Quick Access
This policy explains how Youcaps.ai collects, uses, and protects your personal data. Key sections: Health data processing (Section 4), your privacy rights (Section 6), cookies (Section 8), contact information (Section 11).
1. Introduction & Scope
1.1 Who We Are
Legal Entity: Youcaps.ai B.V.
Address: [Company Address, Netherlands]
DPA Contact: [email protected]
Youcaps.ai is a Netherlands-based supplement subscription platform that uses artificial intelligence to provide personalized supplement recommendations. This Privacy Policy explains how we collect, use, disclose, and safeguard your information.
1.2 Scope
This Privacy Policy applies to:
Our website (youcaps.ai)
Our mobile applications
Our services (AI personalization, subscription management, order fulfillment)
Data collected through integrations (wearable devices, health tracking apps)
1.3 Your Privacy Rights
You have fundamental rights under GDPR:
✓ Access, correct, or delete your data
✓ Withdraw consent at any time
✓ Receive data in portable format
✓ Lodge complaints with your data protection authority
2. Information We Collect
2.1 Health & Wellness Data (Special Category)
We collect sensitive health information with your explicit consent:

| Data Category | Collection Method | Purpose | Legal Basis |
|---|---|---|---|
| Health conditions | Signup questionnaire | AI personalization | Explicit Consent (GDPR Art. 9(2)(a)) |
| Medications | Signup questionnaire | Drug interaction safety | Explicit Consent |
| Allergies/intolerances | Signup questionnaire | Product safety & relevance | Explicit Consent |
| Wearable data (heart rate, sleep) | Device API integration | Activity/wellness insights (optional) | Explicit Consent |
Important: You must provide explicit, separate consent to process this health data. Consent is never a condition of using basic service features.
3. Legal Basis for Processing
3.1 Explicit Consent (Article 6(1)(a) & Article 9(2)(a))
What: Health questionnaire, wearable data, wellness information
Why: You explicitly agreed to provide this for personalized recommendations
Your Right: Withdraw anytime via Settings > Privacy > Withdraw Consent
Effect of Withdrawal: We stop processing but may retain data for 30 days per deletion request
3.2 Contractual Necessity (Article 6(1)(b))
What: Account details, mailing address, order history, subscription status
Why: Required to provide subscription service and deliver supplements
Retention: As long as you're a customer, plus 3 years for tax/legal obligations
4. Special Category Data (Health Information)
4.1 What Qualifies as "Health Data" Under GDPR?
Under GDPR Article 4(14), health data includes any data relating to:
Physical or mental health
Health services or treatments
Health status
Genetic information
Biometric information used for identification purposes
4.2 Why We Need Explicit Consent
GDPR Article 9 prohibits processing special category data unless specific conditions are met. For Youcaps.ai, explicit consent is the legal basis.
What Makes Our Consent Valid?
Freely Given: Not mandatory for basic account usage
Specific: Separate checkbox only for health data
Informed: Clear explanations of what health data means
Unambiguous: Requires active consent (checkbox unchecked by default)
Withdrawal: You can withdraw anytime
6. Your Privacy Rights
6.1 Right to Access (Article 15)
What: You can request a copy of all personal data we hold about you.
How:
Log into your account > Settings > Privacy > Download My Data
Or email [email protected] with subject "Data Access Request"
Response Time: Within 30 days (extendable 60 days for complex requests)
Format: Machine-readable file (JSON/CSV) including health questionnaire, wearable data history, recommendations, and communications.
Cost: Free (unless request is frivolous/excessive)
6.2 Right to Deletion (Article 17 – "Right to Be Forgotten")
What: You can request permanent deletion of your data.
How:
Settings > Privacy > Request Deletion
Confirm via email link (security measure)
We delete within 30 days
Exceptions: We retain data if:
Legal/Tax Obligation: Financial records (3 years minimum under Dutch law)
Active Dispute: If we're defending a claim related to your order
Legitimate Interest: Fraud prevention (30 days after account closure)
6.3 Right to Object (Article 21)
What: You can object to certain data processing, particularly profiling.
How to Object: Email [email protected] with "Objection Request" in subject line.
8. Cookies & Tracking
8.1 What Are Cookies?
Cookies are small files stored on your device when you visit our website. They enable:
Session management (keeping you logged in)
Preference storage (language, layout)
Analytics (understanding how you use the site)
Advertising (showing relevant ads on other sites)
8.2 Cookie Categories
| Cookie Type | Required for Site? | Need Consent? | Purpose |
|---|---|---|---|
| Essential | YES | NO | Login, security, functionality |
| Analytics | NO | YES | Service improvement, user experience |
| Marketing | NO | YES | Retargeting ads |
| Functional | NO | YES | Store your preferences |
8.3 Google Analytics 4 (GA4)
What We Track: Pages visited, features used, time spent, referral source (NOT health data).
Legal Basis: Your consent via cookie banner
How to Opt-Out:
Browser settings: Disable third-party cookies
Our site: Uncheck "Analytics" in cookie preferences
Google: Install Google Analytics Opt-out Extension
9. Security Measures
9.1 Technical Safeguards
| Measure | Standard | Details |
|---|---|---|
| Encryption at Rest | AES-256 | Health data encrypted in database |
| Encryption in Transit | TLS 1.2+ | HTTPS on all pages; secure APIs |
| Database Security | Isolated VPC | Database not exposed to internet |
| Access Control | RBAC | Employees access only necessary data |
| Audit Logging | 90-day retention | All data access logged & monitored |
| Vulnerability Testing | Quarterly | Penetration tests and code review |
9.2 Organizational Safeguards
Employee Training: Annual GDPR & confidentiality training for all staff
Confidentiality Agreements: All employees sign data protection agreements
Incident Response Plan: Documented breach procedure; 72-hour notification timeline
Vendor Assessment: Third-party compliance verified before engagement
Annual Audit: Independent security review
Note: Despite our efforts, no system is hack-proof. You are responsible for using strong passwords and not sharing login credentials.
11. Contact & Grievance
11.1 Privacy Questions
Email: [email protected]
Response Time: Within 10 business days
Formal Requests: Include full name, email, proof of identity (government ID)
11.2 Complaints
If you're not satisfied:
First: Email us at [email protected] with a detailed complaint
Response: We'll investigate and respond within 30 days
Escalation: Contact your national Data Protection Authority
Netherlands (DPA):
Authority: Autoriteit Persoonsgegevens (AP)
Website: https://www.autoriteitpersoonsgegevens.nl
Address: Bezuidenhoutseweg 63, 2594 AC Den Haag
Email: [email protected]
Appendix: Summary Table of Processing
| Processing | Data Category | Legal Basis | Recipient | Retention |
|---|---|---|---|---|
| Account registration | Name, email, address | Contractual | None (we hold) | 2 years (inactive) |
| AI recommendations | Health questionnaire | Consent (Art. 9) | Fulfillment partner (allergies) | 2 years |
| Order fulfillment | Name, address, allergies | Contractual | Fulfillment partner | 3 years (legal) |
| Analytics | Website behavior (pseudonymous) | Legitimate interest | Google Analytics | 2 years |
| Email marketing | Email, preferences | Consent | Sendgrid (processor) | Until unsubscribe |
Version: 1.0 | Effective Date: June 1, 2026 | Language: English (EN) | Next Review: June 1, 2027
For the Dutch version, see: Privacy Policy – Youcaps.ai (NL)