HomeAboutPricingSupplementsSuccess StoriesBlogLoginStart your protocol

Privacy

Privacy Policy

biolune.eu — Last updated: April 17, 2026

1. Data Controller

Biolune, KvK 42054136, Netherlands. Email: privacy@biolune.eu. We are responsible for your personal data and committed to full GDPR compliance.

2. What Data We Collect

Standard Personal Data

Name, email, age, professional background, subscription and billing information.

Health Data (Special Category — GDPR Art. 9)

Self-reported symptoms, lifestyle data, sleep patterns, energy levels, health history, bloodwork values (Elite tier).

Biometric Data (Special Category — GDPR Art. 9)

HRV, sleep quality and duration, resting heart rate, activity metrics — collected via wearable devices (Oura, Garmin, Whoop) through Apple HealthKit and Android Health Connect, where you choose to connect a device.

Genetic Data (Special Category — GDPR Art. 9)

SNP data, APOE status, and related genetic markers — for Precision and Elite subscribers who voluntarily upload genetic data. Strictly optional, separate explicit consent required.

AI Interaction Data

Conversation records and dialogue with the Lune AI. These records contain health context and are treated as high-sensitivity data.

Usage and Technical Data

Device type, IP address, app version, crash logs, feature usage — used for service reliability and security.

3. Legal Basis for Processing

  • Standard personal and payment data: contract performance (GDPR Art. 6(1)(b)) and legal obligation (Art. 6(1)(c))
  • Health, biometric, and AI interaction data: explicit consent (GDPR Art. 9(2)(a))
  • Genetic data: explicit consent via separate opt-in (GDPR Art. 9(2)(a))
  • Error monitoring and service security: legitimate interest (GDPR Art. 6(1)(f))

You may withdraw consent for special category data at any time via Settings → Data & Privacy or by emailing privacy@biolune.eu. Withdrawal does not affect the lawfulness of prior processing.

4. How We Use Your Data

To deliver wellness-matched research insights via the Lune AI system. To surface peer-reviewed research relevant to your profile. To process subscription payments. To send transactional and wellness communications. To maintain service security and reliability. We do not use your data for advertising, profiling for third parties, or sale to any party.

5. Third-Party Data Processors

All processors have signed Data Processing Agreements (DPAs) ensuring GDPR compliance.

ProcessorRoleLocation
SupabasePrimary data storage, AES-256 encryption at restEU
VercelApplication infrastructure, EU-US DPF certifiedUS/EU
AnthropicAI processing via Claude API for protocol generation and chat. Personal data including biometric data and (for Precision/Elite users) genetic interpretations may be processed. Anthropic does not use customer API data for model training (since March 2024). Data Processing Agreement incorporating EU SCCs Module 2.US (SCCs)
StripePayment processing, PCI DSS Level 1 compliantUS/EU
ResendTransactional and wellness email, EU-US DPF certifiedUS
SentryError monitoring, auto-redacts health data from logsUS

We do not sell your data. We do not share your data with advertisers.

6. International Data Transfers

Several processors are US-based. All US transfers are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission and/or EU-US Data Privacy Framework (DPF) certification. You may request information about specific transfer mechanisms at privacy@biolune.eu.

7. Data Retention

Data TypeRetention Period
Health and biometric dataActive subscription + 90 days post-cancellation
AI conversation recordsActive subscription + 180 days
Genetic dataUntil explicitly deleted by you; not retained after account deletion
Payment and billing records7 years per Dutch accounting law
Error logs90 days

All health-related data is permanently deleted within 30 days of a verified deletion request.

8. Your GDPR Rights

Right of access (Art. 15), right to rectification (Art. 16), right to erasure (Art. 17), right to data portability (Art. 20), right to restrict processing (Art. 18), right to object (Art. 21), right to withdraw consent.

To exercise any right, email privacy@biolune.eu with the subject “Data Subject Request.” We respond within 30 days.

You may also lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl.

9. Security

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Row-level security ensuring users cannot access each other’s data
  • JWT authentication with token rotation
  • Rate limiting and DDoS protection
  • Sentry error monitoring with automatic health data redaction
  • 72-hour breach notification to supervisory authority and affected users
  • Annual security assessment

10. Cookies

We use minimal, functional cookies only: session token, language preference, theme. Optional anonymised analytics via Vercel Analytics. No third-party tracking, no advertising pixels, no health data sent to ad networks.

11. Contact

Privacy enquiries: privacy@biolune.eu. Data Protection: dpo@biolune.eu. Response time: within 30 days.

© 2026 Biolune. All rights reserved. Based in the Netherlands.

biolunePRECISION WELLNESS

The protocol. In your inbox. Weekly.

Join high performers getting weekly insights on HRV, wellness, and precision recovery — all sourced from peer-reviewed research.

Biolune is a wellness information platform. We do not provide medical advice, diagnosis, or treatment. Information shown is research-informed and educational. Always consult your healthcare provider for medical decisions.