Privacy Policy
Last updated: February 2026
1. Introduction
This Privacy Policy describes how BioFrame ("we", "Platform") collects, uses and protects personal data, including health data (special category under Art. 9 GDPR).
BioFrame complies with:
- EU Regulation 2016/679 (GDPR)
- Italian Legislative Decree 196/2003 (Italian Privacy Code)
- Italian Data Protection Authority Guidelines for health data
2. Data Controller
Data Controller:
2014 FITNESS S.S.D. a R.L
Registered Office: Via Trento Trieste 12, 41012 Carpi (MO), Italy
VAT: IT03587400361
Tax Code: 90037470367
Phone: 059692990
Email: privacy@bioframe.it
PEC: 2014fitness@pec.it
Data Protection Officer (DPO):
Email: dpo@bioframe.it
DUAL ROLE
- For Professional (User) data: BioFrame is an independent Data Controller
- For Patient data: BioFrame is a Data Processor (Art. 28 GDPR), the Professional is the independent Data Controller
3. Data Collected
3.1 Professional Data (Platform Users)
We collect the following data during registration and use:
- Personal data: Name, surname, email, phone
- Professional data: Specialization, professional registry number (if provided)
- Account data: Password (cryptographic hash), subscription tier, evaluation quota
- Usage data: IP address, access timestamps, activity logs
- Preferences: Interface language, UI theme (light/dark)
3.2 Patient Data (Professional's Patients) - Health Data
SPECIAL CATEGORY (Art. 9 GDPR)
The following data are classified as health-related data and require explicit consent from the data subject.
- Patient personal data: Name, surname, date of birth, gender
- Anthropometric data: Height, weight, BMI
- Postural photos: Body images (front, back, lateral)
- Postural history: Symptoms, pain, pain level (0-10), sports practiced
- Clinical data: Risser index, menarche age (if applicable), hand/foot/eye dominance
- Medical devices: Use of glasses, orthopedic insoles
- Specialist notes: Confidential professional observations
- AI Evaluations: Postural analysis reports generated via Claude API
3.3 Cookies and Tracking Technologies
We only use essential technical cookies (authentication session). We do not use profiling or marketing cookies.
4. Legal Basis for Processing
Data processing is based on:
Professional Data (Art. 6.1 GDPR)
- Contract performance (Art. 6.1.b): Platform service provision
- Legal obligation (Art. 6.1.c): Tax/accounting data retention
- Legitimate interest (Art. 6.1.f): Account security, fraud prevention
Patient Health Data (Art. 9.2 GDPR)
- Explicit consent (Art. 9.2.a): Patient provides written consent for AI postural analysis
- Preventive medicine (Art. 9.2.h): Postural evaluation for healthcare purposes
- Public health interest (Art. 9.2.i): Improving postural care
Patient Consent Form: The Professional must have the Patient sign a consent form that explicitly covers:
- Health data processing (Art. 9 GDPR)
- Use of photos for AI-powered analysis
- Storage on cloud platform (Supabase EU)
- Transfer to AI provider (Anthropic Claude - US, with Standard Contractual Clauses)
5. Processing Purposes
5.1 Primary Purposes (Service Provision)
- Professional account management (registration, authentication, profile)
- Secure storage of Patient data on encrypted database
- Generation of postural evaluations via AI (Anthropic Claude API)
- Export of evaluation reports (PDF, future)
- Subscription tier and monthly evaluation quota management
5.2 Secondary Purposes
- Technical support (troubleshooting, user assistance)
- Platform improvement (anonymous aggregate analytics, bug fixing)
- Service communications (maintenance, updates, subscription expiry)
- Tax/legal compliance (invoicing, document retention)
We do NOT use data for:
- Marketing or commercial profiling
- Sale/transfer to third parties
- AI model training (data does NOT go into Anthropic's training set)
- Automated decisions producing legal effects on the Patient (GDPR Art. 22)
6. Data Recipients
Data may be disclosed to the following recipients (all appointed as Data Processors under Art. 28 GDPR):
Supabase (Database & Storage)
Service: PostgreSQL Database, Photo Storage, Authentication
Location: EU (Frankfurt, Germany data center)
Guarantees: GDPR-compliant, ISO 27001, SOC 2 Type II
Anthropic (AI Processing)
Service: Claude API (AI evaluation generation)
Location: USA (San Francisco, California)
Extra-EU transfer guarantees: EU Commission-approved Standard Contractual Clauses (SCC)
Data Retention: API Input/output NOT retained by Anthropic (zero-retention policy)
Railway/Vercel (Backend/Frontend Hosting)
Service: Web application hosting
Location: USA (with EU CDN)
Guarantees: Standard Contractual Clauses (SCC)
No other third party has access to the data. We do not sell or transfer data to brokers/aggregators.
7. Data Retention
We retain data for the following periods:
| Data Type | Period | Legal Basis |
|---|---|---|
| Active Professional Account | Contract duration + 1 year | Contract performance |
| Patient Health Data | 10 years from last evaluation | Italian Legislative Decree 196/2003 |
| Access/activity logs | 6 months | Italian Legislative Decree 51/2018 |
| Billing data | 10 years | Art. 2220 Italian Civil Code |
Secure deletion: At the end of the above periods, data is permanently and irreversibly deleted (cryptographic erasure + overwriting).
8. Data Subject Rights (GDPR)
Professionals and Patients (through the Professional) have the following rights:
Access (Art. 15)
Obtain a copy of all processed personal data
Rectification (Art. 16)
Correct inaccurate or incomplete data
Erasure (Art. 17)
Request data deletion (subject to legal obligations)
Restriction (Art. 18)
Temporarily block data processing
Portability (Art. 20)
Receive data in structured format (JSON/CSV)
Objection (Art. 21)
Object to processing based on legitimate interest
How to exercise your rights
Send a request to: privacy@bioframe.it
Response within 30 days (Art. 12 GDPR)
Complaint to Authority: You can file a complaint with the Italian Data Protection Authority if you believe your rights have been violated.
9. Data Security
We implement advanced technical and organizational measures to protect data:
Technical Measures
- Encryption in transit: TLS 1.3 (HTTPS) for all communications
- Encryption at rest: AES-256 for database and photo storage
- Authentication: Bcrypt password hashing, JWT tokens with expiry
- Database access: Row Level Security (RLS) - each Professional sees only their own data
- Backup: Daily encrypted backups (30-day retention)
- Network security: Firewall, rate limiting, DDoS protection
Organizational Measures
- Data access limited to authorized personnel (need-to-know basis)
- Confidentiality agreements signed by all collaborators
- Regular GDPR and cybersecurity training
- Incident response plan for data breach (notification within 72h per Art. 33 GDPR)
- Complete audit logs of every data access/modification
Shared Responsibility
The Professional must protect their credentials and not share them with third parties. BioFrame is not responsible for unauthorized access due to User negligence.
10. Cookies
BioFrame exclusively uses essential technical cookies for Platform operation:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token | Supabase authentication session | 24 hours |
| bioframe-auth | Application authentication status | Persistent |
| bioframe-theme | UI preferences (dark/light mode) | Persistent |
We do NOT use: Analytics cookies (Google Analytics, etc.), marketing cookies, profiling cookies.
11. Privacy Policy Changes
We may update this Privacy Policy periodically to reflect regulatory changes or Platform features. Substantial changes will be communicated via email with 30 days' notice. The current version is always available on this page with the last update date.
12. Contact
Data Controller:
2014 FITNESS S.S.D. a R.L — Via Trento Trieste 12, 41012 Carpi (MO)
VAT: IT03587400361 — Tax Code: 90037470367
Privacy Email: privacy@bioframe.it
Data Protection Officer: dpo@bioframe.it
Certified Email (PEC): 2014fitness@pec.it
Complaints to Data Protection Authority:
www.garanteprivacy.it
Piazza Venezia, 11 — 00187 Rome — Phone: +39 06 696771