Contents
1. Data controller
The entity responsible for the processing of your personal data is:
Lyvoo Health, Lda.
[Full address - to be completed]
Tax number (NIF): [to be completed]
Privacy email: privacidade@lyvoo.pt
Under Regulation (EU) 2016/679 (GDPR), Lyvoo is the data controller for data collected through the lyvoo.pt platform and the Lyvoo app.
2. Data we collect
2.1 Identification and contact data
- First name and surname
- Email address
- Delivery address (for kit delivery)
- Phone number (optional)
2.2 Health and biomarker data
⚠️ Please note: Health data is a special category of personal data under the GDPR (Article 9). Its processing requires explicit consent, which will be requested from you separately.
- Laboratory test results (blood biomarkers)
- Medical and nutritional reports
- Lifestyle data entered in the app (sleep, exercise, diet)
- History of assessments and reassessments
2.3 Platform usage data
- Browsing and interaction data on the website
- IP address and device information
- Cookies (see section 8)
2.4 Billing data
- Information required for payment processing (managed by Stripe)
- Transaction history
3. Legal basis and purposes
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and managing your account | Performance of contract (Art. 6(1)(b)) |
| Dispatching the analysis kit | Performance of contract (Art. 6(1)(b)) |
| Processing payment | Performance of contract (Art. 6(1)(b)) |
| Processing health and biomarker data | Explicit consent (Art. 9(2)(a)) |
| Sending communications about your programme | Performance of contract (Art. 6(1)(b)) |
| Sending newsletters and preventive health content | Consent (Art. 6(1)(a)) |
| Improving our services and conducting analyses | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
4. Health data - special category
The health data you entrust to us is processed with the highest level of protection. Only the clinical team directly responsible for your programme has access to your results, and strictly to the extent necessary to provide the service.
The processing of your health data is carried out exclusively for:
- Analysing the results of your laboratory tests
- Producing personalised medical and nutritional reports
- Monitoring the progress of your preventive health programme
- Providing clinical support by the medical and nutrition team
Your health data is not used for commercial purposes, is not shared with third parties for marketing purposes, and is not used to make automated decisions with significant effects on you.
You have the right to withdraw your consent to the processing of health data at any time via privacidade@lyvoo.pt. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal, but may mean it is no longer possible to continue providing the service.
5. Who we share your data with
Lyvoo does not sell or rent your personal data to third parties. We share your data only in the following circumstances:
5.1 Service providers (processors)
| Entity | Service | Location |
|---|---|---|
| Google Firebase / Firestore | Authentication and database | EU (eur3) |
| Stripe | Payment processing | EU |
| ISO 15189 certified partner laboratory | Laboratory analysis | Portugal |
All processors are bound by data processing agreements ensuring GDPR compliance.
5.2 Legal obligations
We may disclose your data where required by law, court order, or competent authority.
5.3 International transfers
Firebase servers are located in the EU (region eur3 - Europe). We do not transfer data to countries outside the European Economic Area without appropriate safeguards.
6. Retention periods
| Data type | Retention period |
|---|---|
| Account and profile data | Duration of account + 3 years |
| Health and biomarker data | Duration of account + 5 years (legal requirement for health records) |
| Billing data | 10 years (tax obligation) |
| Browsing and analytical cookie data | 13 months |
| Support communications | 3 years |
After the retention period expires, data is deleted or irreversibly anonymised.
7. Your rights
Under the GDPR, you have the following rights with respect to your personal data:
- Right of access - to know what data we hold about you and to receive a copy
- Right to rectification - to correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") - to request deletion of your data, unless we have a legal obligation to retain it
- Right to restriction of processing - to request suspension of processing in certain circumstances
- Right to data portability - to receive your data in a structured, machine-readable format
- Right to object - to object to processing based on legitimate interests
- Right not to be subject to automated decisions - we do not make decisions based solely on automated processing with significant effects
- Right to withdraw consent - for processing based on your consent, you may withdraw it at any time
To exercise any of these rights, contact us by email: privacidade@lyvoo.pt. We will respond within 30 days.
You also have the right to lodge a complaint with the Portuguese supervisory authority:
CNPD - Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados)
Rua de São Bento, 148-3.º, 1200-821 Lisboa
www.cnpd.pt
8. Cookies
We use cookies and similar technologies for the operation and improvement of the website.
Strictly necessary cookies
Essential for the functioning of the platform (authentication session, security preferences). These cannot be disabled.
Analytical cookies
We use Google Analytics to understand how users interact with the website (pages visited, session duration). These cookies require your consent and can be refused via the cookie banner displayed on your first visit.
How to manage cookies
You can manage your cookie preferences at any time through your browser settings or our cookie preference panel.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest in the database
- Role-based access control (only the clinical team accesses health data)
- Secure authentication via Firebase Authentication
- Access monitoring and audit logging
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you within 72 hours, as required by the GDPR.
10. Minors
The Lyvoo platform is intended for users aged 18 and over. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data without parental consent, please contact us so that we can arrange for the deletion of that data.
11. Changes to this policy
We may update this Privacy Policy periodically. In the event of significant changes, we will notify you by email or via a notice on the platform, with a minimum of 15 days' notice.
The version in force is always the most recent one available on this page, with the date of last update indicated.
12. Contact and complaints
For any questions relating to the protection of your personal data:
- Email: privacidade@lyvoo.pt
- Subject: "GDPR - [description of request]"
We commit to responding within 30 calendar days of receipt of the request.