Privacy policy

Preamble

Singular Lab SAS (hereinafter "Singular", "we", "our" or "us") places fundamental importance on protecting your personal data and your privacy.

The purpose of this privacy policy is to inform you clearly, completely and transparently about how we collect, use, store and protect your personal data when you use our nutritional personalization platform.

Regulatory qualification: Singular is a nutritional personalization service for wellness purposes. It is not a medical device within the meaning of Regulation (EU) 2017/745 and does not in any way constitute a medical diagnostic tool, a substitute for medical consultation, or a medication prescription service. The products offered are dietary supplements within the meaning of Directive 2002/46/EC.

1. Definitions

To facilitate understanding of this policy, the following terms are defined:

"Personal data": any information relating to an identified or identifiable natural person (Art. 4 GDPR).
"Health data": personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about the state of health of that person (Art. 4.15 GDPR).
"Processing": any operation performed on personal data (collection, recording, organization, storage, modification, retrieval, consultation, use, etc.).
"Data controller": the natural or legal person who determines the purposes and means of processing personal data.
"Processor": the natural or legal person who processes personal data on behalf of the data controller.
"HDS": Health Data Host (Hébergeur de Données de Santé), a French certification required for hosting health data (Art. L1111-8 French Public Health Code).
"EEA": European Economic Area (European Union + Iceland, Liechtenstein, Norway).
"GDPR": General Data Protection Regulation, Regulation (EU) 2016/679.

2. Data Controller

The data controller for your personal data is:

Company name: Singular Lab SAS;
Legal form: Simplified Joint-Stock Company (Société par Actions Simplifiée);
Trade Register: Paris 999 248 701;
EU VAT number: FR12 999 248 701;
Registered office: 60 rue François 1er, 75008 Paris, France;
Legal representative: Kilian Füg, President.

2.1. Data Protection Officer (DPO)

In accordance with Article 37 of the GDPR, and given the large-scale processing of health data, we have appointed a Data Protection Officer whom you can contact for any questions regarding your personal data:

Email: dpo@singularlab.com;
Postal address: Singular Lab SAS - DPO, 60 rue François 1er, 75008 Paris, France.

3. Personal Data Collected

As part of our service, we collect different categories of personal data. We apply the principle of data minimization (Art. 5.1.c GDPR): we only collect data that is strictly necessary for the purposes described below.

3.1. Identification and Contact Data

Email address (required for account creation);
First name (required for personalization);
Last name (optional);
Delivery address (required for orders);
Billing address (required for orders).

3.2. Health Data (special category - Art. 9 GDPR)

Important: This data is subject to enhanced protection and its processing requires your explicit consent.

Biological biomarkers: Numerical values extracted from your blood tests (vitamins, minerals, hormones, etc.), units of measurement, laboratory reference ranges;
Nutritional profile questionnaire: Biological sex, age range, wellness goals, declared particular conditions (pregnancy, food allergies, restrictions), lifestyle;
Personalized interpretations: Categorization data and reference ranges for your nutritional profile;
Nutritional formulations: Personalized composition of your dietary supplement formula (ingredients, dosages).

3.3. Transaction Data

Order and subscription history;
Payment status;
Transaction identifiers (complete banking data is processed directly by our PCI-DSS certified payment provider and is never stored on our servers).

3.4. Technical and Navigation Data

IP address (anonymized for statistics);
Browser type and operating system;
Pages visited and connection timestamps;
Technical cookies necessary for service operation.

3.5. Data We Do NOT Collect

For minimization and privacy protection purposes:

Original documents: PDF or image files of your blood tests are immediately deleted after extraction of numerical values. We never retain your original documents.
Social security number;
Complete date of birth: We only ask for your birth year or age range;
Complete banking data: Processed exclusively by our certified payment provider.

4. Legal Bases for Processing

In accordance with the GDPR, all processing of personal data must be based on a legal basis. Here are the legal bases applicable to our processing:

4.1. Explicit Consent (Art. 9.2.a GDPR)

For the processing of your health data, we collect your explicit, freely given, specific, informed and unambiguous consent. This consent is required for:

Analysis of your blood tests and biomarker extraction;
Generation of personalized interpretations of your nutritional profile;
Creation of dietary supplement formulations tailored to your profile.

You can withdraw your consent at any time from your account settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

4.2. Performance of Contract (Art. 6.1.b GDPR)

Some processing is necessary for the performance of our contract with you:

Creation and management of your user account;
Processing of your orders and subscriptions;
Delivery of your personalized products;
Sending transactional emails (order confirmations, delivery tracking, authentication magic links);
Customer service.

4.3. Legal Obligation (Art. 6.1.c GDPR)

We are required to retain certain data to comply with our legal obligations:

Retention of invoices and accounting data (10 years - Art. L123-22 French Commercial Code);
Traceability of health data access (1 year - HDS Reference Framework);
Retention of connection logs (1 year - LCEN).

4.4. Legitimate Interest (Art. 6.1.f GDPR)

In limited cases, we process data based on our legitimate interest:

Security of our information system (fraud prevention, intrusion detection);
Continuous improvement of our services (anonymized statistics).

5. Processing Purposes

Your personal data is processed for the following purposes:

5.1. Analysis of Your Blood Tests

Legal basis: Explicit consent
Description: Automated extraction of biomarker values from your blood tests to establish your nutritional profile. Original files are immediately deleted after extraction.
Retention period: Biomarkers retained for the duration of your account + 3 years.

5.2. Generation of Personalized Interpretations

Legal basis: Explicit consent
Description: Categorization of your biomarkers and association with reference ranges (laboratory and scientific literature) to visualize your nutritional profile. This data does not constitute a medical diagnosis.
Retention period: Duration of your account + 3 years.

5.3. Formulation of Nutritional Recommendations

Legal basis: Explicit consent
Description: Generation of a personalized dietary supplement formula tailored to your biological profile and questionnaire responses.
Retention period: Duration of your account + 3 years.

5.4. Management of Your User Account

Legal basis: Performance of contract
Description: Creation, secure authentication (magic links) and management of your personal space.
Retention period: Duration of the business relationship + 3 years.

5.5. Payment and Subscription Management

Legal basis: Performance of contract / Legal obligation
Description: Processing of your payments via our PCI-DSS certified provider, management of recurring subscriptions, invoice issuance.
Retention period: 10 years for billing data (legal obligation).

5.6. Transactional Emails

Legal basis: Performance of contract
Description: Sending service-related communications (authentication, order confirmations, delivery tracking, important notifications).
Data concerned: Email and first name only. No health data is ever included in emails.

5.7. Security and Audit

Legal basis: Legal obligation (HDS Reference Framework) / Legitimate interest
Description: Traceability of health data access, anomaly detection, security incident prevention.
Retention period: 1 year for audit logs.

6. Recipients and Processors

Your personal data may be transmitted to the following categories of recipients, in strict compliance with the GDPR and under appropriate contractual conditions (Art. 28 GDPR).

6.1. Processors for Health Data (HDS scope)

HDS-certified host (European Union - France): Secure storage of your health data, databases, application servers;
Document recognition provider (European Union): Extraction of numerical values from your blood tests through optical character recognition;
Anonymization provider (European Union): Masking of personally identifiable information before processing by artificial intelligence;
Artificial intelligence provider (European Union): Structured extraction of biomarkers from anonymized blood tests.

6.2. Processors Outside Health Data Scope

PCI-DSS certified payment provider (European Union): Secure processing of bank transactions. This provider never receives health data.
Transactional email provider: Sending notifications and authentication emails. Only email and first name are transmitted, never health data.
Logistics provider (European Union): Label printing and product shipping. Receives only delivery address and formula composition (which does not allow reconstruction of your biological data).

6.3. Contractual Guarantees

All our processors are bound by:

Processing contracts compliant with Article 28 of the GDPR;
Data Processing Agreements (DPA) detailing their obligations;
Appropriate security certifications (HDS, ISO 27001, SOC 2, PCI-DSS depending on their field of activity).

6.4. No Sale of Data

We never sell your personal data to third parties. Your data is never transmitted for advertising or marketing purposes by third parties.

7. Data Transfers Outside the European Economic Area

7.1. Principle: Your Health Data Stays in Europe

Your health data (biomarkers, health questionnaire, interpretations, formulations) never leaves the European Economic Area. All our processors handling health data are located in the European Union and use European infrastructure.

7.2. Exception: Technical Providers

Certain auxiliary technical providers (particularly for transactional emails) may be located outside the EEA, notably in the United States.

Safeguards in place:

Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision 2021/914);
Transfer impact assessment in accordance with EDPB recommendations;
Additional technical measures (encryption, minimization).

Data concerned: Only email address and first name. No health data is ever transferred outside the EEA.

8. Health Data Hosting (HDS)

In accordance with Article L1111-8 of the French Public Health Code, hosting personal health data collected during care activities or medical-social monitoring requires specific certification.

8.1. Certified Host

Your health data is hosted with an HDS-certified provider, located in France (Paris region). This certification guarantees:

A security level compliant with HDS certification requirements;
Regular audits by accredited organizations;
Compliance with ISO 27001 standards (information security);
Traceability of health data access.

8.2. Technical Security Measures

Encryption at rest: All health data is encrypted with AES-256 algorithm;
Encryption in transit: All communications use TLS 1.2 protocol or higher;
Antivirus analysis: All uploaded files are systematically analyzed before processing;
Anonymization: Your data is anonymized (masking of identifying information) before any processing by artificial intelligence;
Immediate deletion: Original files of your blood tests are immediately deleted after value extraction.

8.3. Organizational Security Measures

Restricted access: Only strictly authorized personnel can access health data;
Enhanced authentication: Multi-factor authentication (MFA) mandatory for administrative access;
Granular access control: Role-based system (RBAC) limiting access to what is strictly necessary;
Audit trail: Logging of all health data access;
Training: Regular staff awareness training on data protection.

9. Retention Periods

We retain your personal data only for the duration necessary for the purposes for which it was collected, in compliance with applicable legal obligations.

Data Type	Retention Period	Legal Basis
Original files (blood test PDFs)	Immediate deletion after extraction	Minimization (Art. 5.1.c GDPR)
Biomarkers, interpretations, formulations	Duration of account + 3 years	Art. L1111-7 French Public Health Code
Account data (email, name, addresses)	Duration of relationship + 3 years	Civil statute of limitations
Billing data	10 years	Art. L123-22 French Commercial Code
Audit logs (health data access)	1 year	HDS Reference Framework
Connection logs	1 year	LCEN
Authentication links (magic links)	20 minutes	Security
User sessions	30 days	Performance of contract

At the expiration of these periods, your data is deleted or irreversibly anonymized.

10. Your Rights

In accordance with the GDPR (Articles 15 to 22), you have the following rights over your personal data:

10.1. Right of Access (Art. 15)

You can obtain confirmation that data concerning you is (or is not) being processed, and access this data as well as information about the processing.

10.2. Right to Rectification (Art. 16)

You can request correction of inaccurate data or completion of incomplete data.

10.3. Right to Erasure - "Right to be Forgotten" (Art. 17)

You can request deletion of your personal data in cases provided by the GDPR (withdrawal of consent, data no longer necessary, etc.). This right may be limited by our legal retention obligations.

10.4. Right to Restriction of Processing (Art. 18)

You can request restriction of processing of your data in certain circumstances (contesting accuracy, unlawful processing, etc.).

10.5. Right to Data Portability (Art. 20)

You can receive your data in a structured, commonly used and machine-readable format (JSON), and transmit it to another data controller.

10.6. Right to Object (Art. 21)

You can object at any time to processing of your data based on legitimate interest, for reasons relating to your particular situation.

10.7. Right to Withdraw Consent

When processing is based on your consent, you can withdraw it at any time. This withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

10.8. Right to Define Post-Mortem Directives

You can define directives relating to the retention, erasure and communication of your data after your death.

10.9. How to Exercise Your Rights?

You can exercise your rights in several ways:

By email: dpo@singularlab.com;
By mail: Singular Lab SAS - DPO, 60 rue François 1er, 75008 Paris, France.

We will respond to your request within a maximum of 30 days from receipt. This period may be extended by two months in case of complex requests, in which case we will inform you.

For security reasons, we may ask you to prove your identity before processing your request.

11. Right to Lodge a Complaint

If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with the competent supervisory authority.

In France, the competent authority is the Commission Nationale de l'Informatique et des Libertés (CNIL):

Website: www.cnil.fr/plaintes;
Address: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France;
Phone: +33 1 53 73 22 22.

We encourage you, however, to contact us first in order to find an amicable solution to any difficulty.

12. Cookies and Trackers

12.1. Strictly Necessary Cookies

These cookies are essential for the operation of the website and cannot be disabled. They are generally only set in response to actions you take that amount to a request for services.

Session cookie: Maintaining your secure connection;
CSRF cookie: Protection against cross-site request forgery attacks;
Preferences: Language, cookie consent.

12.2. Analytics Cookies

We use a self-hosted, privacy-friendly analytics solution that does not require prior consent because:

IP addresses are anonymized;
No cross-site tracking cookies are set;
Data is not transmitted to third parties;
The solution complies with CNIL recommendations.

12.3. Advertising Cookies

We do not use any advertising or commercial tracking cookies.

13. Important Warnings

13.1. Nature of the Service

Singular is a nutritional personalization service for wellness purposes. It is not a medical device within the meaning of Regulation (EU) 2017/745 and does not in any way constitute:

A medical diagnostic tool;
A substitute for medical consultation;
A medication prescription service.

13.2. Dietary Supplements

The products offered are dietary supplements within the meaning of Directive 2002/46/EC, i.e., foodstuffs intended to supplement a normal diet. They are not medicines and are not intended to diagnose, treat, cure or prevent any disease.

13.3. Medical Recommendation

In case of symptoms, known pathology, ongoing medical treatment, pregnancy or breastfeeding, we recommend consulting your doctor or a healthcare professional before starting any supplementation.

13.4. Personalized Interpretations

The interpretation texts generated by our service are provided for informational purposes and aim to contextualize your nutritional profile. They do not replace personalized medical advice and do not constitute a medical diagnosis.

14. Changes to This Policy

We may modify this privacy policy to reflect changes in our practices or applicable regulations. In case of substantial modification:

We will notify you by email and/or by a notification in your personal space;
The "last updated" date will be updated at the top of this page;
For modifications affecting the processing of your health data, we will request new consent if necessary.

We invite you to regularly consult this page to be aware of any changes.

15. Contact

For any questions regarding this privacy policy or your personal data:

DPO Email: dpo@singularlab.com;
General Email: contact@singularlab.com;
Postal Address: Singular Lab SAS, 60 rue François 1er, 75008 Paris, France.

16. Reference Texts

GDPR: Regulation (EU) 2016/679 of April 27, 2016;
French Data Protection Act: Law No. 78-17 of January 6, 1978 as amended;
French Public Health Code: Articles L1111-7 and L1111-8 (health data, HDS);
LCEN: Law No. 2004-575 of June 21, 2004 (connection data retention);
French Commercial Code: Article L123-22 (retention of accounting documents);
Directive 2002/46/EC: On dietary supplements;
Regulation (EC) 1924/2006: Nutrition and health claims.

Last updated: January 23, 2026 - Version 1.0