Privacy Policy
Pheno AB (“we,” “our,” or “us”) operates the website https://www.pheno.health. We are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the General Data Protection Regulation (GDPR) and other applicable laws.
Language availability. This Privacy Policy is published in English. A full Swedish translation is in preparation. In the meantime, the sections most material to Swedish data subjects — Section 5a (Product Analytics) and Section 12 (Automated Decision-Making or Profiling) — include a parallel Swedish version. You may also request a Swedish translation of any section by writing to team@pheno.health.
Language version. This Privacy Policy is published in English. A full Swedish translation is being prepared. Until then, parallel Swedish versions are provided for the sections of greatest relevance to Swedish data subjects: Section 5a (Product Analytics) and Section 12 (Automated Decision-Making or Profiling). You may also request a Swedish translation of any section via team@pheno.health.
1. Information We Collect
We collect and process the following types of personal data:
- Identity & Contact Information: Name, email address, phone number.
- Analytics & Usage Data: IP address, device details, browsing behavior (collected via Google Analytics and similar tracking tools).
Some of this data is strictly necessary for providing our services (for example, creating an account or fulfilling user requests). If you choose not to provide the required data, you may be unable to access certain features or services. Providing other data (such as information for marketing communications) is voluntary, and you can opt out at any time.
2. Identity of the Data Controller
Pheno AB is the data controller responsible for processing your personal data.
If you have any questions about this Privacy Policy or your personal data, you can contact us at:
- Email: team@pheno.health
- Address: Pheno AB, Döbelnsgatan 16B, 113 58 Stockholm, Sweden
- Web Form: https://www.pheno.health/contact
(Please mention “Data Protection” in your query.)
Pheno AB is registered in Sweden and acts as the data controller for all personal data processed via this website.
3. Legal Basis for Processing Data
Under GDPR, we process personal data based on the following legal bases:
- Consent – For marketing communications and optional data collection.
- Legitimate Interest – For improving our services, security, and fraud prevention.
- Contractual Obligation – For fulfilling service agreements.
- Legal Compliance – When required by law.
Examples:
- Identity & Contact Data: Processed primarily to fulfill service agreements (contractual obligation) and, with your consent, for marketing communications.
- Analytics & Usage Data: Processed under our legitimate interest to improve the website and user experience.
4. How We Use Your Data
We use the data we collect for the following purposes:
- To provide and improve our services – Including website performance optimization.
- Marketing & Communication – Sending relevant updates, promotions, and content (with user consent).
- Analytics & Research – Understanding user behavior to enhance user experience.
- Security & Fraud Prevention – Detecting, investigating, and preventing unauthorized access or breaches.
5. Cookies & Tracking Technologies
We use cookies and tracking technologies such as Google Analytics to collect anonymized usage data. You can manage cookie preferences through your browser settings.
5a. Product Analytics
In addition to the cookies described above, Pheno operates its own first-party product analytics inside the application. These analytics are used solely to understand how the platform is used so we can improve performance, fix bugs, and prioritise features. They are kept entirely separate from your clinical data, AI conversation content, and the Pheno Score.
- Lawful basis. GDPR Article 6(1)(f) — legitimate interest in operating and improving the product.
- What is captured. Session metadata (a reduced user-agent — browser family, OS family, device class — and the country code derived from your request, never the IP address); page-view route templates with dynamic segments replaced by placeholders such as :id; and a strict allow-list of named events (for example onboarding step started, result viewed, chat message sent) with bucketed properties only. We never store the text of your questions, answers, or chat responses.
- What is NOT captured. No third-party analytics SDKs, no session replay, no IP addresses, no query strings, no clinical data, no biomarker values, and no free-text content.
- Retention. Raw rows are deleted after 90 days. Aggregated rollups (daily totals, retention cohorts, funnel steps) are kept for up to 24 months and never contain a user identifier. A small per-user engagement summary is kept for the lifetime of your account and removed when you delete the account.
- Opt-out. You can pause product analytics at any time from Profile → Notifications → Pause product analytics. The toggle takes effect immediately on both the client and the server, and no further events are recorded for your account.
- DSAR. On request via team@pheno.health we will export (Article 15 / 20) or delete (Article 17) the analytics rows associated with your account. Aggregated rollups do not contain identifiers and are therefore not included in DSAR responses.
An admin-internal descriptive summary may be generated from this metadata to help our product team understand the shape of usage. The summary is descriptive only, never used for clinical decisions, and never surfaced back to you. See Section 12 (Automated Decision-Making or Profiling): this summary does not produce legal or similarly significant effects.
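The minimisation rules above (route templates with :id, a reduced user-agent, country code instead of IP, no query strings, allow-listed events with bucketed properties, and the pause toggle) written out as a small Python sanitiser. This is an added illustration, not Pheno's own code; the raw event shape, the event-name spelling, the bucket edges and the user-agent heuristics are assumptions.

```python
import re
from urllib.parse import urlsplit

# Allow-list of named events (spelling assumed; the policy names them in prose).
ALLOWED_EVENTS = {"onboarding_step_started", "result_viewed", "chat_message_sent"}
# Dynamic path segments: numeric ids, UUIDs, long hex tokens. Static words never match.
DYNAMIC_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}|[0-9a-f]{16,})$", re.I)
BUCKET_EDGES = (0, 50, 200, 1000)  # constructed edges for bucketing numeric properties
# Constructed raw event, as a client might emit it before sanitisation.
SAMPLE_EVENT = {
    "event": "chat_message_sent",
    "path": "/results/550e8400-e29b-41d4-a716-446655440000/chat?token=secret",
    "ip": "203.0.113.7",  # must never reach storage
    "country": "SE",      # assumed derived upstream from the request; the IP itself is not kept
    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148 Safari/604.1",
    "props": {"message_chars": 120, "text": "free text that must be dropped"},
}

def route_template(path: str) -> str:
    """Drop the query string and replace dynamic segments with the :id placeholder."""
    segments = urlsplit(path).path.split("/")
    return "/".join(":id" if DYNAMIC_SEGMENT.match(s) else s for s in segments)

def reduce_user_agent(ua: str) -> dict:
    """Keep only browser family, OS family and device class (simple substring heuristic)."""
    low = ua.lower()
    browser = next((b for b in ("firefox", "edg", "chrome", "safari") if b in low), "other")
    os_family = next((o for o in ("android", "iphone", "windows", "mac os", "linux") if o in low), "other")
    device = "mobile" if any(m in low for m in ("mobile", "android", "iphone")) else "desktop"
    return {"browser": browser, "os": os_family, "device": device}

def bucket(value: int) -> str:
    """Map a number to a coarse range so the exact value never leaves the client."""
    for lo, hi in zip(BUCKET_EDGES, BUCKET_EDGES[1:]):
        if lo <= value < hi:
            return f"{lo}-{hi - 1}"
    return f"{BUCKET_EDGES[-1]}+"

def sanitise(raw: dict, analytics_paused: bool) -> "dict | None":
    """Return the storable row, or None when no row may be recorded at all."""
    if analytics_paused or raw.get("event") not in ALLOWED_EVENTS:
        return None  # paused users and unlisted events produce no row
    props = {k: bucket(v) for k, v in raw.get("props", {}).items() if isinstance(v, int)}
    return {
        "event": raw["event"], "route": route_template(raw.get("path", "/")),
        "country": raw.get("country"),
        **reduce_user_agent(raw.get("user_agent", "")),
        "props": props,  # only bucketed numeric properties; free text is dropped
    }
```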
Product Analytics (Swedish version)
In addition to the cookies described above, Pheno operates its own internal product analytics within the application. It is used solely to understand how the platform is used so that we can improve performance, fix bugs and prioritise new features. It is kept entirely separate from your clinical data, AI conversations and your Pheno Score.
- Lawful basis. GDPR Article 6(1)(f): legitimate interest in operating and improving the product.
- What is collected. Session metadata (a reduced user-agent: browser family, operating system, device class, plus country code, never the IP address), route templates for page views in which dynamic segments are replaced by placeholders such as :id, and a strict allow-list of named events (for example onboarding step started, result viewed, chat message sent) with bucketed properties only. We never store the text of your questions, answers or chat responses.
- What is NOT collected. No third-party analytics tools, no session recording, no IP addresses, no query strings, no clinical data, no biomarker values and no free text.
- Storage. Raw rows are deleted after 90 days. Aggregated summaries (daily totals, retention cohorts, funnel steps) are kept for up to 24 months and never contain a user identifier. A small per-user summary is kept for the lifetime of the account and deleted when the account is removed.
- Opt-out. You can pause product analytics at any time from Profile → Notifications → Pause product analytics. The setting takes effect immediately both in the client and on the server, and no further events are recorded for your account.
- Requests for access or erasure. On request via team@pheno.health we export (Articles 15/20) or delete (Article 17) the analytics rows belonging to your account. Aggregated summaries contain no identifiers and are therefore not included in the export.
An internal, descriptive summary may be generated from this metadata to help our product team understand usage patterns. The summary is descriptive only, is never used in clinical decisions and is never shown to you. See Section 12 (Automated Decision-Making or Profiling): this summary produces no legal or similarly significant effects.
6. Data Sharing & Third-Party Processors
We do not sell or trade your personal data. However, we may share data with:
- Service Providers: Google Analytics, cloud hosting providers, and payment processors.
- Legal Authorities: If required to comply with legal obligations.
These third parties process data under GDPR-compliant agreements ensuring security and privacy.
7. Data Retention
We retain personal data for as long as necessary for its intended purpose or as required by law. Retention periods vary:
- Marketing Data: Until users withdraw consent.
- Account Data: While the user has an active account.
- Analytics Data: Retained for up to 26 months, after which it is anonymized.
If we cannot specify an exact retention period, we determine it based on criteria such as the nature of our relationship with you, the sensitivity of the data, and any legal or regulatory requirements. Once the applicable period has expired, we will either securely delete or anonymize your data.
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Access – Request a copy of the personal data we hold.
- Correction – Request corrections to inaccurate data.
- Deletion – Request data deletion (subject to legal obligations).
- Objection – Object to data processing for marketing purposes.
- Portability – Request a structured copy of your data for transfer.
- Withdraw Consent – Opt out of marketing communications at any time.
To exercise any of these rights, please contact us at team@pheno.health or via https://www.pheno.health/contact. Please specify the right you wish to exercise and provide details to help us respond efficiently.
If you believe your data protection rights have been breached, you have the right to lodge a complaint with a supervisory authority, such as the Swedish Authority for Privacy Protection (IMY). You can find their contact details at https://imy.se.
9. Data Security Measures
We implement technical and organizational safeguards to protect your data from unauthorized access, alteration, or misuse. However, no online service is completely secure, and we encourage users to take precautions when sharing personal data.
10. Children's Privacy
Our services are not intended for users under 18 years old. We do not knowingly collect personal data from minors. If a minor has provided us with data, we will take steps to delete it.
11. International Data Transfers
If we transfer data outside the European Economic Area (EEA), we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Other GDPR-compliant mechanisms ensuring lawful cross-border data processing.
You may contact us at team@pheno.health to request more information or a copy of the relevant transfer safeguards (e.g., SCCs) if applicable.
12. Automated Decision-Making or Profiling
Pheno Health Platform uses automated processing of your personal data to produce personalised health information. Specifically:
- Biomarker scoring. Your blood-test results are scored against published reference ranges using a deterministic rule engine to produce per-marker categorisations (for example low / optimal / elevated).
- Pheno Score and biological-age estimates. These are derived from your biomarker results and your demographic data using documented formulas. The methodology is described in our Algorithm Transparency document, available on request via team@pheno.health.
- AI-generated lifestyle and supplementation suggestions. When you interact with the Pheno AI, your scored results plus your conversation context are used to generate non-prescriptive lifestyle and supplementation suggestions. These are framed as educational guidance, not as a clinical diagnosis or treatment decision.
Article 22 GDPR position. This processing constitutes profiling under Article 4(4) GDPR, but it does not produce legal effects on you or similarly significantly affect you within the meaning of Article 22(1). The outputs are informational and educational; they do not, by themselves, deny you a service, an employment opportunity, an insurance product, or any other legally significant outcome. We do not share individual Pheno Scores, biological-age estimates, or AI conversation content with employers, insurers, or any other third party for decision-making purposes.
Legal basis. Where automated processing is used, we rely on (a) the performance of the user agreement under which you receive the service (Article 6(1)(b)) and (b) explicit consent for the processing of health data (Article 9(2)(a)).
Safeguards and your rights. A licensed clinician reviews flagged or out-of-range results before they are surfaced to you, and you can request a clinician review of any individual result at any time. You also retain the rights described in Section 8 — including the right to obtain meaningful information about the logic involved, to express your point of view, and to contest any output you consider inaccurate. Contact team@pheno.health to exercise any of these rights.
If our use of automated decision-making changes — for example, if outputs are ever used as the basis for a decision with legal or similarly significant effects — we will update this Privacy Policy and obtain a separate, freely given, informed consent before doing so.
Section 12. Automated Decision-Making or Profiling (Swedish version)
Pheno Health Platform uses automated processing of your personal data to provide you with personalised health information. Specifically:
- Biomarker scoring. Your blood-test results are scored against published reference ranges via a deterministic rule engine and categorised per marker (for example low / optimal / elevated).
- Pheno Score and biological-age estimates. These are calculated from your biomarker results and your demographic data using documented formulas. The methodology is described in our algorithm transparency document and can be requested via team@pheno.health.
- AI-generated lifestyle and supplement suggestions. When you interact with Pheno AI, your scored results and the conversation context are used to generate non-prescriptive lifestyle and supplement suggestions. These are designed as educational guidance, not as a clinical diagnosis or treatment decision.
Position under Article 22 GDPR. The processing constitutes profiling under Article 4(4) GDPR, but it produces neither legal effects nor similarly significant effects for you within the meaning of Article 22(1). The outputs are informational and educational; they do not in themselves lead to you being denied a service, employment, insurance or any other legally significant outcome. We do not share individual Pheno Scores, biological-age estimates or AI conversation content with employers, insurers or other third parties for decision-making purposes.
Legal basis. For automated processing we rely on (a) performance of the user agreement under which you receive the service (Article 6(1)(b)) and (b) explicit consent to the processing of health data (Article 9(2)(a)).
Safeguards and your rights. A licensed clinician reviews flagged or abnormal results before they are shown to you, and you can at any time request a clinician review of an individual result. You also retain the rights described in Section 8, including the right to obtain meaningful information about the logic behind the processing, to express your point of view and to contest results you consider inaccurate. Contact team@pheno.health to exercise any of these rights.
If our use of automated decision-making changes, for example if outputs are ever used as the basis for decisions with legal or similarly significant effects, we will update this Privacy Policy and obtain separate, freely given and informed consent before doing so.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The latest version will always be available at https://www.pheno.health. We will notify users of significant changes.
14. Contact Us
For any privacy-related inquiries, you can contact us at:
- Email: team@pheno.health
- Address: Pheno AB, Döbelnsgatan 16B, 113 58 Stockholm, Sweden
- Web Form: https://www.pheno.health/contact
Last Updated: May 5, 2026