Privacy policy
Last updated February 6, 2026
Introduction
LongevAI B.V. ("LongevAI", "we", "us", or "our") operates LongevOS, a software-as-a-service platform designed for longevity and preventive health clinics. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our platform, whether as a healthcare professional ("Clinician") or as a client of one of our partner clinics ("Client").
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR), applicable Dutch data protection laws, and where relevant, the Health Insurance Portability and Accountability Act (HIPAA). By using LongevOS, you acknowledge that you have read and understood this Privacy Policy.
Data Controller
LongevAI B.V., registered in the Netherlands (KVK 94498792), acts as the data processor on behalf of your healthcare provider (the data controller) for health-related data. For account data and platform usage, LongevAI acts as the data controller.
Contact: info@longevai.nl
Data We Collect
Clinician Account Data
When a healthcare professional registers or is invited to LongevOS, we collect:
- Full name, email address, and professional credentials
- Organization name and role within the practice
- Authentication credentials (passwords are hashed and salted, never stored in plaintext)
- Usage logs including login times, features accessed, and actions performed
Client Health Data
When a Client uses the platform through their healthcare provider, the following data may be collected and processed:
- Personal identifiers: name, date of birth, email address, and contact details
- Laboratory results and biomarker data uploaded by your healthcare provider or extracted from lab reports
- Questionnaire responses including health history, lifestyle, and symptoms
- Consultation transcripts and clinical notes recorded during appointments
- Wearable device data (e.g., from Apple Health, Garmin, or Oura Ring) if you choose to connect a device
- AI-generated health insights, findings, and personalized action plans based on your data
Usage Data
We automatically collect certain technical data when you use the platform:
- Device type, browser, operating system, and screen resolution
- IP address and approximate geographic location
- Pages visited, features used, and interaction patterns for service improvement
How We Use Your Data
We process personal data for the following purposes:
- Service Delivery: To provide the core LongevOS platform features, including biomarker tracking, health insights, action plan generation, appointment booking, and secure messaging between clinicians and clients.
- AI-Assisted Analysis: To generate health insights, domain summaries, and personalized action plans using AI models. All AI-generated content is clearly marked and requires clinician review before being shared with clients.
- Security and Compliance: To maintain the security and integrity of the platform, detect and prevent unauthorized access, and comply with legal obligations including healthcare regulations.
- Platform Improvement: To analyze anonymized usage patterns and improve the platform experience. We never use identifiable health data for product development or marketing purposes.
Legal Basis for Processing
We process your personal data based on one or more of the following legal grounds under the GDPR:
- Performance of a Contract: Processing necessary to provide the LongevOS services as agreed between LongevAI and your healthcare provider, or between you and your healthcare provider.
- Legitimate Interest: Processing necessary for platform security, fraud prevention, and service improvement, where our interests do not override your fundamental rights and freedoms.
- Legal Obligation: Processing required to comply with applicable healthcare regulations, tax laws, or other legal requirements.
- Consent: Where required, we obtain your explicit consent before processing sensitive health data or using optional features such as wearable device integrations.
AI and Automated Processing
How We Use AI in LongevOS
LongevOS uses artificial intelligence to assist healthcare professionals in analyzing health data and generating personalized recommendations. It is important to understand:
- AI models process your health data (biomarkers, questionnaire responses, wearable data) to generate health domain summaries and action plans
- All AI-generated content is clearly labeled and presented to your clinician for review before it becomes part of your health record
- No automated decisions with legal or similarly significant effects are made without clinician oversight
- AI processing uses Google Vertex AI within your clinic's dedicated cloud project, ensuring data isolation between organizations
Data Sharing
We do not sell, rent, or trade your personal data. We share data only with the following categories of service providers, under strict contractual safeguards:
- Cloud Infrastructure: We use Koyeb and Google Cloud Platform (GCP) for hosting and data storage. Health data is stored in DigitalOcean Managed MongoDB with encryption at rest (AES-256) and in transit (TLS 1.2+).
- AI Model Providers: AI processing is performed through Google Vertex AI, running within the clinic's own GCP project. Your health data is not used to train AI models and is not accessible to Google for any purpose beyond processing your specific request.
- Payment Processors: If applicable, payment processing is handled by third-party providers who receive only the minimum data necessary to complete transactions. We do not store credit card numbers.
Each organization's data is strictly isolated. Clinicians in one practice cannot access data from another practice, and clients can only see their own records.
Multi-Tenant Data Isolation
LongevOS is a multi-tenant platform where each healthcare organization operates in a logically isolated environment. Data belonging to one organization is never accessible to users of another organization. This isolation is enforced at the database query level and verified through automated testing.
Data Retention
- Active Accounts: Client health data is retained for as long as the client has an active relationship with their healthcare provider on the platform, or as required by applicable medical record retention laws.
- Deleted Records: When a client record is deleted by their healthcare provider, the data is soft-deleted (marked as inactive) and permanently purged after 30 days, unless longer retention is required by law.
- Audio Recordings: Consultation audio recordings, when used, are temporarily stored for transcription purposes and automatically deleted within 7 days after the transcript has been generated.
- Audit Logs: System audit logs recording access to health data are retained for a minimum of 12 months for security and compliance purposes.
- Account Closure: Upon account closure, all personal data is deleted within 90 days, except where retention is required by law. You may request immediate deletion by contacting us at info@longevai.nl.
Data Security
We implement industry-standard security measures to protect your personal data:
- All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher
- Authentication tokens are securely managed with automatic expiration and refresh mechanisms
- Role-based access control ensures users can only access data appropriate to their role (clinician, admin, client)
- Regular security audits and penetration testing are conducted to identify and address vulnerabilities
- All access to health data is logged and monitored for unauthorized access attempts
- Database backups are encrypted and stored in geographically separate locations within the European Economic Area
Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access: You have the right to request a copy of the personal data we hold about you and information about how it is processed.
- Right to Rectification: You have the right to request correction of inaccurate personal data or completion of incomplete data.
- Right to Erasure: You have the right to request deletion of your personal data, subject to legal retention requirements for medical records.
- Right to Restriction: You have the right to request that we limit the processing of your personal data in certain circumstances.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
- Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.
For Clinic Clients: If you are a client of a clinic using LongevOS, please contact your healthcare provider to exercise your rights, as they are the data controller for your health information. You may also contact us directly at info@longevai.nl.
For Clinicians: If you are a clinician or administrator, you may exercise your rights by contacting us directly at info@longevai.nl or through the account settings in your LongevOS dashboard.
International Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). Where data processing involves services located outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or processing in countries with an adequacy decision.
Cookies and Tracking
LongevOS uses only strictly necessary cookies required for the platform to function (session management, authentication). We do not use advertising cookies, tracking pixels, or analytics services that profile individual users.
Children's Privacy
LongevOS is intended for use by healthcare professionals and their adult clients. We do not knowingly collect personal data from children under the age of 16. If a healthcare provider manages pediatric clients, the provider is responsible for obtaining appropriate parental or guardian consent.
HIPAA Compliance
For healthcare organizations subject to HIPAA, LongevAI is prepared to enter into a Business Associate Agreement (BAA). Our platform implements administrative, physical, and technical safeguards consistent with HIPAA requirements, including access controls, audit logging, and encryption of protected health information (PHI).
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify registered users of material changes via email or through a notice on the platform. The date of the most recent revision is indicated at the top of this page.
Supervisory Authority
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at https://autoriteitpersoonsgegevens.nl or with the supervisory authority in your country of residence.
Contact Us
For questions about this Privacy Policy or to exercise your data protection rights, contact us at:
LongevAI B.V.
Email: info@longevai.nl
Website: longevai.nl