Privacy Policy - BreathWise Research

Last updated: January 3, 2026

Quick Summary:

We collect symptom data to validate our AI tool concept
Your data is never sold or shared with third parties
You can delete your data anytime by emailing us
We use cookies only with your consent
All data is encrypted and stored securely

1. Data Controller Information

Data Controller:

Name: Thomas Van Troostenberghe
Address: Zwanenlaan 45
City: 8400 Oostende, BELGIUM

2. What Data We Collect

Survey Data (Voluntary)

Health symptoms (type, frequency, severity)
Medical history (doctors, treatments, diagnoses)
Lifestyle factors (stress, digestive issues)
Treatment preferences and willingness to pay
Email address (ONLY if you opt-in for interview)

Analytics (With Cookie Consent)

Pages visited, time on site
Browser and device info
Anonymized IP address
Referral source

3. Legal Basis (GDPR)

Article 6(1)(a) - Consent: For survey and analytics

Article 9(2)(a) - Explicit Consent: For health data processing

Article 9(2)(j) - Scientific Research: Public interest research with safeguards

4. Purpose

Research validation and market analysis
Product development and feature prioritization
Optional: Follow-up interviews (with consent)

5. Data Retention

Survey responses: 3 years
Interview recordings: 2 years
Website analytics: 14 months
Cookie consent: 12 months

After: Permanent deletion or full anonymization

6. Security Measures

TLS 1.3 encryption (HTTPS)
AES-256 encryption at rest
Two-factor authentication (2FA)
Access controls and audit logs
Regular security audits

7. Third-Party Processors

Google LLC (USA)

Services: Forms, Sheets, Analytics
Protection: Standard Contractual Clauses + EU-US Privacy Framework
DPA: Google DPA

Vercel Inc. (USA)

Services: Website hosting
Protection: Standard Contractual Clauses
DPA: Vercel DPA

8. Your Rights

Access: Request copy of your data
Rectification: Correct inaccurate data
Erasure: Delete your data ("right to be forgotten")
Portability: Export data in machine-readable format
Object: Stop processing based on legitimate interests
Withdraw consent: Anytime, affects future processing only

How to exercise: Email troostberg@gmail.com

Response time: Within 1 month (up to 3 months for complex requests)

9. Complaints

You can lodge a complaint with your national supervisory authority:

Find your authority: EDPB Member List

10. Cookies

Necessary (Always Active):

breathwise_cookie_consent - Stores your cookie preferences (1 year)

Analytics (Requires Consent):

Google Analytics cookies (_ga, _gid) - Anonymous statistics (14 months)

Manage: Use cookie banner, footer "Cookie Settings" link, or browser settings

11. Age Restriction

Minimum age: 16 years
No knowingly collecting data from children
If under 16: Do NOT complete survey

12. Data Breaches

Authority notification within 72 hours
Individual notification if high risk
Full incident disclosure with remedial actions

13. Policy Updates

Posted on website with "Last updated" date
Material changes: Email notification
30-day grace period to review/withdraw consent

14. Contact

Email: troostberg@gmail.com

Response time: 5 business days (1 month for GDPR requests)

Subject lines for requests:

"GDPR Access Request" - Get copy of data
"GDPR Deletion Request" - Delete all data
"Data Portability Request" - Export data
"Withdraw Consent" - Stop processing

GDPR Compliance:

✅ All Article 13-14 information provided
✅ Legal basis documented (Articles 6 & 9)
✅ Full data subject rights (Articles 15-22)
✅ Processor agreements (Article 28)
✅ Security measures (Article 32)
✅ Breach procedures (Articles 33-34)