Privacy Policy
Last updated: March 17, 2026
Introduction to Our Privacy Policy
Welcome to BloodSense! Smart Medical Care Ltd (“SMC”, “we”, “us”, “our”) is deeply committed to protecting the privacy and security of your personal data. BloodSense is a trade name of SMC, a company registered in England and Wales (Company Number: 15309552).
This Privacy Policy explains how we collect, use, share, store, and protect your personal data when you use our website bloodsense.ai (the “Site”) and our AI-powered lab result explanation services (the “Services”). It also informs you about your data protection rights and available remedies.
We encourage you to read this entire Privacy Policy carefully. By using our Services, you acknowledge that you have reviewed this policy. The processing of your health data is based on your explicit consent, obtained separately.
1. Data Controller and Privacy Contact
Our Role as Data Controller
The data controller responsible for your personal data is:
- Company: Smart Medical Care Ltd
- Company Type: English “Private limited company”
- Registered Office: 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom
- Registration Number: 15309552
- Contact email: contact@bloodsense.ai
Your Privacy Contact
For any question relating to this policy, to your personal data, or to exercise your rights, you may contact our Privacy Contact. Email: contact@bloodsense.ai
Presence in the European Economic Area
SMC operates in coordination with Smart Medical Care SAS (société par actions simplifiée under French law, RCS Nice 932 924 194), with its registered office at 37 Avenue Maréchal Foch, 06000 Nice, France. Smart Medical Care SAS supports operations within the European Economic Area (EEA) and may also serve as a point of contact for EEA users regarding questions relating to the protection of your data.
For users residing in the EEA, all health data processed through the BloodSense service is hosted exclusively on Microsoft Azure servers located in France, benefiting from the French Health Data Hosting certification. This ensures compliance with the strictest European regulatory requirements for sensitive health data.
Important note: SMC has not, at this stage, designated a Data Protection Officer (DPO) within the meaning of Articles 37 to 39 of the GDPR. Julien P. acts as our Privacy Contact and principal point of contact for all questions relating to the protection of your personal data.
2. Scope of this Policy
This Privacy Policy applies to all personal data processed through the BloodSense website (bloodsense.ai) and the BloodSense Services, regardless of your country of residence. It applies to users in the European Economic Area (EEA), the United Kingdom (UK), the United States (US), and all other jurisdictions from which the Services may be accessed.
Where specific provisions apply to users in certain jurisdictions (e.g., additional rights under the GDPR for EEA/UK users, or state-specific rights for US users), these are clearly identified in the relevant sections.
3. Personal Data We Collect
We collect the following categories of personal data to provide and improve our Services:
- Identification and Contact Data: Name and email address. We use your name primarily to facilitate the pseudonymization (removal of direct identifiers) of your analysis report before AI processing. We use your email address to send you the generated AI report.
- Health and Contextual Data (Special Categories of Data): This includes the file of your lab analysis report (blood, urine, stool) that you upload, and contextual information you provide via our online form to help us generate a more relevant explanation: age, sex, height, weight, personal and family medical history, allergies, medications, symptoms, lifestyle habits, and reason for the analysis. This information constitutes health data and is subject to enhanced protections under applicable data protection laws.
- Transaction Data: Information related to your purchase of the Service, processed directly by our payment provider Stripe, Inc. We do not store your full credit card information. Your transaction history is maintained with us for accounting and legal compliance purposes.
- Technical Usage and Interaction Data: Information about how you interact with our Site and Services, collected via analytics tools like Microsoft Clarity and Google Analytics (subject to your consent via our cookie banner). This may include your IP address (truncated where possible), browser type, pages visited, time spent, clicks, and user journey.
- Data from Cookies and Similar Technologies: Information collected via cookies when you browse our Site, in accordance with your consent choices expressed via our cookie banner. This includes data for audience analysis and, if you consent, for analyzing the performance of advertising campaigns (Google Ads). For detailed information on the types of cookies used, their purposes, and how to manage your preferences, please refer to Section 11 of this Privacy Policy.
- Communication Data: Any information you provide when you contact our customer support or give us feedback.
4. How We Use Your Personal Data (Purposes and Legal Bases)
- To provide the BloodSense service: We use your Identification Data, Health and Contextual Data, and the information you upload to analyze your report and generate the requested AI explanation. The primary legal basis for processing health data is your Explicit Consent (required under GDPR Art. 9(2)(a)), which we collect via a mandatory checkbox before your report processing begins. For non-health data involved, the basis is the necessity for the performance of a contract (GDPR Art. 6(1)(b)).
- To facilitate pseudonymization of your information: We use your name to enable the removal of direct identifiers from the document before AI analysis. This process constitutes pseudonymization as defined by Article 4(5) of the GDPR: your health data can no longer be attributed to you without the use of additional information (your email address), which is kept separately. This processing is necessary for the performance of the contract (GDPR Art. 6(1)(b)) and falls within the scope of processing based on your explicit consent for the health data (GDPR Art. 9(2)(a)).
- To send the generated AI report: We use your email address and the generated report to deliver the result of our Service. The legal basis is the necessity for the performance of a contract (GDPR Art. 6(1)(b)).
- To manage your user account and customer relationship: We use your Identification, Contact, and Transaction Data to manage your account and our business relationship. The legal basis is the necessity for the performance of a contract (GDPR Art. 6(1)(b)).
- To process payments: We use your Identification, Contact, and Transaction Data to enable secure payment processing via our provider Stripe. The legal basis is the necessity for the performance of a contract (GDPR Art. 6(1)(b)).
- To analyze site and service usage for improvement and security: We use Usage Data and data from Cookies (Analytics like Microsoft Clarity, Google Analytics). The legal basis for using non-essential cookies is your Consent (GDPR Art. 6(1)(a)), collected via the cookie banner. For aspects related to service security, the legal basis is our Legitimate Interest (GDPR Art. 6(1)(f)).
- To improve our AI models: To help us improve our service for everyone, we may use your data after a process of irreversible aggregation and anonymization (rendering it impossible to re-identify you, even by cross-referencing) to train and improve our algorithms. As detailed in our Terms of Service, you always have the right to opt out of this process by contacting us at contact@bloodsense.ai. This processing is based on our Legitimate Interest (GDPR Art. 6(1)(f)), subject to your right of opposition.
- To analyze marketing campaign effectiveness: We may use data from Cookies (Advertising/Marketing like those from Google Ads). The legal basis is your Consent (GDPR Art. 6(1)(a)).
- To respond to your requests: We use your Identification, Contact, and Communication Data when you contact customer support or ask questions. The legal basis is the necessity for the performance of a contract (GDPR Art. 6(1)(b)) or our Legitimate Interest (GDPR Art. 6(1)(f)).
- To comply with legal and regulatory obligations: We may process personal data to comply with legal obligations (GDPR Art. 6(1)(c)).
Pseudonymization and AI Improvement
Our internal tool removes your direct identifiers (name) from your lab test before any AI analysis. This process constitutes pseudonymization as defined by Article 4(5) of the GDPR: your health data is no longer directly identifying, but remains personal data within the meaning of applicable data protection laws as long as it can be linked to you via your email address. The additional information needed to re-identify the data (your email address) is kept separately and subject to technical and organizational measures to ensure non-attribution.
We may subsequently use this pseudonymized data, after a further process of irreversible aggregation and anonymization (rendering it truly impossible to re-identify you, even by cross-referencing), to train and improve our AI models in order to make our explanations more accurate and useful. Once data has been irreversibly anonymized, it is no longer considered personal data under the GDPR and may be retained indefinitely. This processing is based on our Legitimate Interest. You have the right to object to the use of your data for AI model improvement at any time by emailing contact@bloodsense.ai, as mentioned in our Terms of Service.
5. Sharing Your Personal Data
We do not sell your personal data. We may share your personal data with third parties only in the following cases and with appropriate safeguards:
Service Providers (Sub-processors)
- Hosting: Microsoft Azure (Microsoft Ireland Operations Limited for EEA users, with servers located in France benefiting from the Health Data Hosting — HDS — certification; Microsoft Corporation for users outside the EEA, with servers located in the United States), for secure hosting of our systems and your data.
- Payment Processing: Stripe, Inc. (based in the United States), to process your payments securely. Stripe may collect your payment data directly.
- AI Infrastructure Provider: OpenRouter, Inc. (based in the United States), to access third-party AI models for generating your report. We send only pseudonymized data to OpenRouter — your name and direct identifiers are removed by our internal systems before any transfer. OpenRouter and the underlying AI model providers never have access to your personal identification information.
- Transactional Email Delivery: We use SendGrid (Twilio Inc.), an email service provider, to deliver your generated AI report by email. This provider acts as a sub-processor and temporarily processes your email address and the content of your report (which constitutes health data) strictly for routing and delivery purposes.
- Audience and Interaction Analysis: Google LLC (Analytics, Ads) and Microsoft Corporation (Clarity), subject to your cookie consent choices expressed via our cookie banner.
Other Disclosures
- Legal obligations: We may disclose your data if required by law.
- Business transfers: In the event of a merger, acquisition, or sale, data may be transferred under equivalent confidentiality commitments.
Please note that data sent to AI infrastructure providers is pseudonymized by our systems (direct identifiers removed) before the transfer. These providers process data on our behalf and are contractually prohibited from using it for their own purposes, including for training their own AI models.
6. International Data Transfers
Your data may be processed outside the UK/EEA, in particular in the United States, by our service providers (OpenRouter, Stripe, Google). These transfers are carried out using appropriate safeguards, including:
- The EU-US Data Privacy Framework (DPF) and its UK extension, for certified companies such as Stripe, Google, and Microsoft.
- Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK Information Commissioner’s Office, accompanied by transfer impact assessments where necessary.
- Pseudonymization measures for data sent to AI providers, ensuring that directly identifying personal data is removed before any transfer outside the EEA.
7. Data Security
We have implemented appropriate technical and organizational security measures to prevent accidental loss, unauthorized use, access, modification, or disclosure of your personal data. These include:
- Hosting on secure, certified servers (Microsoft Azure — HDS-certified in France for EEA users; ISO 27001 and SOC 2 Type II compliant for all users). Our infrastructure is designed with security practices aligned with HIPAA technical safeguards.
- Pseudonymization of reports (removal of your direct identifiers) before processing by the AI.
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Strict access controls to limit access to personal data to only those persons who need it to perform their duties.
- Procedures for handling suspected data breaches, in compliance with GDPR Articles 33 and 34.
8. Data Retention Period
We retain different types of data for specific periods, based on legal requirements and operational needs:
- Original Lab Test (PDF): For a maximum of 90 days after successful generation and delivery of the AI report, after which it is securely deleted. This aligns with the data minimization principle (GDPR Art. 5(1)(c)).
- Account and Contact Data: For the duration of the active account relationship, plus a maximum of 3 years after the last interaction or account deactivation, after which it is permanently deleted.
- Generated AI Report and Contextual Health Data: For the duration of the active account, plus a maximum of 3 years after account deactivation, to allow account reactivation and access via a future patient portal.
- Transaction Data: For at least 6 years to comply with UK accounting and tax laws, and up to 10 years for invoices and accounting records in compliance with the French Commercial Code (Art. L123-22) where applicable.
- Analytics Cookies Data (Google Analytics): For a maximum of 14 months, in accordance with the recommendations of the CNIL and equivalent data protection authorities.
- Advertising and Consent Cookies Data (Clarity, Google Ads): For a maximum of 6 months.
- Server Logs (IP): For a maximum of 90 days, based on our Legitimate Interest in ensuring service security.
- Irreversibly Anonymized and Aggregated Data for AI Improvement: Data that has been irreversibly anonymized (making it impossible to re-identify you, even by cross-referencing) is no longer considered personal data under the GDPR and may be retained indefinitely for research and AI model improvement.
A request for definitive account deletion will result in the erasure of all data listed above, except for data we are legally required to retain (e.g., transaction data for tax compliance) and data that has already been irreversibly anonymized.
9. Your Data Protection Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Rights for All Users
- Right of access: Request a copy of your personal data.
- Right to rectification: Correct inaccurate or incomplete data.
- Right to erasure: Request deletion of your data (“right to be forgotten”), subject to legal retention obligations.
- Right to restrict processing: Limit how we process your data in certain circumstances.
- Right to object: Object to processing based on our legitimate interest (including the use of your data for AI model improvement), or to direct marketing.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to withdraw consent: Withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
Additional Rights for EEA and UK Users
Under the GDPR and UK GDPR, you benefit from all the rights listed above. We will respond to your request within one month, extendable by two months for complex requests. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.
Additional Rights for US Users
Depending on your state of residence, you may have additional rights under applicable state privacy laws (such as the California Consumer Privacy Act, as amended by the CPRA, or similar laws in Virginia, Colorado, Connecticut, and other states). These may include the right to know what personal information we collect and share, the right to delete, the right to opt out of the sale of personal information (we do not sell your data), and the right to non-discrimination for exercising your rights.
To exercise any of these rights, please email our Privacy Contact at contact@bloodsense.ai. We are here to help.
10. Children and Minors
Our Services are not intended for individuals under 18. We implement age verification and do not knowingly collect data from minors. If we become aware that we have collected personal data from a person under 18, we will take steps to delete this information promptly.
11. Cookies and Similar Technologies
We use cookies and similar technologies on our Site. Cookies are small text files stored on your device when you visit the Site, subject to your consent choices.
Types of Cookies We Use
- Strictly Necessary Cookies: These cookies are essential for the functioning of our Site (e.g., session management, security). They do not require your consent.
- Analytics Cookies: We use Google Analytics and Microsoft Clarity to understand how visitors interact with our Site. These cookies are placed only with your consent, expressed via our cookie banner.
- Advertising/Marketing Cookies: We may use Google Ads cookies to analyze the effectiveness of our marketing campaigns. These cookies are placed only with your consent, expressed via our cookie banner.
Managing Your Preferences
When you first visit our Site, a cookie banner allows you to accept or refuse non-essential cookies. You can change your preferences at any time by clearing your browser cookies and revisiting the Site, or by using the cookie settings available on the Site. You can also configure your browser to refuse all cookies, although this may affect some functionalities of the Site.
12. Changes to This Privacy Policy
We may update this policy from time to time. The last updated date is indicated at the top. If we make material changes, we will provide notice before they become effective. Please check this policy regularly for updates.
13. Right to Lodge a Complaint
If you have concerns about how we process your data, please contact our Privacy Contact first. You may also lodge a complaint with supervisory authorities:
- UK: Information Commissioner’s Office (ICO) — www.ico.org.uk
- France (for EEA users): Commission Nationale de l’Informatique et des Libertés (CNIL) — www.cnil.fr
- Other EEA countries: You have the right to lodge a complaint with the supervisory authority in your country of residence.
- US: Federal Trade Commission (FTC) for general privacy issues — www.ftc.gov, or your state Attorney General.
