BioForge

Privacy Policy

Last updated: June 2026

1. Data Controller

BioForge is a product of A-X Software ("we," "us," or "our"). A-X Software is the data controller responsible for processing your personal data as described in this Privacy Policy.

Data Protection Officer: For any data protection inquiries, please contact our DPO at dpo@bioforge.science.

2. Categories of Data Collected

BioForge collects and processes the following categories of personal data:

  • Account Information: Name, email address, and authentication credentials required to create and maintain your account.
  • Training Data: Activity recordings, workout sessions, training programs, completed sessions, GPS tracks, heart rate data, power data, and performance metrics synced from connected devices and platforms (e.g., Garmin Connect, Intervals.icu).
  • Health Records: Medical conditions, medications, allergies, and other health information you choose to provide.
  • Genetic Data: Genomic data uploaded from services such as 23andMe or AncestryDNA, including single nucleotide polymorphisms (SNPs), variant classifications, risk profiles, and pharmacogenomic information.
  • Blood Work: Blood test results, biomarker values, reference ranges, and historical trends from laboratory panels you upload.
  • Microbiome Data: Gut microbiome composition profiles, diversity scores, and taxonomic distributions from microbiome testing services.
  • Wellness Data: Heart rate variability (HRV), sleep metrics, mood indicators, readiness scores, Body Battery, and other wellness markers synced from wearable devices.
  • Device and Usage Data: Browser type, IP address, device identifiers, and usage patterns necessary for service operation and security.

3. Special Category Data (Article 9 GDPR)

BioForge processes special category data as defined by Article 9 of the GDPR, including:

  • Genetic data (genomic variants, risk profiles, pharmacogenomics)
  • Health data (blood work, medical conditions, medications, microbiome composition)
  • Biometric data (heart rate variability, physiological metrics from wearable devices)

We process this data exclusively on the basis of your explicit consent (Article 9(2)(a) GDPR). You provide this consent when you voluntarily upload health data to the platform. You may withdraw consent at any time by deleting the relevant data or contacting our DPO.

4. Purposes of Processing

We process your personal data for the following purposes:

  • Providing and operating the BioForge platform and its features
  • Cross-domain health analysis using AI (genetics, blood work, microbiome, training, and wellness)
  • Generating personalized training programs and recommendations
  • AI coach interactions and health insights
  • Scientific claim extraction and verification from user-provided content
  • Syncing data from connected devices and third-party platforms
  • Account management and authentication
  • Service improvement and bug resolution
  • Compliance with legal obligations

5. Legal Bases for Processing

  • Explicit Consent (Art. 6(1)(a) and Art. 9(2)(a)): For processing health, genetic, and biometric data. You provide consent when uploading this data and may withdraw it at any time.
  • Performance of Contract (Art. 6(1)(b)): For providing the core BioForge service, including training programs, session analysis, and AI coaching.
  • Legitimate Interest (Art. 6(1)(f)): For account management, service security, abuse prevention, and service improvement. Our legitimate interests do not override your fundamental rights and freedoms.
  • Legal Obligation (Art. 6(1)(c)): For compliance with applicable laws and regulations, including data protection law.

6. Recipients and Sub-Processors

We share your data only with the following categories of sub-processors, strictly for service operation:

RailwayUS (Standard Contractual Clauses in place)

Backend hosting and database infrastructure

VercelUS (Standard Contractual Clauses in place)

Frontend hosting and content delivery

Anthropic (Claude)US (Standard Contractual Clauses in place)

AI-powered health analysis and coaching. Zero-retention policy: data is processed in real-time and not stored or used for model training.

Voyage AIUS (Standard Contractual Clauses in place)

Vector embeddings for knowledge base semantic search. Processes text excerpts only, not raw health data.

We do not sell your data to any third party. We do not share your data for advertising or marketing purposes with any third party.

7. International Transfers

Some of our sub-processors are located in the United States. For these transfers, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal mechanism to ensure an adequate level of data protection. We assess the data protection practices of all sub-processors before engagement and on an ongoing basis.

8. Retention Periods

  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
  • Training and wellness data: Retained for the duration of your account. Exportable and deletable at any time.
  • Health data (blood work, genetic, microbiome): Retained for the duration of your account or until you delete specific records. Individual records can be deleted independently.
  • AI processing data: Not retained. Anthropic's Claude processes data in real-time with zero retention.
  • Server logs: Retained for up to 90 days for security and debugging purposes.

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): You can request a copy of all personal data we process about you.
  • Right to Rectification (Art. 16): You can request correction of inaccurate personal data.
  • Right to Erasure (Art. 17): You can request deletion of your personal data. We will comply without undue delay unless we have a legal obligation to retain it.
  • Right to Data Portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format.
  • Right to Restriction (Art. 18): You can request that we restrict processing of your data in certain circumstances.
  • Right to Object (Art. 21): You can object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority.

To exercise any of these rights, contact our DPO at dpo@bioforge.science. We will respond within 30 days.

10. AI Processing Transparency

BioForge uses Large Language Models (LLMs) for the following purposes:

  • Cross-domain health analysis (correlating genetics, blood work, microbiome, training, and wellness data)
  • Generating personalized training programs and recommendations
  • AI coaching conversations with full health context
  • Scientific claim extraction and verification
  • Session analysis and performance insights

Data shared with the LLM: Only aggregate fitness metrics computed within BioForge's own infrastructure (training-load indices such as TSS, ATL, CTL and TSB; recovery trends; weekly volume and zone distributions; periodization variables) and non-device health context (blood work summaries, genetic insights, microbiome composition, health records and aggregated wellness markers) are transmitted to the LLM provider's API for real-time analysis when you request coaching, recommendations or insights.

Coach Chat and health-analysis features: When you interact with the in-app Coach or trigger a cross-domain health analysis, we additionally transmit the medical context required for safe personalization — including diagnosed medical conditions, current medications (name, dose and frequency), known allergies, flagged blood-work markers (value and reference range), microbiome diversity scores, and a 14-day rolling window of wellness entries (sleep, HRV, mood, soreness).

Genetic analysis: When you request a genetic analysis, we transmit your variant data (genotypes, gene symbols, dbSNP/RSID identifiers, functional impact scores) and category-level phenotype assessments to the LLM provider. Generated interpretations are cached on our infrastructure and are not re-transmitted on subsequent requests.

Sports-product photos in Coach chat: If you attach a photo to a Coach message, the image is transmitted to the LLM provider for visual analysis. We restrict image analysis to sports-related products (supplement and nutrition labels, energy gels and bars, sports drinks, hydration products, training apparel, race bibs, training equipment) via an automated pre-classification step. Images are not stored after analysis. Please do not attach photos showing personally identifying information, medical documents, other people, or any content unrelated to sports nutrition or training equipment.

Personal identifiers: Only your first name, age, weight, height, sex, experience level, dietary preference and race goal are transmitted as athlete context. We never transmit your email address, surname, postal address, phone number, payment information or precise location to the LLM provider.

Data obtained via third-party device APIs: Raw data obtained via third-party device APIs — including, without limitation, the Garmin Connect Developer Program API — is nevershared with, processed by, or otherwise made available to any external AI provider. This applies to raw activity records, individual session details, splits and lap data, GPS tracks, heart-rate samples, beat-to-beat intervals (BBI), power, cadence, sleep-stage details and any other field obtained directly via such APIs. Raw device data is processed exclusively within BioForge's own infrastructure for the purposes of computation, display and storage. Only aggregate metrics derived from this data within BioForge may subsequently be shared with the LLM.

LLM provider data handling: The LLM processes data in real time and returns results. Under our contractual terms with the LLM provider, your data is not retained after processing and is never used to train AI models.

Genomic foundation model: In addition to the LLM described above, BioForge uses Evo 2 — a genomic foundation model served by NVIDIA via the NVIDIA BioNeMo NIM API — to score the predicted functional impact of individual genetic variants and to generate variant embeddings. Only short DNA sequence windows derived from your uploaded variants (reference allele, alternate allele and the surrounding genomic context) are transmitted; no athlete identifier accompanies these sequences. Inference is real-time and the request is governed by NVIDIA's NIM API terms.

No automated decision-making: BioForge provides AI-generated recommendations and insights, but does not make automated decisions that produce legal or similarly significant effects. All recommendations are advisory in nature.

11. Cookies

BioForge uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking cookies, or analytics cookies. For more details, see our Cookie Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting a notice on the platform or sending you an email. The "Last updated" date at the top of this policy indicates when it was last revised.

13. Contact

Data Protection Officer: dpo@bioforge.science

Security Team: security@bioforge.science

General Contact: support@bioforge.science