AnyBio

LEGAL

Website Privacy Policy

This Privacy Policy explains how Any Biosignal, Inc. (AnyBio) collects, uses, and safeguards data provided by Business Users, End Users, Representatives, and Visitors. Depending on the activity, AnyBio acts as a data controller and/or data processor.

Effective date

Jan 1, 2026

Last updated

Jan 1, 2026

At Any Biosignal, Inc. ("AnyBio," "we," "us," or "our"), we provide software development kits, application programming interfaces, and a hosted platform for business customers to collect and store their users' data.

Key Definitions

  • Business User: Any AnyBio customer, including Healthcare Providers and Wellness Providers, who uses our portal to gather information from End Users.
  • End User: An individual who provides Personal Data or Sensitive Personal Data to a linked Healthcare Provider or Wellness Provider.
  • Healthcare Providers: Licensed medical professionals, hospitals, clinics, medical practices, telehealth providers, or other entities that provide healthcare services.
  • Wellness Providers: Companies or organizations that offer health, fitness, or wellbeing services (for example fitness centers, nutrition counselors, wellness coaches, meditation apps, corporate wellness programs, and health insurance companies).
  • Personal Data: Information that identifies, relates to, describes, is reasonably capable of association with, or could be linked to an individual.
  • Sensitive Personal Data: Data such as biometric information, health information, and other legally protected categories.
  • Data Subject: The User whose Personal Data is collected and processed.
  • Data Controller: The entity that determines the purposes and means of processing Personal Data.
  • Data Processor: The entity that processes Personal Data on behalf of a Data Controller.
  • Representative: A person acting on behalf of an existing or potential Business User (including account administrators, contracting parties, or payment contacts).
  • User or you: Representatives and Visitors.
  • Visitor: Any individual visiting the Site without logging into an account.

Scope and Applicability

This Privacy Policy applies to Users in the United States, European Economic Area, United Kingdom, and other jurisdictions where we operate, subject to applicable local privacy laws.

Legal Basis for Collection and Use of Personal Data

AnyBio provides an intermediary platform for Healthcare Providers and Wellness Providers that allows End Users to share biometric data to inform care.

AnyBio does not own or directly interface with End User data. The AnyBio software development kit is embedded in a Business User's application. Collection, use, and retention of End User data are determined and controlled by the Business User under the Business User's own terms and privacy policies.

In this context:

  • The Business User is the Data Controller.
  • AnyBio is the Data Processor.

Business Users may connect third-party integrations to the AnyBio platform. It is the Business User's responsibility to review and authorize those integrations.

For Site visits and direct contact with us (for example by Representatives or Visitors), AnyBio acts as Data Controller and may collect Personal Data and usage data.

Personal Data We Collect

We may collect the following categories of Personal Data:

Identifiers

  • Full name and preferred name
  • Email address and other electronic contact information
  • Phone number
  • Postal address
  • Account credentials (username and password)
  • Unique identifiers assigned by us or our clients

Internet or Other Electronic Network Activity

  • IP address and device identifiers
  • Browser type and version
  • Operating system information
  • Browsing and search history within our portal
  • Session duration and interaction data
  • Cookies and similar tracking technologies

Geolocation Data

  • GPS coordinates
  • Location tracking data
  • Proximity information

Professional and Employment Information

  • Employer information
  • Job title and department
  • Professional certifications and qualifications

How We Collect Personal Data

Direct Collection

  • Information submitted when creating an account or profile
  • Data submitted through forms, questionnaires, or surveys
  • Communications with customer support

Automated Collection

  • Cookies and similar tracking technologies
  • Server logs and analytics tools
  • Mobile device sensors and features

Sharing and Disclosure of Personal Data

AnyBio does not disclose Personal Data to third parties unless instructed or authorized by a User.

For business purposes, we may share Personal Data with:

  • Affiliates and subsidiaries within the AnyBio group, under appropriate data protection agreements
  • Service providers supporting our Services, including:
    • Cloud hosting and storage providers
    • Security and authentication service providers
    • Analytics and business intelligence platforms
    • Customer support and communication tools
    • Payment processors (for subscription services)
  • Regulatory bodies, law enforcement, and government entities when legally required
  • Professional advisors (lawyers, auditors, insurers) where needed for legal, compliance, or insurance matters

We require third parties to process data only for authorized purposes and to apply appropriate safeguards and contractual protections.

International Data Transfers

We may transfer Personal Data across international borders.

When transferring data from the EEA, UK, Switzerland, or other jurisdictions with transfer restrictions, we rely on applicable legal safeguards, including:

  • Transfers to countries/recipients recognized as providing adequate protection
  • EU Standard Contractual Clauses and the UK International Data Transfer Addendum
  • Other lawful transfer mechanisms available under applicable law

AnyBio states compliance with:

  • EU-U.S. Data Privacy Framework
  • UK Extension to the EU-U.S. Data Privacy Framework
  • Swiss-U.S. Data Privacy Framework
  • Cross Border Privacy Rules (CBPR) and Privacy Rules for Processor (PRP) systems

User Rights

Under applicable laws (including CCPA, GDPR, and state privacy laws), Users may have the following rights:

Access Rights

  • Confirmation of whether Personal Data is processed
  • Access to Personal Data and related processing information
  • A copy of Personal Data in a structured, commonly used, machine-readable format

Correction Rights

  • Correct inaccurate Personal Data
  • Complete incomplete Personal Data
  • Update Personal Data for accuracy

Deletion Rights

  • Delete Personal Data when no longer necessary for collection purposes
  • Request erasure where consent is withdrawn, processing is unlawful, or no overriding legitimate grounds exist
  • Subject to exceptions (for example legal obligations or legal claims)

Restriction Rights

  • Restrict processing in certain circumstances
  • Limit use while correction/objection requests are pending
  • Restrict processing when data accuracy is contested or processing is unlawful

Portability Rights

  • Receive Personal Data in a structured, commonly used, machine-readable format
  • Transmit Personal Data to another controller
  • Request direct transfer to another controller where technically feasible

Objection Rights

  • Object to processing based on legitimate interests
  • Object to direct marketing (including profiling)
  • Object to processing for scientific/historical research or statistical purposes

Opt-Out Rights

  • Opt out of sale or sharing of Personal Data
  • Opt out of targeted advertising
  • Opt out of automated decision-making (including profiling) with legal/similarly significant effects

Data Subject Rights Response Procedures

Data Subjects may submit requests by:

  • Email: privacy@anybiosignal.com
  • Mail: Postal address listed in "How to Contact Us"

Verification Process

Before processing requests, we may verify identity by:

  • Confirming account email address
  • Requesting additional identity information
  • Requiring authentication through login
  • Applying additional steps for sensitive requests

Response Timelines

  • Acknowledgment: within 5 business days
  • Substantive response: within 30 calendar days
  • Extension (if needed and notified): up to an additional 60 calendar days

Limitations and Exceptions

Limitations may apply, including:

  • Legal retention obligations
  • Technical limitations
  • Manifestly unfounded, excessive, or repetitive requests
  • Conflicts with others' rights/freedoms
  • Information protected by legal privilege or confidentiality

If full compliance is not possible, we provide reasons and appeal/complaint information.

Universal Opt-Out Mechanisms

We honor universal opt-out mechanisms where required (including under Colorado, California, and similar laws).

Opt-Out of Sale or Sharing

  • Use "Do Not Sell or Share My Personal Information" in the Privacy Preferences Center
  • Enable Global Privacy Control (GPC) in supported browsers
  • Contact our Data Protection Officer

Opt-Out of Targeted Advertising

  • Adjust preferences in the Privacy Preferences Center
  • Enable Do Not Track signals where supported
  • Use industry tools such as Digital Advertising Alliance WebChoices

Opt-Out of Automated Decision-Making

  • Use "Opt-Out of Automated Processing" in the Privacy Preferences Center
  • Contact our Data Protection Officer to request human review for significant decisions

We process opt-out requests within 15 calendar days and keep records as required by law.

Grievance Mechanism

We maintain a formal process for privacy complaints and disputes.

Internal Complaint Process

  1. Submission by email (privacy@anybiosignal.com) or mail
  2. Acknowledgment within 5 business days
  3. Investigation by our Privacy Team
  4. Substantive response within 30 calendar days
  5. Appeal to the Data Protection Officer if unresolved

External Dispute Resolution

If unresolved internally, Data Subjects may:

  • File with relevant supervisory authorities (for example EU data protection authorities or U.S. HHS OCR for HIPAA matters)
  • Seek mediation through an independent provider
  • Pursue other legal remedies

We cooperate with regulators and do not retaliate for complaints or rights exercises.

Data Security and Retention

We implement technical and organizational safeguards.

Technical Safeguards

  • End-to-end encryption in transit and at rest
  • Multi-factor authentication for sensitive systems
  • Intrusion detection and prevention systems
  • Regular patching and vulnerability management
  • Secure development and code review practices
  • Biometric data protections (including template encryption and secure storage)

Organizational Safeguards

  • Information security policies and procedures
  • Regular security awareness training
  • Background checks for personnel with sensitive-data access
  • Role-based access controls and least privilege
  • Vendor security assessment and management
  • Incident response and breach notification procedures

Data Retention Periods

  • Account information: active account duration plus 7 years
  • Biometric data: active account duration plus 3 years, or as required by state biometric laws
  • Health information: generally 6 years under HIPAA retention expectations
  • Transaction data: 7 years for tax/accounting
  • Communications: 3 years
  • Server logs and security data: 1 year

When no longer needed, data is securely deleted or anonymized using industry-standard methods. Earlier deletion requests may be honored subject to legal obligations.

Children's Privacy

Our Services are not directed to individuals under age 18, and we do not knowingly collect their Personal Data. If we learn we collected such data, we will delete it promptly.

Parents/guardians who believe a child submitted data should contact us.

Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in practices, laws, or other factors. We post updates on our website and indicate the most recent revision date.

For material changes, we provide notice by:

  • Prominent notice on the Site
  • Email notifications to registered Users
  • Other appropriate communication channels

Continued use of the Site after a revised policy effective date constitutes acceptance.

How to Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or Personal Data processing, contact:

Data Protection Officer
c/o Stephen Saine
Any Biosignal, Inc.
2261 Market Street STE 86985
San Francisco, CA 94114
privacy@anybiosignal.com
(415) 323-6275

For urgent or time-sensitive matters, email or phone is recommended.

Additional Information for Specific Jurisdictions

California Residents

California residents may have rights under CCPA/CPRA, including:

  • Right to know what Personal Data is collected, used, disclosed, or sold/shared
  • Right to delete Personal Data (subject to exceptions)
  • Right to opt out of sale/sharing
  • Right to non-discrimination for exercising rights
  • Right to limit use/disclosure of Sensitive Personal Data

California residents may designate an authorized agent to submit requests.

EEA and UK Residents

EEA/UK residents may have rights under GDPR/UK GDPR, including:

  • Right to lodge a complaint with a supervisory authority
  • Right to withdraw consent
  • Right to object to processing based on legitimate interests
  • Right to restrict processing in certain circumstances

For cross-border transfers, safeguards are described in "International Data Transfers."

Customization Notice

This Privacy Policy may be customized by Business Users to align with their branding and business practices while maintaining core legal and regulatory compliance elements. Customized versions are expected to be clearly identified and dated.

Official copy and questions

Download the official AnyBio Privacy Policy (PDF)

Questions: privacy@anybiosignal.com