BioTRK Privacy Architecture & Data Stewardship Policy

Effective Date: February 18, 2026

HIPAA Compliant

At BioTRK (operated by Biotrk PVT. LTD., a company incorporated in Singapore, accessible via biotrk.io), the protection of your physiological and administrative information is our foundational operational principle. This document outlines our data lifecycle practices, ensuring strict compliance with the United States Federal Trade Commission (FTC), state-level privacy mandates, and the Republic of Singapore’s Personal Data Protection Act (PDPA).

1. The BioTRK Data Taxonomy (Information Collection)

To provide you with personalized longevity outcomes, our ecosystem ingests specific categories of information:

  • Administrative Endpoints: Standard identifiers such as your name, contact email (hello@biotrk.io), and the secure authentication credentials required for account provisioning.
  • Physiological Telemetry: Continuous biometric streams, including heart rate variability and sleep architecture, collected passively via integrations with third-party wearable Application Programming Interfaces (APIs).
  • Deep Clinical Biomarkers: Extensive serology and epigenetic markers transmitted securely from our independent laboratory partners, strictly upon your secondary authorization.
  • System Interaction Analytics: Navigational heuristics, session durations, and IP addresses collected via operational cookies to ensure platform stability and security.

2. Processing Justifications and Utilization

BioTRK processes your data primarily to execute our core service: synthesizing actionable health optimization protocols. Under the frameworks established by the Singapore PDPA and parallel international statutes, processing is heavily reliant on your explicit, opt-in consent. We also process necessary interaction analytics under legitimate business interest exemptions specifically for cybersecurity defense and fraud prevention.

3. Strict Prohibition on Data Monetization

We maintain an absolute prohibition on the sale, rental, or unauthorized commercial leasing of your personal or physiological data to any third party. Furthermore, to comply with FTC regulations, we strictly forbid the unauthorized disclosure of your health information to external platforms for targeted advertising purposes. Disclosures are limited solely to essential, contractually bound infrastructure providers and clinical laboratories.

4. Cross-Border Infrastructure and Global Compliance

Because BioTRK operates as a transnational platform, your data may be cryptographically stored and processed in secure infrastructure across the United States and Singapore.

  • United States Compliance: BioTRK operates as a direct-to-consumer platform and is generally not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). Instead, we adhere to the FTC’s Health Breach Notification Rule (HBNR). We also enforce the stringent opt-in consent and anti-geofencing mandates of the Washington My Health My Data Act (MHMDA), and honor universal opt-out mechanisms and sensitive data deletion rights mandated by the California Privacy Rights Act (CPRA) and other emerging state laws.
  • Singapore Compliance: Biotrk PVT. LTD. adheres to the PDPA by ensuring all overseas data transfers meet a comparable standard of protection to Singaporean law. Additionally, we are actively aligning our cybersecurity and clinical data protocols with the strict requirements of the newly passed Health Information Bill, ensuring our infrastructure meets the highest national standards for healthcare data security.

5. HIPAA Compliance & Protected Health Information (PHI)

BioTRK takes the security of Protected Health Information (PHI) with the utmost seriousness. We have voluntarily adopted the Health Insurance Portability and Accountability Act (HIPAA) as our data protection standard, implementing the full spectrum of Technical, Administrative, and Physical Safeguards required by the HIPAA Security Rule (45 CFR §164.302–318).

All PHI is encrypted at rest using AES-256-GCM and in transit via TLS 1.2+. A comprehensive audit trail records every access, modification, and transmission of health data. Automatic session termination, strict input validation, rate limiting, and role-based access controls further ensure the confidentiality, integrity, and availability of your data. For a complete description of our compliance program, please visit our HIPAA Compliance & PHI Protection page.

6. Security Safeguards and Incident Response

BioTRK employs technical and administrative encryption protocols for data both in transit and at rest. In the highly improbable event of a systemic security failure, we are legally bound by rigorous reporting timelines. For individuals under US jurisdiction, we will notify affected users and the FTC without unreasonable delay, and strictly within 60 calendar days of discovery, as mandated by the FTC HBNR. For incidents affecting Singapore, any breach posing a risk of significant harm will be reported to the Personal Data Protection Commission (PDPC) and affected individuals within three calendar days.

7. Data Sovereignty and Individual Rights

You retain unassailable control over your digital footprint. Depending on your jurisdiction, you possess the right to:

  • Access a structured, portable copy of all collected health data.
  • Demand the rectification of inaccurate records.
  • Mandate the permanent cryptographic erasure of your data, subject only to superseding legal retention mandates.
  • Revoke previously granted consent for specific device integrations without prejudice to your foundational account access.

8. Information Lifecycle and Disposal

We retain your physiological data solely for the duration necessary to fulfill our service objectives. Upon account termination or a validated erasure request, BioTRK initiates secure disposal protocols to render the information permanently irretrievable, compliant with global data disposal mandates.

9. Contact the Data Protection Officer

To exercise your privacy rights, withdraw consent, or submit inquiries regarding our data stewardship, please contact the Data Protection Officer of Biotrk PVT. LTD. via email at hello@biotrk.io. We will process all authenticated requests within the timelines dictated by prevailing statutory laws.