Privacy & Medical Data Processing Notice

1. Data Controller

Optimise is operated by Optimise Your Health, incorporated in Hong Kong.

For the purposes of applicable data protection legislation, we act as the data controller of your personal data unless otherwise stated.

Contact: info@optimiseurhealth.com

2. Scope of This Notice

This Notice applies to all users of the Optimise platform, regardless of geographic location.

We process personal data in accordance with applicable data protection and privacy legislation that may apply based on:

• Your country of residence;
• The location from which you access the platform;
• The jurisdictions in which we operate.

Where mandatory local data protection, healthcare, or consumer protection legislation applies, such laws shall prevail over any conflicting provisions of this Notice.

3. Categories of Data Collected

We may collect and process the following categories of data:

A. Personal Data

• Name
• Email address
• Date of birth
• Contact details

B. Sensitive Health Data

• Blood test results
• Medical history including interventions of all kinds, medications, supplements
• Biometrics
• Health scores generated by the platform
• Lifestyle and wellness information provided by you

C. Technical and Usage Data

• IP address
• Device information
• Log files
• Platform interaction records

We collect only data necessary for the purposes described below.

4. Legal Basis for Processing

We process:

• Personal data for the performance of contract (provision of services under our Terms of Service);
• Sensitive health data based on your explicit consent;
• Data where required to comply with legal or regulatory obligations.

You may withdraw consent at any time. Withdrawal may limit or prevent continued access to services requiring health data processing.

Withdrawal does not affect processing lawfully conducted prior to withdrawal.

5. Purpose of Processing

We process your data to:

• Provide digital health dashboards and tracking;
• Enable practitioner consultations where applicable;
• Generate health insights, including AI-assisted analysis;
• Maintain platform security and integrity;
• Improve functionality and user experience;
• Comply with legal, medical, and regulatory obligations.

We process data only for specified and legitimate purposes and do not use it in a manner incompatible with those purposes.

6. AI and Automated Processing

Optimise may use artificial intelligence systems and automated analytical tools to interpret laboratory results and generate health insights.

AI-generated outputs:

• Are assistive analytical tools;
• May involve automated processing;
• Do not constitute medical diagnosis unless reviewed by a licensed practitioner.

Where required by applicable law, you may request human review of significant automated outputs.

7. Data Sharing

We may share your data with:

• Licensed healthcare practitioners;
• Accredited laboratories;
• Secure hosting, cloud, and technology service providers;
• Professional advisers;
• Regulatory or governmental authorities where legally required.

We do not sell personal or medical data.

All third-party service providers are required to implement appropriate confidentiality and security safeguards.

8. International Data Transfers

Your data may be processed or stored outside your country of residence.

Where cross-border transfers occur, we implement appropriate safeguards consistent with applicable data protection legislation, which may include contractual protections or other lawful transfer mechanisms.

9. Data Retention

We retain personal and health data only for as long as necessary to:

• Provide the services requested by you;
• Comply with applicable legal, medical, and regulatory obligations;
• Resolve disputes and enforce agreements.

Where statutory medical record retention periods apply, we retain health data for the minimum period required by applicable law.

Where no statutory retention period applies, retention is determined based on:

• The nature and sensitivity of the data;
• The purpose of processing;
• Legal and regulatory requirements;
• Risk management and accountability considerations.

Data that is no longer required is securely deleted or irreversibly anonymised.

10. Account Deletion and Data Erasure

You may request deletion of your account at any time through your account settings or by contacting us.

Upon account deletion:

• Your access to the platform will be permanently disabled;
• Your personal and health data will be securely deleted or irreversibly anonymised; except where retention is required by applicable medical, legal, or regulatory obligations.
• Where retention is legally required, data will be restricted from active processing and retained solely for compliance purposes.

Deletion of your account constitutes withdrawal of consent for future processing of your health data.

11. Data Security

We implement appropriate technical and organisational measures designed to protect personal and sensitive health data, including:

• Encryption in transit and, where applicable, at rest;
• Role-based access controls;
• Secure hosting infrastructure;
• Audit logging and monitoring;
• Restricted internal access to sensitive data.

While no system can guarantee absolute security, we apply industry-standard safeguards.

12. Your Rights

Depending on applicable law, you may have the right to:

• Access your personal data;
• Request correction of inaccurate data;
• Request deletion (subject to legal retention requirements);
• Withdraw consent;
• Request data portability;
• Object to certain processing;
• Lodge a complaint with a relevant supervisory authority.

To exercise your rights, contact: info@optimiseurhealth.com

We may require identity verification before processing requests.

13. Updates to This Notice

We may update this Notice periodically.

The latest version will be available on the platform. Where required by applicable law, material changes may require renewed consent.