This Privacy Policy describes how Certifications ('Certifications', 'we', 'us', or 'our') collects, uses, stores, and shares your personal information when you use the Certifications mobile application and related services (collectively, the 'Service'). This policy is written to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Brazil's LGPD.
1. Who We Are
Certifications is a technology company incorporated in Delaware, United States. We operate the Certifications mobile application — a behavioral longevity optimization platform.
| Role | Details |
|---|---|
| Legal entity | Certifications |
| Data Controller (GDPR) | Certifications |
| Contact | privacy@certifications.test |
| Response time | Within 30 days of any rights request |
2. Data We Collect
2.1 Account and Identity Data
- Full name
- Date of birth (to calculate relative age context — not displayed as biological age)
- Biological sex (male, female, or prefer not to say) — used only for scoring calibration
- Email address (via email authentication, Apple Sign-In, or Google Sign-In — we do not store passwords)
- Timezone (for check-in scheduling — not precise GPS location)
2.2 Health and Behavioral Data (Special Category Under GDPR)
The following data is classified as special category health/biometric data under GDPR Article 9. We only collect it with your explicit, informed consent obtained during onboarding.
- Sleep duration and bedtime consistency (self-reported or wearable-synced)
- Heart rate variability (HRV) and resting heart rate (RHR) — from wearable devices or manual entry
- Physical activity type, duration, and metabolic intensity (MET-based)
- Meal quality, eating window, sugar consumption, and alcohol intake
- Perceived stress level (self-reported on a continuous 1–10 scale)
- Illness and travel status (scoring modifiers only — not stored as medical diagnoses)
- Derived Longevity Score (300–900), aging rate multiplier, and four sub-scores: Recovery, Metabolic, Activity, Resilience
2.3 Wearable Device Data
If you connect a wearable device (Apple Health, Fitbit, Garmin, or Whoop), we receive data synchronized from that device according to the permissions you explicitly grant. We do not store raw wearable data beyond what is necessary to calculate your daily scores. Device type is recorded to apply appropriate cross-device calibration weighting in our scoring engine.
2.3a Google Health Integration (Google OAuth)
When you choose to connect your Fitbit / Google Health account, Certifications uses Google OAuth 2.0 to request your explicit permission to access a limited, read-only set of your health and fitness data. We request only the following scopes, and only the data each scope covers:
- Activity (
fitness.activity.read): daily step count and active-calorie totals, used to compute your movement and longevity sub-scores. - Heart rate (
fitness.heart_rate.read): resting heart rate and heart-rate variability, used as core inputs to your biological-age and recovery scoring. - Sleep (
fitness.sleep.read): sleep duration and sleep-stage summaries (deep / REM), used to score sleep quality and consistency. - Identity (
openid,email,profile): used solely to securely link the connection to your existing Certifications account.
This access is read-only. Certifications never writes, modifies, or deletes data in your Google Health / Fitbit account.
Limited Use disclosure
Certifications's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google health and fitness data only to provide and improve the features you have explicitly requested — calculating your daily longevity score and biological-age estimate.
- We do not transfer or sell this data to third parties for advertising, marketing, credit-worthiness, lending, or any unrelated purpose.
- We do not allow humans to read this data, except: (a) with your explicit consent for a specific support request, (b) where required for security or to comply with applicable law, or (c) where the data has been aggregated and de-identified for internal operations.
- We do not use this data to serve advertisements.
Retention and deletion of Google health data
We retain only the derived daily summaries (e.g. resting heart rate, sleep minutes, step totals) needed to compute and display your scores — we do not retain raw Google API responses beyond the processing required to produce those summaries. When you disconnect Fitbit / Google Health in the app, we revoke the OAuth tokens and stop all further syncing. You may delete your account and all associated health data at any time from within the app or by contacting us at the address in Section 12; deletion is completed within 30 days.
2.4 On-Device Research Data (CosinorAge)
Certifications runs the CosinorAge circadian rhythm algorithm silently on your device via the CLAID Flutter package. This computation uses your continuous accelerometry data and is processed entirely on your device. The computed CosinorAge output is stored locally for post-beta scientific validation only. It is never transmitted to our servers and is never shown to you. This on-device computation is covered by separate disclosure during onboarding consent.
2.5 Media and Content
If you opt in to the media system, we store photos and short video clips you upload. Media is private by default and is never shared with other users without your explicit action. Media is deleted from our servers after 90 days from upload, unless you opt in to extended storage.
2.6 Technical and Usage Data
- App usage patterns and feature interactions
- Device type and operating system version
- Push notification tokens
- Error logs and crash reports (anonymized)
2.7 Data We Do Not Collect
- Biological age — we never calculate or display biological age to users
- Height or weight
- Medical history, diagnoses, or prescriptions
- Precise GPS location
- Financial account numbers, payment card details, or government ID numbers (payments handled entirely by Apple/Google)
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), UK, and Switzerland:
| Legal Basis | Data Categories | Notes |
|---|---|---|
| Explicit Consent (Art. 6(1)(a) + Art. 9(2)(a)) | All health and biometric data in Section 2.2 | Obtained via explicit opt-in during onboarding. Withdrawable at any time. |
| Contract Performance (Art. 6(1)(b)) | Account data, score calculations, usage data | Necessary to provide the Service you signed up for. |
| Legitimate Interests (Art. 6(1)(f)) | Technical logs, crash reports, security monitoring | For app stability and fraud prevention. Balancing test confirms no override of fundamental rights. |
| Legal Obligation (Art. 6(1)(c)) | Data required by applicable law | Retained only for the period legally required. |
4. How We Use Your Data
- Calculate your daily Longevity Score, aging rate multiplier, and four pillar sub-scores
- Generate personalized behavioral insights through Zen, our AI guide
- Track your streaks, rank progression, and challenge achievements
- Recommend protocols and challenges aligned with your behavioral patterns
- Generate shareable recap videos (if you opt in)
- Send push notifications for check-in reminders, milestone achievements, and weekly recaps
- Conduct internal scientific validation of our scoring engine against peer-reviewed benchmarks
- Improve the accuracy and calibration of our behavioral aging model
We do not use your data for advertising. We do not sell your data to third parties. We do not use your personal data to train external AI models without your explicit consent.
5. Data Sharing and Processors
5.1 Third-Party Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Secure cloud storage for media and generated videos | Media files only |
| ElevenLabs (secondary/limited use) | AI voice generation for Zen insights | Check-in response summaries — no raw health data |
| Apple Inc. | Authentication and app distribution | Apple ID only |
| Google LLC | Authentication and app distribution | Google account email only |
| Pusher | Real-time push notification delivery | Device push token only |
| Apple App Store / Google Play | Subscription billing and payment processing | No health data — payment handled entirely by them |
5.2 Scientific Collaborators
We collaborate with academic researchers including Dr. Filipe Barata (ETH Zurich) and Dr. Jinjoo Shim (Harvard T.H. Chan School of Public Health) for scientific validation of our scoring methodology. Any data shared for research purposes is aggregated and de-identified — no individual user data is shared without additional explicit consent from you.
5.3 Legal Requirements
We may disclose your data if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Certifications, our users, or the public.
5.4 Business Transfers
If Certifications is acquired, merged, or undergoes a change of control, your data may be transferred as part of that transaction. We will notify you via email and in-app notification at least 30 days before your data becomes subject to a different privacy policy, and you will have the option to delete your account before the transfer.
6. International Data Transfers
Certifications is based in the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the lawful transfer mechanism. A copy of the applicable SCCs is available upon request at privacy@certifications.test.
7. Your Rights
7.1 Rights for All Users
- Access: Request a copy of all personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and all associated personal data
- Portability: Request your data in a structured, machine-readable format
7.2 Additional Rights for EEA/UK Users (GDPR)
- Withdraw consent at any time — this does not affect lawfulness of prior processing
- Object to processing based on legitimate interests
- Restrict processing in certain circumstances defined by GDPR
- Lodge a complaint with your local data protection authority (supervisory authority)
7.3 California Users (CCPA)
California residents have the right to know what personal information is collected, disclosed, or sold; the right to delete personal information; the right to opt out of sale of personal information (we do not sell personal information); and the right to non-discrimination for exercising CCPA rights. To submit a CCPA request: privacy@certifications.test.
7.4 How to Exercise Your Rights
Submit a request to privacy@certifications.test. We will respond within 30 days and provide written confirmation of deletion within the same period. You may also delete your account directly from the app via Settings > Deactivate Account, which initiates immediate data deletion.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Check-in and score data | Duration of account + 30 days after deletion request |
| Media uploads (photos/clips) | 90 days from upload, or duration of account if extended storage opted in |
| Generated recap videos | 90 days from creation |
| Account and profile data | Duration of account + 30 days after deletion request |
| Usage and technical logs | 12 months rolling |
| On-device CosinorAge data | Stored on device only — deleted when app is uninstalled or account deleted |
| Aggregated, de-identified research data | Indefinitely (cannot be linked to individuals) |
9. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a user is under 18, we will promptly delete their account and all associated data. If you believe we have collected data from a minor, contact us immediately at privacy@certifications.test.
10. Security
We implement industry-standard technical and organizational security measures, including:
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256)
- Access controls limiting data access to authorized personnel only
- Regular security assessments and vulnerability reviews
- Incident response procedures with defined escalation paths
No system is 100% secure. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and relevant regulatory authorities within the timeframes required by applicable law (72 hours under GDPR).
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email and in-app notification at least 30 days before changes take effect. Your continued use of the Service after the effective date constitutes acceptance. If you do not agree, you may delete your account before the changes take effect.
12. Contact and Complaints
For privacy questions, data requests, or to exercise your rights:
Email: privacy@certifications.test · Response time: Within 30 days
Legal entity: Certifications · Incorporated in Delaware, United States