Privacy Policy

Last updated: February 6, 2026

1. Introduction

This Privacy Policy explains how LongevAI ("we," "us," or "our"), a company registered in the Netherlands, collects, uses, stores, and protects personal data through the LongevOS platform ("the Platform"), accessible at app.longevos.nl, and the LongevOS website at longevos.nl. LongevOS is a clinical operating system designed for longevity and preventive health clinics.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the Dutch Implementation Act (UAVG), and, where applicable, the Health Insurance Portability and Accountability Act (HIPAA) for clinics operating in the United States.

2. Data Controller

LongevAI is the data controller for the Platform infrastructure and the LongevOS website. Each clinic ("Tenant") using LongevOS acts as a data controller for the personal and health data of their clients processed through the Platform. LongevAI acts as a data processor on behalf of each Tenant for client health data.

Contact: info@longevai.nl

3. Data We Collect

3.1 Website Visitors (longevos.nl)

Our marketing website does not use tracking cookies, analytics, or advertising networks. If you contact us via the website, we use your details only to respond to your inquiry.

3.2 Clinician Account Data

When clinicians register or are invited to the Platform, we collect:

  • Full name, email address, and professional title
  • Authentication credentials (passwords are hashed and never stored in plain text)
  • Two-factor authentication setup data
  • Role and organization membership

3.3 Client Health Data

Clinics may input the following client data through the Platform:

  • Personal identifiers: name, date of birth, biological sex, client ID
  • Health data: biomarker values, lab report data, health scores, biological age calculations
  • Consultation data: audio recordings, transcripts, AI-generated clinical reports
  • Questionnaire responses and intake form data
  • Action plans and health recommendations
  • Wearable device data (sleep, HRV, activity metrics) when connected

3.4 Usage Data

We collect minimal technical data necessary for Platform operation:

  • Audit logs of significant actions (report approvals, downloads, edits) for compliance purposes
  • Session information for authentication
  • Error logs for Platform reliability

4. How We Use Your Data

We process personal data for the following purposes:

  • Service delivery: Operating the Platform, generating AI-powered reports, processing lab data, and delivering health insights
  • AI processing: Using large language models (LLMs) to generate clinical reports, domain summaries, and action plans, and to extract biomarker data from lab reports. AI-generated content is always subject to clinician review and approval before becoming visible to clients
  • Security: Protecting accounts through authentication, authorization, and audit logging
  • Platform improvement: Analyzing aggregated, anonymized usage patterns to improve Platform functionality

5. Legal Basis for Processing

We process personal data on the following legal bases under the GDPR:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Platform services to clinics and their users
  • Legitimate interest (Art. 6(1)(f)): Security measures, fraud prevention, and Platform reliability
  • Legal obligation (Art. 6(1)(c)): Compliance with healthcare regulations and data retention requirements
  • Consent (Art. 9(2)(a)): Where required for processing special categories of health data, obtained by the Tenant from their clients

6. AI and Automated Processing

LongevOS uses artificial intelligence to process clinical data. This includes:

  • Generating clinical reports from consultation transcripts
  • Extracting biomarker data from lab report PDFs
  • Producing health domain summaries and action recommendations
  • Calculating biological age and health scores

All AI-generated outputs go through a clinician approval workflow. No automated decisions with legal or significant effects are made without human review. Clinicians maintain full control over what information becomes visible to their clients.

7. Data Sharing and Third Parties

We do not sell, rent, or trade personal data. Data may be shared with:

  • Cloud infrastructure providers: For secure hosting and storage
  • AI model providers: Consultation data and lab reports are processed through LLM APIs to generate clinical outputs. We use providers that offer data processing agreements and do not use customer data for model training
  • Payment processors: For subscription billing (no health data is shared)

All third-party processors are bound by data processing agreements compliant with GDPR requirements.

8. Multi-Tenant Data Isolation

Each clinic on the Platform operates in complete data isolation. Clinic A cannot access data belonging to Clinic B. This isolation extends to client records, configurations, reports, and all health data. Organization-level access controls ensure that only authorized team members within a clinic can access client data.

9. Data Retention

  • Active accounts: Data is retained for the duration of the service agreement
  • Deleted client records: Soft-deleted and retained for 10 years per healthcare regulatory requirements, then permanently deleted
  • Audio recordings: Retained per the clinic's configured retention policy, with a default of 10 years for regulatory compliance
  • Audit logs: Retained for the lifetime of the clinic's account for compliance purposes
  • Account closure: Upon termination, all data is deleted within 90 days, subject to legal retention obligations

10. Data Security

We implement appropriate technical and organizational measures, including:

  • Encryption of data in transit (TLS) and at rest (AES-256)
  • Multi-factor authentication for clinician accounts
  • Role-based access controls
  • Passwordless magic link authentication for client portal access
  • Regular security assessments
  • Audit logging of all significant actions

11. Your Rights

Under the GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data, subject to legal retention obligations
  • Restriction: Request limitation of processing
  • Portability: Receive your data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interest
  • Withdraw consent: Where processing is based on consent

For clinic clients: Please contact your healthcare provider (the clinic) directly to exercise your rights regarding health data, as the clinic is the data controller for your health information.

For clinicians: Contact us at info@longevai.nl to exercise your rights regarding your account data.

12. International Data Transfers

Data may be processed in countries outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

13. Cookies

The Platform uses only essential cookies required for authentication and session management. We do not use tracking cookies, analytics cookies, or advertising cookies. The marketing website (longevos.nl) does not use cookies.

14. Children's Privacy

The Platform is not intended for use by children under 16. We do not knowingly collect data from children. If client data pertaining to minors is entered by a clinic, the clinic is responsible for ensuring appropriate parental or guardian consent.

15. HIPAA Compliance

For clinics operating in the United States, LongevOS supports HIPAA compliance through Business Associate Agreements (BAAs), appropriate administrative, technical, and physical safeguards, and access controls consistent with the HIPAA Security Rule. Clinics requiring a BAA should contact us at info@longevai.nl.

16. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated through the Platform or on this website. The "Last updated" date at the top indicates the most recent revision.

17. Supervisory Authority

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.

18. Contact Us

For questions about this Privacy Policy or our data practices, contact us at:

LongevAI
Email: info@longevai.nl
Website: longevai.nl