Privacy Policy

Last updated: 6 June 2026

1. Controller and representative

Controller
LongevityDoc GmbH
Zürich, Switzerland
hello@longevitydoc.ch

Questions about this policy and requests to exercise your rights should be directed to hello@longevitydoc.ch.

2. Data we collect

Identity and contact

Name, surname, date of birth, gender, email address, and a profile avatar if uploaded.

Health data (special-category)

Blood biomarkers from uploaded lab results, biological-age scores, cognitive assessment responses and mind-age scores, AI-generated health reports, and uploaded lab documents. This is special-category personal data under GDPR Art. 9 and revFADP Art. 5(c). It is processed only on the basis of your explicit consent.

Financial data

Billing address, card brand and last four digits, and Stripe customer and payment identifiers. Full card numbers are handled exclusively by Stripe — we never receive or store them.

Behavioral and preference data

Dietary preferences entered during test intake; country and language settings.

Communication data

Free-text content from contact forms, feedback forms, and consultation booking metadata (appointment time, specialist selected).

Technical data

IP address, browser type, and device information. Our marketing website uses Plausible Analytics — see section 9.

3. Why we process it

Biological Age Test and Mind Age Test

We process your health data solely to execute the test you purchased and deliver your personalised report. Lawful basis: explicit consent under GDPR Art. 9(2)(a) and revFADP Art. 6(7). You will be asked for this consent separately — it is not bundled into terms acceptance. You may withdraw consent at any time (see section 7).

Account and service delivery

Creating and maintaining your account, processing payments, and fulfilling consultation bookings. Lawful basis: contract performance (GDPR Art. 6(1)(b)).

Transactional communications

Order confirmations, report-ready notifications, and password resets sent by email. Lawful basis: contract performance / legitimate interest (GDPR Art. 6(1)(b)/(f)). Health results are never included in email bodies — emails contain a link to your secure dashboard only.

Contact form enquiries

Responding to messages submitted through our website. Lawful basis: legitimate interest (GDPR Art. 6(1)(f)).

Website analytics

Understanding aggregate traffic patterns via Plausible Analytics (cookie-free, no personal data). No consent is required because no cookies or personal data are processed.

4. Sub-processors and recipients

We use the following sub-processors. Each is bound to us by a Data Processing Agreement. Your data is shared only to the extent necessary to deliver our services.

| Provider | Role | Location | Transfer basis |
|---|---|---|---|
| Amazon Web Services (Privacy & compliance info) | Cloud hosting, databases, file storage | EU — Frankfurt, Germany | EU data residency; DPA + Standard Contractual Clauses |
| Stripe, LLC (Privacy policy) | Payment processing and card vaulting | United States | EU–US and Swiss–US Data Privacy Framework; SCCs as fallback |
| Twilio Inc. (SendGrid) (GDPR information) | Transactional email delivery | United States | EU–US and Swiss–US Data Privacy Framework; SCCs as fallback |
| cal.eu (Privacy policy) | Consultation scheduling | European Union | EU data residency; DPA |

5. International data transfers

The majority of your data is stored and processed in the European Union (AWS Frankfurt). Transfers outside the EU/EEA or Switzerland are limited to the following:

United States — Stripe and Twilio SendGrid

Both are certified under the EU–US Data Privacy Framework and the Swiss–US Data Privacy Framework, providing an equivalent level of protection to that within the EU/EEA and Switzerland. Standard Contractual Clauses are in place as a fallback.

6. Data retention

We retain your data only for as long as necessary for the purpose for which it was collected, or as required by applicable law.

  • Account and profile data — held for the life of your account and deleted within 90 days of account closure.
  • Health data (biomarkers, test results, reports, lab documents) — retained while your account is active. You may request erasure at any time subject to any applicable legal retention obligation.
  • Financial records (orders, invoices) — retained for 10 years as required by Swiss commercial law (CO Art. 958f). Personal identifying data within financial records is minimised once no longer necessary.
  • Consultation bookings — retained for the period necessary for tax and refund purposes, then anonymised.
  • Contact form submissions — retained for up to 12 months.
  • Authentication tokens (password reset, email verification) — deleted on use or after 30 days, whichever is earlier.

7. Your rights

Under GDPR (EU/EEA residents) and Swiss revFADP (Switzerland residents), you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your data, subject to legal retention obligations.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.

To exercise any right, email hello@longevitydoc.ch with the subject line "Data Subject Request". We respond within 30 days (GDPR: 1 month). We may ask you to verify your identity before acting on a request.

8. Automated decision-making

Our Biological Age Test and Mind Age Test produce individual scores through automated AI processing of your health data. These results have a significant personal effect — they are the core output of the service you purchased.

Under GDPR Art. 22 and revFADP Art. 21, you have the right to request human review of your result, express your point of view, and contest the outcome. To do so, contact us at hello@longevitydoc.ch.

Scores are used only to deliver your personal health report. They are not shared with insurers, employers, or any third parties beyond the sub-processors listed in section 4.

9. Cookies and analytics

Our marketing website uses Plausible Analytics — a privacy-friendly analytics tool that sets no cookies and collects no personal data. Page view counts are aggregated and cannot be linked to individual visitors. No consent is required for Plausible under the EU ePrivacy Directive.

We do not use advertising cookies, tracking pixels, or cross-site profiling on this website.

If you submit the contact form on this site, your name, email, and message are stored as described in sections 3 and 6.

10. Contact and complaints

For questions about this policy or to submit a data subject request:
hello@longevitydoc.ch — subject line: "Data Subject Request"

Supervisory authorities
Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
EU: the supervisory authority of your Member State of habitual residence or place of work.

This policy was last updated on 6 June 2026. We will notify you of material changes by email or by a notice on our website.