1. Introduction and Data Controller
This Privacy Policy describes how Iris360 SA collects, uses, and protects your personal information when you use our health and wellness application, website, and services (collectively, the "Services").
Data Controller: The controller responsible for processing your personal data is:
Iris360 SA
Ch. Davel 14, 1009 Pully, Switzerland
Email: info@iris360.me
Contact: Mike Nolet
Where this policy refers to "we," "our," or "us," it means Iris360 SA as the data controller. We operate under the Swiss Federal Act on Data Protection (FADP), the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 and UK GDPR, and other applicable international privacy laws.
2. Our Privacy Commitment
Your health data is deeply personal. We are committed to the highest standards of privacy protection and operate under these core principles:
- Data Minimization: We collect only data essential to provide our services
- User Control: You maintain complete control over your health information
- Transparency: We clearly communicate all data practices in plain language
- Security First: We employ industry-leading security measures
- No Sale of Data: We will never sell your personal health information
- Purpose Limitation: Data is used only for explicitly stated purposes
- Swiss Privacy Standards: We adhere to Swiss data protection principles and international best practices
3. Data We Collect
3.1 Information You Provide Directly
- Account Information: Name, email address, date of birth, gender
- Health Metrics: Weight, height, body measurements, activity levels, nutrition intake, symptoms, vital signs
- Health Goals: Target weight, fitness objectives, dietary preferences
- Profile Information: Profile photo, bio, dietary restrictions, allergies
- User-Generated Content: Journal entries, notes, photos, food logs, exercise logs, comments
- Communication Data: Customer support inquiries, feedback, survey responses
3.2 Automatically Collected Data
- Device Information: Device type, operating system, unique device identifiers, mobile network information
- Usage Analytics: Features accessed, session duration, interaction patterns, click paths
- Technical Logs: IP address, browser type, time zone, crash reports, error logs
- Location Data: Approximate location based on IP address (precise location only with explicit consent)
3.3 Data from Integrated Services
With your explicit permission, we may access:
- Health Platforms: Apple Health (HealthKit), Google Fit, Samsung Health
- Wearable Devices: Fitbit, Garmin, Withings, Oura, Whoop, and other connected devices
- Third-Party Apps: Connected fitness apps, nutrition databases, medical platforms
- Social Media: Profile information if you connect social accounts
You control all integrations and can revoke access at any time.
3.4 Sensitive Health Data
We may collect sensitive health information including:
- Medical conditions and diagnoses
- Medications and supplements
- Dietary restrictions and allergies
- Menstrual cycle and reproductive health data
- Mental health and mood tracking
- Sleep patterns and quality
- Blood glucose levels, blood pressure, heart rate
This data receives enhanced protection and requires explicit, separate consent.
3.5 AI-Generated Data
When you use AI features, we collect:
- Your prompts and questions to AI systems
- AI-generated responses and recommendations
- Feedback on AI outputs (thumbs up/down, corrections)
- Interaction patterns with AI features
4. Legal Basis for Processing
We process your data based on legal grounds required by both the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP). Note that the FADP and GDPR use different legal frameworks: GDPR requires a specific legal basis for each processing activity, while the FADP permits processing unless it unlawfully violates a person's personality rights (Art. 30 FADP), which can be justified by consent (Art. 31 FADP), overriding private or public interest, or law.
4.1 Consent (GDPR Art. 6(1)(a) / Art. 9(2)(a); FADP Art. 31(1))
- Sensitive health data processing (requires explicit consent under both GDPR and FADP)
- AI feature usage and third-party AI API processing
- Marketing communications
- Third-party integrations
- Non-essential cookies and analytics
4.2 Contract Performance (GDPR Art. 6(1)(b))
Under Swiss law, contract performance constitutes an overriding interest justifying data processing (Art. 30–31 FADP). This applies to:
- Account creation and management
- Providing core app functionality
- Delivering requested services and processing payments
- Customer support
4.3 Legitimate Interests (GDPR Art. 6(1)(f); FADP Art. 30(2))
Under Swiss law, processing that does not disproportionately harm personality rights is permitted where justified by an overriding interest. Under GDPR, we rely on legitimate interests where our interests are not overridden by your rights. This applies to:
- Improving app functionality and user experience
- Fraud prevention and security
- Analytics and service optimization
- Direct marketing (where permitted, with opt-out)
4.4 Legal Obligations (GDPR Art. 6(1)(c); FADP Art. 30(2)(b))
- Compliance with applicable Swiss, EU, and other laws
- Responding to valid legal requests
- Tax and financial regulatory reporting
You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw consent, use your in-app settings or contact us at info@iris360.me.
5. How We Use Your Data
5.1 Primary Uses
- Provide personalized health insights, recommendations, and progress tracking
- Calculate nutritional values, caloric intake, and macronutrient distribution
- Generate personalized health investigations and insights
- Provide AI-powered nutrition guidance and health analysis
- Send notifications, reminders, and motivational messages (with permission)
- Enable social features and community interaction (if you opt in)
- Provide customer support and respond to inquiries
- Detect and prevent fraud, abuse, and security threats
- Improve app functionality through usage analysis
5.2 AI and Machine Learning Uses
- Generate personalized health investigations and recommendations
- Provide conversational AI assistance for health questions
- Analyze patterns in your health data for insights
- Predict progress trajectories and goal achievement timelines
- Create custom content based on your preferences
- Improve Iris360's performance and accuracy
5.3 Aggregated and De-Identified Data
We may use aggregated, anonymized data that cannot identify you for:
- Research and development of health insights
- Statistical analysis and trend identification
- Service improvement and feature development
- Publication of health and wellness research
- Industry benchmarking and reporting
We ensure this data cannot be re-identified using technical and organizational measures that meet FADP and GDPR standards.
5.4 What We Do NOT Do
- Sell, rent, or trade your personal health information
- Share identifiable health data for third-party marketing
- Use your data for purposes beyond those stated here
- Access your data without legitimate operational need
- Make your health data publicly visible without explicit consent
- Share your data with insurance companies or employers without permission
- Train external AI models with your identifiable data
6. AI and Third-Party AI Services
6.1 Our Use of AI Technology
We use artificial intelligence to enhance your experience, including:
- Personalized health investigations and recommendations
- Conversational AI assistants for health guidance
- Nutritional analysis and suggestions
- Progress predictions and goal optimization
- Content personalization and health insights
- Pattern recognition in your health data
AI Models We Use: Our Services incorporate AI technology from:
- Anthropic Claude (via API)
- OpenAI (ChatGPT/GPT-4 via API)
- Google Gemini (via API)
- Proprietary machine learning models
6.2 How Third-Party AI APIs Work
When you use AI features:
- Your Input: Your prompt and relevant context (your health data, preferences, goals) may be sent to third-party AI providers
- API Processing: The AI provider processes your request and generates a response
- Response Delivery: The AI-generated response is returned to you through our app
- Data Handling: See below for how your data is handled by AI providers
6.3 Data Sharing with AI Providers
What Data is Shared: When you use AI features, we may share with AI providers:
- Your specific questions or prompts
- Relevant health context (weight, goals, dietary preferences) needed to generate accurate responses
- Conversation history within AI sessions
- Feedback on AI responses (to improve accuracy)
What is NOT Shared:
- Your full name or email address
- Payment information
- Your complete health history (only relevant context)
- Data from other users
6.4 Third-Party AI Provider Data Practices
Anthropic (Claude):
- Privacy Policy: https://www.anthropic.com/privacy
- Data Usage: Anthropic does NOT use API data to train their models
- Data Retention: API requests may be retained for up to 30 days for trust & safety, then deleted
- Location: Data processed in the United States
OpenAI (ChatGPT/GPT-4):
- Privacy Policy: https://openai.com/privacy
- Data Usage: OpenAI does NOT use API data to train their models (as of their API terms)
- Data Retention: API data may be retained for up to 30 days for abuse monitoring, then deleted
- Location: Data processed in the United States
Google (Gemini):
- Privacy Policy: https://policies.google.com/privacy
- Data Usage: Review Google's current API terms for training practices
- Data Retention: Per Google's data retention policies
- Location: Data processed globally per Google infrastructure
Your Consent: By using AI features, you explicitly consent to your data being processed by these third-party AI providers according to their respective privacy policies and our agreement with them.
You can opt out of AI features at any time by disabling them in Settings → AI Features.
6.5 AI Accuracy and Limitations
CRITICAL DISCLAIMER: AI systems can make mistakes. Responses generated by AI may contain errors, provide misleading or outdated information, reflect biases, hallucinate, or misunderstand context. You must verify important health information with qualified professionals and never rely solely on AI for medical decisions.
6.6 Your Rights Regarding AI
You have the right to:
- Opt Out: Disable AI features entirely
- Request Human Review: Ask for human verification of important AI recommendations
- Understand: Request explanation of how AI makes recommendations
- Contest: Challenge automated decisions affecting you
- Limit: Choose which health data AI can access
- Delete: Remove your AI conversation history
Access Controls: Settings → AI Features → Enable/Disable AI, Manage AI Data Access, Delete AI History
6.7 Automated Decision-Making (GDPR Art. 22 / FADP Art. 21)
Our Services use AI to generate personalized health insights and recommendations. These AI-generated outputs are informational and do not constitute decisions with legal or similarly significant effects on you. We do not use fully automated decision-making that produces legal effects or significantly affects you without human involvement.
Under GDPR Art. 22 and FADP Art. 21, you have the right to: not be subject to a decision based solely on automated processing that produces legal effects or significantly affects you; request human review of any automated recommendation; obtain an explanation of the logic involved in automated processing; and contest any automated decision. To exercise these rights, contact us at info@iris360.me.
6.8 AI Security Measures
We implement special protections for AI interactions:
- Encrypted transmission of all AI requests
- Rate limiting to prevent abuse
- Content filtering for harmful requests
- Prompt injection protection
- Output validation and safety checks
- Audit logging of AI interactions
- Regular security assessments
7. Data Security
7.1 Technical Safeguards
- End-to-End Encryption: AES-256 encryption for data in transit (TLS 1.3) and at rest
- Zero-Knowledge Architecture: Where feasible, data is encrypted so that we cannot access it
- Secure Key Management: Hardware security modules (HSM) for encryption key storage
- Database Security: Encrypted databases with access controls and audit logging
- Secure Authentication: Multi-factor authentication, password hashing (bcrypt/Argon2)
- API Security: Rate limiting, authentication tokens, input validation
- Regular Security Audits: Annual third-party penetration testing and vulnerability assessments
- AI-Specific Security: Encrypted AI API communications, prompt filtering, output validation
7.2 Organizational Safeguards
- Access Controls: Role-based access with least-privilege principle
- Employee Training: Mandatory data protection and security training
- Confidentiality Agreements: All employees sign strict NDAs
- Vendor Management: Data processing agreements with all third parties including AI providers
- Incident Response Plan: Documented procedures for security incidents
- Swiss Data Hosting: Primary data storage in Swiss data centers (ISO 27001 certified)
7.3 Data Protection Impact Assessments and Records
We conduct Data Protection Impact Assessments (DPIAs) as required by GDPR Art. 35 and FADP Art. 22 for processing activities that pose a high risk to your rights, including the processing of health data at scale and the use of AI systems for personalized health recommendations. We maintain a register of processing activities as required by GDPR Art. 30 and FADP Art. 12. A summary of our processing activities is available upon request by contacting info@iris360.me.
7.4 Data Breach Protocol
In the event of a data breach that poses a risk to your rights:
- GDPR (EU/EEA users): We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR), and affected users without undue delay where the breach poses a high risk (Art. 34 GDPR)
- FADP (Swiss users): We will notify the FDPIC as soon as possible (Art. 24 FADP), and affected users where necessary for their protection
- UK users: We will notify the ICO within 72 hours per UK GDPR requirements
- Notifications will include: the nature of the breach, data affected, likely consequences, and measures taken or proposed to address the breach
- After an incident, we conduct a post-incident review and implement additional safeguards
8. Data Sharing and Disclosure
8.1 When We Share Data
With Your Explicit Consent:
- Third-party services you connect (nutrition databases, fitness platforms)
- Social features and community sharing (only data you explicitly choose to share)
- AI providers for AI feature functionality
Service Providers (Data Processors): We engage carefully vetted service providers for cloud hosting, AI services, analytics, customer support, payment processing, and communication services. All must sign comprehensive data processing agreements per GDPR Art. 28 / FADP.
Legal Requirements: We may disclose information when required by law (valid legal processes, protection of rights, enforcement of terms, emergency situations, regulatory compliance). We verify the legitimacy of requests, notify users unless legally prohibited, and disclose the minimum necessary information.
Business Transfers: If our company undergoes reorganization, merger, or acquisition, you will be notified at least 30 days in advance. Your data rights remain fully protected.
8.2 No Sale of Personal Information
CCPA/CPRA Disclosure: We do NOT sell personal information as defined by California law. We have not sold personal information in the preceding 12 months. We do not share personal information for cross-context behavioral advertising.
9. International Data Transfers
9.1 Primary Data Location
Your data is primarily stored in Switzerland and the European Economic Area on ISO 27001-certified servers.
9.2 Transfers to AI Providers
When you use AI features, your data is transferred to:
- United States: For Anthropic Claude and OpenAI processing
- Global Locations: For Google Gemini processing per Google's infrastructure
Safeguards include Standard Contractual Clauses with AI providers, their commitments not to train models on API data, additional contractual protections for health data, encryption in transit, and your explicit consent for AI feature use.
9.3 Other International Transfers
Where we transfer data internationally, we use Standard Contractual Clauses (SCCs), adequacy decisions, Swiss-US Data Privacy Framework participation, and supplementary measures per Schrems II. We maintain a list of countries where data may be transferred (available upon request). You may object to transfers lacking adequate protection.
10. Your Privacy Rights
10.1 Universal Rights (All Users)
- Access: Request a copy of all personal data we hold about you in a structured, machine-readable format
- Correction: Correct inaccurate or incomplete information
- Deletion: Request complete deletion of your account and data ("Right to be Forgotten")
- Control: Manage privacy settings, third-party integrations, AI features, and marketing preferences
10.2 GDPR/FADP Rights (EEA/Swiss Users)
- Restriction of Processing: Limit how we process your data during disputes
- Data Portability: Receive your data in a portable format and transfer it to another service where feasible
- Object: Object to processing based on legitimate interests, direct marketing, automated decision-making, or AI processing
- Lodge a Complaint: Swiss Users → Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland (www.edoeb.admin.ch). EU Users → Your local supervisory authority (edpb.europa.eu)
10.3 UK Data Protection Rights (UK Users)
- You have the same rights as described in Section 10.2, as provided under the UK GDPR and the Data Protection Act 2018
- Lodge a Complaint: UK users may contact the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. ico.org.uk
- International Transfers: Where your data is transferred outside the UK, we ensure adequate protection through UK International Data Transfer Agreements or other lawful mechanisms
10.4 CCPA/CPRA Rights (California Users)
- Right to Know: Categories and specific pieces of personal information collected
- Right to Delete: Request deletion of personal information
- Right to Correct: Request correction of inaccurate information
- Right to Opt-Out: Opt out of sale/sharing (though we don't sell data), targeted advertising, limit use of sensitive personal information
- Right to Non-Discrimination: No denial of service or different prices for exercising rights
10.5 How to Exercise Your Rights
- In-App: Settings → Privacy & Data — download your data, delete account, manage integrations
- Email: Data Protection Officer at info@iris360.me — include full name, email, specific request, verification information
- Response Timeline: GDPR/FADP: within 30 days (extendable to 60 for complex requests). CCPA: within 45 days (extendable to 90 with notice)
- No Fee: First request per year is free
11. Data Retention
11.1 Retention Periods
- Active Accounts: Health and usage data are retained while the account is active. AI conversation history is retained per your settings (can be deleted anytime)
- Inactive Accounts: Accounts inactive for 24 months receive a notification; the account is deactivated 30 days after notification
- Deleted Accounts: Data retained for 30 days for recovery, then permanently deleted
- AI Provider Retention: Anthropic and OpenAI retain API data up to 30 days, then delete. Google: per Google's retention policies
- Legal Hold: Data subject to legal proceedings retained until resolution. Financial records: 7 years. Tax records: 10 years in Switzerland
11.2 Deletion Procedures
When you delete your account:
- Immediate (0–24 hours): Account deactivated, data inaccessible
- Within 30 days: Complete deletion from production databases
- Within 90 days: Deletion from backup systems
- Anonymized data: Retained for research (cannot identify you)
Your AI conversation history is deleted immediately upon request. Data already sent to AI providers is deleted per their retention policies (typically 30 days max).
12. Cookies and Tracking
12.1 What We Use
- Essential Cookies: Authentication, session management, security, core functionality. Lifespan: Session or up to 1 year. Legal basis: Legitimate interest
- Analytics Cookies: Usage statistics, error tracking, feature usage analysis. Lifespan: Up to 2 years. Legal basis: Consent. IP anonymization enabled
- Preference Cookies: Language selection, display preferences, saved settings. Lifespan: Up to 1 year
- Marketing Cookies: Personalized content, campaign effectiveness. Lifespan: Up to 1 year. Legal basis: Explicit consent required
12.2 Your Cookie Choices
- Granular consent options at first visit via cookie banner
- Settings → Privacy → Cookies to toggle categories, view active cookies, clear cookies
- Browser controls: block third-party cookies, clear cookies, use private/incognito browsing
12.3 Do Not Track (DNT)
We respect Do Not Track signals. When DNT is enabled, we disable non-essential tracking, do not use behavioral advertising, and limit analytics to aggregated data only.
12.4 Mobile App Tracking
- Device Identifiers: Advertising ID (IDFA/AAID) only with consent. Device ID for core functionality and fraud prevention
- App Permissions: Location, health data, camera/photos, notifications — only with explicit permission
- iOS App Tracking Transparency: Clear explanation before tracking request; no disadvantage for declining
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website with a new "Last updated" date
- Sending an email notification to your registered email address
- Displaying an in-app notice when you next access the Services
Your continued use of the Services after the effective date of changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
14. Contact Information
Iris360 SA
Ch. Davel 14
1009 Pully, Switzerland
Contact: Mike Nolet, info@iris360.me
For regulatory complaints: Swiss users may contact the Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch. EU/EEA users may contact their local data protection supervisory authority (edpb.europa.eu). UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk.