1. Controller and representative
Controller
LongevityDoc GmbH
Zürich, Switzerland
hello@longevitydoc.ch
Questions about this policy and requests to exercise your rights should be directed to hello@longevitydoc.ch.
2. Data we collect
Identity and contact
Name, surname, date of birth, gender, email address, and a profile avatar if uploaded.
Health data (special-category)
Blood biomarkers from uploaded lab results, biological-age scores, cognitive assessment responses and mind-age scores, AI-generated health reports, and uploaded lab documents. This is special-category personal data under GDPR Art. 9 and revFADP Art. 5(c). It is processed only on the basis of your explicit consent.
Financial data
Billing address, card brand and last four digits, and Stripe customer and payment identifiers. Full card numbers are handled exclusively by Stripe — we never receive or store them.
Behavioral and preference data
Dietary preferences entered during test intake; country and language settings.
Communication data
Free-text content from contact forms, feedback forms, and consultation booking metadata (appointment time, specialist selected).
Technical data
IP address, browser type, and device information. Our marketing website uses Plausible Analytics — see section 9.
3. Why we process it
Biological Age Test and Mind Age Test
We process your health data solely to execute the test you purchased and deliver your personalised report. Lawful basis: explicit consent under GDPR Art. 9(2)(a) and revFADP Art. 6(7). You will be asked for this consent separately — it is not bundled into terms acceptance. You may withdraw consent at any time (see section 7).
Account and service delivery
Creating and maintaining your account, processing payments, and fulfilling consultation bookings. Lawful basis: contract performance (GDPR Art. 6(1)(b)).
Transactional communications
Order confirmations, report-ready notifications, and password resets sent by email. Lawful basis: contract performance / legitimate interest (GDPR Art. 6(1)(b)/(f)). Health results are never included in email bodies — emails contain a link to your secure dashboard only.
Contact form enquiries
Responding to messages submitted through our website. Lawful basis: legitimate interest (GDPR Art. 6(1)(f)).
Website analytics
Understanding aggregate traffic patterns via Plausible Analytics (cookie-free, no personal data). No consent is required because no cookies or personal data are processed.
4. Sub-processors and recipients
We use the following sub-processors. Each is bound to us by a Data Processing Agreement. Your data is shared only to the extent necessary to deliver our services.
| Provider | Role | Location | Transfer basis |
|---|---|---|---|
| Amazon Web Services (privacy & compliance info) | Cloud hosting, databases, file storage | EU — Frankfurt, Germany | EU data residency; DPA + Standard Contractual Clauses |
| Stripe, LLC (privacy policy) | Payment processing and card vaulting | United States | EU–US and Swiss–US Data Privacy Framework; SCCs as fallback |
| Twilio Inc. (SendGrid) (GDPR information) | Transactional email delivery | United States | EU–US and Swiss–US Data Privacy Framework; SCCs as fallback |
| cal.eu (privacy policy) | Consultation scheduling | European Union | EU data residency; DPA |
5. International data transfers
The majority of your data is stored and processed in the European Union (AWS Frankfurt). Transfers outside the EU/EEA or Switzerland are limited to the following:
United States — Stripe and Twilio SendGrid
Both are certified under the EU–US Data Privacy Framework and the Swiss–US Data Privacy Framework, providing an equivalent level of protection to that within the EU/EEA and Switzerland. Standard Contractual Clauses are in place as a fallback.
6. Data retention
We retain your data only for as long as necessary for the purpose for which it was collected, or as required by applicable law.
- Account and profile data — held for the life of your account and deleted within 90 days of account closure.
- Health data (biomarkers, test results, reports, lab documents) — retained while your account is active. You may request erasure at any time subject to any applicable legal retention obligation.
- Financial records (orders, invoices) — retained for 10 years as required by Swiss commercial law (CO Art. 958f). Personal identifying data within financial records is minimised once no longer necessary.
- Consultation bookings — retained for the period necessary for tax and refund purposes, then anonymised.
- Contact form submissions — retained for up to 12 months.
- Authentication tokens (password reset, email verification) — deleted on use or after 30 days, whichever is earlier.
7. Your rights
Under GDPR (EU/EEA residents) and Swiss revFADP (Switzerland residents), you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — request deletion of your data, subject to legal retention obligations.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
To exercise any right, email hello@longevitydoc.ch with the subject line "Data Subject Request". We respond within 30 days (GDPR: 1 month). We may ask you to verify your identity before acting on a request.
8. Automated decision-making
Our Biological Age Test and Mind Age Test produce individual scores through automated AI processing of your health data. These results have a significant personal effect — they are the core output of the service you purchased.
Under GDPR Art. 22 and revFADP Art. 21, you have the right to request human review of your result, express your point of view, and contest the outcome. To do so, contact us at hello@longevitydoc.ch.
Scores are used only to deliver your personal health report. They are not shared with insurers, employers, or any third parties beyond the sub-processors listed in section 4.
9. Cookies and analytics
Our marketing website uses Plausible Analytics — a privacy-friendly analytics tool that sets no cookies and collects no personal data. Page view counts are aggregated and cannot be linked to individual visitors. No consent is required for Plausible under the EU ePrivacy Directive.
We do not use advertising cookies, tracking pixels, or cross-site profiling on this website.
If you submit the contact form on this site, your name, email, and message are stored as described in sections 3 and 6.
10. Contact and complaints
For questions about this policy or to submit a data subject request:
hello@longevitydoc.ch — subject line: "Data Subject Request"
Supervisory authorities
Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
EU: the supervisory authority of your Member State of habitual residence or place of work.
This policy was last updated on 6 June 2026. We will notify you of material changes by email or by a notice on our website.