Privacy Policy

Last updated: Mar 3, 2026

This Privacy Policy ("Policy") explains how Bloodwork.app ("Bloodwork.app," "we," "our," or "us") collects, uses, discloses, and protects your personal information when you use our website, platform, mobile applications, and any related services (collectively, the "Services").

This Policy applies to all users located anywhere in the world, with a primary focus on compliance with U.S. privacy requirements and general global privacy expectations. This Policy works alongside our Health Data Privacy Notice, which governs our handling of health-related data specifically.

By using the Services, you agree to the collection and use of information as described in this Policy.

If you do not agree, you must stop using the Services.

1. Information We Collect

We may collect the following categories of information:

A. Information You Provide Directly

  • Email address and account details
  • Lab results and health data (governed by the Health Data Privacy Notice)
  • Survey or questionnaire responses
  • Optional profile information
  • Messages you send to support
  • Payment information (processed by PCI-compliant third-party providers)

B. Automatically Collected Information

  • IP address
  • Device identifiers
  • Browser type
  • Operating system
  • Usage logs
  • Clickstream data
  • Session details
  • Error and crash reports
  • Cookies, tags, pixels, beacons, and similar tracking technologies

C. Information From Integrations

With your authorization, we may receive data from:

  • Wearable devices
  • Health applications
  • Third-party fitness or wellness services
  • Connected accounts

All such data is processed according to your permissions.

D. Aggregated & De-identified Data

We may create aggregated, anonymized, or de-identified datasets that cannot identify you. We may use or share these for analytics, research, or improvement.

2. How We Use Your Information

We use personal information to:

  • Provide and operate the Services
  • Deliver personalized recommendations
  • Analyze and interpret lab results
  • Maintain and secure the platform
  • Develop new features
  • Respond to customer support requests
  • Send administrative notifications
  • Process purchases and subscriptions
  • Improve user experience
  • Conduct analytics and research
  • Prevent fraud or misuse
  • Comply with legal obligations
  • Send marketing communications, personalized health content, and product recommendations — where you have provided explicit consent

We may also use aggregated or de-identified data for research, analytics, and product development.

Service communications and recommendations: As part of the Bloodwork service experience, and where you have agreed to receive communications, we send personalized health insights, results-based recommendations, and service updates by email. These communications are integral to how Bloodwork delivers value and may include health-affiliated product suggestions relevant to your health profile (for example, supplements that may address a biomarker you are tracking). We do not share your health data or personal information with third parties for their own marketing purposes. You may unsubscribe from these communications at any time by clicking "Unsubscribe" in any email or by contacting privacy@bloodwork.app. Unsubscribing will not affect your access to the core Services.

3. How We Share Information

We do not sell your personal information.

We may share personal information with:

A. Service Providers

Including:

  • Cloud hosting
  • Data storage
  • Analytics
  • Customer support platforms
  • Email and notifications
  • Payment processors
  • Security providers

AI model providers: Bloodwork uses the following third-party AI providers to process health data and generate personalized outputs. Each is engaged under a Data Processing Addendum (DPA) and does not use your data to train its models by default:

  • OpenAI, L.L.C. (United States) — large language model inference via the OpenAI API. Privacy Policy
  • Anthropic, PBC (United States) — large language model inference via the Claude API. Privacy Policy
  • Google LLC (United States) — large language model inference via the Gemini API on Google Cloud Vertex AI. Google Cloud DPA

These providers are contractually required to protect your information.

B. At Your Direction

Such as when:

  • You export data
  • You connect third-party integrations
  • You authorize data sharing

C. Legal, Compliance, and Safety Reasons

We may disclose information:

  • To comply with laws or legal process
  • To enforce our Terms of Use
  • To investigate fraud
  • To protect public safety or the rights of Bloodwork.app or others

D. Corporate Transactions

Your information may be transferred as part of:

  • Mergers
  • Acquisitions
  • Sales of assets
  • Bankruptcy
  • Financing transactions

E. Advertising and Retargeting

We may use hashed identifiers — such as a cryptographic hash of your email address or anonymized device identifiers — to create custom audiences on advertising platforms (such as Meta, Google, or similar networks) for the purpose of showing you relevant ads about Bloodwork.

We do not share your health data, lab results, biomarker values, diagnoses, medications, or any specific health attributes with advertising networks.

Retargeting is based solely on your account or engagement status with Bloodwork — not on the content of your health profile. You can opt out of interest-based advertising through your platform settings (e.g., Meta Ad Preferences, Google Ad Settings) or by contacting us.

F. Aggregated or De-identified Data

Used for research, analytics, publications, and statistical insights.

4. Cookies & Tracking Technologies

We use cookies and similar technologies (pixels, tags, web beacons) to operate and improve the Services. These fall into the following categories:

  • Strictly necessary: Required for authentication, session management, and core platform functionality. These cannot be disabled.
  • Functional: Remember your preferences and settings to provide a personalized experience.
  • Analytics: Help us understand how users interact with the Services (e.g., pages visited, time spent). Data is aggregated and anonymized where possible.
  • Marketing / advertising: Used to measure the effectiveness of our advertising and to show you relevant ads (see Section 3E). These are only placed where lawfully permitted and with appropriate disclosure.

You may manage or disable non-essential cookies through your browser settings. Disabling certain cookies may limit some functionality of the Services.

Do Not Track: Some browsers transmit "Do Not Track" (DNT) signals. We do not currently alter our data practices in response to DNT signals, as there is no uniform standard for interpreting them. We disclose our tracking practices in this Policy and in Section 3E above.

5. Your Rights and Choices

Depending on your jurisdiction, you may have rights such as:

  • Access to your personal data
  • Correction of inaccurate data
  • Deletion of your data
  • Withdrawal of consent
  • Data export / portability
  • Right to Appeal — if a rights request is denied, you may escalate by replying to the denial notice or emailing privacy@bloodwork.app with the subject line "Appeal — [original request type]." We will respond within 45 days. To contest an AI-generated output specifically, use the subject line "AI Output Review Request" as described in Section 8 below.

Right to object to direct marketing (absolute right): You may opt out of marketing emails at any time, without providing a reason, by clicking "Unsubscribe" in any marketing email or by contacting us at privacy@bloodwork.app. We will action this request immediately and without charge.

California — Limit Use of Sensitive Personal Information (CPRA): Under the California Privacy Rights Act, California residents may request that we limit the use of sensitive personal information — which includes health data — to uses necessary to provide the Services. To exercise this right, email privacy@bloodwork.app with the subject line "Limit Sensitive PI."

California — Shine the Light (Civil Code § 1798.83): Bloodwork does not share personal information with third parties for their own direct marketing purposes. California residents who wish to confirm this, or who have additional questions, may contact us at privacy@bloodwork.app.

Response timelines: We will respond to rights requests within 30 days of receipt. For complex or high-volume requests, we may extend this period by up to an additional 60 days, with prior written notice. For users exercising rights under the California Consumer Privacy Act (CCPA) or similar U.S. state laws, we will respond within 45 days, with a possible 45-day extension where reasonably necessary.

To exercise any of the above rights, email: privacy@bloodwork.app

We may require identity verification before processing your request.

6. Data Retention

We retain personal information:

  • As long as needed to provide the Services
  • As required by law
  • As needed for fraud prevention or security
  • As necessary to resolve disputes

When data is no longer required, we delete or anonymize it.

7. Data Security

We use industry-standard security measures, including:

  • Encryption in transit and at rest
  • Secure hosting
  • Access controls
  • Network protections
  • Monitoring and threat detection
  • Regular security audits

No method of transmission or storage is 100% secure. We cannot guarantee absolute security.

8. International Users

Bloodwork.app is operated from the United States. If you access the Services from outside the U.S., your personal data will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we use legal mechanisms — including standard contractual clauses and other contractual safeguards — to help ensure your rights and protections travel with your data. We do not rely solely on consent as the basis for international data transfers.

By using the Services from outside the U.S., you acknowledge that your data will be processed in the United States in accordance with this Policy and applicable transfer safeguards.

GDPR Lawful Bases for Processing (EEA / UK / Switzerland)

For users in the European Economic Area, United Kingdom, or Switzerland, we process personal data under the following lawful bases:

  • Service delivery and account management: performance of a contract (Article 6(1)(b))
  • Security, fraud prevention, and mandatory service notices: legitimate interests (Article 6(1)(f)) or legal obligation (Article 6(1)(c))
  • Marketing communications: your explicit consent (Article 6(1)(a)) — withdrawable at any time
  • Health data (special category): your explicit consent (Article 9(2)(a)) — withdrawable at any time without affecting prior lawful processing
  • Research using de-identified data: scientific or statistical research with appropriate safeguards (Article 9(2)(j))

Automated processing (GDPR Article 22): Bloodwork uses AI models to process your health data and generate personalized health outputs including scores, insights, and action plans. To the extent GDPR Article 22 applies to such processing, you have the right to request human review of any AI-generated output, to express your view, and to contest any output you believe is inaccurate. To exercise this right, email privacy@bloodwork.app with the subject line "AI Output Review Request," the date of the output, and a description of your concern. We will respond within 45 days. For full details on how AI processing works, see our Health Data Privacy Notice (Section 3H).

9. Children's Privacy

The Services are not intended for children under 18 without parental consent. In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal data from children under 13, or from children under 16 where required by applicable law (including the GDPR).

If we discover that we have inadvertently collected data from a child under 13, we will delete it promptly. Parents or guardians who believe we have collected their child's data may contact us at privacy@bloodwork.app.

11. Research and De-identified Data

We may use aggregated, de-identified data derived from user activity for research, product development, publication of health insights, and training and improving our AI models. This data cannot be linked back to any individual user.

If you do not wish for your anonymized, de-identified data to be included in research, published analyses, or AI model training, you may opt out at any time by contacting us at privacy@bloodwork.app with the subject line "Research Opt-Out" (this covers both research and AI training opt-out). Opting out does not affect your access to the Services.

12. Changes to This Policy

We may update this Policy from time to time.

Material changes may be communicated via email or in-app notices.

Continued use of the Services constitutes acceptance of the updated Policy.

13. Contact Us

For privacy questions, rights requests, or complaints:

Bloodwork – Privacy Department

privacy@bloodwork.app

GDPR / EEA / UK inquiries: For data protection queries from users in the European Economic Area, United Kingdom, or Switzerland, please contact us at privacy@bloodwork.app. You also have the right to lodge a complaint with your local data protection supervisory authority.

California residents — Do Not Sell or Share: To opt out of the sale or sharing of your personal information under the CCPA, or to exercise any other California privacy rights, contact us at privacy@bloodwork.app with the subject line "CCPA Privacy Request."