Last Updated: December 1, 2025

GDPR Compliance Statement

Baiotek is committed to protecting personal data and to complying with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) for partners and users located within the European Union and the European Economic Area. This GDPR section supplements the Baiotek Privacy Policy and applies specifically to data subjects within the EU/EEA.

1. Data Controller vs Data Processor

For the purposes of GDPR:

  • Partners (wellness brands, clinics, supplement companies, or any organization integrating Baiotek technology) act as the Data Controllers.
  • Baiotek acts as the Data Processor, processing data on behalf of the Controller strictly for the agreed services.

This distinction means:

  • Controllers determine the purposes of processing and its essential means: what data is collected, why, and for how long.
  • Baiotek determines only the non-essential technical means of processing (for example, how scans are submitted to the AI models for interpretation) and otherwise acts on the Controller’s documented instructions, as Article 28(3)(a) requires.

2. Lawful Basis for Processing

Under GDPR, personal data may be processed only where a lawful basis under Article 6 applies. For Baiotek’s services, the relevant bases are:

  1. Consent (Article 6(1)(a)) – End users give consent through the Controller’s application; consent must be freely given, specific, informed, and as easy to withdraw as it was to give (Article 7).
  2. Contractual necessity (Article 6(1)(b)) – Processing is necessary to provide Baiotek’s diagnostic services to the end user.
  3. Legitimate interest (Article 6(1)(f)) – Baiotek may process limited technical data (for example, scan quality and calibration metadata) to maintain, secure, and improve the AI models, subject to a documented balancing test against the interests of the data subject. Where Baiotek decides these purposes itself, it acts as a Controller for that processing rather than as a Processor. Data that has been truly anonymized is no longer personal data and falls outside the GDPR.

Partners are responsible for identifying a valid lawful basis before collecting any personal data. Because AI-inferred biomarker results may amount to data concerning health, a special category under Article 9, Partners must also satisfy one of the Article 9(2) conditions (typically explicit consent, Article 9(2)(a)) for that data.


3. Categories of Data Baiotek Processes

Baiotek processes:

A) Technical & Device Data

  • Device type
  • System metadata
  • Scan quality indicators
  • Calibration parameters

B) Strip & Biomarker Data

  • Color and pixel patterns
  • AI-inferred biomarker results (hydration, pH, ketones, minerals, etc.)
  • Timestamp of scan

C) Limited Partner Contact Data

(Only for business clients; not end users)

  • Name, email, job role
  • Company details
  • Contract and billing information

Baiotek does not collect end-user names, emails, addresses, or identity data unless explicitly provided by a Partner.


4. Purposes of Processing

We process personal and technical data solely for:

  • Interpreting biomarker strips
  • Delivering results to end users (via the Partner interface)
  • Improving AI accuracy
  • Supporting Partners in using Baiotek technology
  • Maintaining security and fraud prevention
  • Meeting contractual and legal obligations

We never use identifiable user data for:

  • Marketing
  • Selling to third parties
  • Profiling
  • Automated decision-making that produces legal or similarly significant effects for the user (Article 22)

5. Data Storage & Retention

Baiotek stores data only for as long as necessary to:

  • Provide services to Partners
  • Improve diagnostic accuracy
  • Comply with legal requirements

Anonymized or aggregated biomarker data may be retained longer for research and model training. Such data is treated as anonymous only where individuals can no longer be identified by any means reasonably likely to be used (Recital 26); until that threshold is met, the data remains personal data and is subject to the retention limits above.

Partners may request:

  • Shorter retention windows
  • Immediate deletion
  • Custom data handling terms (via a Data Processing Agreement (DPA) under Article 28(3))

6. Data Subject Rights (EU Users)

GDPR grants Users the following rights:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (“right to be forgotten”) (Article 17)
  • Right to restrict processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

Since Baiotek is a Processor, Users should direct these requests to the Partner that collected their data. Baiotek will assist Partners in responding to valid requests, as required by GDPR Article 28(3)(e).


7. International Data Transfers

If biomarker scans or AI interpretations are processed outside the EU/EEA:

  • Baiotek relies on the European Commission’s Standard Contractual Clauses (SCCs, Decision (EU) 2021/914) as the transfer mechanism under Article 46(2)(c)
  • Supplementary technical measures (such as the encryption and pseudonymization described in Section 8) protect the data in the destination country
  • Partners may request documentation of the transfer safeguards

These measures are intended to meet the requirements of the CJEU’s Schrems II judgment (Case C-311/18), under which SCCs must be accompanied by an assessment of the destination country’s laws and by supplementary measures where that assessment identifies a risk.


8. Data Protection & Security Measures

Baiotek employs strong safeguards, including:

  • Encryption of data in transit and at rest (scan data is decrypted only within Baiotek’s processing environment, because the AI models must read it to interpret it)
  • Secure cloud hosting environments
  • Access control, authentication, and audit logs
  • Pseudonymization of sensitive data
  • Regular security reviews and model validation
  • Strict employee confidentiality requirements

Our security approach aligns with the integrity and confidentiality principle in GDPR Article 5(1)(f) and the security-of-processing obligations in Article 32.


9. Sub-Processors

Baiotek may use vetted sub-processors (e.g., cloud infrastructure or AI model hosts).

Each is bound by:

  • A GDPR-compliant contract
  • Confidentiality obligations
  • Security standards equal to or exceeding Baiotek’s own

Partners may request a full, up-to-date sub-processor list. Under Article 28(2), Baiotek may engage a new sub-processor only with the Partner’s prior general or specific written authorisation and must give notice of intended changes so that the Partner can object.


10. Breach Notification

In the event of a personal data breach affecting Partner data:

  • Baiotek will notify the Partner without undue delay after becoming aware of the breach (Article 33(2))
  • Provide the information the Partner needs to meet its own GDPR obligations, including the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken
  • Cooperate with investigations and remediation

Partners, as Controllers, remain responsible for notifying the supervisory authority within 72 hours where required (Article 33(1)) and for informing affected Users where the breach is likely to result in a high risk to their rights and freedoms (Article 34).


11. Contact Information for GDPR & Data Protection

For GDPR, privacy, or data protection questions, please contact us via our contact form.