1. Introduction
This Privacy Policy explains how BioMaxing (“we”, “us”, or “our”) collects, uses, shares, and protects your personal data when you use our website, web application, and Telegram bots (BioMaxing Library / “BioMax”, BioMaxing Life / “BioLife”, and BioMaxing Support / “BioSupp”). We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679.
By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
2. Data Controller
The data controller responsible for your personal data is:
| Entity | Maria Elina (Sole Proprietor) |
| Trade name | BioMaxing |
| Registered address | Keizersgracht 241, 1016EA Amsterdam, Netherlands |
| Chamber of Commerce (KVK) No. | 99611252 |
| VAT (BTW) Identification No. | NL005398711B41 |
| privacy@biomaxing.io |
Full provider-identification details are also published in our Legal Notice.
3. Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Account Information
- Telegram User ID — stored only in pseudonymised form as a keyed HMAC; we do not store your raw Telegram ID in production
- Email address (for web application authentication via one-time passcode)
- Optional profile details you choose to provide on the web application: display name, sex, birth year (and optionally birth month)
- Interface language and theme preference
- Notification preferences (e.g. email notifications, weekly digest, product updates)
- Timezone
- Session metadata (IP address and browser user-agent), kept for security and abuse prevention
3.2 Wellness and Time-Management Data (Telegram bots — @BioMaxingLifeBot)
The @BioMaxingLifeBot bot is a general wellness and time-management tracker. To provide it, we process the data you record:
- Habits — binary selectors (done / not done) and numeric counters
- Tasks and their completion status
- Daily check-ins and evening reviews, scored by you on seven fixed dimensions (Energy, Mindset, Drive, Clarity, Pressure, Satisfaction, Social) on a 0–3 scale
- Optional short notes you may attach to a check-in
- Statistics derived from the above
This information is processed under Contract Performance (Art. 6(1)(b)) to deliver the tracker you signed up for. It is general wellness and productivity data and is not special-category (“health”) data under GDPR Article 9. The Telegram bots do not collect Article 9 health data (see §3.3).
3.3 Supplement and Health Data (Special Category — Art. 9)
Telegram bots do not collect Article 9 health data. In the @BioMaxingBot bot you choose from curated, admin-authored supplement stacks; the goals, selected stacks and dosages you save are treated as supplement preferences under Contract Performance (Art. 6(1)(b)), not as special-category data, and they are never sent to the AI (see §6.3).
Special-category health data is processed only on our web application (app.biomaxing.io), and only with your explicit consent (Art. 9(2)(a)) given at account setup before any such feature is used. With that consent we may process:
- Personal supplement stacks and combinations, including dosages, frequencies, timing, and duration
- Declared health conditions/indications and current medications
- Health and wellness goals (your chosen aims) and maintenance routines (how you taper or keep supplements, practices and habits after completing a goal)
- Lifestyle baselines and button-based progress check-ins
- Symptoms you log from a fixed catalog of common wellness observations (e.g. low energy, poor sleep, bloating) — button-based only, no free-text symptom entry
- Objective body measurements you choose to enter (weight, body-fat percentage, waist circumference, and a 0–3 skin-condition scale)
- Free-text journal / reflection entries you write in the web application
- AI chat conversations about supplements and health
- A psychological trait profile inferred from your activity (preference indicators on 0–100 scales), used only for personalisation
- Derived records built from the data above: daily rollups (adherence rates, day scores, check-in streaks) and the insights shown to you (see §6.4)
You can withdraw this consent at any time (see §9). Withdrawal does not affect the lawfulness of processing carried out beforehand.
3.4 Payment Information
- Subscription tier and status
- Subscription transaction history (level, duration, timestamps)
- Note: Paid subscriptions and payment processing are not yet active. When they launch, card details will be processed directly by our payment provider (planned: Stripe) and never stored on our servers.
3.5 Usage Data
- Interaction with our Telegram bots (internal analytics events)
- Website usage patterns (via self-hosted Umami analytics — see §10.2)
- Bookmarks and saved items (web application)
- Feature usage statistics
3.6 Account Linking and Bot-Data Sync
You may optionally link your web account and your Telegram identity (see Terms §4.3). Linking works through an email-verified, short-lived link code; on our side the link stores only your pseudonymised Telegram reference (keyed HMAC) next to your web account. Once linked:
- your saved BioMax stacks and your BioLife habits, check-ins and evening reviews become viewable in the web application, and
- your BioLife check-in scores are folded into your web progress records (and, with your Art. 9(2)(a) consent, into the insights described in §6.4).
You can unlink at any time in your web-app settings. Deleting your web account also cascades to your linked Telegram bot data (see §9).
4. Legal Bases for Processing
We process your personal data based on the following legal grounds under Articles 6 and 9 of the GDPR:
| Legal Basis | Purpose | Data Categories |
|---|---|---|
| Contract Performance (Art. 6(1)(b)) | Providing our services (Telegram bots and web application), managing subscriptions | Account data, wellness & time-management data, supplement preferences, subscription data |
| Explicit Consent (Art. 9(2)(a)) | Processing special-category health data on the web application and sending pseudonymised health context to our AI processor for personalized recommendations | Web-app supplement stacks/dosages, declared conditions and medications, health goals, supplement/health AI chat |
| Legitimate Interest (Art. 6(1)(f)) | Service improvement, security, abuse prevention, analytics | Usage data, session metadata, aggregated statistics |
| Legal Obligation (Art. 6(1)(c)) | Tax records, legal compliance | Transaction records (once payments are active) |
5. How We Use Your Data
We use your personal data for the following purposes:
- To provide and maintain our services, including the Telegram bots and web application
- To help you track habits, tasks and daily check-ins, and plan your day (Telegram bots)
- To personalize supplement and health recommendations on the web application (with your explicit consent)
- To provide AI-powered chat assistance
- To manage subscriptions (and, once active, process payments)
- To improve our services through aggregated, anonymized analytics
- To secure our services and prevent abuse
- To communicate with you about service updates and changes
- To comply with legal obligations
6. Data Sharing and Third-Party Processors
We share your personal data with the following categories of recipients, all of whom are bound by Data Processing Agreements (DPAs) ensuring GDPR compliance:
6.1 Sub-Processors
| Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Scaleway | Cloud infrastructure hosting, database, storage, transactional email (OTP codes) | All data | Paris, France (EU) |
| Telegram | Bot platform communication | Pseudonymised user reference, messages | UAE (SCCs) |
| Scaleway Generative API | AI chat assistance, supplement/health recommendations (web) | Chat messages, pseudonymised context (see §6.3) | Paris, France (EU) |
| Supabase (storage on AWS) | Secondary copy of database backups, encrypted on our servers before upload (provider cannot read them); deleted after 30 days | Encrypted backup archives | EU region (eu-west-1, Ireland); US parent company |
| Stripe (planned — not yet active) | Payment processing | Payment details, email | Ireland (EU) |
Our self-hosted Umami analytics runs on our own EU (Scaleway) infrastructure and is not a third-party sub-processor (see §10.2).
6.2 We Never Share Your Data
- We never sell your personal data to third parties
- We do not use third-party advertising or cross-site tracking services
- We do not share data with supplement brands or affiliates
6.3 AI Processing (What We Send to the AI)
We use the Scaleway Generative API (Paris, EU) for AI chat. In accordance with Article 50 of the EU AI Act (Regulation (EU) 2024/1689), we inform you that the chat assistant is an artificial intelligence system and its responses are AI-generated, not produced by a human. What is sent depends on where you use it:
- Telegram bots: we send no personal, supplement or health data to the AI. Only your chat message and non-personal context (your subscription plan and interface language) are sent. Your supplement preferences, check-in data and identifiers are not shared.
- Web application: with your Art. 9(2)(a) consent, we send your chat message together with pseudonymised context to generate recommendations — for example goal names, lifestyle and trait indicators, your declared health conditions/medications and supplement stacks expressed as internal slugs, your recent check-in consistency (streak and adherence rate), and short wellness themes extracted from your journal. If you write journal entries, their text is processed once by the same EU AI processor to extract structured signals (a mood score and short themes); the provider does not store your entries, and only the extracted themes — never your full journal text — are used as chat context afterwards. Your logged symptoms and objective body measurements are not sent to the AI. We never send directly-identifying identifiers; an internal account identifier (UUID or keyed HMAC) is used instead of your name, email or Telegram ID.
Scaleway processes this data within the EU under its standard data-processing terms.
6.4 Personalisation and Insights (Profiling)
On the web application, with your Art. 9(2)(a) consent, we personalise your experience and generate wellness insights from the activity you log. This involves profiling within the meaning of Art. 4(4) GDPR, and in the interest of transparency (Art. 13(2)(f)) we explain it here:
- What we use: the activity you record yourself — habit, practice and check-in completions, your self-rated outcomes, symptoms you log from the fixed catalog, and your monthly objective measurements — rolled up into daily metrics (adherence rates, your day-score, dimension scores) and your chosen goal/path. Each suggested item and each insight “driver” is also matched to the aim (“want”) it serves, so the app can show you why something is suggested.
- What it produces: suggested supplements, practices and habits, plus educational “insights” that point out correlations (“drivers”) between your own actions and your self-reported day-scores. A statistical step finds the correlations and an AI then describes each one in plain language. Only pseudonymised labels/slugs are sent to our EU AI processor — never your raw reflection text and never directly-identifying identifiers.
- No automated decisions about you: this profiling is educational suggestion only. It does not produce legal or similarly significant effects (Art. 22): it does not determine your access to the service, eligibility, or pricing (see §9).
- Your controls: you can object to this profiling (Art. 21) and withdraw your consent at any time (Art. 7(3)); doing so disables the personalised insights. The Telegram bots do not perform this profiling.
7. International Data Transfers
Your data is stored within the European Union (Scaleway, Paris, France). The only routine transfer outside the EU/EEA is to Telegram (United Arab Emirates) when you message a bot, which is necessary to deliver the messaging service you initiate. Where data is transferred outside the EU/EEA, we rely on:
- EU Commission adequacy decisions, where applicable
- Standard Contractual Clauses (SCCs) approved by the EU Commission
- Additional technical and organizational measures
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account. After a deletion request, a restore window applies during which you can cancel deletion — 30 days on the web application and 7 days in the Telegram bots — after which your data is deleted and any residual soft-deleted records are purged |
| Wellness & time-management data (habits, tasks, check-ins) | Duration of account; deleted on request |
| Web-app supplement and health data (stacks, conditions/medications, goals, check-ins, symptom logs, objective measurements, maintenance routines, journal, trait profile, derived insights) | Duration of account; deleted on request |
| AI chat history | Automatically deleted 90 days after the chat’s last activity, or sooner if you delete the chat or your account; temporary/anonymous chats are held briefly in Redis and expire automatically |
| Email one-time passcodes | Short-lived; expire within minutes |
| Payment records | 7 years (Dutch tax law requirement), once payments are active |
| Analytics data (Umami) | 24 months (aggregated, anonymized) |
| Internal analytics events (bot interactions) | 30 days, then auto-purged by MongoDB TTL |
| Audit logs (admin and user data-rights actions) | 365 days, then auto-purged — required for GDPR Art. 30 records of processing |
| Encrypted database backups (Scaleway S3, Paris; secondary encrypted copy at Supabase Storage, EU) | 30 days, then automatically deleted |
9. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15) You have the right to obtain confirmation of whether we process your personal data and to request a copy of your data.
Right to Rectification (Art. 16) You have the right to have inaccurate personal data corrected and incomplete data completed.
Right to Erasure (Art. 17) You have the right to request deletion of your personal data. On the web application you can delete your account (a 30-day restore window applies, during which you can cancel the deletion; after that your data is deleted and any residual soft-deleted records are purged); deleting your account also cascades to your linked Telegram bot data. In the bots you can delete your account from Profile → Settings → Privacy & Rights → Delete account (a 7-day grace period applies before deletion is finalized).
Right to Restrict Processing (Art. 18) You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.
Right to Data Portability (Art. 20) You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON). On the web application you can request an export of your data; in the bots you can export your data from Profile → Settings → Privacy & Rights → Export data — the export includes your saved stacks/bookmarks, assistant chats, subscription history, and consent records.
Right to Object (Art. 21) You have the right to object to processing based on legitimate interests or for direct marketing purposes.
Automated Decision-Making (Art. 22) We do not make decisions producing legal effects concerning you, or similarly significantly affecting you, based solely on automated processing. Our AI assistant provides educational suggestions only; it does not make automated decisions about your access to services, eligibility, or pricing. We do carry out limited profiling to personalise the web application and generate wellness insights — this has no legal or similarly significant effect and is described in §6.4.
Right to Withdraw Consent (Art. 7(3)) Where processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of prior processing. In the bots: Profile → Settings → Privacy & Rights → Withdraw consent. On the web application: from your account settings (consent revocation). Withdrawing consent for special-category health-data processing disables the features that rely on it.
Right to Lodge a Complaint You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl, or with the supervisory authority of your country of residence, place of work, or place of the alleged infringement. A list of EU/EEA national data protection authorities is available at edpb.europa.eu.
How to exercise your rights: Contact us at privacy@biomaxing.io. We will respond within 30 days.
10. Cookies and Analytics
10.1 Essential Cookies
We use strictly necessary cookies only:
biomaxing.session_token— authentication session (HttpOnly, Secure, SameSite=Lax; expires after 30 days). Holds a hashed session token, not your credentials.__Host-csrf— protects forms and API calls against cross-site request forgery (Secure; session-scoped). Contains a random token, no personal data.theme— remembers your light/dark theme preference (expires after 1 year). It does not track you and contains no personal data.
The web application also uses your browser’s local storage for functional preferences only (theme, interface language, panel state, recently-viewed pages); nothing in local storage is used for tracking. See the Cookie Policy for the full list.
These cookies are essential for the website to function or to remember a basic preference. They do not track you across websites or collect personal data for marketing purposes.
10.2 Analytics (Umami)
We use Umami, a privacy-focused, open-source analytics platform that we self-host on our own EU-based (Scaleway) servers. Umami:
- Does not use cookies for tracking
- Does not collect personally identifiable information
- Does not track users across websites
- Is fully GDPR compliant by design
- Provides only aggregated, anonymous website statistics
We do not use: Google Analytics, Facebook Pixel, or any third-party tracking services.
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, following privacy by design and by default principles:
Technical Measures
- Encryption in transit (modern TLS, 1.2+)
- Encryption at rest: the database runs on a LUKS full-disk-encrypted (AES-256) volume; backups are encrypted
- Pseudonymisation of Telegram User IDs via keyed HMAC
- TLS-secured, certificate-authenticated database connections
- Regular automated, encrypted backups
- Secure secrets management
- Infrastructure as Code with security best practices
Organizational Measures
- Privacy by design architecture
- Data minimization (we only collect necessary data)
- Access controls and authentication requirements
- Regular security assessments
12. Children’s Privacy
Our services are not intended for individuals under 18 years of age, and we ask users to confirm they are 18+ during onboarding. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information promptly.
13. Medical Disclaimer
BioMaxing provides educational information about supplements and wellness practices, and tools for tracking habits and daily routines. Our services are not intended to diagnose, treat, cure, or prevent any disease, and are not a medical device. The information provided should not be considered a substitute for professional medical advice. Always consult with a qualified healthcare professional before making changes to your supplement regimen or health practices.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on our website and updating the “Last Updated” date. For significant changes, we will provide notice through our Telegram bots or by email and, where required, ask you to review and re-accept the updated policy.
15. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
| privacy@biomaxing.io | |
| Response Time | Within 30 days (as required by GDPR) |
| Supervisory Authority | Autoriteit Persoonsgegevens (Dutch DPA) |
Our full provider-identification and contact details are published in our Legal Notice.
Appendix A: List of Sub-Processors
This appendix provides detailed information about our sub-processors as required by GDPR Article 28:
| Name | Processing Activities | Transfer Mechanism | DPA Status |
|---|---|---|---|
| Scaleway SAS | Cloud hosting, database, storage, transactional email (OTP) | N/A (EU processor) | Standard DPA in ToS |
| Telegram FZ-LLC | Bot platform, messaging | SCCs (user-initiated) | Telegram Privacy Policy |
| Scaleway Generative API | AI/LLM chat processing (Mistral, Qwen models) | N/A (EU processor) | Standard DPA in ToS |
| Supabase, Inc. | Secondary storage of client-side-encrypted database backups (AES-256, encrypted before upload) | EU region (AWS eu-west-1, Ireland); SCCs/DPF for any US access | Supabase DPA |
| Stripe, Inc. (planned — not yet active) | Payment processing, fraud prevention | EU entity (Stripe Ireland) | Stripe DPA available |
— End of Privacy Policy —