we will ask for fresh consent where the law requires it.
15. Contact
- Data Protection Officer: [DPO name and contact]
- Support: [support contact]
- Lead supervisory authority: Irish Data Protection Commission — [www.dataprotection.ie]
End of Privacy Policy (draft v1.0).