HealthBites
Privacy Policy
Effective Date: 13 March 2026 | Last Updated: 13 March 2026
1. Introduction
HealthBites ("we", "us", or "our") is a digital health platform developed by BiteLabs Digital Health, Ireland. HealthBites provides AI-powered chronic condition self-management support through personalised micro-lessons, habit-building challenges, behavioural nudges, and weekly check-ins.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the HealthBites application (the "App"). We are committed to protecting your privacy in accordance with:
- The EU General Data Protection Regulation (GDPR) 2016/679
- The Data Protection Act 2018 (Ireland)
- The Irish Health Research Regulations 2018
- The ePrivacy Regulations (SI 336 of 2011, as amended)
By using HealthBites, you agree to the collection and use of information as described in this policy.
2. Who We Are (Data Controller)
Organisation: Health Bites Limited
Address: Ireland
Email: john@healthbites.ie
Data Protection Officer: To be appointed — contact us at john@healthbites.ie with any data protection queries in the interim.
If you have any questions about this policy or how your data is handled, please contact us at the email address above.
3. Data We Collect
3.1 Information You Provide
- Account registration details: name, email address, date of birth
- Goals, preferences, and self-reported check-in responses
- Communications you send us (e.g. support messages)
3.2 Data Generated Through App Use
- Engagement data: lessons completed, challenges attempted, nudge responses
- Habit and behaviour tracking inputs
- Device information: device type, operating system, app version
- Usage analytics: session duration, features accessed, error logs
3.3 Data We Do Not Collect
HealthBites does not collect financial payment information directly. Payments, if applicable, are processed by third-party providers subject to their own privacy policies.
4. Special Category (Health) Data
Health data is a special category of personal data under Article 9 GDPR and requires explicit consent and heightened protection. HealthBites processes health data because the core functionality of the App — personalised chronic disease self-management — cannot operate without it.
We process your health data on the following legal bases:
- Explicit consent (Article 9(2)(a) GDPR): You will be asked to provide clear, informed, and freely given consent before any health data is collected or processed.
- Provision of health or social care (Article 9(2)(h) GDPR): Processing is necessary for the provision of preventive or occupational medicine and the management of health or social care systems.
- Scientific research (Article 9(2)(j) GDPR and the Irish Health Research Regulations 2018): Where HealthBites conducts research activities, we will obtain separate research consent and comply with the requirements of the Health Research Regulations, including ethical approval from a recognised Research Ethics Committee (REC).
You may withdraw your consent at any time by contacting us or via your in-app settings. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
5. How We Use Your Data
We use your data for the following purposes:
- To create and manage your HealthBites account
- To deliver personalised chronic disease self-management content, micro-lessons, and coaching through our systems
- To generate behavioural nudges, reminders, and weekly check-in summaries tailored to your health profile and goals
- To improve the App's algorithms, content, and user experience (in aggregated and anonymised form where possible)
- To communicate with you about your account, updates, and relevant health content
- To comply with our legal obligations
- To conduct health research, subject to ethical approval and separate consent
We do not use your data for automated decision-making that produces legal or similarly significant effects without human oversight.
6. Legal Basis for Processing
We rely on the following legal bases under GDPR Article 6:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the App services you have signed up for
- Consent (Article 6(1)(a)): For health data and any optional data collection or marketing
- Legitimate interests (Article 6(1)(f)): For analytics, fraud prevention, and App improvement, where this does not override your rights and interests
- Legal obligation (Article 6(1)(c)): Where required by law
7. Data Sharing and Third Parties
We do not sell your personal data. We may share your data with:
- Technology service providers: Cloud hosting, analytics, and infrastructure providers processing data on our behalf under Data Processing Agreements (DPAs) compliant with GDPR.
- Clinical partners and research collaborators: Only where you have provided explicit research consent and ethical approval is in place under the Irish Health Research Regulations 2018.
- Your GP or healthcare provider: Only with your explicit consent, for example as part of a pilot programme.
- Regulatory and legal authorities: Where required by Irish or EU law.
We require all third parties to maintain appropriate security standards and to process your data only for the purposes we specify.
8. International Data Transfers
HealthBites stores and processes data within the European Economic Area (EEA) wherever possible. Where data is transferred outside the EEA (for example, to certain cloud service providers), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
You can request details of any international transfers and the safeguards in place by contacting john@healthbites.ie.
9. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account and profile data: Retained for the duration of your account plus 2 years after account deletion, to comply with legal obligations.
- Health and coaching data: Retained for the duration of your account. You may delete specific data entries at any time via the App.
- Research data: Retained in accordance with the applicable REC-approved research protocol and the Irish Health Research Regulations 2018.
- Anonymised and aggregated data: May be retained indefinitely for research and service improvement purposes.
When data is no longer required, it is securely deleted or anonymised.
10. Data Security
We take the security of your health data seriously and implement technical and organisational measures including:
- Encryption of data in transit (TLS) and at rest
- Access controls and role-based permissions for staff and system access
- Regular security assessments and penetration testing
- A Data Protection Impact Assessment (DPIA) for high-risk processing activities
- Incident response and breach notification procedures compliant with GDPR Article 33
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Data Protection Commission (DPC) within 72 hours and affected users without undue delay.
11. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15): Request a copy of the personal data we hold about you.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Article 17): Request deletion of your data in certain circumstances ('right to be forgotten').
- Right to restriction (Article 18): Request that we limit how we use your data.
- Right to data portability (Article 20): Receive your data in a structured, machine-readable format.
- Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making (Article 22): Request human review of automated decisions that significantly affect you.
- Right to withdraw consent: Withdraw consent at any time without affecting prior processing.
To exercise any of these rights, contact us at privacy@healthbites.ie. We will respond within one month. If you are unsatisfied with our response, you have the right to lodge a complaint with the Irish Data Protection Commission (www.dataprotection.ie).
12. Children's Privacy
HealthBites is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete it promptly. If you believe a child has provided us with their data, please contact privacy@healthbites.ie.
13. Cookies and Tracking
HealthBites may use cookies and similar tracking technologies within the App and on our website to:
- Maintain your session and login state
- Analyse App usage and performance
- Improve user experience
You can control cookie settings through your device or browser settings. A full Cookie Policy is available on our website.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Notify you via email or in-app notification
- Update the 'Last Updated' date at the top of this policy
- Where required, request fresh consent
We encourage you to review this policy periodically. Continued use of HealthBites after changes are posted constitutes acceptance of the updated policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
Health Bites Limited
Email: john@healthbites.ie
Website: www.healthbites.ie
Ireland
Data Protection Commission (Ireland)
Website: www.dataprotection.ie
Phone: +353 (0)761 104 800