Salubase Terms & Privacy Policy

Effective Date:

By using Salubase, you agree to these terms and acknowledge our data practices described below. Salubase acts as the data controller for your personal data under the General Data Protection Regulation (GDPR).

Medical Disclaimer

Salubase is for informational purposes only and does not provide medical advice, diagnosis, or treatment. AI-generated analysis is based on general reference ranges and is not a substitute for professional medical judgement. Always consult a qualified healthcare provider before acting on any information from Salubase.

What We Collect

  • Your email address when you create an account
  • Blood test PDFs you upload for processing
  • Personal details extracted from your PDFs during processing, including age and sex (used to determine appropriate biomarker reference ranges)
  • Usage data such as device type and page interactions

How We Process Your Data

  • Uploaded PDFs are sent to LLM APIs (Google Gemini, OpenAI, or Anthropic) to extract structured biomarker data
  • Extracted personal details (age, sex) are sent to LLM APIs to determine appropriate reference ranges for your biomarkers
  • After successful processing, all intermediate data (raw PDF text, extracted tables, and personal details such as age and sex) is deleted — only encrypted biomarker-specific measurements are retained
  • LLM providers do not use your data for model training and retain it only briefly for abuse monitoring: OpenAI, Google Gemini, Anthropic

Automated Decision-Making

Salubase uses AI language models (LLMs) to automatically extract biomarker data from your uploaded PDFs, match biomarkers to reference ranges, and determine whether values fall within normal ranges. These automated processes determine the data you see in your dashboard.

  • No medical diagnoses or treatment decisions are made — results are informational only
  • You can review all extracted data in the app and contact us at support@salubase.com to request human review of any automated processing

Third-Party Services

  • LLM providers — Google Gemini, OpenAI, Anthropic (PDF data extraction)
  • Supabase — hosting, database, authentication
  • Stripe — payment processing
  • Google Analytics — anonymous usage analytics
  • Resend — transactional email delivery (processing notifications)

Each third-party service processes your data under a Data Processing Agreement (DPA) that governs their obligations as data processors under GDPR Article 28. These agreements include Standard Contractual Clauses (SCCs) for international data transfers.

Data Security

  • Measurement data is encrypted at rest using envelope encryption (AES-256-GCM + RSA-2048-OAEP)
  • Zero-knowledge key architecture — the server never has access to your private decryption key
  • Your data is isolated so that only your account can access it

Data Retention

  • Your data is retained while your account is active
  • All data is fully deleted when you delete your account, including stored PDFs, measurements, and encryption keys

International Transfers

Your data may be processed outside the European Economic Area (EEA) via third-party services based in the United States, including LLM providers (Google, OpenAI, Anthropic), Supabase, and Stripe. These transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the providers' compliance with recognised data protection frameworks.

Lawful Basis for Processing

We process your personal data on the following legal grounds:

  • Explicit consent (GDPR Article 6(1)(a) and Article 9(2)(a)) — Your health data (blood test results, biomarker values, age, and sex) is special category data under GDPR. We process it only with your explicit consent, which you provide at sign-up. You may withdraw your consent at any time (see "Your Rights" below).
  • Contract performance (GDPR Article 6(1)(b)) — Processing your email address, account credentials, and payment information is necessary to provide you with the Salubase service.
  • Legitimate interest (GDPR Article 6(1)(f)) — We collect anonymous usage analytics to improve the service, balanced against your privacy through anonymisation and minimal data collection. This processing does not apply to children — Salubase is not intended for users under the age of 16.

Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — View your data within the app at any time
  • Right to rectification — Request correction of inaccurate personal data
  • Right to erasure — Delete your account and all associated data from your account settings
  • Right to restrict processing — Request that we limit how we use your data
  • Right to data portability — Request your data in a structured, machine-readable format
  • Right to object — Object to processing based on legitimate interest
  • Right to withdraw consent — You may withdraw your consent to health data processing at any time from your Account Settings on the dashboard. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint — You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed unlawfully

To exercise any of these rights, contact us at support@salubase.com. We will respond within 30 days.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours as required by GDPR Article 33. If the breach poses a high risk to you, we will also notify you directly without undue delay as required by Article 34, including a description of the breach and the measures taken to address it.

Your Responsibilities

  • Keep your account credentials secure
  • Only upload your own blood test data
  • Do not use Salubase for any illegal purposes

Service Terms

  • Salubase is provided "as-is" without warranties of any kind
  • We are not liable for inaccuracies in extracted data or for any direct, indirect, incidental, or consequential damages resulting from your use of the service
  • You agree to indemnify and hold harmless Salubase and its affiliates from any claims arising from your use of the service

Changes

We may update these terms from time to time. Significant changes will be communicated via email.

Governing Law

These terms are governed by and construed in accordance with the laws of the European Union.

Contact

For questions about these terms or your data, contact us at support@salubase.com.