Privacy Policy — MyHealth

Version (policy_version): 2.0
Last updated: June 22, 2026
Effective: as of the date of publication on the App Store.


In short (read this first)

MyHealth is an iPhone app that helps you organize your own health record, with an artificial intelligence (AI) assistant that reads the documents and photos you upload to extract and fill in records (which you confirm before saving) and offers a supportive educational reading. You bring together your lab results, conditions, medications, vaccines, appointments, measurements, and documents in a single place, and the app builds a timeline of your health to prepare you for the conversation with your doctor.

The most important points:

The full text below details all of this and describes your legal rights.


1. Who we are (the Controller) and the DPO

The party responsible for processing your personal data ("Controller" under the LGPD; "Controller" under the GDPR) is:

BAS AI — BAS ARTIFICIAL INTELLIGENCE LTDA
CNPJ: 64.106.409/0001-70
Website: www.bas-ai.com
Address: Rua Gomes de Carvalho, 911, Vila Olímpia, São Paulo/SP, ZIP 04547-003, Brazil

In this document, "MyHealth", "we", or "the app" refer to this Controller.

Data Protection Officer (DPO)

For any privacy and data protection matter, contact our Officer (LGPD Art. 41 / Data Protection Officer, GDPR Art. 37):

Email: privacy@bas-ai.com
Officer's name: Guilherme Kaschny Bastian
Mailing address: Rua Gomes de Carvalho, 911, Vila Olímpia, São Paulo/SP, ZIP 04547-003, Brazil

Today MyHealth does not have a representative in the European Union; if the service comes to be offered in a meaningful way to data subjects in the EEA/United Kingdom, we will appoint a representative (GDPR Art. 27) and indicate the contact here.


2. To whom this Policy applies

This Policy applies to everyone who uses the MyHealth app, in any country. The app is global and multi-language (Portuguese, English, and Spanish).

The initial launch focuses on Brazil, but, where the law of your country is more protective, it prevails. We treat the LGPD (Law No. 13.709/2018, Brazil) and the GDPR (Regulation (EU) 2016/679) as our minimum standard everywhere.

Children and adolescents: self-registration is intended for people 18 or older. Data of minors may only be included by a legal guardian, who manages the dependent's profile (see Section 11).


3. What data we collect

We collect only what is necessary for the app to work (the minimization principle). Below is what we collect and where it is stored.

3.1 Identity data (PII) — encrypted in a vault

The following data identifies you directly and is stored in an identity vault (identity_vault), encrypted field by field (XChaCha20-Poly1305), physically separated from the clinical tables. It is decrypted only by a secure function, under your own identity:

The clinical tables do not contain this data — they refer to you only by a profile code (pseudonym). In the pseudonymized profile we keep only the clinical-demographic minimum needed to interpret the data correctly (for example, biological sex and date of birth/age, important for lab reference ranges).

3.2 Health / sensitive data (PHI)

This is sensitive personal data (health) and receives maximum protection. We collect, as you record or import it:

When this data refers to a minor in your care, the same protections apply (see Section 11).

3.3 Locality and language (optional, in clear text)

Optionally, to adapt the experience and prepare future features (such as recommending professionals by city), we may store country, state/province, city, and the preferred language. We do not collect a full address, latitude/longitude, or precise location. These locality fields are kept in clear text because the "city" granularity is not, in itself, sensitive data, and they are protected by the same access rules as your account. When you authorize AI Processing (Section 6), your profile's country is part of the context sent to the AI, only to regionalize, in an educational way, emergency guidance and vaccination-calendar guidance (state/province and city are not sent to the AI).

3.4 Account, session, and security data

3.5 De-identified usage data

We collect minimal stability and diagnostics data (telemetry) — crashes, errors, performance — in a de-identified way and without any health content, to keep the app safe and working (see Section 13). This is internal processing: we do not use analytics SDKs or third-party tracking. As a self-limited minimization measure, we retain this telemetry for up to about 12 months (see Sections 12 and 13).

3.6 What we DO NOT collect / DO NOT do


4. Purposes and legal bases

Every processing activity has a legal basis. Because we process sensitive health data, we are especially rigorous: each sensitive purpose is recorded in our consent record with the corresponding legal basis and Policy version.

| Purpose | What it is | Legal basis — LGPD | Legal basis — GDPR |
|---|---|---|---|
| Clinical processing (clinical_processing) | Organize your documents, structure values, build the health record's timeline and trends | Primary basis: Art. 7, II and Art. 11, II, "a" (specific and prominent consent for sensitive data). Subsidiary basis (only for security, integrity, compliance with a legal obligation, and operating deletion): Art. 7, II and Art. 10. We do not invoke health protection (Art. 11, II, "f") | Primary basis: Art. 6(1)(a) + Art. 9(2)(a) (explicit consent for health data). Subsidiary basis (security, integrity, legal obligation, and deletion): Art. 6(1)(c) and (f). We do not invoke Art. 9(2)(h): Art. 9(3) would require a health professional bound by confidentiality in the flow, and there is no doctor in the loop |
| AI processing (ai_processing) | Send the pseudonymized clinical content (without direct identifiers) to the AI (Anthropic) to read the documents and photos you upload and from them extract and fill in records (lab results, medications, vaccines, measurements, professionals — which you confirm before saving), structure the health record, and generate a supportive educational reading (assistant, never diagnostic — see Section 6) | Art. 7, I and Art. 11, I (specific consent) | Art. 6(1)(a) + Art. 9(2)(a) |
| International transfer (intl_transfer) | When, and only when, necessary, process de-identified data outside Brazil (see Section 9) | Art. 7, I; Art. 11, I; Art. 33 (international transfer) | Art. 6(1)(a) + Art. 9(2)(a); Art. 44–49 |
| Family sharing (family_sharing) | You authorize a family member to read your health record, in a revocable way (see Section 7) | Art. 7, I and Art. 11, I (consent) | Art. 6(1)(a) + Art. 9(2)(a) |
| Data of minors in your care | Organize a dependent's health record | Art. 14 (best interest of the child/adolescent; consent of at least one parent or legal guardian) | Art. 8 + Art. 9(2)(a), exercised by the legal guardian |
| Age attestation (age_attestation) | You declare you are 18+; registration of a minor under 18 is blocked and the attestation is recorded immutably, with the server's date/time | Art. 14 + Law 15.211/2025 (Digital ECA) | Art. 8 |
| Security, fraud prevention, and audit | Access logs, defense against attacks, compliance with legal record-keeping obligations | Art. 7, II (compliance with a legal obligation) and Art. 10 (legitimate interest, limited) | Art. 6(1)(c) (legal obligation) and Art. 6(1)(f) (legitimate interest) |
| App notifications | Store a technical delivery token (push/APNs) and send generic app notices (e.g., "your analysis is ready"), with no health data in the content; operational consent via the iOS notification permission | Art. 7, IX (legitimate interest) | Art. 6(1)(f) (legitimate interest) |
| Technical telemetry / stability | Crash diagnostics, without health data, in internal processing (no analytics SDK or third-party tracking) | Art. 7, IX (legitimate interest), with self-limited minimization (Art. 6, III) | Art. 6(1)(f) (legitimate interest) |
| Account, subscription, and packs | Maintain the account and process subscriptions and AI usage packs (measured in pages and prompts). A minor's AI consumption is charged to the guardian | Art. 7, V | Art. 6(1)(b) |
| Pseudonymized research (opt-in at deletion) | Pseudonymized research cohort (only sex, age range, and year, in random cohorts, without profile_id, without free text, and without an exact date) that you may authorize at the moment of deleting your account (see Section 12) | Art. 7, II and Art. 11, II, "a" (specific consent); pseudonymized data, not irreversibly anonymous data | Art. 6(1)(a) + Art. 9(2)(a) (explicit consent); cf. Art. 9(2)(j) (research purposes) |

Legal basis of the clinical core — clarification. The primary basis for processing your health record is your specific and prominent consent (LGPD Art. 11, II, "a" / GDPR Art. 9(2)(a)), consistent with the "sovereign health record" positioning: you authorize, and you may revoke. We reserve a subsidiary basis only for what consent does not cover (information security, data integrity, compliance with a legal obligation, and the very operation of account deletion), supported by LGPD Art. 7, II and Art. 10 and by GDPR Art. 6(1)(c) and (f). We do not adopt the health protection ground (LGPD Art. 11, II, "f" / GDPR Art. 9(2)(h)): under the GDPR, Art. 9(3) conditions this ground on the presence, in the flow, of a health professional bound by a duty of confidentiality, and there is no doctor in the loop of MyHealth.


5. Consent and how to revoke it

When you authorize a sensitive purpose, that consent is:

Our system only executes an operation if the corresponding consent is active. For example: if you do not authorize "AI Processing", the app does not send anything to the AI — this check happens automatically, on the server (the has_active_consent function), on every operation.

How the record works: each authorization or revocation is recorded as an immutable event in our consent record (consent_events), with the purpose, the legal basis, the language, and the Policy version in effect. Revoking does not erase the consent history — it records a new event that halts future processing of that purpose.

Revocation does not make unlawful any processing already lawfully carried out, but it halts future use for that purpose. You do not lose access to the health record you had already organized.


6. How Artificial Intelligence (AI) processes your data

AI is a central piece of MyHealth (assistant and extraction of data from documents), so we explain it with full transparency. Our AI provider is Anthropic, which acts as a subprocessor.

6.1 The AI receives the clinical content of your health record, without your direct identifiers

6.2 We DO NOT use your data to train AI

6.3 Technical safeguards

6.4 Open standards and vocabularies (LOINC® / UCUM)

So that the same test coming from different laboratories (with different names, abbreviations, and languages) is recognized as a single parameter and produces a coherent timeline, MyHealth normalizes markers using the open vocabulary LOINC® (Logical Observation Identifiers Names and Codes) and standardizes units of measure based on UCUM. These standards are licensed reference content embedded in the app — they work like a dictionary and receive none of your personal data (Regenstrief Institute is not a sub-processor and nothing from your record is sent to it).

This product includes content from LOINC® (loinc.org). LOINC is copyright © 1995–2024, Regenstrief Institute, Inc. and the LOINC Committee, and is available at no cost under the LOINC license (loinc.org/license). LOINC® is a registered trademark of Regenstrief Institute, Inc.

6.5 Organizing medications and supplements (derived data, AI-assisted)

To organize your record, the AI may produce, from the medications and supplements you log, a derived organizational datum: the decomposed active ingredients (a compounded formula is split into its label ingredients) and a general category; the canonical vaccine, the disease prevented, and the dose in the series (consolidating the same vaccine under different names); and the normalized allergen and its class. This datum is generated from what you already provided (we collect nothing new from you) and serves to relate, for example, an active ingredient to the corresponding marker in your lab test. It is educational and AI-assisted — you can review and correct it, and it is not a clinical classification, a prescription, or interaction checking (see the Medical Notice, item 5.2). AI processing details follow Sections 6.1–6.3.


7. Family sharing (opt-in, read-only, revocable)

MyHealth lets you share your health record with a family member, in a controlled way:

The family member must also be a user of the app. This sharing is between you and the person you choose — it is not sharing with third parties or for commercial purposes.


8. Apple Health (HealthKit)

MyHealth lets you import measurements from Apple Health (HealthKit) — weight, height, body composition, blood glucose, blood pressure, heart rate, saturation, and temperature — into your health record.

Connecting smart bands and rings (Oura and WHOOP)

In addition to Apple Health, you may, optionally and revocably, connect third-party wearables, with specific consent per provider (wearable_sync_oura, wearable_sync_whoop):

The authorization uses OAuth: the access tokens are encrypted (AES-256-GCM) on our server and are not accessible by the app. Oura operates in Finland (European Economic Area) and WHOOP in the United States; connecting these services involves an inbound international transfer, under the safeguards in Section 9.1. Oura and WHOOP act as data sources (independent controllers of their own platforms), not as our subprocessors, and do not receive data from your health record.

When you disconnect a wearable:

Data imported from wearables and from Apple Health is always recorded in your own health record (account holder) and never in a dependent's profile, even if you are viewing a minor's profile.


9. Subprocessors and international transfers

We do not sell your data. To operate the service, we use a minimal set of vendors ("subprocessors"/"processors"), each under a data processing agreement (DPA), confidentiality, and security, processing data only under our instructions. The relationship with Anthropic and Resend is already governed by a DPA/SCC in effect; the Supabase DPA is in effect (signed 2026-06-18) (see the status of each in the "Safeguards" column).

| Subprocessor | What it does | What data it processes | Where | Safeguards |
|---|---|---|---|---|
| Supabase | Database (PostgreSQL), authentication, document storage, and edge functions | Pseudonymized clinical data; encrypted PII in the vault; encrypted documents; account metadata | São Paulo, Brazil (sa-east-1) | DPA in effect (signed 2026-06-18; Supabase Pte. Ltd) — includes EU SCCs + transfer safeguards (UK/Switzerland); SOC 2 Type 2 + ISO 27001 (Supabase provider certifications); daily backups (14 days); 28-day log retention; regional hosting; encryption in transit (TLS) and at rest; additional field encryption under our key management; isolation via RLS; SCC for any transfers outside the EEA |
| Anthropic, PBC | Anthropic's AI models for health-record analysis, document extraction, and chat | Pseudonymized clinical content (values, dates, notes, lifestyle habits, cycle, wearable aggregates) and, in document analysis, the image/PDF itself (with best-effort on-device redaction of printed identifiers, when located) — transiently | United States | DPA in effect (Anthropic Commercial Terms); EU SCC (Modules 2/3) + UK IDTA + Swiss addendum; contractual non-training; limited retention (~30 days); TLS |
| Resend | Sending transactional emails (access code/OTP and account notices) | Only your email and the email's content; no health content | US / global | DPA in effect (acceptance of terms); EU-US DPF certification + UK extension; SCC; TLS |
| Apple (App Store / In-App Purchase / HealthKit / push) | Distribution, HealthKit, notifications, and payment processing for subscriptions and add-on packs as merchant of record | Purchase/receipt data; we do not receive your card data; no health content in the payment flow | US / global | App Store Terms; Guideline 5.1.3 |

Oura and WHOOP do not appear in this table: they are data sources that you connect (Section 8), acting as independent controllers of their own platforms, and not as our subprocessors. The relationship with Anthropic and Resend is already governed by a DPA/SCC in effect; the Supabase DPA is in effect (signed 2026-06-18; Supabase Pte. Ltd). We maintain a public subprocessors page kept up to date at https://www.bas-ai.com/myhealth/legal/subprocessors-en. We will give notice before adding a relevant new subprocessor.

9.1 International transfers

Your health record is stored in Brazil (São Paulo) — that is the rule. Transfers outside Brazil occur in a limited way and with your authorization (intl_transfer): in AI processing (Anthropic, United States — Section 6), in which we send the clinical content without your direct identifiers (in document extraction, the file itself — after a best-effort on-device automatic redaction that attempts to cover name, tax ID, email, and phone; identifiers not located may remain in the file); in the connection of wearables (Oura, in Finland/EEA; WHOOP, in the United States — Section 8); and in distribution by Apple (United States). When there is an international transfer, we adopt the required safeguards:

We may also disclose data when required by law (court order or competent authority), always limited to what is strictly necessary and, where legally permitted, notifying you.


10. Information security

The confidentiality of your health data is our number one control. The main measures:

We seek alignment with the best international practices for health information security. No system is 100% immune; that is why we maintain incident response plans (see Section 14).


11. Data of children and adolescents (minors)

The protection of children and adolescents follows the Statute of the Child and Adolescent (Law 8.069/1990), Law 15.211/2025 (Digital ECA), Art. 14 of the LGPD, and Art. 8 of the GDPR (EEA).

We adopt, in any country, a single 18-year-old threshold for a self-owned account. This requirement refers to account ownership and is not to be confused with the GDPR's age of autonomous digital consent (Art. 8, between 13 and 16 years old depending on the country). Below 18, data processing only occurs through a profile managed by an adult guardian.

Users in the United States (COPPA): MyHealth does not offer accounts to minors and does not collect data directly from children. Any minor's data is entered and controlled by a responsible adult, who exercises verifiable parental consent.


12. Retention and disposal

We adopt the minimization principle: we keep each category of data only for as long as needed for its purpose or required by law. Because MyHealth is distributed worldwide, we apply the most protective standard among the applicable laws: by default, deletion erases the identity, and retention is the exception, triggered only when a concrete law requires it.

12.1 Retention periods

| Category | Period | Why |
|---|---|---|
| Health record and identity vault (clinical data + PII) | As long as your account exists; removed upon account deletion (see 12.2) | You keep the health record organized for as long as you want |
| Access / audit logs (access_log — date/time, source IP, action; never clinical content) | 6 months | Security and fraud/abuse detection (a proportionate measure — legitimate interest, GDPR Art. 6(1)(f); LGPD Art. 7, IX). In Brazil, it also meets the floor of the Internet Civil Framework (Law 12.965/2014, Art. 15) for an application provider. The log (date/time + IP) is not health data, and the IP is never used to infer a health condition |
| Minimum identity retained upon deletion (encrypted name + encrypted email + creation date + last-access date) | Only when there was a transaction (subscription or packs purchased); for the tax period of your jurisdiction (Brazil: 5 years; other countries: the local-law period, typically 5–6 years), with automatic purging at the end. For anyone who never transacted: none of this is retained — the identity is erased upon deletion | To comply with a tax/accounting obligation that arises only from a real transaction (Brazil: CTN, Arts. 173 and 174; European Union: the Member State's period; United Kingdom: Limitation Act 1980 / HMRC; Canada: Income Tax Act s. 230). Without a transaction, there is no legal obligation that would justify keeping the identity |
| Billing and tax data (receipts, subscription and pack movements) | Tax period of the jurisdiction (Brazil: 5 years) — only for those who transacted | Tax periods (Brazil: CTN, Arts. 173 and 174; or the applicable local tax law) |
| De-identified technical telemetry | Up to about 12 months | Internal minimization policy (LGPD Art. 6, III) — not a legal period |
| Consent records (consent_events, de-linked from your profile upon deletion) | Kept as proof of lawfulness for the applicable limitation period | To prove lawfulness and the authorizations granted/revoked (accountability — GDPR Art. 5(2)/7(1); LGPD Art. 8/6, X) |

How the identity is protected when retained: when there is a transaction and tax law requires retention, we keep the name and email encrypted (the same protection as the identity vault), in an isolated table, accessible only by the internal service (RLS, with no user access), and we erase it automatically at the end of the period. We do not keep your email in legible text.

A gap we acknowledge transparently: there is not yet automatic purging due to inactivity (an account unused for a long period is not deleted on its own). This is a gap to be defined — when we adopt an inactivity policy, we will update this Section and the Policy version. We do not describe here, as a practice currently in effect, something the app does not yet do.

12.2 Permanent account deletion (right to erasure — LGPD Art. 18, VI / GDPR Art. 17 / local equivalents)

Deletion is available directly in the app, under Profile › Privacy › Delete my account (an Apple requirement). Upon confirmation, we execute the permanent cascade removal — an immediate operation — of all of your clinical health record (lab results, conditions, medications, vaccines, documents, measurements, history, appointments, conversations with the AI, wearable data) and of the files in storage, we revoke the wearable connections, and we close your access account.

The backups may, for a short period, still contain data already deleted: they are overwritten in our processor's normal cycle (Supabase, around 14 days — well within the 6 months), and the data processing agreements (DPAs) with Supabase and Anthropic govern the disposal of any residual copies. (We do not claim "key destruction" or instant backup purging.)

Whether your identity is erased depends on whether or not you made a purchase:

Deletion receipt (accountability — LGPD Art. 6, X): we can confirm the completion of the deletion upon request to the DPO. The deletion is not total — the minimum records below remain, due to a legal requirement.

What always remains after deletion, for any user:

Dependent profiles (minors): when deleting a minor's profile, we never retain the minor's name or email for tax reasons — the tax obligation, if any, belongs to the paying guardian, and not to the minor's profile. For the minor, erasure of the identity is the rule; only the minimum deletion record by irreversible code remains.

Users in jurisdictions with a reinforced right to deletion (e.g., Washington — My Health My Data Act): we treat the request as a deletion of consumer health data — we erase the identity (without invoking a tax period against someone who did not transact), and the disposal of the residual copies at the processors occurs within 6 months, in accordance with the respective data processing agreements (DPAs).

12.3 Death of the data subject

The LGPD and the GDPR protect living persons and, as a rule, do not reach the deceased (ANPD, Technical Note No. 3/2023; GDPR, Recital 27). Even so, a deceased person's health record involves personality rights that survive death (Civil Code, Art. 12, sole paragraph) and matters of succession.


12-A. Notifications and reminders (opt-in)

MyHealth may send reminders on your iPhone — about medication, a wellbeing check-in, your schedule (appointments/tests/follow-ups/vaccines), and a few server-side notices (when an analysis is ready, when one of your exams is updated, and when a follow-up appointment is approaching). Key points:

13. Cookies, telemetry, and tracking

MyHealth is a native iPhone app (not a website), so it does not use browsing cookies in the traditional sense.

Today we do not use any third-party analytics or tracking tool; if that changes, we will update this Policy and the subprocessors page before activation, with a new notice — also reviewing the App Store privacy labels and the need (or not) for App Tracking Transparency (ATT).


14. Security incidents and notification

We maintain incident response plans. In the event of a security incident that may create relevant risk to you:


15. Your rights

You are the owner of your data and have rights guaranteed by the LGPD (Art. 18) and the GDPR (Chapter III):

| Right | What it means | How to exercise it in MyHealth |
|---|---|---|
| Access / confirmation | To know what data we hold and obtain a copy (LGPD Art. 18, I–II; GDPR Art. 15) | View the full health record in the app; export it |
| Correction | To correct incomplete or wrong data (LGPD Art. 18, III; GDPR Art. 16) | You review and edit the data directly |
| Deletion / erasure | To delete your data and account (LGPD Art. 18, VI; GDPR Art. 17) | Delete account / data in the app (see Section 12) |
| Portability | To take your data in a structured, interoperable format (LGPD Art. 18, V; GDPR Art. 20) | Export in FHIR R4 and as PDF |
| Consent revocation | To withdraw an authorization (LGPD Art. 8, §5; GDPR Art. 7(3)) | Turn off a purpose (e.g., "AI Processing") in the settings (see Section 5) |
| Information on sharing | To know with whom we share (LGPD Art. 18, VII) | This Policy (Section 9) and the subprocessors page |
| Objection / restriction | To object to a processing or request its restriction (LGPD Art. 18, §2; GDPR Art. 18 and 21) | Contact the DPO |
| No subjection to automated decision / review | The AI does not decide anything on its own (LGPD Art. 20; GDPR Art. 22) | You always review and confirm (see Section 6.3) |
| View the access history | Transparency about who accessed what | Your access log is available |
| Petition to the authority (ANPD) | To petition against the controller before the national authority (LGPD Art. 18, §1) | Contact us (Section 1) and/or the ANPD — see "Complaints" below |

How to exercise: many rights are exercised directly in the app (review, export, delete, revoke consent). For the others, or if something does not work, write to our DPO (Section 1). We respond within the legal period (as a rule, up to 15 days for confirmation of existence or access, under the LGPD; up to 30 days under the GDPR, extendable where the law permits).

Complaints: if you believe we process your data improperly, you can complain to the competent authority — in Brazil, the ANPD (https://www.gov.br/anpd); in Europe, the data protection authority of your country. We ask, however, that you talk to our DPO first — we want to resolve it directly with you.


16. MyHealth is NOT a medical service


17. Changes to this Policy and versioning

We may update this Policy to reflect changes in the app, in vendors, or in the law. The Policy has a version (policy_version):

The version history is published at https://www.bas-ai.com/myhealth/legal/versoes; each accepted version remains archived.


18. Contact us

Questions, requests, or complaints about your data:


MyHealth — your health record, sovereign and private. This Policy was drafted in Portuguese as the basis for translation into the app's other languages (at least PT/EN/ES). In case of divergence between versions, the Portuguese prevails.