BodySynk
Privacy by design

Privacy Policy

Last updated: May 3, 2026 · Effective: May 3, 2026

Your health data belongs to you. This policy explains exactly what we collect, how we store and protect it, who can access it, and the rights you have at any time.

The short version

  • • We never sell your data. We never share it with advertisers.
  • • Raw lab files, DNA files and personal identifiers are never sent to AI providers.
  • • AI analysis runs on anonymized data only, through a single enforced gateway (Atomic Privacy Scrub™).
  • • You can export everything, or delete your account and all associated data, at any time from Settings.
  • • Data is encrypted in transit and at rest, with row-level isolation per user.

1. Who we are

BodySynk (“BodySynk”, “we”, “us”) operates the BodySynk platform at bodysynk.com. We are the data controller for personal data processed through the platform. For privacy questions, see the Contact section below.

2. What we collect

We only collect what you actively give us, plus the minimum needed to operate the service.

Account data

  • • Email address and authentication credentials.
  • • Display name and optional profile information.

Health data you upload

  • • Lab results (blood panels, biomarkers, etc.) you upload as PDFs or enter manually.
  • • Supplement and medication stacks, dosages and schedules.
  • • Fasting logs (start and end times, notes).
  • • Wearable summaries (sleep, HRV, steps, recovery) you choose to sync.
  • • Self-reported health conditions, family history and goals.
  • • DNA files: parsed locally in your browser. We only store the derived markers report, never the raw genome file or full sequence.
  • • Food scans and product lookups you perform.

Usage data

  • • Basic technical logs (timestamps, request paths, error codes) for security and reliability.
  • • Device and browser type, sufficient to render the app correctly.
  • • No advertising trackers, no third-party analytics that profile you across the web.

3. How we use your data

  • • Provide the core features: dashboards, summaries, fasting tracking, drug and food scans, family sharing.
  • • Generate personalized insights from your own data — never cross-user profiling.
  • • Send transactional emails (sign-in, account changes, share invites). No marketing without consent.
  • • Detect abuse, fraud, and protect the integrity of the service.
  • • Comply with legal obligations.

4. AI processing & anonymization

Some BodySynk features (lab interpretation, the “Ask” assistant, drug interaction summaries, food insights) use large language models. Before any of your data reaches an AI provider, it passes through our Atomic Privacy Scrub™ pipeline:

  1. Text is extracted from uploaded files within our trusted environment.
  2. Pattern-based, deterministic redaction removes names, dates of birth, IDs, addresses, phone numbers and other identifiers.
  3. A second verification pass re-scans the sanitized text. If anything personal remains, the request is blocked.
  4. Only the anonymized text is sent to the AI provider, through a single enforced gateway. There is no bypass path; the build itself fails if any code tries to call AI directly.

We do not use your data to train any AI model. AI providers process the anonymized payload as transient input and do not retain it for training under our contractual terms.

Read the full pipeline on our Trust Center.

6. Storage & security

  • • Encryption in transit (TLS) and at rest.
  • • Row-level security in our database — by default, only your own user can read your records.
  • • Strict separation between accounts; family or shared-access features require your explicit invitation.
  • • Principle of least privilege for internal access; engineering access to production data is logged and limited to incident response.
  • • Regular dependency and security scanning.

7. Sharing & disclosure

We share data only in these limited cases:

  • Sub-processors we use to run the service: cloud hosting, database, email delivery, and AI inference (always on anonymized payloads). Each is bound by a Data Processing Agreement.
  • People you invite — family members or trusted contacts you explicitly grant access to.
  • Legal requirements — if compelled by a valid legal process. We push back on overbroad requests.
  • Business transfer — in the unlikely event of a merger or acquisition, your data and these protections move with the service. You will be notified in advance.

We do not sell your data. We do not share it with advertisers or data brokers. Ever.

8. Retention & deletion

  • • Account and health data are retained as long as your account is active.
  • • You can delete individual records (a lab, a fast, a supplement) at any time.
  • • Deleting your account removes all associated personal and health data within 30 days. Encrypted backups roll off within 90 days.
  • • Minimal anonymous logs may be retained for security and debugging up to 12 months.

9. Your rights

Wherever you live, you can:

  • Access — see all data we hold about you.
  • Export — download everything as JSON or CSV from Settings.
  • Correct — edit any record at any time.
  • Delete — remove individual records or your entire account.
  • Restrict or object — to specific processing.
  • Withdraw consent — without affecting prior lawful processing.
  • Lodge a complaint — with your local data protection authority (EEA/UK).

10. International transfers

Our infrastructure may process data in the EU and the US. Where data leaves the EEA, we rely on Standard Contractual Clauses and additional safeguards (encryption, anonymization before AI processing) to protect it.

11. Children

BodySynk is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.

12. Not medical advice

BodySynk surfaces patterns in your data and provides educational context. Nothing on the platform is medical advice, diagnosis or treatment. Always consult a qualified clinician before making health decisions or changing medications.

13. Changes to this policy

When we make material changes, we will notify you by email and in-app at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the current version.

14. Contact us

Privacy questions, data requests, or anything else: privacy@bodysynk.com. You can also reach us via the contact page.