Privacy Policy
Last updated: March 4, 2026
ByoMap Health (“ByoMap,” “we,” “us,” or “our”) operates the website byomap.com and associated services. This Privacy Policy explains how we collect, use, store, and protect your personal and health information.
By using ByoMap, you agree to this policy. If you disagree, please do not use our services.
1. Information We Collect
Account Information
- Email address (for authentication and communication)
- Password (hashed with bcrypt, never stored in plaintext)
- Date of birth, gender, ethnicity (for personalized health ranges)
- Timezone and display preferences
Health Data (User-Provided)
- Blood biomarker results (uploaded via CSV, PDF, or manual entry)
- DNA analysis results (from Nutrigenomix, 23andMe, AncestryDNA, SelfDecode)
- Gut microbiome test results (from Gut Function.io, BugSpeaks, Viome, Sun Genomics)
- Supplement and medication information
- Apple Health data (if imported)
Important: All health data is self-uploaded by you. We do not pull data from medical providers, hospitals, or labs without your explicit action. You decide what data enters ByoMap.
Automatically Collected
- IP address and approximate location (for rate limiting and security)
- Browser type, device type, operating system
- Pages visited, features used, session duration (via PostHog analytics)
- Error reports and performance data
2. How We Use Your Information
- Provide personalized health scores, ranges, and recommendations based on your data
- Power the AI Chat feature — your health data is sent to Anthropic Claude for analysis on each query
- Calculate clinical scores (HOMA-IR, FIB-4, etc.) and biological age estimates
- Send transactional emails (verification, password reset, billing receipts)
- Improve the product through anonymous usage analytics
- Detect and prevent fraud, abuse, and security threats
3. AI Processing
When you use the AI Chat feature, your biomarker data, DNA results, gut microbiome data, and supplement information are sent to Anthropic's Claude API for analysis. This is necessary to provide personalized, context-aware responses.
Anthropic does not use API inputs to train their models (per their data usage policy). Your health data is processed for your query only and is not retained by Anthropic beyond their standard API processing window.
4. Data Storage & Security
- Database: Neon PostgreSQL, hosted in Singapore (ap-southeast-1) with AES-256 encryption at rest
- Application: Hosted on Vercel's edge network with TLS 1.3 encryption in transit
- Passwords: Hashed with bcrypt (12 salt rounds), never stored or logged in plaintext
- Backups: Automated, encrypted database backups
- Access: Role-based access controls; admin access to health data requires justification and is audit-logged
5. Data Sharing
We share your information only with:
- Anthropic — AI chat processing (health data sent per-query, not stored for training)
- Resend — Transactional email delivery (email address only)
- PostHog — Anonymous product analytics (no health data, no PII beyond user ID)
- Razorpay / Stripe — Payment processing (billing info only, no health data)
- Vercel — Application hosting and edge delivery
- Neon — Database hosting
We never sell your data to advertisers, data brokers, or any third party. We never use your health data for advertising purposes.
6. Cookies & Tracking
- Essential cookies: NextAuth session token (authentication). Cannot be disabled.
- Analytics cookies: PostHog anonymous usage tracking. Can be disabled via browser settings.
- Theme preference: localStorage key for dark/light mode. Not a cookie, not sent to the server.
We do not use advertising cookies or third-party tracking pixels.
7. Your Rights
For All Users
- Access all data we hold about you (Settings → Export Data)
- Correct inaccurate personal information
- Delete your account and all associated data permanently
- Download your data in a machine-readable format (GDPR export)
GDPR (EU/EEA Users)
- Right to erasure (“right to be forgotten”)
- Right to data portability
- Right to restrict processing
- Right to object to processing
- Right to withdraw consent at any time
CCPA (California Users)
- Right to know what personal information we collect
- Right to delete personal information
- Right to opt out of sale of personal information (we don't sell data)
- Right to non-discrimination for exercising your rights
8. Data Retention
- Account data: Retained while your account is active
- Health data: Retained while your account is active
- Audit logs: Retained for 2 years for compliance
- After deletion: All personal and health data is permanently deleted within 30 days. Anonymized aggregate statistics may be retained.
9. Children
ByoMap is not intended for users under 16 years of age. We do not knowingly collect information from children. If you believe a child has provided us with data, contact us and we will delete it.
10. International Transfers
Your data is stored in Singapore. If you are located outside Singapore, your data will be transferred to and processed in Singapore. By using ByoMap, you consent to this transfer. We ensure appropriate safeguards are in place per applicable data protection laws.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or an in-app notice. Continued use after changes constitutes acceptance.
12. Contact
For privacy-related questions or to exercise your rights:
Email: privacy@byomap.com
Company: ByoMap Health