Privacy Policy

AINOHA, a simplified joint-stock company under French law, registered with the Grenoble Trade and Companies Register under number 940 585 953 R.C.S. Grenoble, with its registered office located at 25 rue Beethoven, 38400 Saint-Martin-d'Hères, is referred to in this policy as " Ainoha," " we," or " our."

TheAinoha™ app allows users (" you," " your," or " Users ") track their symptoms and hormonal parameters, perform biometric analysis via their smartphone camera, access blood test analysis, and interact with a chatbot that provides personalized recommendations related to well-being and hormonal balance (the " App "). 

The purpose of this policy is to inform you about how we process your personal data when you use the Application, in accordance with Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data (the " GDPR ").

1. Definitions

CNIL: National Commission for Information Technology and Civil Liberties, 3 Place de Fontenoy, 75334 Paris.

Recipient: Any natural or legal person, public authority, agency, or other body that receives personal data.

Personal data: Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier (e.g., name, email address, online identifier).

Data controller: Natural or legal person who determines the purposes and means of personal data processing. In the context of this policy, this is Ainoha.

Subcontractor: Any natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller, in accordance with the controller's instructions.

Processing: Any operation or set of operations performed on personal data, whether automated or not, such as collection, recording, organization, storage, adaptation, consultation, use, disclosure, restriction, erasure, or destruction.

2. Why do we process your personal data? 

We collect the following categories of personal data when you use the Application:

2.1 Purpose of processing: Creation and management of user accounts

Data collected

• Name;
• First name;
• Email address;
• Date of birth.

Legal basis

Performance of the contract with the User

Shelf life

During the period of use of the Application, then for a period of

2.2 Purpose of processing: Provision of Ainoha™ Application services:

• Monitoring and hormonal profile
• Interactions with the Aino Chatbot
• Personalized recommendations
• Personalized supplements (if applicable)

Data collected

• Health information (height, weight, type and brand of contraceptive):
• Self-questionnaires (energy, sleep, symptoms);
• Biometric analyses (heart rate, respiratory rate, stress level);
• Blood tests (biomarkers);
• Text data exchanged with the Aino™ chatbot;
• User Preferences

Legal basis

• Performance of the contract with the User
• Explicit consent of the User

Shelf life

During the period of use of the Application, then for a maximum period of one (1) year

2.3 Purpose of processing: Improvement of the Chatbot (machine learning)

Data collected

Conversational and Application Usage Data

Legal basis

Data is only stored for as long as is necessary to train the model.

Shelf life

Data is only stored for as long as is necessary to train the model.

2.4 Purpose of processing: Responding to User requests

Data collected

Data transmitted in requests

Legal basis

Legitimate interest in responding to User requests

Shelf life

Processing time for the request, plus the statutory limitation period.

2.5 Purpose of processing: To ensure the proper functioning and security of the Application

Data collected

• Browsing data;
• IP address;
• Technical data (device type, logs, errors)

Legal basis

Legitimate interest in providing a functional Application

Shelf life

While browsing the Application

2.6 Purpose of processing: Compliance with legal obligations or requests from competent authorities

Data collected

Any data necessary to meet a legal requirement

Legal basis

Legal obligation

Shelf life

For the period necessary to comply with the applicable legal obligation

Ainoha retains your personal data only for as long as necessary for the purposes outlined in the table above.

After these periods, the data is deleted or anonymized.

In certain cases, data is also stored in intermediate archives for:

• comply with legal obligations such as accounting, social security, or tax requirements;
• enable us to compile evidence in the event of a dispute, within the applicable limitation periods.

‍

1. Who are the recipients of your personal data?
   
   1. Ainoha employees

Your personal data may be processed by Ainoha employees, within the limits of their respective responsibilities and exclusively for the purposes of this policy.

2. Service providers

Ainoha uses technical service providers who operate the infrastructure necessary for the proper functioning of the Application. This includes, in particular, hosting, storage, management, and maintenance services for the Application, its content, and the personal data processed.

These include the following providers:

• Amazon Web Services (AWS): application hosting, data storage, and cloud infrastructure (EU region).
• Video scan provider: analysis of physiological parameters from the video scan (heart rate, breathing, stress).
• Artificial intelligence (language model) service provider located in the EU: generation of responses from the AINO chatbot in Zero Data Retention (ZDR) mode.
• Manufacturer of dried blood collection kits: manufacturing and logistics of blood collection kits (DBS).
• Medical laboratory specializing in dried blood spot analysis: analysis of blood samples (DBS) and production of biomarker results.

‍

These service providers act as subcontractors for Ainoha. As such, they only have access to personal data to the extent strictly necessary for the performance of their services, and are contractually bound to guarantee the confidentiality, security, and compliance of the processing, in accordance with applicable regulations, in particular the GDPR.

1. Communication justified by legal reasons

Ainoha may be required to disclose certain personal data if required by law, a judicial or administrative authority, or in the context of legal proceedings.

2. Are your personal data transferred outside the European Union? 

Your data is transferred outside the European Union, in particular due to the use of certain service providers.

In this case, these transfers are subject to appropriate safeguards, such as the inclusion of service providers on the list available on the Data Privacy Framework, or the signing of standard contractual clauses adopted by the European Commission.

Data hosted by Amazon Web Services (AWS) is stored in the eu-north-1 region, in an environment certified as a Health Data Host (HDS), guaranteeing a high level of security in accordance with the requirements applicable to health data in France.

3. Your rights

To exercise the rights listed below, you can contact Ainoha at the following address dpo@ainoha.fr. 

You have the following rights:

• Right of access to your personal data: you have the right to obtain certain information from Ainoha, such as the purposes of the processing or the categories of personal data concerned.
• Right to rectification: you may ask us at any time to rectify your personal data if it is inaccurate or incomplete.

Right to erasure/right to be forgotten: you may request the deletion of your personal data, particularly when it is no longer necessary for Ainoha, when you have withdrawn your consent, or when you have objected to its processing.

• Right to restriction of processing: you may request the restriction of the processing of your personal data if you contest the accuracy of the data or if its processing is unlawful.
• Right to data portability: when your personal data is subject to automated processing based on your consent or on a contract, you may request to receive this data or have it transferred to a third party.
• Right to object: You may object to the processing of your personal data when it is based on legitimate interest, for reasons relating to your particular situation.
• Right to decide what happens to your personal data after your death: you can set guidelines or designate a trusted third party to whom Ainoha can entrust your data.
• Right to withdraw your consent: at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

‍

Before we can respond to your request to exercise one or more rights, we may ask you for additional information to verify your identity.

Ainoha undertakes to respond to your requests relating to this policy or the exercise of your rights as soon as possible, and at the latest within one (1) month of receiving the request, in accordance with the GDPR.

If your request is complex or if you have made multiple requests, the response time may be extended to three (3) months from receipt.

If you believe that the processing of your personal data is unlawful, you also have the right to lodge a complaint with:

• the main data protection authority for Ainoha: the CNIL; or
• from your local supervisory authority.

‍

1. Security of personal data

We implement appropriate technical and organizational measures to ensure the security, confidentiality, integrity, and availability of the personal data we process. These measures are regularly evaluated and updated.

These measures include, in particular:

• Strict access controls and secure authentication measures;
• Data encryption;
• Continuous monitoring of the system with anomaly detection and alerts in the event of an incident;
• Regular security tests integrated into the development cycle;
• A structured procedure for managing security incidents;
• Raising awareness and training teams in data security.

‍

1. Contact

If you have any questions or requests regarding your personal data or this Privacy Policy, you can contact us at the following address: dpo@ainoha.fr 

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍