Privacy Policy — MyHealth

Version (policy_version): 1.6
Last updated: June 11, 2026
Effective: as of the date of publication on the App Store.


In short (read this first)

MyHealth is an iPhone app that helps you organize your own health record, with an artificial intelligence (AI) assistant that reads the documents and photos you upload to extract and fill in records (which you confirm before saving) and offers a supportive educational reading. You bring together your lab results, conditions, medications, vaccines, appointments, measurements, and documents in a single place, and the app builds a timeline of your health to prepare you for the conversation with your doctor.

The most important points:

The full text below details all of this and describes your legal rights.


1. Who we are (the Controller) and the DPO

The party responsible for processing your personal data ("Controller" under the LGPD; "Controller" under the GDPR) is:

BAS AI — BAS ARTIFICIAL INTELLIGENCE LTDA
CNPJ: 64.106.409/0001-70
Website: www.bas-ai.com
Address: Rua Gomes de Carvalho, 911, Vila Olímpia, São Paulo/SP, ZIP 04547-003, Brazil

In this document, "MyHealth", "we", or "the app" refer to this Controller.

Data Protection Officer (DPO)

For any privacy and data protection matter, contact our Officer (LGPD Art. 41 / Data Protection Officer, GDPR Art. 37):

Email: privacy@bas-ai.com
Officer's name: Guilherme Kaschny Bastian
Mailing address: Rua Gomes de Carvalho, 911, Vila Olímpia, São Paulo/SP, ZIP 04547-003, Brazil

Today MyHealth does not have a representative in the European Union; if the service comes to be offered in a meaningful way to data subjects in the EEA/United Kingdom, we will appoint a representative (GDPR Art. 27) and indicate the contact here.


2. To whom this Policy applies

This Policy applies to everyone who uses the MyHealth app, in any country. The app is global and multi-language (Portuguese, English, and Spanish).

The initial launch focuses on Brazil, but, where the law of your country is more protective, it prevails. We treat the LGPD (Law No. 13.709/2018, Brazil) and the GDPR (Regulation (EU) 2016/679) as our minimum standard everywhere.

Children and adolescents: self-registration is intended for people 18 or older. Data of minors may only be included by a legal guardian, who manages the dependent's profile (see Section 11).


3. What data we collect

We collect only what is necessary for the app to work (the minimization principle). Below is what we collect and where it is stored.

3.1 Identity data (PII) — encrypted in a vault

The following data identifies you directly and is stored in an identity vault (identity_vault), encrypted field by field (XChaCha20-Poly1305), physically separated from the clinical tables. It is decrypted only by a secure function, under your own identity:

The clinical tables do not contain this data — they refer to you only by a profile code (pseudonym). In the pseudonymized profile we keep only the clinical-demographic minimum needed to interpret the data correctly (for example, biological sex and date of birth/age, important for lab reference ranges).

3.2 Health / sensitive data (PHI)

This is sensitive personal data (health) and receives maximum protection. We collect, as you record or import it:

When this data refers to a minor in your care, the same protections apply (see Section 11).

3.3 Locality and language (optional, in clear text)

Optionally, to adapt the experience and prepare future features (such as recommending professionals by city), we may store country, state/province, city, and the preferred language. We do not collect a full address, latitude/longitude, or precise location. These locality fields are kept in clear text because the "city" granularity is not, in itself, sensitive data, and they are protected by the same access rules as your account.

3.4 Account, session, and security data

3.5 De-identified usage data

We collect minimal stability and diagnostics data (telemetry) — crashes, errors, performance — in a de-identified way and without any health content, to keep the app safe and working (see Section 13). This is internal processing: we do not use analytics SDKs or third-party tracking. As a self-limited minimization measure, we retain this telemetry for up to about 12 months (see Sections 12 and 13).

3.6 What we DO NOT collect / DO NOT do


4. Purposes and legal bases

Every processing activity has a legal basis. Because we process sensitive health data, we are especially rigorous: each sensitive purpose is recorded in our consent record with the corresponding legal basis and Policy version.

| Purpose | What it is | Legal basis — LGPD | Legal basis — GDPR |
|---|---|---|---|
| Clinical processing (clinical_processing) | Organize your documents, structure values, build the health record's timeline and trends | Primary basis: Art. 7, II and Art. 11, II, "a" (specific and prominent consent for sensitive data). Subsidiary basis (only for security, integrity, compliance with a legal obligation, and operating deletion): Art. 7, II and Art. 10. We do not invoke health protection (Art. 11, II, "f") | Primary basis: Art. 6(1)(a) + Art. 9(2)(a) (explicit consent for health data). Subsidiary basis (security, integrity, legal obligation, and deletion): Art. 6(1)(c) and (f). We do not invoke Art. 9(2)(h): Art. 9(3) would require a health professional bound by confidentiality in the flow, and there is no doctor in the loop |
| AI processing (ai_processing) | Send the pseudonymized clinical content (without direct identifiers) to the AI (Anthropic) to read the documents and photos you upload and from them extract and fill in records (lab results, medications, vaccines, measurements, professionals — which you confirm before saving), structure the health record, and generate a supportive educational reading (assistant, never diagnostic — see Section 6) | Art. 7, I and Art. 11, I (specific consent) | Art. 6(1)(a) + Art. 9(2)(a) |
| International transfer (intl_transfer) | When, and only when, necessary, process de-identified data outside Brazil (see Section 9) | Art. 7, I; Art. 11, I; Art. 33 (international transfer) | Art. 6(1)(a) + Art. 9(2)(a); Art. 44–49 |
| Family sharing (family_sharing) | You authorize a family member to read your health record, in a revocable way (see Section 7) | Art. 7, I and Art. 11, I (consent) | Art. 6(1)(a) + Art. 9(2)(a) |
| Data of minors in your care | Organize a dependent's health record | Art. 14 (best interest of the child/adolescent; consent of at least one parent or legal guardian) | Art. 8 + Art. 9(2)(a), exercised by the legal guardian |
| Age attestation (age_attestation) | You declare you are 18+; registration of a minor under 18 is blocked and the attestation is recorded immutably, with the server's date/time | Art. 14 + Law 15.211/2025 (Digital ECA) | Art. 8 |
| Security, fraud prevention, and audit | Access logs, defense against attacks, compliance with legal record-keeping obligations | Art. 7, II (compliance with a legal obligation) and Art. 10 (legitimate interest, limited) | Art. 6(1)(c) (legal obligation) and Art. 6(1)(f) (legitimate interest) |
| Technical telemetry / stability | Crash diagnostics, without health data, in internal processing (no analytics SDK or third-party tracking) | Art. 7, IX (legitimate interest), with self-limited minimization (Art. 6, III) | Art. 6(1)(f) (legitimate interest) |
| Account, subscription, and credits | Maintain the account and process subscriptions and AI credits (as a rule, 1 credit = 1 page). A minor's AI consumption is charged to the guardian | Art. 7, V | Art. 6(1)(b) |
| Pseudonymized research (opt-in at deletion) | Pseudonymized research cohort (only sex, age range, and year, in random cohorts, without profile_id, without free text, and without an exact date) that you may authorize at the moment of deleting your account (see Section 12) | Art. 7, II and Art. 11, II, "a" (specific consent); pseudonymized data, not irreversibly anonymous data | Art. 6(1)(a) + Art. 9(2)(a) (explicit consent); cf. Art. 9(2)(j) (research purposes) |

Legal basis of the clinical core — clarification. The primary basis for processing your health record is your specific and prominent consent (LGPD Art. 11, II, "a" / GDPR Art. 9(2)(a)), consistent with the "sovereign health record" positioning: you authorize, and you may revoke. We reserve a subsidiary basis only for what consent does not cover (information security, data integrity, compliance with a legal obligation, and the very operation of account deletion), supported by LGPD Art. 7, II and Art. 10 and by GDPR Art. 6(1)(c) and (f). We do not adopt the health protection ground (LGPD Art. 11, II, "f" / GDPR Art. 9(2)(h)): under the GDPR, Art. 9(3) conditions this ground on the presence, in the flow, of a health professional bound by a duty of confidentiality, and there is no doctor in the loop of MyHealth.


5. Consent and how to revoke it

When you authorize a sensitive purpose, that consent is:

Our system only executes an operation if the corresponding consent is active. For example: if you do not authorize "AI Processing", the app does not send anything to the AI — this check happens automatically, on the server (the has_active_consent function), on every operation.

How the record works: each authorization or revocation is recorded as an immutable event in our consent record (consent_events), with the purpose, the legal basis, the language, and the Policy version in effect. Revoking does not erase the consent history — it records a new event that halts future processing of that purpose.

Revocation does not render unlawful any processing that was already lawfully carried out, but it halts future use for that purpose. You do not lose access to the health record you had already organized.


6. How Artificial Intelligence (AI) processes your data

AI is a central piece of MyHealth (assistant and extraction of data from documents), so we explain it with full transparency. Our AI provider is Anthropic (the Claude model), which acts as a subprocessor.

6.1 The AI receives the clinical content of your health record, without your direct identifiers

6.2 We DO NOT use your data to train AI

6.3 Technical safeguards

6.5 Organizing medications and supplements (derived data, AI-assisted)

To organize your record, the AI may produce, from the medications and supplements you log, a derived organizational datum: the decomposed active ingredients (a compounded formula is split into its label ingredients) and a general category; the canonical vaccine, the disease prevented, and the dose in the series (consolidating the same vaccine under different names); and the normalized allergen and its class. This datum is generated from what you already provided (we collect nothing new from you) and serves to relate, for example, an active ingredient to the corresponding marker in your lab test. It is educational and AI-assisted — you can review and correct it, and it is not a clinical classification, a prescription, or interaction checking (see the Medical Notice, item 5.2). AI processing details follow Sections 6.1–6.3.

6.4 Open standards and vocabularies (LOINC® / UCUM)

So that the same test coming from different laboratories (with different names, abbreviations, and languages) is recognized as a single parameter and produces a coherent timeline, MyHealth normalizes markers using the open vocabulary LOINC® (Logical Observation Identifiers Names and Codes) and standardizes units of measure based on UCUM. These standards are licensed reference content embedded in the app — they work like a dictionary and receive none of your personal data (Regenstrief Institute is not a sub-processor and nothing from your record is sent to it).

This product includes content from LOINC® (loinc.org). LOINC is copyright © 1995–2024, Regenstrief Institute, Inc. and the LOINC Committee, and is available at no cost under the LOINC license (loinc.org/license). LOINC® is a registered trademark of Regenstrief Institute, Inc.

7. Family sharing (opt-in, read-only, revocable)

MyHealth lets you share your health record with a family member, in a controlled way:

The family member must also be a user of the app. This sharing is between you and the person you choose — it is not sharing with third parties or for commercial purposes.


8. Apple Health (HealthKit)

MyHealth lets you import measurements from Apple Health (HealthKit) — weight, height, body composition, blood glucose, blood pressure, heart rate, saturation, and temperature — into your health record.

Connecting smart bands and rings (Oura and WHOOP)

In addition to Apple Health, you may, optionally and revocably, connect third-party wearables, with specific consent per provider (wearable_sync_oura, wearable_sync_whoop):

The authorization uses OAuth: the access tokens are encrypted (AES-256-GCM) on our server and are not accessible by the app. Oura operates in Finland (European Economic Area) and WHOOP in the United States; connecting these services involves an inbound international transfer, under the safeguards in Section 9.1. Oura and WHOOP act as data sources (independent controllers of their own platforms), not as our subprocessors, and do not receive data from your health record.

When you disconnect a wearable:

Data imported from wearables and from Apple Health is always recorded in your own health record (account holder) and never in a dependent's profile, even if you are viewing a minor's profile.


9. Subprocessors and international transfers

We do not sell your data. To operate the service, we use a minimal set of vendors ("subprocessors"/"processors"), each under a data processing agreement (DPA — signed or to be signed before launch, as indicated in the "Safeguards" column of each row), confidentiality, and security, processing data only under our instructions.

| Subprocessor | What it does | What data it processes | Where | Safeguards |
|---|---|---|---|---|
| Supabase | Database (PostgreSQL), authentication, document storage, and edge functions | Pseudonymized clinical data; encrypted PII in the vault; encrypted documents; account metadata | São Paulo, Brazil (sa-east-1) | DPA «to be signed»; encryption in transit (TLS) and at rest; additional field encryption under our key management; isolation via RLS; SCC for any transfers outside the EEA |
| Anthropic, PBC | AI model (Claude) for health-record analysis, document extraction, and chat | Pseudonymized clinical content (values, dates, notes, lifestyle habits, cycle, wearable aggregates) and, in document analysis, the image/PDF itself (with best-effort on-device redaction of printed identifiers, when located) — transiently | United States | DPA «to be signed»; contractual non-training; limited retention (~30 days); SCC; TLS |
| Resend | Sending transactional emails (access code/OTP and account notices) | Only your email and the email's content; no health content | US / global | DPA «to be signed»; SCC; TLS |
| Apple (App Store / In-App Purchase / HealthKit / push) | Distribution, HealthKit, notifications, and payment processing for subscriptions and credits as merchant of record | Purchase/receipt data; we do not receive your card data; no health content in the payment flow | US / global | App Store Terms; Guideline 5.1.3 |

Oura and WHOOP do not appear in this table: they are data sources that you connect (Section 8), acting as independent controllers of their own platforms, and not as our subprocessors. The DPAs and standard contractual clauses (SCC) listed above are to be signed before launch, and we maintain a public subprocessors page kept up to date at https://www.bas-ai.com/myhealth/legal/subprocessadores. We will give notice before adding a relevant new subprocessor.

9.1 International transfers

Your health record is stored in Brazil (São Paulo) — that is the rule. Transfers outside Brazil occur in a limited way and with your authorization (intl_transfer): in AI processing (Anthropic, United States — Section 6), in which we send the clinical content without your direct identifiers (in document extraction, the file itself — after a best-effort on-device automatic redaction that attempts to cover name, tax ID, email, and phone; identifiers not located may remain in the file); in the connection of wearables (Oura, in Finland/EEA; WHOOP, in the United States — Section 8); and in distribution by Apple (United States). When there is an international transfer, we adopt the required safeguards:

We may also disclose data when required by law (court order or competent authority), always limited to what is strictly necessary and, where legally permitted, notifying you.


10. Information security

The confidentiality of your health data is our number one control. The main measures:

We seek alignment with the best international practices for health information security. No system is 100% immune; that is why we maintain incident response plans (see Section 14).


11. Data of children and adolescents (minors)

The protection of children and adolescents follows the Statute of the Child and Adolescent (Law 8.069/1990), Law 15.211/2025 (Digital ECA), Art. 14 of the LGPD, and Art. 8 of the GDPR (EEA).

We adopt, in any country, a single 18-year-old threshold for a self-owned account. This requirement refers to account ownership and is not to be confused with the GDPR's age of autonomous digital consent (Art. 8, between 13 and 16 years old depending on the country). Below 18, data processing only occurs through a profile managed by an adult guardian.

Users in the United States (COPPA): MyHealth does not offer accounts to minors and does not collect data directly from children. Any minor's data is entered and controlled by a responsible adult, who exercises verifiable parental consent.


12. Retention and disposal

We adopt the minimization principle: we keep each category of data only for as long as needed for its purpose or required by law.

12.1 Retention periods

| Category | Period | Why |
|---|---|---|
| Health record and identity vault (clinical data + PII) | As long as your account exists; removed upon account deletion (see 12.2) | You keep the health record organized for as long as you want |
| Access / audit logs (access_log — date/time, IP, action; never clinical content) | Minimum of 6 months | Minimum retention of access logs (Brazilian Internet Civil Framework, Law 12.965/2014, Art. 15). It is a retention floor; the access log (date/time + IP) is not health data and does not justify retaining the health record |
| Billing and tax data (receipts, credit/subscription movements) | 5 years | Tax periods (Brazilian Tax Code (CTN), Arts. 173 and 174) |
| De-identified technical telemetry | Up to about 12 months | Internal minimization policy (LGPD Art. 6, III) — not a legal period |
| Consent records (consent_events) | Kept as an immutable history | To prove lawfulness and the authorizations granted/revoked (accountability) |

A gap we acknowledge transparently: there is not yet automatic purging due to inactivity (an account unused for a long period is not deleted on its own). This is a gap to be defined — when we adopt an inactivity policy, we will update this Section and the Policy version. We do not describe here, as a practice currently in effect, something the app does not yet do.

12.2 Permanent account deletion (right to erasure — LGPD Art. 18, VI / GDPR Art. 17)

Deletion is available directly in the app, under Profile › Privacy › Delete my account (an Apple requirement). Upon confirmation, we execute the permanent cascade removal — an immediate operation — of your identity vault (identity_vault) and of all clinical data (lab results, conditions, medications, vaccines, documents, measurements, history, appointments, conversations with the AI, wearable data), we revoke the wearable connections, and we close your access account.

Backups may, for a period, still contain data already deleted: they are overwritten in our processor's normal retention cycle, after which they cease to exist. (We do not claim "key destruction" or instant backup purging.)

Deletion receipt (accountability — LGPD Art. 6, X): we can confirm the completion of the deletion upon request to the DPO. There is no automatic receipt issued, and the deletion is not total — the minimum records described below remain, due to a legal requirement.

What remains after deletion, and why:

12.3 Death of the data subject

The LGPD and the GDPR protect living persons and, as a rule, do not reach the deceased (ANPD, Technical Note No. 3/2023; GDPR, Recital 27). Even so, a deceased person's health record involves personality rights that survive death (Civil Code, Art. 12, sole paragraph) and matters of succession.


12-A. Notifications and reminders (opt-in, local)

MyHealth may send reminders on your iPhone — about medication, a wellbeing check-in, your schedule (appointments/tests/follow-ups/vaccines), and a notice that an analysis is ready. Key points:

13. Cookies, telemetry, and tracking

MyHealth is a native iPhone app (not a website), so it does not use browsing cookies in the traditional sense.

Today we do not use any third-party analytics or tracking tool; if that changes, we will update this Policy and the subprocessors page before activation, with a new notice — also reviewing the App Store privacy labels and the need (or not) for App Tracking Transparency (ATT).


14. Security incidents and notification

We maintain incident response plans. In the event of a security incident that may create relevant risk to you:


15. Your rights

You are the owner of your data and have rights guaranteed by the LGPD (Art. 18) and the GDPR (Chapter III):

| Right | What it means | How to exercise it in MyHealth |
|---|---|---|
| Access / confirmation | To know what data we hold and obtain a copy (LGPD Art. 18, I–II; GDPR Art. 15) | View the full health record in the app; export it |
| Correction | To correct incomplete or wrong data (LGPD Art. 18, III; GDPR Art. 16) | You review and edit the data directly |
| Deletion / erasure | To delete your data and account (LGPD Art. 18, VI; GDPR Art. 17) | Delete account / data in the app (see Section 12) |
| Portability | To take your data in a structured, interoperable format (LGPD Art. 18, V; GDPR Art. 20) | Export in FHIR R4 and as PDF |
| Consent revocation | To withdraw an authorization (LGPD Art. 8, §5; GDPR Art. 7(3)) | Turn off a purpose (e.g., "AI Processing") in the settings (see Section 5) |
| Information on sharing | To know with whom we share (LGPD Art. 18, VII) | This Policy (Section 9) and the subprocessors page |
| Objection / restriction | To object to a processing or request its restriction (LGPD Art. 18, §2; GDPR Art. 18 and 21) | Contact the DPO |
| No subjection to automated decision / review | The AI does not decide anything on its own (LGPD Art. 20; GDPR Art. 22) | You always review and confirm (see Section 6.3) |
| View the access history | Transparency about who accessed what | Your access log is available |
| Petition to the authority (ANPD) | To petition against the controller before the national authority (LGPD Art. 18, §1) | Contact us (Section 1) and/or the ANPD — see "Complaints" below |

How to exercise: many rights are exercised directly in the app (review, export, delete, revoke consent). For the others, or if something does not work, write to our DPO (Section 1). We respond within the legal period (as a rule, up to 15 days for confirmation of existence or access, under the LGPD; up to 30 days under the GDPR, extendable where the law permits).

Complaints: if you believe we process your data improperly, you can complain to the competent authority — in Brazil, the ANPD (https://www.gov.br/anpd); in Europe, the data protection authority of your country. We ask, however, that you talk to our DPO first — we want to resolve it directly with you.


16. MyHealth is NOT a medical service


17. Changes to this Policy and versioning

We may update this Policy to reflect changes in the app, in vendors, or in the law. The Policy has a version (policy_version):

The version history is published at https://www.bas-ai.com/myhealth/legal/versoes; each accepted version remains archived.


18. Contact us

Questions, requests, or complaints about your data:


MyHealth — your health record, sovereign and private. This Policy was drafted in Portuguese as the basis for translation into the app's other languages (at least PT/EN/ES). In case of divergence between versions, the Portuguese prevails.