Privacy Policy

Effective Date: February 1, 2026 | Last Updated: February 3, 2026

1. Introduction and Scope

1.1 About This Policy

This Privacy Policy ("Policy") describes how PLA ("Personal Longevity Advisor," "the App," "we," "our," or "us"), developed and operated by Geo Nicolaidis, an individual residing in Limassol, Cyprus, collects, uses, discloses, and protects information in connection with the PLA mobile application available on iOS.

1.2 Acceptance of This Policy

By downloading, installing, accessing, or using PLA, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Policy, you must not use the App.

1.3 Relationship to Terms of Service

This Privacy Policy is incorporated into and forms part of our Terms of Service. Capitalized terms not defined herein have the meanings ascribed to them in the Terms of Service.

2. Data Controller Information

For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the data controller is:

Geo Nicolaidis
Limassol, Cyprus
Email: geo@geonicolaidis.com

As PLA operates on a local-first, privacy-by-design architecture, we act as a data controller only for limited operational data as described in Section 4. For health data stored locally on your device, you retain full control as the data owner.

3. Categories of Information

3.1 Health and Biometric Data (Locally Stored Only)

The following categories of sensitive personal information are processed and stored exclusively on your device and are never transmitted to, collected by, or accessible to us:

• Biomarker measurements and laboratory test results
• Health scores and derived health metrics
• Data imported via OCR from lab result documents
• Data synchronized from Apple HealthKit (with your permission)
• AI-generated health insights, recommendations, and conversation history
• Medical history, conditions, or diagnoses you choose to record
• Any other health-related information you input into the App

3.2 Information We May Collect

We may collect limited information as follows:

3.2.1 Device and Technical Information

When you use the App, we may automatically collect:

• Device type, model, and operating system version
• App version and build number
• General geographic region (country-level, derived from IP address during app updates or crash reports)
• Anonymized crash reports and performance diagnostics

3.2.2 Analytics Data (Optional)

If you have not opted out of Apple's analytics sharing, we may receive aggregated, anonymized analytics through Apple's App Analytics, including:

• App launches and session duration
• Feature usage patterns (anonymized)
• App Store engagement metrics

This data is aggregated by Apple and does not include personal identifiers or health information. You can disable this by going to iOS Settings → Privacy & Security → Analytics & Improvements → Share iPhone Analytics.

3.2.3 Voluntary Communications

If you contact us for support or feedback, we may collect:

• Your email address
• Name (if provided)
• Content of your communications
• Any attachments you choose to send

3.2.4 Waitlist Information

If you join our waitlist, we collect your email address solely for the purpose of notifying you about app availability and updates. This information is stored separately from any app usage data.

4. Third-Party Services and Data Processing

4.1 Anthropic (Claude AI) — Anonymized Data Only

When you use the AI-powered features of PLA:

• You provide your own Anthropic API key, which you obtain directly from Anthropic (anthropic.com)
• Data is transmitted directly from your device to Anthropic's servers in the United States
• We do not intermediate, proxy, log, or have any access to these communications

What Is Sent to Anthropic (Anonymized Data Only)

• Basic demographics: age and biological sex (e.g., "39-year-old male")
• Biomarker values without context (e.g., "HDL: 54 mg/dL, LDL: 110 mg/dL")
• Health questions you ask about your data

What Is NEVER Sent to Anthropic

• Your name, email address, or contact information
• Your physical address or location
• Your device identifiers or Apple ID
• Laboratory names, doctor names, or healthcare provider information
• Dates of tests or medical visits
• Any other information that could identify you personally

Anthropic's Data Practices

• Anthropic retains API data for approximately 30 days for abuse monitoring, then deletes it
• Your anonymized data may be used to improve Anthropic's models unless you opt out through Anthropic's settings
• Review Anthropic's policies:
  • Privacy Policy: anthropic.com/privacy
  • Terms of Service: anthropic.com/legal/terms
  • Acceptable Use Policy: anthropic.com/legal/aup

API Key Security

• You are solely responsible for securing your Anthropic API key
• If your API key is compromised, unauthorized parties may access Anthropic's services and incur charges to your account
• Treat your API key as you would a password — do not share it
• PLA stores your API key securely in iOS Keychain, encrypted on your device

4.2 Apple Services

• Apple HealthKit: If you grant permission, the App reads data from Apple Health. This data is processed locally and never transmitted to us. Apple's privacy practices apply to HealthKit data.
• App Store: Apple processes your App Store transactions and may share limited analytics with us.
• iCloud: If you use iCloud backup, your device backup (which may include app data) is subject to Apple's privacy policy. We do not have access to your iCloud data.

4.3 Website Technologies

Our website is designed with privacy in mind:

• Self-Hosted Fonts: Typography is served directly from our servers. No third-party font services are used, so your IP address is not transmitted to external parties when loading fonts.
• No Tracking: We do not use cookies, tracking pixels, or analytics on our website.
• No Third-Party Scripts: Our website does not load external scripts that could track your browsing behavior.

The only external data sharing that may occur is through Apple's App Store Connect for users who download our iOS app.

4.4 Future Third-Party Integrations

We may introduce additional third-party integrations in the future. Any such integrations will be clearly disclosed, will require your explicit consent before activation, and this Privacy Policy will be updated accordingly.

5. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:

Data Type	Legal Basis
Device/technical information	Legitimate interest (app functionality and improvement)
Crash reports	Legitimate interest (maintaining app stability)
Analytics (if enabled)	Consent (via iOS settings)
Support communications	Contractual necessity; legitimate interest
Waitlist email	Consent
Health data (local)	Not applicable (not collected by us)

6. Your Rights Under GDPR and Other Privacy Laws

6.1 GDPR Rights (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:

• Right of Access: Request confirmation of whether we process your personal data and obtain a copy
• Right to Rectification: Request correction of inaccurate personal data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restriction: Request limitation of processing in certain circumstances
• Right to Data Portability: Receive your data in a structured, commonly used format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, contact us at geo@geonicolaidis.com. We will respond within 30 days.

Note: For health data stored locally on your device, you exercise these rights directly through the App's data management features (export, delete) since we do not have access to this data.

6.2 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of personal information collected, used, disclosed, or sold
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt out of the sale or sharing of personal information
• Right to Non-Discrimination: Not be discriminated against for exercising your rights
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use of Sensitive Personal Information: Limit the use and disclosure of sensitive personal information

We do not sell or share personal information as defined by the CCPA/CPRA.

To submit a request, contact us at geo@geonicolaidis.com with the subject line "California Privacy Rights Request" or use the data controls within the App.

Verification for Privacy Requests

To protect your privacy, we must verify your identity before fulfilling CCPA/CPRA requests. We will verify using:

• Email confirmation: For access and portability requests, we will send a verification email to the address associated with your request
• Additional information: For deletion requests involving sensitive information, we may require a signed declaration under penalty of perjury confirming your identity

Note: Because we collect minimal personal information and do not have access to your health data (stored locally on your device), verification requirements are typically minimal.

Authorized Agents

You may designate an authorized agent to submit privacy requests on your behalf. The authorized agent must:

• Provide written authorization signed by you (or a valid power of attorney)
• Verify their own identity to our satisfaction
• Provide proof of their authorization to act on your behalf

We may require you to directly confirm the authorized agent's authority and verify your own identity before processing the request.

6.3 Other Jurisdictions

We respect privacy rights globally. If you are located in a jurisdiction with specific privacy laws (such as Brazil's LGPD, Canada's PIPEDA, or Australia's Privacy Act), we will honor applicable rights upon request. Contact us for assistance.

7. Data Security

7.1 On-Device Security Measures

• Encryption at Rest: All health data is encrypted using iOS Data Protection APIs with your device passcode as part of the encryption key
• Keychain Storage: Sensitive credentials (API keys) are stored in the iOS Keychain, Apple's secure credential storage
• Biometric Authentication: The App requires Face ID or Touch ID (where available) to access health data
• No Plain Text Storage: Sensitive data is never stored in plain text or in easily accessible locations

7.2 Network Security

• TLS Encryption: All network communications (when applicable) use TLS 1.2 or higher
• Certificate Pinning: The App implements certificate pinning for critical connections
• No Unnecessary Transmission: Health data is not transmitted unless you explicitly use AI features

7.3 Security Limitations

Despite our security measures, no system is completely secure. We cannot guarantee absolute security. You are responsible for:

• Maintaining the security of your device and passcode
• Keeping your Anthropic API key confidential
• Using the App on devices you trust
• Maintaining device software updates

8. Data Retention

8.1 Locally Stored Data

Health data stored on your device is retained until you delete it through the App or uninstall the App. We have no control over or access to this data.

8.2 Data We Collect

• Support communications: Retained for 3 years after last contact, then deleted
• Waitlist emails: Retained until you unsubscribe or 2 years after app launch, whichever is earlier
• Crash reports: Retained for 90 days
• Analytics: Aggregated and anonymized; individual data not retained

8.3 Third-Party Retention

Data processed by Anthropic is subject to Anthropic's data retention policies (approximately 30 days). We have no control over their retention practices.

9. Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will take the following actions:

9.1 For GDPR-Covered Data (EEA/UK/Swiss Users)

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where legally required)
• Notify affected individuals without undue delay if the breach is likely to result in a high risk to your rights and freedoms
• Provide information about the nature of the breach, likely consequences, and measures taken or proposed

9.2 For CCPA/CPRA-Covered Data (California Users)

• Provide notice as required under California Civil Code Section 1798.82 for breaches of unencrypted personal information
• Notify the California Attorney General if the breach affects more than 500 California residents

9.3 Notification Methods

• We will notify you via email (if we have your email address on file)
• We will provide notice through the App where possible
• We will describe the breach, affected data categories, and steps you should take
• We will inform you of remedial measures implemented

10. International Data Transfers

10.1 Our Processing

We are based in Cyprus (EU member state). Any data we collect is processed within the EEA. We do not transfer personal data outside the EEA unless required by law or with appropriate safeguards.

10.2 Third-Party Transfers

When you use Anthropic's AI services, your data is transferred to Anthropic's servers, which may be located in the United States. This transfer is initiated by you when you use these features. Anthropic may rely on mechanisms such as Standard Contractual Clauses for lawful data transfer. Review Anthropic's privacy policy for details.

11. Special Categories of Data

11.1 Health Data Classification

Health and biometric data constitute "special category data" under GDPR and "sensitive personal information" under various privacy laws. PLA is designed so that:

• Such data is processed locally on your device
• We never collect, access, or store this data on our systems
• Processing is under your sole control

11.2 HIPAA Notice (United States)

12. Children's Privacy

PLA is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at geo@geonicolaidis.com. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information.

13. Do Not Track Signals

The App does not track users across third-party websites or services. We honor Do Not Track signals to the extent applicable, though our privacy-by-design architecture means we perform minimal tracking regardless of signal status.

14. Automated Decision-Making

PLA's AI features provide informational insights based on your data. These insights are:

• Generated by third-party AI (Anthropic Claude) based on data you provide
• Informational and educational in nature only
• Not automated decisions with legal or similarly significant effects
• Not a substitute for professional medical judgment

You have the right not to be subject to decisions based solely on automated processing that produce legal effects. The AI insights in PLA do not constitute such decisions.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will update the "Last Updated" date at the top of this Policy
• We will notify you through the App or via email (if you've provided one)
• Material changes will not apply retroactively
• For significant changes affecting health data processing, we will obtain fresh consent where required

We encourage you to review this Policy periodically. Your continued use of the App after changes indicates acceptance of the updated Policy.

16. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:

Geo Nicolaidis
Data Controller
Limassol, Cyprus
Email: geo@geonicolaidis.com

We aim to respond to all inquiries within 30 days. For GDPR-related requests, we will respond within the legally required timeframe.

16.1 Supervisory Authority

If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. For Cyprus residents:

Office of the Commissioner for Personal Data Protection
www.dataprotection.gov.cy

17. Jurisdiction-Specific Privacy Provisions

The following provisions supplement and, where necessary, supersede the general provisions above for users in specific jurisdictions:

17.1 United States Users

State Privacy Laws

In addition to California (CCPA/CPRA), the following states have comprehensive privacy laws. Residents of these states have similar rights to access, correct, delete, and port their personal data:

• Virginia (CDPA)
• Colorado (CPA)
• Connecticut (CTDPA)
• Utah (UCPA)
• Oregon, Montana, Texas, Delaware, and other states with enacted privacy legislation

Contact us at geo@geonicolaidis.com to exercise your rights under any applicable state privacy law.

17.2 United Kingdom Users

• This Privacy Policy complies with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
• UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk to lodge complaints
• The data controller for UK users is Geo Nicolaidis, Limassol, Cyprus

17.3 Australian Users

• This Privacy Policy complies with the Privacy Act 1988 and Australian Privacy Principles (APPs)
• Australian users may lodge privacy complaints with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
• APP 8 Disclosure: When you use AI features, your anonymized health data is transferred to Anthropic in the United States. This is a user-initiated transfer essential for providing the AI analysis service you have requested.

17.4 Canadian Users

• This Privacy Policy complies with PIPEDA (Personal Information Protection and Electronic Documents Act)
• Canadian users may lodge complaints with the Office of the Privacy Commissioner of Canada at priv.gc.ca
• We identify purposes for personal information collection at or before the time of collection

17.5 Brazilian Users

• This Privacy Policy complies with the Lei Geral de Proteção de Dados (LGPD)
• Brazilian users may contact the National Data Protection Authority (ANPD) at gov.br/anpd
• Legal bases for processing under LGPD correspond to those listed in Section 5 above

17.6 EEA/Swiss Users

• All GDPR provisions in this Policy apply fully
• Swiss users may contact the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch

18. Policy Versioning

This is version 1.1 of our Privacy Policy.

Version	Date	Summary of Changes
1.0	February 1, 2026	Initial release
1.1	February 3, 2026	Enhanced Anthropic anonymization disclosures; added data breach notification procedures; added CCPA verification and authorized agent procedures; added jurisdiction-specific provisions for UK, Australia, Canada, Brazil, and EEA/Swiss users