Privacy Policy
Last Updated: June 2026
This Privacy Statement relates to the processing of your personal data as part of the services that Optimize B.V. ("we" or "us") provides to you through the Optimize app (hereinafter the "App"). Optimize has its registered office at Keizersgracht 285, 1016 ED Amsterdam, the Netherlands, and is registered in the register of the Dutch Chamber of Commerce under number 93488866.
This privacy notice explains how we collect, use, share, and protect personal data in the course of our business activities. It is intended for all external individuals whose personal data we process ("you", "your").
Optimize highly values your privacy. Therefore, we use this statement to inform you about the personal data we collect about you as part of the services we provide to you through the App, the purposes for which we do so, the parties with whom we share your personal data, how we handle your personal data and what rights you have.
Personal Data and Purposes
We process the following categories of personal data about you for the following purposes:
- Administrative data, such as name, (e-mail) address, date of birth, phone number, payment data (such as IBAN or credit card number), in-app wallet value, user-id, preferred language, push notification token, credit balance and account status:
- So that we can provide you with our services in the App, including by creating and managing user accounts for the Optimize App, authentication, management of profile, address and notification settings, and administration of business customer accounts; and to enable you to purchase laboratory tests and app credits.
- To facilitate scheduling laboratory tests and scheduling blood collection appointments at partner collection sites; tracking appointment status; and collecting your feedback (reviews) on completed appointments.
- Sending service-related e-mails to end users (such as appointment confirmations, lab result notifications and invoice confirmations).
- To handle payments for tests, bundles and business wallet top-ups; generating and storing invoices; and administering vouchers and credits.
- Health data (some of which is sensitive personal data), such as the results of your blood tests, biomarker values, your fitness and exercise habits, diet, sleep patterns, wearable device data, and any medical or health-related information you choose to provide (for example, current medications or conditions):
- To provide you personalised lifestyle advice that helps you achieve your selected lifestyle goals.
- To generate understandable interpretations of your blood values and making them available to you by translating them into personalised insights and recommendations in an understandable format.
- Executing your personal 12-week lifestyle programme by assigning actions to you, following up on your progress, and adjusting the programme weekly based on your self-reported input.
- This personal data may be provided to us by you yourself and (at your request) through third parties such as Apple Health, Fitbit and Whoop.
- We process this only with your explicit consent to give you personalised lifestyle advice as part of the service and you may withdraw your consent at any time.
- Technical and usage data (such as application error logs, audit logs of in-app interactions, and device and usage information including cookie identifiers):
- Operating our marketing website and mobile app, including by placing necessary cookies on your device.
- Creating and managing user accounts for the Optimize app; authentication; managing user account and notification settings.
- We process this data to maintain and improve the security, stability and performance of our App and website. When we use non-essential tracking or analytics cookies on our website, we do so only with your consent, which you can withdraw at any time.
If you have consented to the processing of your personal data, you may withdraw your consent at any time. As it is not possible for us to provide the services to you in that case, you can only withdraw your consent by terminating service. For individual components, such as notifications or links to external sources, you may withdraw your consent separately. This preserves the lawfulness of the processing of your personal data prior to the withdrawal of consent.
Our services are intended exclusively for individuals aged 18 or older. We do not knowingly process personal data of minors, including special categories of personal data. If we become aware that personal data of a minor has been processed, we will delete such data without undue delay.
Legal Bases for the Processing of Your Personal Data
| Legal basis | Processing purpose |
|---|---|
| Article 6(1)(b): Performance of a contract | Creating and managing your Optimize App account and providing the App's services to you, including enabling you to make purchases (e.g. buying credits for tests); and sending necessary service communications (like appointment confirmations and other in-app notifications relevant to you). |
| Article 6(1)(b): Performance of a contract and Article 9(2)(a): Explicit consent (for special-category data) | Facilitating the health-related services you request: for example, requesting and scheduling your blood tests and lab appointments; receiving, matching and storing your lab results; integrating your lifestyle and wearable data (e.g. activity, sleep, heart rate) into your profile; and analysing your biomarker results and other health data to provide personalised lifestyle advice. |
| Article 6(1)(c): Compliance with a legal obligation | Meeting our legal obligations, for instance, retaining and sharing our invoices and payment records for tax and (mandatory) financial audit compliance purposes. |
| Article 6(1)(f): Legitimate interest | Operating, securing and improving our App and website, for example, logging application errors for stability and using essential cookies that enable site/app functionality (which do not require consent). We rely on our legitimate interest in maintaining a secure and effective service for these purposes. |
| Article 6(1)(a): Consent | Conducting optional processing with your consent, for example, placing non-essential (tracking/analytics) cookies on your device to analyse website use, including to be shared with third parties for marketing purposes. |
With Whom Will Your Personal Data Be Shared?
Your privacy is a priority for us. We take your privacy very seriously and handle your personal data with the utmost care and confidentiality.
We engage third-party service providers to support the provision and operation of our services. Depending on the circumstances, such parties may act as processors or sub-processors, processing personal data on our behalf and in accordance with our instructions. These service providers may operate within one or more of the following categories:
- Laboratory and healthcare partners (including laboratories and collection services);
- Health data integration services (e.g. integration of wearable or third-party health data);
- AI-based analysis and personalisation services;
- Payment service providers; and
- Analytics and monitoring services.
A current overview of the third parties engaged by us, including further details on their role and the nature of the processing activities, is available on our sub-processors page.
We ensure that all processors and sub-processors are subject to appropriate contractual safeguards, including data processing agreements where required, and that they implement adequate technical and organisational measures to protect personal data in accordance with applicable data protection laws.
International Data Transfers
Most of your personal data is processed and stored within the European Economic Area (EEA). In some cases, however, we may (in the future) share personal data with third parties located outside the EEA, for example in the United States or the United Kingdom, where this is necessary to provide our services.
Where personal data is transferred to a country outside the EEA to a "third country", we ensure that the transfer takes place in accordance with the GDPR and that an appropriate and lawful transfer mechanism is in place to safeguard your data and ensure an adequate level of protection. Depending on the circumstances, this may include reliance on lawful transfer mechanisms such as an adequacy decision adopted by the European Commission or the use of Standard Contractual Clauses (SCCs) approved by the European Commission.
You may contact us at any time if you would like more information about international data transfers or the safeguards that apply in a specific case.
What Do We Do With Your Data?
How does your lifestyle advice come about? We provide our services by combining your health data and lifestyle preferences. We analyse this information to show you your test results, build your health profile, and provide you with targeted notifications, recommendations and advice through the App. In providing these personalised insights, we use automated analysis, including artificial intelligence ("AI"), to interpret your biomarker results and other inputs. The AI model generates tailored explanations and lifestyle recommendations for you. This automated analysis can highlight areas for improvement in your health and habits, but it does not constitute a medical diagnosis or medical advice and does not involve any decisions that have legal or similarly significant effects on you. For clarity, the Optimize services are not intended to diagnose, treat, cure or prevent any disease or medical condition.
We apply data minimisation, data separation and pseudonymisation while we provide our services to you. In order to protect your personal data, we maintain separate databases: one containing personal identifiers (such as your name, e-mail address, date of birth and contact details), and one containing your health data. These datasets are linked through a unique user ID and a private key that is only accessible to Optimize.
As a result, your health data is pseudonymised while your account is active, as it can only be linked back to you by Optimize using this key, and is not directly identifiable to third parties.
When you delete your account, we delete the database containing your personal identifiers. As a result, the remaining health data can no longer be linked back to you by Optimize or any third party. From that moment onwards, this data is considered anonymised, as there are no reasonable technical or legal means available to re-identify you.
In assessing whether data is anonymised, we take into account all means reasonably likely to be used to identify an individual, including the available technology, the costs and time required, and any legal restrictions. Where such means are not reasonably available, the data is treated as anonymous. Once your personal data is anonymised, it is no longer possible for us to delete it if you request deletion.
Retention Periods
We will not keep your personal data for longer than necessary for the purposes for which it was collected. In most cases, this means that we keep the data until you delete your account or terminate the agreement. We will then delete your personal data from our systems one year after your account is deleted. Data already processed in anonymised form will be retained. In certain cases, we are required by law to keep specific data for longer. For example, we keep your payment details in our records for seven years for tax compliance reasons.
Since you may want to see your blood results again because you need them for medical reasons, we store the results of blood diagnostics through our lab partner for one year after you delete your account. You may request those details by sending an e-mail to privacy@optimizelifestyle.io.
Security of Your Personal Data
We have taken technical and organisational measures to adequately secure your personal data against loss or any other form of unlawful processing.
Your personal data is stored encrypted. Reports and other static files are protected separately according to current encryption standards (AES-256).
Access to the App is fully protected. Your identity is first verified using OAuth 2.0 with proof key for code exchange ("PKCE"), after which your data can only be accessed using biometric authentication (such as Face ID or Touch ID) or a personal access code.
We also apply data minimisation, data separation and pseudonymisation. In the interest of optimal data protection, we maintain two separate databases: one containing personal identifiers (e.g. your name, e-mail, phone number, date of birth, and address), and one containing your health data. These two datasets can only be combined by using a unique user ID together with a private key that only Optimize possesses. Without this key, no third party (including any service provider or a malicious actor in the event of a security breach) can directly identify you from the health data alone. In effect, the health data stored separately is pseudonymised and not meaningful to anyone without the key. Only Optimize can re-link this information, so the health data only qualifies as "personal data" once it is combined with your personal identifiers by us.
We apply the principles of privacy by design and privacy by default when developing and maintaining the App. Our technical and organisational security measures are aligned with current best practices and recognised standards, including ISO/IEC 27001 (information security), the OWASP Mobile Security Guidelines and the principles and recommendations of the Dutch Data Protection Authority.
Amendments
We may amend this Privacy Statement from time to time. If we do, we will notify you. You may always — i.e. including after such an amendment — decide to stop using the App.
Your Rights
Under the GDPR and relevant data protection laws, you have a range of rights regarding your personal data. We respect these rights and have processes in place to enable you to exercise them. These rights include:
- Right to access: you have the right to request confirmation as to whether we are processing your personal data, and if so, to request a copy of the personal data we hold about you.
- Right to rectification: you have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to erasure: you have the right to request deletion of your personal data in certain circumstances (the "right to be forgotten"). This right is not absolute — sometimes we must retain certain data to comply with legal obligations or to establish or defend legal claims.
- Right to restrict processing: you have the right to request that we suspend or limit the processing of your personal data in certain scenarios.
- Right to data portability: for data that you have provided to us and that we process by automated means based on your consent or on a contract with you, you have the right to request a copy in a structured, commonly used, machine-readable format (and you have the right to transmit that data to another controller, or have us transfer it, where technically feasible).
- Right to object: you have the right to object to our processing of your personal data where we rely on legitimate interests, and an absolute right to object to processing for direct marketing purposes.
- Right to withdraw consent: where we process your personal data based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing conducted before your withdrawal.
These rights are not absolute. For instance, we might not erase data that we are required by law to keep, or we might not grant access to information that includes others' personal data. We will assess your request in accordance with the GDPR. This means that we will first have to verify your identity on the basis of your proof of identity. As soon as possible and in any case within one month of your access request, we will provide you with information on the actions we have taken. We may extend this deadline by two months due to the complexity or the number of requests we receive; in that case, we will notify you.
You have the right to file a complaint with the Dutch Data Protection Authority at any time. To exercise your rights, you may send an e-mail to privacy@optimizelifestyle.io.
Cookies
We use functional and analytical cookies. A cookie is a small file that is stored on your computer, tablet or smartphone when you first visit or use our App or website.
Functional cookies perform a purely technical function. These cookies are necessary to ensure that the App and website function properly and that, for example, your preferences are remembered. These cookies do not require your consent.
We may also use analytical cookies to obtain insights into the use of our App and website and to improve our services. Where these analytical cookies have limited impact on your privacy (for example, where data is aggregated or anonymised), they may be used without consent where permitted by applicable law. In all other cases, including where analytical or tracking technologies involve the processing of personal data that is not strictly necessary, we will request your prior consent via the App or website. Where we use cookies or similar technologies for marketing or tracking purposes, we will always request your prior consent.
Contact
If you have any questions about this Privacy Statement, please contact us by sending an e-mail to privacy@optimizelifestyle.io.
Optimize has appointed a Data Protection Officer ("DPO"). The Data Protection Officer can be contacted for any questions, requests or concerns relating to the processing of your personal data, including the exercise of data subject rights, via the contact details set out above.