Privacy Policy — MyHealth
Version (policy_version): 2.0
Last updated: June 22, 2026
Effective: as of the date of publication on the App Store.
In short (read this first)
MyHealth is an iPhone app that helps you organize your own health record, with an artificial intelligence (AI) assistant that reads the documents and photos you upload to extract and fill in records (which you confirm before saving) and offers a supportive educational reading. You bring together your lab results, conditions, medications, vaccines, appointments, measurements, and documents in a single place, and the app builds a timeline of your health to prepare you for the conversation with your doctor.
The most important points:
- Who you are is kept separate from your health data. Your name, email, phone, and identification document (such as your tax ID) are stored in an encrypted vault (XChaCha20-Poly1305 encryption) and are decrypted only under your own identity, by a secure function. The clinical tables refer to you only by a code (pseudonym).
- Your data stays in Brazil. The database is hosted in the São Paulo region (sa-east-1).
- The AI receives the clinical content of your health record — without your direct identifiers — and only if you consent. It may include lab results, medications, symptoms, sleep and wearable metrics, your device's events, lifestyle habits you declare (smoking, alcohol, activity, sleep), and menstrual cycle records, plus your sex and age. Name, tax ID, email, and phone are kept encrypted in a separate vault and are not sent to the AI. Your data does not train models. This processing involves an international transfer to the United States (Anthropic). See Sections 6 and 9.
- The account is for people 18 or older. Minors are only included as a profile managed by an adult guardian (Section 11).
- The AI features are paid and consume your usage quota (analyzed pages and AI Chat prompts). There is an initial free courtesy, a subscription that renews the quota each cycle, and add-on packs that do not expire. Purchases are processed by Apple (App Store); a minor's AI use is charged to the guardian. See Section 9 and the Terms.
- You're in charge. You can access, correct, export (in the standard health format FHIR R4 and as PDF), revoke consents, and delete your account whenever you want.
- MyHealth is NOT a doctor and is not a medical device. It does not diagnose and does not prescribe. The readings and the AI assistant's responses are educational — you must always confirm with your doctor. To help you prepare for your appointment, the educational reading may explain the meaning and context of your findings (the mechanism, what clinical practice generally investigates, and what is worth bringing to your specialist), but it remains educational information: it never defines your diagnosis, your management, your work-up, or your treatment — that is your doctor's decision.
- Vaccination reminder (minor profiles). For a dependent minor's profile, the educational reading may, based on the recommended immunization schedule (WHO / your country's reference) and the vaccines you have recorded, informatively flag that a vaccine may be pending. It is only an educational reminder to the guardian: the absence of a record in the app does NOT mean the vaccine was not given (it may have been administered elsewhere), it is not a demand nor an individual immunization recommendation, and it must be confirmed on the vaccination card, with the pediatrician, or at the immunization service.
The full text below details all of this and describes your legal rights.
1. Who we are (the Controller) and the DPO
The party responsible for processing your personal data (the "Controller" under both the LGPD and the GDPR) is:
BAS AI — BAS ARTIFICIAL INTELLIGENCE LTDA
CNPJ: 64.106.409/0001-70
Website: www.bas-ai.com
Address: Rua Gomes de Carvalho, 911, Vila Olímpia, São Paulo/SP, ZIP 04547-003, Brazil
In this document, "MyHealth", "we", or "the app" refer to this Controller.
Data Protection Officer (DPO)
For any privacy and data protection matter, contact our Officer (LGPD Art. 41 / Data Protection Officer, GDPR Art. 37):
Email: privacy@bas-ai.com
Officer's name: Guilherme Kaschny Bastian
Mailing address: Rua Gomes de Carvalho, 911, Vila Olímpia, São Paulo/SP, ZIP 04547-003, Brazil
Today MyHealth does not have a representative in the European Union; if the service comes to be offered in a meaningful way to data subjects in the EEA/United Kingdom, we will appoint a representative (GDPR Art. 27) and indicate the contact here.
2. To whom this Policy applies
This Policy applies to everyone who uses the MyHealth app, in any country. The app is global and multi-language (Portuguese, English, and Spanish).
The initial launch focuses on Brazil, but, where the law of your country is more protective, it prevails. We treat the LGPD (Law No. 13.709/2018, Brazil) and the GDPR (Regulation (EU) 2016/679) as our minimum standard everywhere.
Children and adolescents: self-registration is intended for people 18 or older. Data of minors may only be included by a legal guardian, who manages the dependent's profile (see Section 11).
3. What data we collect
We collect only what is necessary for the app to work (the minimization principle). Below is what we collect and where it is stored.
3.1 Identity data (PII) — encrypted in a vault
The following data identifies you directly and is stored in an identity vault (identity_vault), encrypted field by field (XChaCha20-Poly1305), physically separated from the clinical tables. It is decrypted only by a secure function, under your own identity:
- Name (or display name);
- Email;
- Phone;
- Identification document (for example, the CPF/tax ID).
The clinical tables do not contain this data — they refer to you only by a profile code (pseudonym). In the pseudonymized profile we keep only the clinical-demographic minimum needed to interpret the data correctly (for example, biological sex and date of birth/age, important for lab reference ranges).
3.2 Health / sensitive data (PHI)
This is sensitive personal data (health) and receives maximum protection. We collect, as you record or import it:
- Lab results and laboratory markers (values, units, reference ranges, dates);
- Conditions and body systems ("head to toe" line);
- Medications (item, dose, indication, period, prescriber, active/inactive status);
- Allergies and intolerances (substance, category, reaction, severity);
- Vaccines;
- Appointments / encounters;
- Vital signs and bioimpedance — weight, body fat percentage, lean mass, circumferences, blood glucose, blood pressure, heart rate, saturation, temperature;
- Symptoms and complaints;
- Physical activity;
- Documents and reports (PDFs, photos, and text files — lab results, prescriptions, reports, records you submit);
- Family history of health;
- Care team (professionals, area, institution, reason);
- Card / emergency information (blood type, allergies, emergency contact);
- Notes, questions, and messages that you write in the app (including the chat with the AI assistant), to the extent they contain health data.
- Device events — events that your device records: ECG classification (sinus rhythm / atrial fibrillation / inconclusive) with the average heart rate, irregular rhythm and high or low heart rate notifications, atrial fibrillation burden, and fall detection. We store the event's classification and metadata — never the raw ECG trace (waveform), which stays only on your device and is not sent to the AI.
- Menstrual cycle and reproductive health — menstrual flow, intermenstrual bleeding, ovulation tests, cervical mucus quality, and pregnancy tests, when you record or import them. Correlated signals, such as basal body temperature, may be imported as vital signs. If you are female and 40 years old or older, the app may, optionally, ask your phase in relation to menopause (still menstruating, in transition, or already in menopause — with the option not to answer); this information is self-declared by you, not imported from Apple Health, and helps the AI better interpret your hormones (for example, FSH, LH, and estradiol). We do not import sexual activity records. This is sensitive data with the same maximum protection as the rest of the health data.
- Lifestyle habits you provide — data you declare, optionally, in the app's cards: smoking (and cigarettes-per-week range), alcohol consumption (and drinks-per-week range), physical activity level, and your perception of your sleep. When you authorize AI Processing (Section 6), these habits are part of the context sent to the AI.
When this data refers to a minor in your care, the same protections apply (see Section 11).
3.3 Locality and language (optional, in clear text)
Optionally, to adapt the experience and prepare future features (such as recommending professionals by city), we may store country, state/province, city, and the preferred language. We do not collect a full address, latitude/longitude, or precise location. These locality fields are kept in clear text because the "city" granularity is not, in itself, sensitive data, and they are protected by the same access rules as your account. When you authorize AI Processing (Section 6), your profile's country is part of the context sent to the AI, only to regionalize, in an educational way, emergency guidance and vaccination-calendar guidance (state/province and city are not sent to the AI).
3.4 Account, session, and security data
- Account and authentication: technical account identifiers and session tokens, to keep you securely signed in; two-factor authentication (MFA/2FA via TOTP), when enabled by you.
- Notifications (push): when you turn on notifications, we store a technical token that your device generates, used only to deliver the app's notices (e.g., when your analysis is ready). It is a delivery identifier — it is not used for tracking, does not train AI, and is not shared with third parties (it only travels through Apple's push service). You control this in the iOS notification permission and in the Notifications button inside the app, and the notice's content is generic, with no health data.
- Access and audit logs (access_log): metadata about who accessed what and when (action, table, origin, source IP address) — metadata only, never the clinical content.
- Consent records (consent_events): which purpose you authorized, the legal basis, the Policy version, and the moment — in an immutable way (see Section 5).
- AI usage and billing: we record metadata of the use of the AI features (function, model, number of tokens) and your usage-quota balance and consumption (pages and prompts) and add-on packs, to operate billing and prevent abuse. These records do not contain the analyzed health content.
3.5 De-identified usage data
We collect minimal stability and diagnostics data (telemetry) — crashes, errors, performance — in a de-identified way and without any health content, to keep the app safe and working (see Section 13). This is internal processing: we do not use analytics SDKs or third-party tracking. As a self-limited minimization measure, we retain this telemetry for up to about 12 months (see Sections 12 and 13).
3.6 What we DO NOT collect / DO NOT do
- We do not sell your data.
- We do not run targeted advertising based on your health, nor do we use third-party trackers that see your health data.
- We do not collect precise location, phone contacts, or microphone. The camera and gallery are accessed only at the exact moment you decide to upload a document (just-in-time permission).
4. Purposes and legal bases
Every processing activity has a legal basis. Because we process sensitive health data, we are especially rigorous: each sensitive purpose is recorded in our consent record with the corresponding legal basis and Policy version.
| Purpose | What it is | Legal basis — LGPD | Legal basis — GDPR |
|---|---|---|---|
| Clinical processing (clinical_processing) | Organize your documents, structure values, build the health record's timeline and trends | Primary basis: Art. 7, II and Art. 11, II, "a" (specific and prominent consent for sensitive data). Subsidiary basis (only for security, integrity, compliance with a legal obligation, and operating deletion): Art. 7, II and Art. 10. We do not invoke health protection (Art. 11, II, "f") | Primary basis: Art. 6(1)(a) + Art. 9(2)(a) (explicit consent for health data). Subsidiary basis (security, integrity, legal obligation, and deletion): Art. 6(1)(c) and (f). We do not invoke Art. 9(2)(h): Art. 9(3) would require a health professional bound by confidentiality in the flow, and there is no doctor in the loop |
| AI processing (ai_processing) | Send the pseudonymized clinical content (without direct identifiers) to the AI (Anthropic) to read the documents and photos you upload and from them extract and fill in records (lab results, medications, vaccines, measurements, professionals — which you confirm before saving), structure the health record, and generate a supportive educational reading (assistant, never diagnostic — see Section 6) | Art. 7, I and Art. 11, I (specific consent) | Art. 6(1)(a) + Art. 9(2)(a) |
| International transfer (intl_transfer) | When, and only when, necessary, process de-identified data outside Brazil (see Section 9) | Art. 7, I; Art. 11, I; Art. 33 (international transfer) | Art. 6(1)(a) + Art. 9(2)(a); Art. 44–49 |
| Family sharing (family_sharing) | You authorize a family member to read your health record, in a revocable way (see Section 7) | Art. 7, I and Art. 11, I (consent) | Art. 6(1)(a) + Art. 9(2)(a) |
| Data of minors in your care | Organize a dependent's health record | Art. 14 (best interest of the child/adolescent; consent of at least one parent or legal guardian) | Art. 8 + Art. 9(2)(a), exercised by the legal guardian |
| Age attestation (age_attestation) | You declare you are 18+; registration of a minor under 18 is blocked and the attestation is recorded immutably, with the server's date/time | Art. 14 + Law 15.211/2025 (Digital ECA) | Art. 8 |
| Security, fraud prevention, and audit | Access logs, defense against attacks, compliance with legal record-keeping obligations | Art. 7, II (compliance with a legal obligation) and Art. 10 (legitimate interest, limited) | Art. 6(1)(c) (legal obligation) and Art. 6(1)(f) (legitimate interest) |
| App notifications | Store a technical delivery token (push/APNs) and send generic app notices (e.g., "your analysis is ready"), with no health data in the content; operational consent via the iOS notification permission | Art. 7, IX (legitimate interest) | Art. 6(1)(f) (legitimate interest) |
| Technical telemetry / stability | Crash diagnostics, without health data, in internal processing (no analytics SDK or third-party tracking) | Art. 7, IX (legitimate interest), with self-limited minimization (Art. 6, III) | Art. 6(1)(f) (legitimate interest) |
| Account, subscription, and packs | Maintain the account and process subscriptions and AI usage packs (measured in pages and prompts). A minor's AI consumption is charged to the guardian | Art. 7, V | Art. 6(1)(b) |
| Pseudonymized research (opt-in at deletion) | Pseudonymized research cohort (only sex, age range, and year, in random cohorts, without profile_id, without free text, and without an exact date) that you may authorize at the moment of deleting your account (see Section 12) | Art. 7, II and Art. 11, II, "a" (specific consent); pseudonymized data, not irreversibly anonymous data | Art. 6(1)(a) + Art. 9(2)(a) (explicit consent); cf. Art. 9(2)(j) (research purposes) |
Legal basis of the clinical core — clarification. The primary basis for processing your health record is your specific and prominent consent (LGPD Art. 11, II, "a" / GDPR Art. 9(2)(a)), consistent with the "sovereign health record" positioning: you authorize, and you may revoke. We reserve a subsidiary basis only for what consent does not cover — information security, data integrity, compliance with a legal obligation, and the very operation of account deletion —, supported by LGPD Art. 7, II and Art. 10 and by GDPR Art. 6(1)(c) and (f). We do not adopt the health protection ground (LGPD Art. 11, II, "f" / GDPR Art. 9(2)(h)): under the GDPR, Art. 9(3) conditions this ground on the presence, in the flow, of a health professional bound by a duty of confidentiality, and there is no doctor in the loop of MyHealth.
5. Consent and how to revoke it
When you authorize a sensitive purpose, that consent is:
- Freely given — the app works in its essentials even if you do not authorize the AI;
- Informed — we explain the purpose on the spot, in plain language;
- Specific and prominent — each sensitive purpose has its own request (not a generic "accept all"), as the LGPD requires for health data;
- Revocable at any time — you can withdraw an authorization in the settings, without losing access to what you have already organized.
Our system only executes an operation if the corresponding consent is active. For example: if you do not authorize "AI Processing", the app does not send anything to the AI — this check happens automatically, on the server (the has_active_consent function), on every operation.
How the record works: each authorization or revocation is recorded as an immutable event in our consent record (consent_events), with the purpose, the legal basis, the language, and the Policy version in effect. Revoking does not erase the consent history — it records a new event that halts future processing of that purpose.
Revocation does not make unlawful processing already lawfully carried out, but it halts the future use of that purpose. You do not lose access to the health record you had already organized.
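To illustrate the mechanism this section describes (an append-only consent record in which a revocation is a new event rather than an erasure, and a server-side gate that checks the latest event before any AI operation), here is an added example. It is not MyHealth's own code: only the names consent_events and has_active_consent come from this Policy; the event fields, the in-memory store, and the send_to_ai function are assumptions made for the illustration.

```python
"""Append-only consent record with a server-side gate (added example).

Assumptions (not from the Policy): the event fields, the in-memory list that
stands in for the consent_events table, and the send_to_ai helper are
illustrative. Only the names consent_events / has_active_consent come from
the page.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class ConsentEvent:
    profile_id: str        # pseudonymous profile code, never name or tax ID
    purpose: str           # e.g. "ai_processing", "family_sharing"
    granted: bool          # True = authorization, False = revocation
    legal_basis: str       # e.g. "LGPD Art. 11, I / GDPR Art. 9(2)(a)"
    policy_version: str    # Policy version in effect when recorded
    language: str          # language the request was shown in
    recorded_at: datetime  # server time, set when the event is appended


class ConsentEvents:
    """Immutable log: events are only appended, never updated or deleted."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, profile_id: str, purpose: str, granted: bool, *,
               legal_basis: str, policy_version: str, language: str) -> ConsentEvent:
        ev = ConsentEvent(profile_id, purpose, granted, legal_basis,
                          policy_version, language, datetime.now(timezone.utc))
        self._events.append(ev)  # append only; earlier events stay as history
        return ev

    def history(self, profile_id: str, purpose: str) -> List[ConsentEvent]:
        """Full authorization/revocation history for one profile and purpose."""
        return [e for e in self._events
                if e.profile_id == profile_id and e.purpose == purpose]

    def has_active_consent(self, profile_id: str, purpose: str) -> bool:
        """The most recent event decides: a revocation halts future processing
        without erasing the earlier authorization from the log."""
        events = self.history(profile_id, purpose)
        return bool(events) and events[-1].granted


def send_to_ai(ledger: ConsentEvents, profile_id: str, clinical_payload: Dict) -> Dict:
    """Server-side gate: nothing leaves for the AI unless ai_processing is active."""
    if not ledger.has_active_consent(profile_id, "ai_processing"):
        raise PermissionError("ai_processing consent not active; nothing sent")
    # Payload is pseudonymous: it carries the profile code, not identity data.
    return {"pseudonym": profile_id, "payload": clinical_payload}


if __name__ == "__main__":
    ledger = ConsentEvents()
    ledger.record("prof-001", "ai_processing", True,
                  legal_basis="LGPD Art. 11, I / GDPR Art. 9(2)(a)",
                  policy_version="2.0", language="en")
    print(send_to_ai(ledger, "prof-001", {"glucose_mg_dl": 95}))
    ledger.record("prof-001", "ai_processing", False,
                  legal_basis="withdrawal", policy_version="2.0", language="en")
    print(ledger.has_active_consent("prof-001", "ai_processing"))  # False
    print(len(ledger.history("prof-001", "ai_processing")))        # 2
```

The gate is evaluated on every call, not cached, so a revocation takes effect on the next operation; the two-event history shows that revoking adds a record rather than removing one.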
6. How Artificial Intelligence (AI) processes your data
AI is a central piece of MyHealth (assistant and extraction of data from documents), so we explain it with full transparency. Our AI provider is Anthropic, which acts as a subprocessor.
6.1 The AI receives the clinical content of your health record, without your direct identifiers
- The content sent to the AI is the user's own and is processed only upon your consent (ai_processing).
- The clinical content we send to the AI, without sending your direct identifiers (name, tax ID, email, phone) — replaced by sex and age and, when available, by your country (only to regionalize, in an educational way, emergency guidance and vaccination-calendar guidance — never the city or precise location) — may include: lab markers and trends, measurements and bioimpedance, medications, vaccines, allergies, symptoms, appointments and notes, family history, physical activity, sleep data and wearable scores, device events (ECG classification, irregular rhythm, fall), menstrual cycle and reproductive data (including the menopause phase, when you provide it), lifestyle habits you provide (smoking and years of use, alcohol, activity, and sleep), the blood type and the observations from your emergency card, and the document itself (photo/PDF) when you request AI extraction — before sending, the app attempts to cover (redact), directly on your device, your name, tax ID, email, and phone number printed on the document, and you can cover areas manually; the original file remains intact in your health record and the version sent to the AI is the redacted one, when generated. This automatic redaction is best-effort: it may fail on low-quality photos or handwriting and is not a guarantee of complete removal. We do not send the contacts from your emergency card (name, phone, relationship). Free-text notes written by you or by professionals may, occasionally, contain names — which is why we recommend not entering identifying data in text fields. In the chat with the assistant, the context may additionally include the conversation history itself and the location and the professional recorded in your appointments — items that do not enter the longitudinal analysis of the health record.
- Web search exists only in the assistant chat, for general clinical knowledge. We instruct the model to use only generic clinical terms, without including your values, dates, age, names, or identifiers. This protection is applied by instructing the model and not by an infallible technical filter; the search is run by Anthropic's infrastructure. The health-record analysis and document-extraction functions do not perform web search.
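The "best-effort" caveat above is easier to weigh with a concrete illustration of what an on-device redaction step can and cannot catch. The following is an added example, not MyHealth's own redaction code: the sample text is constructed (not a real report), the regular expressions are generic shapes for a tax ID, email, and phone number, and the function names are assumptions. It works on text an OCR step has already produced; the handwritten line that OCR mis-read survives the pass, which is exactly the failure mode the Policy warns about.

```python
"""Best-effort redaction of printed identifiers in OCR text (added example).

Assumptions (not from the Policy): the sample text, the regex shapes, and the
function names are illustrative. The app's real redaction operates on the
image/PDF itself; this works on extracted text to show the same limits.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample (not a real report): text as an OCR step might return it
# for a lab result, including a handwritten signature OCR read badly.
SAMPLE_OCR_TEXT = """LABORATORIO EXEMPLO - Resultado
Paciente: Maria Souza   CPF: 123.456.789-09
Contato: maria.souza@example.com  Tel: (11) 91234-5678
Glicose: 95 mg/dL (ref 70-99)
Assinatura manuscrita: Mar1a S0uza"""

# Generic shapes of printed identifiers (labels are ours, not the app's).
GENERIC_PATTERNS = {
    "cpf": re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\(?\d{2}\)?\s?\d{4,5}-?\d{4}\b"),
}


def redact_printed_identifiers(text: str, known: Dict[str, str]) -> Tuple[str, Dict[str, int]]:
    """Cover identifiers in two passes and report how many of each were covered.

    Pass 1 covers the exact values the device already knows for this user
    (e.g. name, tax ID); pass 2 covers anything else that looks like an
    identifier. Clinical values are left untouched.
    """
    counts: Dict[str, int] = {}
    out = text
    for label, value in known.items():
        if not value:
            continue
        exact = re.compile(re.escape(value), re.IGNORECASE)
        out, n = exact.subn(f"[{label.upper()} REDACTED]", out)
        counts[label] = counts.get(label, 0) + n
    for label, pattern in GENERIC_PATTERNS.items():
        out, n = pattern.subn(f"[{label.upper()} REDACTED]", out)
        counts[label] = counts.get(label, 0) + n
    return out, counts


def still_present(text: str, known: Dict[str, str]) -> List[str]:
    """Post-check: which known values still appear verbatim after redaction.

    This catches exact leftovers only; a mangled or handwritten variant of the
    name is invisible to it, so the result is not proof of complete removal.
    """
    return [label for label, value in known.items()
            if value and value.lower() in text.lower()]


if __name__ == "__main__":
    known = {"name": "Maria Souza", "cpf": "123.456.789-09"}
    redacted, counts = redact_printed_identifiers(SAMPLE_OCR_TEXT, known)
    print(redacted)
    print(counts)                        # name, cpf, email, phone: 1 each
    print(still_present(redacted, known))  # [] even though "Mar1a S0uza" remains
```

The last line is the point: the post-check reports no leftovers, yet the mis-OCR'd signature is still in the text. Automatic redaction reduces exposure; it does not replace the manual cover-up option or the advice to keep identifying data out of free-text fields.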
6.2 We DO NOT use your data to train AI
- Under Anthropic's commercial terms, your data (inputs and outputs) is not used to train or improve models and is retained for a limited period and then deleted (as a rule, within 30 days), except for retention required by law or to prevent abuse. This relationship is governed by Anthropic's Data Processing Addendum (DPA), which includes the EU Standard Contractual Clauses (SCC) (Modules 2 and 3), the UK IDTA, and the Swiss addendum, effective automatically upon acceptance of Anthropic's Commercial Terms (anthropic.com/legal/data-processing-addendum).
6.3 Technical safeguards
- Traffic with the AI uses an encrypted (TLS) connection.
- We apply safeguards against prompt injection and minimization of the content sent.
- The AI does not make automated decisions about you within the meaning of GDPR Art. 22 / LGPD Art. 20: it organizes and describes, it does not decide, diagnose, or prescribe. You review and confirm the information, and the readings come marked as content to confirm with your doctor.
- The AI does not detect, monitor, or diagnose the risk of suicide, self-harm, or psychiatric crisis, and does not alert anyone on your behalf. If you are in crisis, seek immediate help (in Brazil, CVV 188, 24h, free; outside Brazil, the national prevention line). See Section 3.5 of the Terms of Use.
6.4 Open standards and vocabularies (LOINC® / UCUM)
So that the same test coming from different laboratories (with different names, abbreviations, and languages) is recognized as a single parameter and produces a coherent timeline, MyHealth normalizes markers using the open vocabulary LOINC® (Logical Observation Identifiers Names and Codes) and standardizes units of measure based on UCUM. These standards are licensed reference content embedded in the app — they work like a dictionary and receive none of your personal data (Regenstrief Institute is not a sub-processor and nothing from your record is sent to it).
This product includes content from LOINC® (loinc.org). LOINC is copyright © 1995–2024, Regenstrief Institute, Inc. and the LOINC Committee, and is available at no cost under the LOINC license (loinc.org/license). LOINC® is a registered trademark of Regenstrief Institute, Inc.
6.5 Organizing medications and supplements (derived data, AI-assisted)
To organize your record, the AI may produce, from the medications and supplements you log, a derived organizational datum: the decomposed active ingredients (a compounded formula is split into its label ingredients) and a general category; the canonical vaccine, the disease prevented, and the dose in the series (consolidating the same vaccine under different names); and the normalized allergen and its class. This datum is generated from what you already provided (we collect nothing new from you) and serves to relate, for example, an active ingredient to the corresponding marker in your lab test. It is educational and AI-assisted — you can review and correct it, and it is not a clinical classification, a prescription, or interaction checking (see the Medical Notice, item 5.2). AI processing details follow Sections 6.1–6.3.
7. Family sharing (opt-in, read-only, revocable)
MyHealth lets you share your health record with a family member, in a controlled way:
- It is opt-in: nothing is shared unless you initiate and authorize it (family_sharing).
- Access is read-only and to the entire health record (all or nothing — it is not possible to share only parts): the family member can view, but cannot edit or delete.
- The link is created by a single-use invitation code, which expires in 7 days if not used.
- You can revoke the link at any time, ending the access.
The family member must also be a user of the app. This sharing is between you and the person you choose — it is not sharing with third parties or for commercial purposes.
8. Apple Health (HealthKit)
MyHealth lets you import measurements from Apple Health (HealthKit) — weight, height, body composition, blood glucose, blood pressure, heart rate, saturation, and temperature — into your health record.
- The import is optional and happens only with your explicit authorization, granted in the iOS permissions. Access is read-only — MyHealth does not write data to Apple Health.
- Data coming from Apple Health is used exclusively to enrich your own health record within the app.
- In compliance with Apple App Store Guideline 5.1.3, Apple Health data is NEVER used for marketing/advertising, is NEVER shared with third parties for advertising purposes or data mining, and is NEVER used to train AI models.
Connecting smart bands and rings (Oura and WHOOP)
In addition to Apple Health, you may, optionally and revocably, connect third-party wearables, with specific consent per provider (wearable_sync_oura, wearable_sync_whoop):
- Oura Ring: sleep and sleep stages, daily scores (sleep, readiness, activity, stress, resilience), temperature deviation, steps, calories, distance, sedentary time, SpO2, VO2max, cardiovascular age, workouts, and meditation sessions.
- WHOOP: recovery score, resting heart rate, heart rate variability (HRV), SpO2, skin temperature, strain, sleep, and workouts.
The authorization uses OAuth: the access tokens are encrypted (AES-256-GCM) on our server and are not accessible by the app. Oura operates in Finland (European Economic Area) and WHOOP in the United States; connecting these services involves an inbound international transfer, under the safeguards in Section 9.1. Oura and WHOOP act as data sources (independent controllers of their own platforms), not as our subprocessors, and do not receive data from your health record.
When you disconnect a wearable:
- WHOOP: to comply with the WHOOP API's terms of use and as a matter of the privacy standard we adopt, we request the revocation of access at WHOOP and permanently delete all data originating from WHOOP already synced (sleep, scores, measurements, activities, and events). We recommend exporting beforehand if you want to keep a copy.
- Oura / Apple Health: we revoke access and delete the encrypted tokens we hold. Data already synced remains in your health record, unless you request its deletion.
Data imported from wearables and from Apple Health is always recorded in your own health record (account holder) and never in a dependent's profile, even if you are viewing a minor's profile.
9. Subprocessors and international transfers
We do not sell your data. To operate the service, we use a minimal set of vendors ("subprocessors"/"processors"), each under a data processing agreement (DPA), confidentiality, and security, processing data only under our instructions. The relationship with Anthropic and Resend is already governed by a DPA/SCC in effect; the Supabase DPA is in effect (signed 2026-06-18) (see the status of each in the "Safeguards" column).
| Subprocessor | What it does | What data it processes | Where | Safeguards |
|---|---|---|---|---|
| Supabase | Database (PostgreSQL), authentication, document storage, and edge functions | Pseudonymized clinical data; encrypted PII in the vault; encrypted documents; account metadata | São Paulo, Brazil (sa-east-1) | DPA in effect (signed 2026-06-18; Supabase Pte. Ltd) — includes EU SCCs + transfer safeguards (UK/Switzerland); SOC 2 Type 2 + ISO 27001 (Supabase provider certifications); daily backups (14 days); 28-day log retention; regional hosting; encryption in transit (TLS) and at rest; additional field encryption under our key management; isolation via RLS; SCC for any transfers outside the EEA |
| Anthropic, PBC | Anthropic's AI models for health-record analysis, document extraction, and chat | Pseudonymized clinical content (values, dates, notes, lifestyle habits, cycle, wearable aggregates) and, in document analysis, the image/PDF itself (with best-effort on-device redaction of printed identifiers, when located) — transiently | United States | DPA in effect (Anthropic Commercial Terms); EU SCC (Modules 2/3) + UK IDTA + Swiss addendum; contractual non-training; limited retention (~30 days); TLS |
| Resend | Sending transactional emails (access code/OTP and account notices) | Only your email and the email's content; no health content | US / global | DPA in effect (acceptance of terms); EU-US DPF certification + UK extension; SCC; TLS |
| Apple (App Store / In-App Purchase / HealthKit / push) | Distribution, HealthKit, notifications, and payment processing for subscriptions and add-on packs as merchant of record | Purchase/receipt data; we do not receive your card data; no health content in the payment flow | US / global | App Store Terms; Guideline 5.1.3 |
Oura and WHOOP do not appear in this table: they are data sources that you connect (Section 8), acting as independent controllers of their own platforms, and not as our subprocessors. The relationship with Anthropic and Resend is already governed by a DPA/SCC in effect; the Supabase DPA is in effect (signed 2026-06-18; Supabase Pte. Ltd). We maintain a public subprocessors page kept up to date at https://www.bas-ai.com/myhealth/legal/subprocessors-en. We will give notice before adding a relevant new subprocessor.
9.1 International transfers
Your health record is stored in Brazil (São Paulo) — that is the rule. Transfers outside Brazil occur in a limited way and with your authorization (intl_transfer): in AI processing (Anthropic, United States — Section 6), in which we send the clinical content without your direct identifiers (in document extraction, the file itself — after a best-effort on-device automatic redaction that attempts to cover name, tax ID, email, and phone; identifiers not located may remain in the file); in the connection of wearables (Oura, in Finland/EEA; WHOOP, in the United States — Section 8); and in distribution by Apple (United States). When there is an international transfer, we adopt the required safeguards:
- LGPD (Art. 33): transfer based on specific consent and/or on adequate contractual guarantees (standard clauses), as regulated by the ANPD.
- GDPR (Art. 44–49): Standard Contractual Clauses (SCC) and/or other adequate guarantees for transfers outside the EEA, with a transfer impact assessment where applicable.
We may also disclose data when required by law (court order or competent authority), always limited to what is strictly necessary and, where legally permitted, notifying you.
10. Information security
The confidentiality of your health data is our number one control. The main measures:
- Separation between identity and clinical data: who you are (name, email, phone, document) stays in an encrypted vault (identity_vault, XChaCha20-Poly1305), separated from the clinical tables, which refer to you only by a code.
- Controlled decryption: PII is decrypted only by a secure function, under your own identity, with an audit record.
- Encryption at rest and in transit: encrypted database and storage; communications over TLS.
- Row-level access control (RLS) per verb: the database ensures that only you (or an authorized guardian/family member) access your data — and the read and write permissions are separated.
- Two-factor authentication (MFA/2FA via TOTP): available to strengthen access to your account.
- Versioned consents and an immutable audit record (access metadata only, never the clinical content).
- AI safeguards: removal of the direct identifiers (name, tax ID, email, phone) from the context sent, non-sending of the emergency card's contacts, content minimization, and protection against prompt injection.
We seek alignment with the best international practices for health information security. No system is 100% immune; that is why we maintain incident response plans (see Section 14).
11. Data of children and adolescents (minors)
The protection of children and adolescents follows the Statute of the Child and Adolescent (Law 8.069/1990), Law 15.211/2025 (Digital ECA), Art. 14 of the LGPD, and Art. 8 of the GDPR (EEA).
- Self-registration is intended for people 18 or older (or the country's age of civil majority, if higher).
- The minor has no account or email of their own: they exist only as a managed profile within an adult guardian's account (the managed_by field), who declares this condition.
- The profile may have more than one guardian: the primary guardian invites another adult by an invitation code with an expiration date. Each invitee receives a role: guardian (views and edits) or companion (read-only). Every authorization is verified on the server, on each operation.
- The consent relating to the minor is recorded identifying which adult granted it, observing the best interest of the child and adolescent (LGPD Art. 14).
- Paid AI features require the guardian role and are charged to the primary guardian (the profile's paying holder), regardless of which guardian triggered them; the usage record remains linked to the minor's profile for audit purposes.
- We apply the same maximum protection to this data (identity vault, RLS, AI non-training). We do not target advertising to minors. Wearable data never follows a minor's profile.
- The guardian may, at any time, export the dependent's data and, as the primary guardian, permanently delete the dependent's profile and all associated data (exams, documents, and records) — this deletion is permanent.
We adopt, in any country, a single 18-year-old threshold for a self-owned account. This requirement refers to account ownership and is not to be confused with the GDPR's age of autonomous digital consent (Art. 8, between 13 and 16 years old depending on the country). Below 18, data processing only occurs through a profile managed by an adult guardian.
Users in the United States (COPPA): MyHealth does not offer accounts to minors and does not collect data directly from children. Any minor's data is entered and controlled by a responsible adult, who exercises verifiable parental consent.
12. Retention and disposal
We adopt the minimization principle: we keep each category of data only for as long as needed for its purpose or required by law. Because MyHealth is distributed worldwide, we apply the most protective standard among the applicable laws: by default, deletion erases the identity, and retention is the exception, triggered only when a concrete law requires it.
12.1 Retention periods
| Category | Period | Why |
|---|---|---|
| Health record and identity vault (clinical data + PII) | As long as your account exists; removed upon account deletion (see 12.2) | You keep the health record organized for as long as you want |
| Access / audit logs (access_log — date/time, source IP, action; never clinical content) | 6 months | Security and fraud/abuse detection (a proportionate measure — legitimate interest, GDPR Art. 6(1)(f); LGPD Art. 7, IX). In Brazil, it also meets the floor of the Internet Civil Framework (Law 12.965/2014, Art. 15) for an application provider. The log (date/time + IP) is not health data, and the IP is never used to infer a health condition |
| Minimum identity retained upon deletion (encrypted name + encrypted email + creation date + last-access date) | Only when there was a transaction (subscription or packs purchased); for the tax period of your jurisdiction (Brazil: 5 years; other countries: the local-law period, typically 5–6 years), with automatic purging at the end. For anyone who never transacted: none of this is retained — the identity is erased upon deletion | To comply with a tax/accounting obligation that arises only from a real transaction (Brazil: CTN, Arts. 173 and 174; European Union: the Member State's period; United Kingdom: Limitation Act 1980 / HMRC; Canada: Income Tax Act s. 230). Without a transaction, there is no legal obligation that would justify keeping the identity |
| Billing and tax data (receipts, subscription and pack movements) | Tax period of the jurisdiction (Brazil: 5 years) — only for those who transacted | Tax periods (Brazil: CTN, Arts. 173 and 174; or the applicable local tax law) |
| De-identified technical telemetry | Up to about 12 months | Internal minimization policy (LGPD Art. 6, III) — not a legal period |
| Consent records (consent_events, de-linked from your profile upon deletion) | Kept as proof of lawfulness for the applicable limitation period | To prove lawfulness and the authorizations granted/revoked (accountability — GDPR Art. 5(2)/7(1); LGPD Art. 8/6, X) |
How the identity is protected when retained: when there is a transaction and tax law requires retention, we keep the name and email encrypted (the same protection as the identity vault), in an isolated table, accessible only by the internal service (RLS, with no user access), and we erase it automatically at the end of the period. We do not keep your email in legible text.
A gap we acknowledge transparently: there is not yet automatic purging due to inactivity (an account unused for a long period is not deleted on its own). This is a gap to be defined — when we adopt an inactivity policy, we will update this Section and the Policy version. We do not describe here, as a practice currently in effect, something the app does not yet do.
12.2 Permanent account deletion (right to erasure — LGPD Art. 18, VI / GDPR Art. 17 / local equivalents)
Deletion is available directly in the app, under Profile › Privacy › Delete my account (an Apple requirement). Upon confirmation, we execute the permanent cascade removal — an immediate operation — of all of your clinical health record (lab results, conditions, medications, vaccines, documents, measurements, history, appointments, conversations with the AI, wearable data) and of the files in storage, we revoke the wearable connections, and we close your access account.
The backups may, for a short period, still contain data already deleted: they are overwritten in our processor's normal cycle (Supabase, around 14 days — well within the 6 months), and the data processing agreements (DPAs) with Supabase and Anthropic govern the disposal of any residual copies. (We do not claim "key destruction" or instant backup purging.)
Whether your identity is erased depends on whether or not you made a purchase:
- If you never made any purchase (subscription or packs): we also erase your name and your email upon deletion. We do not create any identity record that survives. For you, deletion is the actual cessation of the processing of your identity.
- If you made at least one purchase: your country's tax/accounting law requires us to keep the transaction record for a period (in Brazil, 5 years). For that purpose we keep a minimum accounting record and, when it is indispensable to link it to you, your name and email encrypted — isolated, accessible only upon a judicial request or that of a competent authority, and erased automatically at the end of the legal period.
Deletion receipt (accountability — LGPD Art. 6, X): we can confirm the completion of the deletion upon request to the DPO. The deletion is not total — the minimum records below remain, due to a legal requirement.
What always remains after deletion, for any user:
- A minimum deletion record, without any personal data and with your identity replaced by an irreversible code (which does not allow re-identifying you), only to prove that the deletion occurred.
- Access logs for the 6-month retention period (12.1), provided only upon a judicial request or that of a competent authority.
- Consent records de-linked from your profile (we replace the identifier with a pseudonymous code, separated by a key that does not stay in the database), kept only as proof of lawfulness for the limitation period. We treat this as pseudonymized data, not as irreversibly anonymous data.
- Optional — research: if, and only if, you authorize it at the moment of deletion, we keep your markers in a pseudonymized way — without a name, without a profile identifier (profile_id), without free text, and without an exact date, keeping only sex, age range, and the year, in random cohorts. We treat this as pseudonymized data, and not as irreversibly anonymous data: re-identification is unlikely, but we do not declare it impossible. You may decline and still delete the account.
Dependent profiles (minors): when deleting a minor's profile, we never retain the minor's name or email for tax reasons — the tax obligation, if any, belongs to the paying guardian, and not to the minor's profile. For the minor, erasure of the identity is the rule; only the minimum deletion record by irreversible code remains.
Users in jurisdictions with a reinforced right to deletion (e.g., Washington — My Health My Data Act): we treat the request as a deletion of consumer health data — we erase the identity (without invoking a tax period against someone who did not transact), and the disposal of the residual copies at the processors occurs within 6 months, in accordance with the respective data processing agreements (DPAs).
12.3 Death of the data subject
The LGPD and the GDPR protect living persons and, as a rule, do not reach the deceased (ANPD, Technical Note No. 3/2023; GDPR, Recital 27). Even so, a deceased person's health record involves personality rights that survive death (Civil Code, Art. 12, sole paragraph) and matters of succession.
- The heir does not inherit access to the content of the health record. The Superior Court of Justice (REsp 2.124.424/SP) treated health records as a non-transferable existential asset — tied to the person's intimacy, and not to their estate.
- For this reason, we do not carry out total deletion at the request of third parties (the access logs for 6 months and the tax records for 5 years still remain — 12.1), nor do we hand over the clinical content to heirs as if it were an inheritance.
- Requests related to the death of a data subject (for example, to cease processing, or measures provided for in Art. 12, sole paragraph, of the Civil Code by someone with standing) must be directed to our DPO (Section 1), upon proof of the death and of the standing of the requester. We assess each request in light of the applicable law.
12-A. Notifications and reminders (opt-in)
MyHealth may send reminders on your iPhone — about medication, a wellbeing check-in, your schedule (appointments/tests/follow-ups/vaccines), and a few server-side notices (when an analysis is ready, when one of your exams is updated, and when a follow-up appointment is approaching). Key points:
- Local notifications vs. remote push. Many notifications are LOCAL, scheduled on your own device (medication, check-in, and schedule reminders) — for those we use no push server. Others are delivered by remote push (Apple's APNs) because the event happens on the server, in three cases: (a) an analysis is ready; (b) one of your exams was updated (a marker that was out of range received a new result); and (c) a follow-up appointment is coming up. For remote push we store a technical delivery token from your device (see Section 3.4) and the notice's content is generic, fixed text, with no health data ("One of your exams was updated", "You have a follow-up appointment") — never the test name, marker, value, or doctor. The token is a delivery identifier — it is not tracking, does not train AI, and is not shared with third parties beyond Apple's push service. To avoid bothering you, we cap this at one interruptive notice per day and respect your quiet-hours window; each category can be turned off separately in Profile › Notifications.
- Granular, revocable opt-in. Each type is off by default (medication and check-in) or controlled by you in Profile › Notifications, where you choose what to receive, the times, and the quiet-hours window. You can turn everything off at any time (in the app or in iOS Settings). The legal basis is consent (LGPD Art. 7, I and Art. 11, I; GDPR Art. 6(1)(a) and Art. 9(2)(a)).
- Minimized lock-screen content. The notification never shows lab values, a diagnosis, a disease name, a medication name, a specialty, or the AI summary. It only says that something exists and where ("Did you take your medications today?", "Your analysis is ready. Tap to view in the app.", "Tomorrow: Appointment"). Clinical content stays inside the app only. Remember the lock screen can be seen by others and read aloud by Siri — that's why iOS lets you hide previews (Settings › Notifications › Show Previews: When Unlocked).
- Reply right from the notification. You can answer certain reminders in the notification itself (e.g., "Took all" / "So-so"). Those answers are health data (medication adherence, wellbeing) stored in your record with the same protection as your other health data; none of it appears on the lock screen.
- Minors: when the reminder is for a dependent's profile, the notice on the guardian's device is generic ("Reminder for a dependent") and never exposes the minor's name or any health data.
- Recheck and update reminders are educational and universal. Some reminders flag that it may be time to repeat a routine test, update a record (e.g., weight), or check a follow-up/device. They are based only on generic reference intervals (e.g., routine tests are usually repeated periodically) and on the dates of your own records — we collect nothing new, and the app does not compute an individual interval from your result. They are not an individual clinical recommendation: the right interval should be confirmed with your doctor.
13. Cookies, telemetry, and tracking
MyHealth is a native iPhone app (not a website), so it does not use browsing cookies in the traditional sense.
- De-identified technical telemetry: we collect minimal stability and diagnostics data (crashes, errors, performance), without health content, to keep the app safe and working. This is internal processing: we do not embed any analytics SDK or any third-party tracker. As a self-limited minimization measure, we keep this telemetry for up to about 12 months (see Section 12).
- No third-party trackers with access to health data and no sale of data. We do not track across apps/sites for advertising purposes.
- App Store privacy labels: our App Store declarations reflect what is described here.
Today we do not use any third-party analytics or tracking tool; if that changes, we will update this Policy and the subprocessors page before activation, with a new notice — also reviewing the App Store privacy labels and the need (or not) for App Tracking Transparency (ATT).
14. Security incidents and notification
We maintain incident response plans. In the event of a security incident that may create relevant risk to you:
- LGPD (Art. 48): we will communicate to the National Data Protection Authority (ANPD) and to you, within a reasonable period, indicating the nature of the incident, the data affected, the measures adopted, and the recommendations for you to protect yourself.
- GDPR (Art. 33–34): we will notify the competent supervisory authority, as a rule within 72 hours, and we will communicate to you when there is a high risk to your rights and freedoms.
15. Your rights
You are the owner of your data and have rights guaranteed by the LGPD (Art. 18) and the GDPR (Chapter III):
| Right | What it means | How to exercise it in MyHealth |
|---|---|---|
| Access / confirmation | To know what data we hold and obtain a copy (LGPD Art. 18, I–II; GDPR Art. 15) | View the full health record in the app; export it |
| Correction | To correct incomplete or wrong data (LGPD Art. 18, III; GDPR Art. 16) | You review and edit the data directly |
| Deletion / erasure | To delete your data and account (LGPD Art. 18, VI; GDPR Art. 17) | Delete account / data in the app (see Section 12) |
| Portability | To take your data in a structured, interoperable format (LGPD Art. 18, V; GDPR Art. 20) | Export in FHIR R4 and as PDF |
| Consent revocation | To withdraw an authorization (LGPD Art. 8, §5; GDPR Art. 7(3)) | Turn off a purpose (e.g., "AI Processing") in the settings (see Section 5) |
| Information on sharing | To know with whom we share (LGPD Art. 18, VII) | This Policy (Section 9) and the subprocessors page |
| Objection / restriction | To object to a processing or request its restriction (LGPD Art. 18, §2; GDPR Art. 18 and 21) | Contact the DPO |
| No subjection to automated decision / review | The AI does not decide anything on its own (LGPD Art. 20; GDPR Art. 22) | You always review and confirm (see Section 6.3) |
| View the access history | Transparency about who accessed what | Your access log is available |
| Petition to the authority (ANPD) | To petition against the controller before the national authority (LGPD Art. 18, §1) | Contact us (Section 1) and/or the ANPD — see "Complaints" below |
How to exercise: many rights are exercised directly in the app (review, export, delete, revoke consent). For the others, or if something does not work, write to our DPO (Section 1). We respond within the legal period (as a rule, up to 15 days for confirmation of existence or access, under the LGPD; up to 30 days under the GDPR, extendable where the law permits).
Complaints: if you believe we process your data improperly, you can complain to the competent authority — in Brazil, the ANPD (https://www.gov.br/anpd); in Europe, the data protection authority of your country. We ask, however, that you talk to our DPO first — we want to resolve it directly with you.
16. MyHealth is NOT a medical service
- MyHealth is a tool for organizing and educating about your own health, which prepares you for the appointment with health professionals and offers a supportive educational reading by AI.
- It does NOT diagnose, does NOT prescribe treatment, and does NOT replace the assessment of a doctor or qualified health professional.
- The readings and the AI assistant's responses serve to bring questions and information to your doctor — you must always confirm with your doctor before any decision.
- MyHealth is not a medical device (it is not "SaMD") and must not be used as one.
- In an emergency, seek medical care immediately — do not use the app for that.
17. Changes to this Policy and versioning
We may update this Policy to reflect changes in the app, in vendors, or in the law. The Policy has a version (policy_version):
- The app collects your acceptance at registration, tied to the version in effect;
- We update the version and the date at the top when there is a change;
- We notify you in the app and/or by email; and, when the change requires it, we will ask for a NEW acceptance — the app requires a new acceptance when the version changes — recording it immutably in our consent record.
The version history is published at https://www.bas-ai.com/myhealth/legal/versoes; each accepted version remains archived.
18. Contact us
Questions, requests, or complaints about your data:
- Officer/DPO: privacy@bas-ai.com
- Controller: BAS ARTIFICIAL INTELLIGENCE LTDA — CNPJ 64.106.409/0001-70 — www.bas-ai.com — Rua Gomes de Carvalho, 911, Vila Olímpia, São Paulo/SP, ZIP 04547-003, Brazil
- Subprocessors page: https://www.bas-ai.com/myhealth/legal/subprocessors-en
MyHealth — your health record, sovereign and private. This Policy was drafted in Portuguese as the basis for translation into the app's other languages (at least PT/EN/ES). In case of divergence between versions, the Portuguese prevails.