Privacy Policy
Last Updated: April 2025
Table of Contents
- 1. About Biostarks and This Privacy Policy
- 2. Key Definitions
- 3. What Data We Collect
- 4. How and Why We Use Your Data
- 5. Sharing of Personal Data
- 6. Retention and Storage of Data
- 7. International Data Transfers
- 8. Your Privacy Rights
- 9. Cookies and Tracking Technologies
- 10. Children’s Privacy
- 11. How to Contact Us / Exercise Your Rights
- 12. Updates to This Privacy Policy
1. About Biostarks and This Privacy Policy
Biostarks, headquartered at La Voie Creuse 16, 1202 Geneva, Switzerland, is committed to protecting your personal data and respecting your privacy rights across all regions in which we operate. This Privacy Policy outlines how we collect, use, share, and protect personal data when you interact with us, including through our websites, digital platforms, and services (collectively referred to as the “Services”).
This Privacy Policy applies to all individuals who access or use our Services, regardless of their country of residence. It is intended to comply with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other regional frameworks.
By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms, please do not use our Services. If you have any questions about how we handle your personal data, we encourage you to contact us using the details provided in Section 11 of this Policy.
2. Key Definitions
To help you better understand this Privacy Policy, we’ve included definitions for some commonly used terms:
- “Personal Data” (or “Personal Information”) means any information that can directly or indirectly identify you, such as your name, email address, date of birth, IP address, or data related to your health and biological samples.
- “Sensitive Personal Data” includes health-related data, genetic or biometric information, and any other data defined as sensitive under applicable laws, including the GDPR.
- “Processing” refers to any operation performed on Personal Data, whether automated or not. This includes collecting, storing, using, disclosing, sharing, and deleting data.
- “Controller” means the party that determines the purposes and means of the processing of Personal Data. In most cases, Biostarks acts as the controller of your data.
- “Data Subject” is the individual to whom the personal data relates. In this policy, “you” or “your” refers to the data subject.
- “Services” refers to all websites, digital tools, products, and services provided by Biostarks, including at-home testing kits, result dashboards, and customer support platforms.
- “Applicable Laws” includes the laws and regulations that govern data privacy and protection in your country of residence, such as the General Data Protection Regulation (GDPR) in the European Union, or the California Consumer Privacy Act (CCPA) in the United States.
3. What Data We Collect
Biostarks collects different types of personal data depending on how you interact with us and use our Services. This includes information you provide directly, data we collect automatically, and data we may receive from third parties.
3.1 Personally Identifiable Information (PII)
This includes information you provide when purchasing a test, creating an account, or contacting our support team. It may include:
- Full name
- Email address
- Mailing and billing address
- Date of birth
- Gender (as self-identified by the user)
- Phone number (if provided)
- Language preference and country of residence
- Account credentials (username, hashed passwords)
3.2 Personal Health Information (PHI)
In the context of our testing and wellness services, we collect data that may be considered sensitive or health-related under applicable privacy laws. This may include:
- Biological sample data (e.g., blood biomarkers)
- Health and wellness-related test results
- Information provided via questionnaires (e.g., symptoms, habits, goals)
- Optional notes shared with our team when registering your kit
This data is collected and processed solely for the purpose of delivering the Services, providing results, and generating personalized wellness recommendations.
3.3 Technical & Usage Data
We collect certain data automatically when you access our website or platforms. This helps us operate, secure, and improve the user experience. This includes:
- IP address
- Device and browser information
- Operating system
- Session time, date, and duration
- Pages visited and interaction logs
- Cookies and similar tracking technologies (see Section 9)
3.4 Data from Third Parties
We may receive personal data from third-party partners, healthcare providers, or platforms that you have authorized to share data with us. This may include:
- Referral information or tracking (e.g., from affiliates or partners)
- Health data from integrated wellness platforms (if applicable in the future)
- Order or payment verification via payment processors
3.5 Sample Identification Process
To protect your privacy, we never label biological samples with personally identifiable information. Instead, your sample is identified using a unique alphanumeric Kit ID, which is then linked to your account via an anonymous Client ID in our system. This allows us to analyze samples without directly exposing your identity during laboratory processing.
4. How and Why We Use Your Data
We use your personal data for various purposes related to the provision, improvement, and regulation of our Services. Depending on your location, the applicable legal basis for processing this data may vary. This section explains both the legal grounds and the purposes behind our data processing.
4.1 Legal Basis for Processing
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for data processing, we rely on one or more of the following legal grounds:
- Contractual Necessity: To fulfill our contractual obligations, such as delivering your test kit, processing your sample, and providing access to your results.
- Consent: Where required, we rely on your explicit consent—for example, when you register a test kit, authorize us to process sensitive data, or opt into marketing communications. You may withdraw your consent at any time.
- Legal Obligation: To comply with applicable laws, regulations, or lawful governmental requests.
- Legitimate Interests: To operate and improve our business, prevent fraud, maintain security, and analyze usage—provided these interests do not override your rights and freedoms.
If you are located in a region that does not require a specified legal basis (such as some U.S. jurisdictions), we still handle your data responsibly and in line with applicable data protection standards.
Although Biostarks is not a “Covered Entity” as defined under the U.S. Health Insurance Portability and Accountability Act (HIPAA), we treat all health-related data with a high standard of confidentiality and apply appropriate administrative, technical, and organizational safeguards in line with applicable data protection laws.
4.2 Purposes of Data Use
We may use your data for the following purposes:
- To process orders, ship kits, and communicate about your purchase
- To analyze biological samples and deliver personalized test results
- To provide account management and customer support
- To improve the functionality, accuracy, and usability of our Services
- To conduct internal research and development, including data aggregation and statistical analysis (using anonymized or pseudonymized data where possible)
- To communicate with you about updates, changes to services, or policy changes
- To comply with legal obligations, such as health regulations or financial reporting
- To detect, investigate, and prevent fraud or misuse of our Services
- To send optional marketing communications, if you have given consent
5. Sharing of Personal Data
We treat your personal data with care and confidentiality. We only share it when necessary to deliver our Services, comply with legal obligations, or protect our rights. We do not sell your personal data to third parties.
Your personal data may be shared with the following categories of recipients:
- Authorized personnel within Biostarks: Only employees or agents with a legitimate need to access your data will be granted access, and they are subject to confidentiality obligations.
- Laboratory and scientific staff: Your biological samples are analyzed in our own laboratory. These are processed pseudonymously using a Kit ID system to protect your identity.
- IT and cloud service providers: We use secure platforms to host and process data. These providers act as data processors under strict contractual terms.
- Payment service providers: To process transactions securely, we share relevant billing and payment data with verified payment platforms.
- Regulatory or legal authorities: Where required by law, court order, or legal process, we may disclose your data to government or enforcement bodies.
- Affiliated entities and business partners: If you access our Services via a corporate wellness program, healthcare provider, or other authorized partner, we may share limited data as needed to deliver the service you enrolled in—always in compliance with applicable laws and your consent.
- Research and scientific partners (where applicable): In some cases, and only in pseudonymized or anonymized form, we may share data with research institutions or collaborators to support scientific, clinical, or wellness research. No personally identifiable information is shared unless you have explicitly consented to such use.
In all cases, we require that any third parties handling your data maintain appropriate technical and organizational safeguards and comply with applicable data protection laws.
6. Retention and Storage of Data
We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by applicable law. Data retention periods vary depending on the type of data and the legal context in which it is processed.
Specifically:
- Account and personal contact data: Retained for the duration of your active relationship with Biostarks, and for a reasonable period afterward to support customer service, legal compliance, or system integrity.
- Test results and wellness data: Retained to allow historical comparisons, access to past results, and user-requested reanalysis. This data is deleted upon request unless retention is required under applicable law.
- Biological samples: Typically destroyed shortly after analysis is complete. In some cases, samples may be retained temporarily for quality assurance, regulatory compliance, or internal validation purposes—always under secure, restricted conditions.
- Anonymized or aggregated data: Health data that has been anonymized and can no longer identify you may be retained indefinitely for scientific research, service improvement, or statistical analysis.
- Financial and transaction data: Retained as required under accounting and tax laws, even if you request deletion of your other personal data.
All personal data is stored on secure infrastructure located in the European Union and Switzerland, both of which are compliant with the EU General Data Protection Regulation (GDPR). These regions offer a high level of data protection, and storage complies with applicable international frameworks.
You may request deletion of your personal data at any time by contacting us (see Section 11). Upon such request, we will delete or anonymize your data unless retention is required by law or justified under legitimate interests. We never retain identifiable personal data longer than necessary.
7. International Data Transfers
Biostarks stores and processes the majority of personal data on secure infrastructure located in the European Union and Switzerland—both of which provide adequate levels of data protection in accordance with the EU General Data Protection Regulation (GDPR).
However, to deliver our Services globally, some of your personal data may be accessed or processed in other countries, including the United States, the Middle East, or other regions where our authorized partners, logistics providers, or service vendors are located. These partners may process data such as your shipping details, order information, or customer service interactions.
In all such cases, we ensure that appropriate safeguards are in place to protect your personal data in accordance with applicable data protection laws. These safeguards may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with binding confidentiality and security obligations
- Access limitations and encryption for data in transit and at rest
Regardless of where your data is processed, we apply consistent protections and ensure your rights are respected under this Privacy Policy.
8. Your Privacy Rights
We believe in giving all users meaningful control over their personal data. Depending on your country of residence and applicable data protection laws, you may have the right to access, manage, or delete the data we hold about you.
8.1 For Residents of the European Union (EU), European Economic Area (EEA), Switzerland, and the United Kingdom
If you are located in the EU, EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and similar regional laws:
- Right of Access: Request confirmation of whether we process your personal data and obtain a copy of that data.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data (“right to be forgotten”), subject to legal or contractual obligations.
- Right to Restrict Processing: Request a temporary or permanent halt to certain types of data processing.
- Right to Data Portability: Receive your data in a structured, commonly used format and transmit it to another provider.
- Right to Object: Object to processing of your data based on our legitimate interests, including for direct marketing.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
8.2 For Residents of the United States
Depending on your state of residence (e.g., California, Colorado, Virginia), you may have rights under applicable privacy laws such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These may include:
- Right to Know: Request information about the categories and specific pieces of personal data we have collected about you.
- Right to Delete: Request deletion of your personal data, subject to legal exceptions.
- Right to Opt-Out: Request that we do not sell or share your personal information (note: Biostarks does not sell personal data).
- Right to Correct: Request correction of inaccurate personal data.
- Right to Non-Discrimination: You will not be treated unfairly for exercising your rights.
8.3 For Residents of Other Regions
If you are located outside of the jurisdictions mentioned above, we will still take reasonable steps to allow you to access, review, and request deletion of your personal data, in accordance with applicable laws in your country.
8.4 How to Exercise Your Rights
You may exercise your privacy rights at any time by contacting us at hello@biostarks.com. We may ask for identity verification before processing your request. We aim to respond within one month, or as required by applicable law.
If you believe that your data rights have been violated, you also have the right to lodge a complaint with your local data protection authority or regulator.
9. Cookies and Tracking Technologies
Like most websites, we use cookies and similar tracking technologies to improve your browsing experience, understand how users interact with our Services, and support essential website functions such as language preferences, product interactions, and shopping cart management.
Cookies are small text files stored on your device when you visit a website. Some cookies are necessary for the site to function properly (“strictly necessary cookies”), while others are used for analytics, personalization, or marketing.
We may also use third-party tools and embedded technologies that help us understand user behavior, personalize content, improve site performance, and measure the effectiveness of our marketing. These technologies may collect information such as your device type, IP address, browser, pages visited, interactions, or purchase behavior.
Where required by law, such as in the European Union, we request your explicit consent before using any non-essential cookies or tracking technologies. You can manage your cookie preferences at any time through our cookie banner or via your browser settings.
10. Children’s Privacy
Our Services are not intended for use by individuals under the age of 18 (or the age of digital consent in your country of residence, if different). We do not knowingly collect personal data from children without verifiable parental or legal guardian consent.
If we learn that we have inadvertently collected personal data from a child without appropriate authorization, we will take steps to delete that information as soon as possible.
If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us at hello@biostarks.com.
In cases where a child’s sample or data is submitted as part of a parental purchase or under medical supervision, appropriate consent and authorization must be provided before the sample is processed.
11. How to Contact Us / Exercise Your Rights
If you have any questions about this Privacy Policy or would like to exercise any of your privacy rights, you can contact us at:
Email: hello@biostarks.com
Postal address: Biostarks, La Voie-Creuse 16, 1202 Geneva, Switzerland
We may ask for proof of identity or additional information to verify your request, particularly when it concerns access to or deletion of sensitive data.
We aim to respond to all valid privacy requests within one month, or within any shorter or longer period required under applicable law.
If you are located in the European Union, United Kingdom, or another jurisdiction that provides for it, you also have the right to lodge a complaint with your local data protection authority or regulator.
12. Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or data handling practices. When we do, we will revise the "Last Updated" date at the top of this page.
If the changes are significant, we may also notify you through our website, by email, or through your account, where appropriate. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.
Your continued use of our Services after an update indicates your acceptance of the revised Privacy Policy.
This Privacy Policy is effective as of April 2025 and replaces all previous versions.