Privacy Policy
Last updated: April 20, 2026
This Privacy Policy describes how Bllod collects, uses, and protects personal information when you use the Bllod mobile app and related services. We take your privacy seriously — especially because Bllod deals with health information. This policy explains exactly what we collect, why, and how you stay in control.
Who We Are
Bllod is operated by Yan Guyt França (individual, acting as data controller for European and Brazilian users).
Contact — [email protected]
Data Protection Officer — [email protected]
Data We Collect
We only collect data necessary for the App to function. We do not sell your data. We do not track you across other apps or websites.
Account information — Email address, name (provided during onboarding or pulled from Apple/Google Sign-In), and a unique authentication identifier from Supabase and your chosen sign-in provider.
Health-profile information (optional) — Date of birth, gender, height, weight, body measurements, health goals, allergies, chronic conditions, and current medications.
Blood-test data (the core of the App) — Uploaded PDF lab reports, photos of printed reports, extracted biomarker values with units, dates, and associated laboratory, and manually entered marker values.
Device and operational data — Device type and operating system, language preference, app version, and push-notification token (only if you opt in).
What we do NOT collect — Advertising identifiers (IDFA), precise location, contacts, calendar, social media, microphone or voice data, Apple HealthKit data, or cross-app browsing behavior.
How We Use Your Data
We use your data only to run the App — never for advertising, profiling, or automated decisions that produce legal effects about you.
Core features — Health data and profile power exam tracking and charts (contractual basis).
Authentication — Your email, name, and auth ID identify you (contractual basis).
Marker extraction — Uploaded PDFs are processed to extract biomarker values (contractual basis).
Account emails — Essential service messages (contract / legitimate interest).
Push notifications — Only if you opt in (consent).
Reliability — Anonymized error logs help us improve the App (legitimate interest).
Legal compliance — Data may be used when required by law.
Who We Share Data With
We share your data only with service providers that help us run the App, under strict contractual obligations:
Supabase, Inc. (USA) — database, storage, authentication. SOC 2 Type II compliant.
Bllod extraction service — reads your uploaded PDFs to extract marker values. PDFs are not retained beyond the extraction window unless you explicitly save them.
Apple Inc. / Google LLC — only for the Sign in with Apple / Google authentication flow.
Expo / EAS (Expo Inc.) — app updates and build distribution. No personal health data passes through.
We do not sell, rent, or trade your personal data with anyone.
International Transfers
Bllod stores data in the United States via Supabase. If you are in the European Economic Area, the United Kingdom, or Brazil, your data is transferred internationally under the EU Standard Contractual Clauses (SCCs) or equivalent safeguards.
Data Retention
Active account data — retained as long as your account exists.
Deleted account — all personal data is permanently deleted within 30 days of account deletion. You can delete your account at any time via Profile → Delete Account.
Error logs — anonymized and retained for up to 90 days.
Payment records — retained as required by tax and accounting law (typically 5–10 years, varies by jurisdiction).
Your Rights
You have the right to:
Access the personal data we hold about you.
Correct inaccurate data.
Delete your account and all associated data (in-app, under Profile → Delete Account).
Export your data in a portable format (contact [email protected]).
Withdraw consent for notifications (in-app, under Profile → Notification Settings).
Object to processing based on legitimate interests.
Lodge a complaint with your national data protection authority — in the EU, the data protection authority (DPA) of your member state; in the UK, the Information Commissioner's Office (ICO); in Brazil, the Autoridade Nacional de Proteção de Dados (ANPD).
To exercise any right, write to [email protected]. We respond within 30 days.
Security
In transit — all traffic is encrypted via TLS 1.2+ (HTTPS only).
At rest — data is encrypted on Supabase infrastructure.
On-device — session tokens are encrypted (AES-256-CTR key in iOS Secure Enclave / Android Keystore; ciphertext in AsyncStorage).
Access controls — row-level security (RLS) on all user tables ensures no user can read another user's data.
No system is 100% secure. If we learn of a breach affecting your data, we will notify you and the relevant authorities as required by law (within 72 hours under GDPR / LGPD).
Children
Bllod is not intended for children under 13 (or under the age of digital consent in your jurisdiction, e.g., 16 in parts of the EU). We do not knowingly collect data from children. If you believe a child has provided data, contact [email protected] and we will delete it.
Changes to This Policy
We may update this policy occasionally. When we make material changes, we will notify you via in-app banner or email. The "Last updated" date at the top always reflects the current version.
Medical Disclaimer
Bllod is not a medical device and does not provide medical advice, diagnosis, or treatment. The App is an organizational and educational tool only. Always consult a qualified healthcare professional about your results.
Contact
Questions about this policy or your data:
Privacy — [email protected]
General support — [email protected]