Privacy Policy
Last updated: March 2026
Data Controller & Contact Information
Data Controller: BioNico GmbH, Zug, Switzerland
Email: hello@bionico.ch
Bionico is committed to protecting your health data with the highest level of privacy and security. This Privacy Policy explains how we collect, use, and protect your personal health information.
What Health Data We Collect
Bionico collects the following types of health information when you upload data to your profile:
- Blood biomarker data: Lab results including glucose, lipids, liver enzymes, kidney function, thyroid markers, and complete blood counts parsed from lab PDFs
- Genomic variants: Genetic variants from 23andMe exports and raw genomic data files, including APOE, SLCO1B1, MTHFR, FOXO3, and 20+ other clinically relevant polymorphisms
- Wearable metrics: Integration with Apple Health, WHOOP, Oura, and Garmin data including heart rate, sleep, recovery, activity, and HRV
- Medical records: Any additional medical records or DICOM files you upload
Where Your Health Data Is Stored
Client-side storage: Your health data is stored locally in your browser's localStorage. Bionico does not maintain databases or servers storing your personal health data.
Data sovereignty: You maintain complete control and ownership of your health data. You can clear all stored information at any time by clearing your browser's localStorage.
Backup: If you use browser sync features (iCloud, Google, etc.), your localStorage may be synced to those services according to their privacy policies.
What Is Sent to Our Servers & Third Parties
API transmission: Only the health data you actively send to Claude AI (Anthropic) for analysis is transmitted beyond your device. This data is sent directly to Anthropic's API.
Anthropic's zero-retention policy: Anthropic does not store API inputs or outputs for commercial purposes. According to Anthropic's API Terms of Service, API usage data is retained briefly for system improvements but is not used to train new models or shared with third parties.
No third-party analytics or tracking: Bionico does not use Google Analytics, Mixpanel, Segment, or any third-party analytics services. We do not track your behaviour or install tracking cookies.
No advertising or data sales: We never sell, share, or license your health data to advertisers, insurers, pharmaceutical companies, or any third party. Ever.
Hosting infrastructure: Bionico's web servers are hosted on Netlify, which provides SOC 2 Type II compliant infrastructure in Europe. Netlify does not access your health data (stored in localStorage on your device).
Your Health Data Rights Under Swiss Data Protection Law (nDSG)
Applicable regulation: Your health data is protected under the Federal Act on Data Protection (Bundesgesetz über den Datenschutz — nDSG), which came into force on January 1, 2023.
Classification as Sensitive Personal Data
Under Article 5 of the nDSG, health data — including genetic information, biomarkers, lab results, and wearable metrics — is classified as sensitive personal data. Processing sensitive personal data is only permitted when:
- Explicit consent has been obtained from the data subject (you), or
- Processing is required by law for specific purposes
Our Legal Basis
Bionico processes your health data on the basis of explicit consent (Article 5(1) nDSG). When you upload health data to Bionico, you provide explicit consent for us to:
- Store your data in browser localStorage
- Transmit data to Claude AI for analysis and personalised health insights
- Generate your Digital Health Twin and domain scores
Your Data Subject Rights
Under Article 15 of the nDSG, you have the following rights:
- Right of access: You can request confirmation of what health data Bionico holds about you and receive a copy of it
- Right of correction: You can request correction of inaccurate health data
- Right to deletion: You can request deletion of your health data by clearing your browser localStorage or by contacting us
- Right to data portability: You can request your data in a structured, machine-readable format
- Right to withdraw consent: You can withdraw your consent at any time, preventing further processing
Exercising Your Rights
To exercise any of these rights, contact us at hello@bionico.ch with "Data Subject Request" in the subject line. We will respond to your request within 30 days.
Your Health Data Rights Under GDPR (Article 9)
Applicable regulation: If you are located in the European Union or United Kingdom, your health data is also protected under the General Data Protection Regulation (GDPR).
Special Category Data
Under Article 9(1) of the GDPR, health data (including genetic information and biometric data) is classified as special category personal data. Processing special category data is prohibited unless specific conditions apply.
Our Legal Basis
Bionico processes your health data under Article 9(2)(a) GDPR — explicit consent. You provide this consent when you upload health data to Bionico and use the platform.
Your Data Subject Rights
Under Chapter III of the GDPR, you have the following rights:
- Right of access (Article 15): You can request and receive a copy of your personal data
- Right to rectification (Article 16): You can correct inaccurate data
- Right to erasure (Article 17): You can request deletion of your data
- Right to restrict processing (Article 18): You can restrict how we use your data
- Right to data portability (Article 20): You can receive your data in a portable format
- Right to object (Article 21): You can object to processing of your data
- Right to withdraw consent (Article 7): You can withdraw consent at any time
Exercising Your Rights
To exercise any of these rights, contact us at hello@bionico.ch with "Data Subject Request" in the subject line. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
Data Retention & Deletion
- Browser localStorage: Your health data persists in browser localStorage until you explicitly clear it. You can delete all data by clearing your browser cache and localStorage, or through your account settings in Bionico
- Server-side: Bionico does not maintain server-side backups of your health data. Deletion from localStorage is permanent
- API logs: Data sent to Anthropic's Claude API is retained according to Anthropic's zero-retention policy for API usage (brief retention for system monitoring, then deleted)
- Account deletion: If you delete your Bionico account, all associated metadata is deleted within 30 days. You can clear localStorage at any time to immediately delete all health data
Security Measures
- Client-side encryption: Not applied by Bionico. Health data is stored unencrypted in browser localStorage. For additional security, we recommend using a browser extension that encrypts stored data or device-level encryption
- Transport security: All data sent to Claude AI is transmitted over TLS 1.3, providing end-to-end encryption in transit
- Hosting infrastructure: Bionico servers are hosted on Netlify's SOC 2 Type II compliant infrastructure in Europe
- Authentication: Access to your account is protected by multi-factor authentication (2FA)
- No third-party access: We do not share encryption keys, access tokens, or authentication credentials with any third party
Children's Privacy
Bionico is not intended for individuals under 18 years of age. We do not knowingly collect health data from children. If you are aware of a child using Bionico, please contact us at hello@bionico.ch.
International Data Transfers
Your health data is stored in browser localStorage on your local device and is not transferred internationally unless you explicitly send it to Claude AI. Anthropic's servers are located in the United States. By using Bionico, you consent to this transfer. Anthropic provides appropriate safeguards under its API Terms of Service and does not use API data for training.
Policy Changes
Bionico may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. We will notify you of material changes by updating the "Last updated" date on this page and, if required, by email. Your continued use of Bionico following such changes constitutes acceptance of the updated Privacy Policy.
Contact & Data Subject Requests
Email: hello@bionico.ch
Mailing address: BioNico GmbH, Zug, Switzerland
For privacy concerns, data subject requests, or to exercise your rights under nDSG or GDPR, please contact us with "Data Subject Request" or "Privacy Inquiry" in the subject line. We will respond within 30 days.
Legal Disclaimer
This Privacy Policy is an informational overview, not legal advice. While we have made efforts to ensure accuracy, data protection law is complex and jurisdiction-specific. If you require a formal legal interpretation of how nDSG, GDPR, or other data protection regulations apply to your use of Bionico, we strongly recommend consulting with qualified legal counsel in your jurisdiction.