Privacy Policy
Last updated: May 17, 2026
Notice: Longevity Germany and the international chapters (Longevity Cities) are community brands of Valteris GmbH. This privacy policy applies uniformly to all services offered by Valteris GmbH under these brands.
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data with which you can be personally identified. Detailed information on the subject of data protection can be found in our privacy policy listed below this text.
Data Collection on this Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the 'Information on the responsible party' section of this privacy policy.
How do we collect your data?
On the one hand, your data is collected when you provide it to us. This can be, for example, data that you enter in a contact form. Other data is collected by our IT systems when you visit the website, either automatically or after your consent. This is mainly technical data (e.g. internet browser, operating system or time of page access). This data is collected automatically as soon as you enter this website.
What do we use your data for?
Some of the data is collected to ensure error-free provision of the website. Other data may be used to analyze your user behavior, but only after your explicit consent. If contracts can be concluded or initiated via the website, the transmitted data will also be processed for contract offers, orders or other service requests.
2. Hosting
We host the content of our website with the following provider:
External Hosting
This website is hosted externally. The personal data collected on this website is stored on the servers of the host(s). This may include IP addresses, contact requests, meta and communication data, contract data, contact data, names, website accesses and other data generated via a website.
External hosting is carried out for the purpose of contract fulfillment towards our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR). If a corresponding consent has been requested, the processing takes place exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG (German law), insofar as the consent includes the storage of cookies or access to information on the user's end device. The consent can be revoked at any time.
Our host(s) will only process your data to the extent necessary to fulfill their performance obligations and follow our instructions regarding this data.
We use the following hosting and infrastructure providers:
Hetzner Online GmbH (registered office: Industriestraße 25, 91710 Gunzenhausen, Germany). Personal data is stored and processed in Hetzner's Nuremberg data center, Germany (EEA). Processed data includes IP addresses, request logs, session data and database connections. A Data Processing Agreement (DPA) under Art. 28 GDPR is in place with Hetzner. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation).
Content Delivery Network (CDN) and Reverse Proxy
Cloudflare, Inc. (registered office: 101 Townsend Street, San Francisco, CA 94107, USA). Cloudflare sits in front of our website as a CDN, reverse proxy and DDoS-protection layer. For visitors from the EEA, requests are primarily terminated at Cloudflare edge nodes in the EU (notably Frankfurt and Amsterdam) and then forwarded via HTTPS re-encryption to our Hetzner server in Nuremberg. Data processed: IP addresses (transient, for routing), TLS handshake data, request headers, user-agent and browser-integrity checks. Cloudflare sets the strictly necessary cookie __cf_bm (Cloudflare Bot Management, 30 minutes) to distinguish humans from bots. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security, availability and DDoS protection), and § 25(2) no. 2 TDDDG for the __cf_bm cookie. As Cloudflare, Inc. is a US entity, any onward transfers are safeguarded by the EU Standard Contractual Clauses (SCCs) and the Cloudflare Data Processing Addendum (DPA): https://www.cloudflare.com/cloudflare-customer-dpa/.
Server Log Files
The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:
- Browser type and browser version
- Operating system used
- Referrer URL
- Hostname of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources. The IP addresses are anonymized or deleted after 7 days at the latest, unless there is a security-relevant event that requires longer storage for evidence purposes.
The collection of this data takes place on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of his website – for this purpose, the server log files must be recorded.
3. General Information and Mandatory Information
Data Protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations and this privacy policy. When you use this website, various personal data is collected. Personal data is data with which you can be personally identified. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this happens.
We point out that data transmission on the Internet (e.g. when communicating by e-mail) can have security gaps. Complete protection of data against access by third parties is not possible.
Information on the responsible party
The responsible party for data processing on this website is:
Valteris GmbH
Am Kaiserkai 59
20457 Hamburg
Germany
Managing Director: Christian Ziegert
Phone: +49 (0) 151 720 419 97
Email: [email protected]
The responsible party is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (e.g. names, e-mail addresses, etc.).
Storage Duration
Unless a more specific storage period is mentioned within this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke consent for data processing, your data will be deleted, unless we have other legally permissible reasons for storing your personal data (e.g. tax or commercial law retention periods); in the latter case, deletion will take place after these reasons no longer apply.
SSL or TLS encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or requests that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
General information on the legal basis for data processing on this website
If you have consented to data processing, we process your personal data on the basis of Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, insofar as special categories of data are processed according to Art. 9 para. 1 GDPR. In the case of explicit consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49 para. 1 lit. a GDPR. If you have consented to the storage of cookies or to the access to information on your end device, data processing is additionally carried out on the basis of § 25 para. 1 TDDDG. The consent can be revoked at any time.
If your data is required for contract fulfillment or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6 para. 1 lit. b GDPR.
Furthermore, we process your data if this is necessary to fulfill a legal obligation on the basis of Art. 6 para. 1 lit. c GDPR.
Data processing can also take place on the basis of our legitimate interest according to Art. 6 para. 1 lit. f GDPR. Information on the relevant legal basis in each individual case is provided in the following paragraphs of this privacy policy.
Recipients of personal data
In the course of our business activities, we work together with various external parties. In some cases, this also requires the transmission of personal data to these external parties. We only pass on personal data to external parties if this is necessary for the fulfillment of a contract, if we are legally obliged to do so (e.g. passing on data to tax authorities), if we have a legitimate interest in the transfer according to Art. 6 para. 1 lit. f GDPR or if another legal basis permits the data transfer. When using processors, we only pass on personal data of our customers on the basis of a valid contract for data processing. In the case of joint processing, a contract for joint processing is concluded.
Revocation of your consent to data processing
Many data processing operations are only possible with your express consent. You can revoke consent that has already been given at any time. The lawfulness of data processing carried out until the revocation remains unaffected by the revocation.
Right to object to data collection in special cases and to direct advertising (Art. 21 GDPR)
IF DATA PROCESSING IS CARRIED OUT ON THE BASIS OF ART. 6 PARA. 1 LIT. E OR F GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA, UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS OR THE PROCESSING SERVES TO ASSERT, EXERCISE OR DEFEND LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21 PARA. 1 GDPR). IF YOUR PERSONAL DATA IS PROCESSED FOR THE PURPOSE OF DIRECT ADVERTISING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH ADVERTISING; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS CONNECTED WITH SUCH DIRECT ADVERTISING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR THE PURPOSE OF DIRECT ADVERTISING (OBJECTION PURSUANT TO ART. 21 PARA. 2 GDPR).
Right to complain to the competent supervisory authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, their place of work or the place of the alleged violation. The right to lodge a complaint exists without prejudice to other administrative or judicial remedies.
Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place insofar as it is technically feasible.
Information, correction and deletion
Within the framework of the applicable legal provisions, you have the right to free information about your stored personal data, its origin and recipient and the purpose of data processing and, if applicable, a right to correction or deletion of this data. You can contact us at any time with regard to this and other questions on the subject of personal data.
Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this purpose. The right to restriction of processing exists in the following cases:
- If you dispute the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the verification, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of deletion.
- If we no longer need your personal data, but you need it to exercise, defend or assert legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
- If you have lodged an objection pursuant to Art. 21 para. 1 GDPR, a balance must be struck between your and our interests. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data - apart from its storage - may only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the European Union or a member state.
Data Protection Officer
In accordance with the requirements of § 38 BDSG and Art. 37 GDPR, we have not appointed a Data Protection Officer, as we currently neither meet the personnel threshold of staff continuously engaged in automated processing nor carry out processing operations requiring a Data Protection Impact Assessment under Art. 35 GDPR. We review these conditions regularly and will appoint a Data Protection Officer as soon as the statutory thresholds are exceeded.
For all data protection enquiries, please contact us at:
Email: [email protected]
We are committed to protecting your personal data and ensuring compliance with all applicable data protection regulations.
Competent Supervisory Authority
The competent data protection supervisory authority for our company is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany
Phone: +49 (0)40 428 54-4040
Email: [email protected]
Website: https://datenschutz-hamburg.de/
You have the right to lodge a complaint with this supervisory authority if you believe that the processing of your personal data violates the GDPR.
Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you without undue delay. We will inform you about:
- The nature of the personal data breach
- The likely consequences of the breach
- The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects
- Contact point for more information and support
We will notify the competent supervisory authority within 72 hours of becoming aware of a breach, as required by Article 33 GDPR. If the notification is not made within 72 hours, we will provide reasons for the delay.
We have implemented appropriate technical and organizational measures to prevent data breaches and to detect them promptly should they occur.
Minimum Age for Use of Our Service
Minimum Age Requirement
Our service is directed at adult users. When you register, you must actively confirm that you have reached the minimum age applicable in your country of residence for giving independent consent to information-society services. In Germany this minimum age is 16 years (Art. 8(1) GDPR in conjunction with § 22(1)(1) BDSG); in Austria it is 14 years (§ 4(4) DSG). In Switzerland the minimum age for independent consent is generally 16 years. In the United States, COPPA requires a minimum age of 13 years for the collection of personal data from children; some U.S. states may set different thresholds (see regional notes). Confirmation of the minimum age takes place via your express self-attestation at registration. We do not currently deploy any technical age-verification mechanism. Should we become aware that a user does not meet the minimum age, we will delete the relevant account immediately.
Parental Consent
If you are below the applicable age threshold for your country, you may only use our services with the explicit consent of your parent or legal guardian. Parents or guardians must provide consent for any personal data collection or processing.
No Knowing Collection
We do not knowingly collect, use, or disclose personal information from children below the applicable regional threshold without appropriate parental consent.
Deletion of Children's Data
If we become aware that we have collected personal data from a child below the applicable age threshold without proper parental consent, we will take immediate steps to delete that information from our servers as quickly as possible.
If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at [email protected].
Records of Processing Activities (Article 30 GDPR)
We maintain detailed records of all processing activities under our control, as required by Article 30 GDPR. These records document:
- Name and contact details of the controller and, where applicable, the joint controller and data protection officer
- Purposes of the processing
- Categories of data subjects and categories of personal data
- Categories of recipients to whom personal data have been or will be disclosed
- Where applicable, transfers of personal data to third countries or international organizations
- Envisaged time limits for erasure of different categories of data
- General description of technical and organizational security measures
These records are available for review by the supervisory authority upon request.
We regularly review and update our processing records to ensure they accurately reflect our current data processing activities.
Data Minimization Principle
We adhere strictly to the principle of data minimization as required by Article 5(1)(c) GDPR. This means:
- We only collect personal data that is adequate, relevant, and limited to what is necessary for the specific purpose for which it is processed
- We do not collect excessive or irrelevant data
- We regularly review the data we hold to ensure it remains necessary for the intended purpose
- Once data is no longer needed for its original purpose, it is either deleted or anonymized
Our commitment to data minimization helps protect your privacy and reduces the risk of data breaches.
Automated Decision-Making and Profiling
We do not employ automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR.
The Photo Age Test, rPPG heart-rate scanner and all other tests serve purely as informative self-assessments. The results have no effect on your access to platform features, membership tiers, visibility to other members or any other material aspect of our service. Should we introduce features in the future that could fall under Art. 22 GDPR (e.g. gating certain premium features by biomarker outcomes), we will inform you in advance, ensure human review, and obtain the legal basis required under Art. 22(2) GDPR.
We use analytics tools (such as Google Analytics) for aggregate statistical analysis, service improvement, product development and feature-usage analytics. They do not result in automated decisions that significantly affect individual users.
Any decisions that may affect you (such as responding to contact form inquiries, moderation actions, or certification decisions) involve human review and are not made automatically by algorithms.
4. Data Collection on this Website
Cookies
Our website uses so-called "cookies". Cookies are small data packages and do not cause any damage to your end device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your end device. Session cookies are automatically deleted after the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or an automatic deletion by your web browser occurs. Cookies can come from us (first-party cookies) or from third-party companies (so-called third-party cookies). This website uses our proprietary consent management technology to obtain your consent to the storage of certain cookies on your end device or to the use of certain technologies and to document this in compliance with data protection regulations.
Cookies that are required to carry out the electronic communication process, to provide certain functions you have requested (e.g. for user authentication) or to optimize the website (e.g. cookies for measuring web traffic) are stored on the basis of Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies for the technically error-free and optimized provision of its services.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted. You can find out which cookies and services are used on this website in this privacy policy.
Profile Visibility Defaults (Privacy by Default)
Upon registration, your profile visibility defaults are configured to allow appropriate participation in the community aspects of the service. You can adjust every individual visibility setting at any time in your profile settings.
Important note on health data: Health data (bioMetrics entries such as heart rate, HRV, Pace of Aging and Health Stack values) are not publicly visible by default. They are only displayed publicly if you actively enable this in your profile settings. You can withdraw this setting at any time.
Contact Form
If you send us inquiries via the contact form, your details from the inquiry form, including the contact data you provided there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent.
The processing of this data takes place on the basis of Art. 6 para. 1 lit. b GDPR, insofar as your inquiry is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; the consent can be revoked at any time.
The data you enter in the contact form will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your inquiry has been processed). Mandatory legal provisions - in particular retention periods - remain unaffected.
Inquiry by e-mail, telephone or fax
If you contact us by e-mail, telephone or fax, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent.
The processing of this data takes place on the basis of Art. 6 para. 1 lit. b GDPR, insofar as your inquiry is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; the consent can be revoked at any time.
The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory legal provisions - in particular legal retention periods - remain unaffected.
Newsletter Subscription
If you subscribe to our newsletter, we will process your email address and city information to send you regular updates about longevity events, articles, and insights.
Legal Basis for Processing
The processing of your personal data for newsletter purposes is based on your explicit consent (Art. 6 para. 1 lit. a GDPR). You can withdraw your consent at any time by clicking the unsubscribe link in any newsletter email or by contacting us directly.
After you unsubscribe from the newsletter, we delete your subscription data from our newsletter database within 30 days. To make sure that you are not accidentally contacted again after unsubscribing, we retain a minimal suppression record indefinitely (hashed email address and timestamp of unsubscription). Processing of this suppression record is based on a legal obligation (Art. 6(1)(c) GDPR in conjunction with Art. 21(3) GDPR) and a legitimate interest in honouring advertising opt-outs (Art. 6(1)(f) GDPR).
Health Stack & Sensitive Data
If you use our 'Health Stack' feature to track supplements, devices, or interventions, you are processing health-related data (Article 9 GDPR). Your data is stored in MongoDB Atlas with processing on EU servers (Frankfurt, eu-central-1). MongoDB Inc. is a US entity; transfers are safeguarded by Standard Contractual Clauses (SCCs) and MongoDB's Data Processing Agreement. By adding data to your Health Stack, you explicitly consent to this processing in accordance with Art. 9(2)(a) GDPR (explicit consent for health data).
By adding items to your Health Stack, you explicitly consent to the processing of this health data for the purpose of providing your personal tracking dashboard.
You can revoke this consent at any time by deleting items from your Health Stack or deleting your account.
Pace of Aging Test
Our Pace of Aging Test allows you to measure your rate of aging based on lifestyle factors such as diet, exercise, and sleep.
Local Calculation
The calculation of your Pace of Aging takes place initially in your browser. The questionnaire answers you enter are used only for the calculation.
Result Storage
If you are logged in, your calculated results (Pace of Aging) can be saved to your user profile. This data is stored in our database (MongoDB Atlas) and is private by default.
Optional Newsletter Subscription
If you choose to subscribe to our newsletter via the Age Test, only your email address and opt-in status are transmitted to our email provider (Brevo).
Processing is based on your consent (Art. 6 para. 1 lit. a GDPR) through active use of the test. Saved results can be deleted at any time in your profile settings.
Photo Age Test
Privacy and Data Processing
Our Photo Age Test uses the MiVoLo (Multi-input Vision Transformer for Age and Gender Estimation) model for age estimation. The model is operated by Valteris itself on Amazon Web Services (AWS eu-central-1, Frankfurt, Germany). The uploaded photo is processed exclusively for age estimation and is never stored persistently at any point.
Note on Special Categories of Data (Art. 9 GDPR): The processing of facial images for age estimation and the resulting estimated values constitute health data within the meaning of Art. 9(1) GDPR. Because the photo is processed only briefly and is not used for the unique identification of a person, it does not constitute biometric data within the meaning of Art. 4(14) GDPR. Processing is based on your explicit consent (Art. 9(2)(a) GDPR).
Privacy Guarantees
Your privacy is our top priority. The Photo Age Test is designed with Privacy by Design principles:
- No Storage: Your photo is processed exclusively in volatile memory (RAM) and is never written to disk, database, or cloud storage.
- Short-lived Processing: After the analysis completes (typically within a few seconds), all image data is immediately removed from memory.
- No Image Logging: Your photo is never logged or stored. Only technical metadata (processing status, errors) is logged for system maintenance.
- Secure Processing: Each analysis runs in an isolated environment. Your data is never shared with other users or third parties.
If you are logged in and choose to save the result to your profile, only the estimated age value (a number, not an image) is stored as part of your bioMetrics data in our database.
Legal Basis: Processing of the photo is based on your explicit consent (Art. 6(1)(a) GDPR and Art. 9(2)(a) GDPR) by actively uploading. Consent can be revoked at any time.
rPPG Heart Rate & HRV Scanner
Webcam-Based Vital Signs Measurement
Our rPPG (remote Photoplethysmography) scanner uses your device's camera to estimate your heart rate (BPM) and heart rate variability (HRV/RMSSD) by analyzing subtle color changes in your skin caused by blood flow.
Note on Special Categories of Data (Art. 9 GDPR): Heart rate and HRV data constitute health data under Art. 9 GDPR. Processing is based on your explicit consent (Art. 9 para. 2 lit. a GDPR), given by actively granting camera access and starting the scan.
How It Works & Data Processing
- Client-Side Processing: All video analysis happens entirely in your browser. No video frames or camera images are transmitted to our servers.
- Camera Access: The scanner requires access to your device's camera. You grant this permission through your browser's built-in permission dialog. You can revoke camera access at any time through your browser settings.
- Face Detection: We use Google's MediaPipe Face Landmarker library to identify facial regions for pulse signal extraction. This library is loaded from external CDNs (cdn.jsdelivr.net and storage.googleapis.com) — see 'Third-Party Services' below.
- No Video Storage: No video frames, camera images, or facial data are ever stored, transmitted, or logged. Only the final numeric results (BPM, HRV) may be saved if you choose.
If you are logged in and choose to save the result to your profile, the heart rate value (BPM) is stored as part of your bioMetrics data in our database. No video, images, or facial data are ever transmitted or stored.
External Resources Loaded
- cdn.jsdelivr.net: Hosts the MediaPipe WebAssembly (WASM) runtime. When loaded, your IP address and browser metadata are transmitted to jsDelivr (Prospectone Sp. z o.o., Poland/Global CDN).
- storage.googleapis.com: Hosts the MediaPipe Face Landmarker ML model file. When loaded, your IP address and browser metadata are transmitted to Google LLC (USA).
Note on DNS prefetches: When the page loads, DNS-prefetch hints are issued for the external resources listed above to avoid latency when the scanner is later activated. DNS prefetches only resolve the IP addresses of the hostnames and do not transmit any personal content. The actual resources (WebAssembly runtime, ML model) are only loaded once you actively start the scan.
Legal Basis: Processing is based on your explicit consent (Art. 6 para. 1 lit. a GDPR for camera access and Art. 9 para. 2 lit. a GDPR for health data) by granting camera permission and starting the scan. Consent can be revoked at any time by denying camera access or leaving the page.
Contributor Submissions
If you submit a story or article proposal via our 'Submit Your Story' form, we collect your name, email, role, social links, and proposal details.
Purpose: This data is used solely for reviewing your submission and contacting you regarding potential publication.
The processing is based on Art. 6 para. 1 lit. b GDPR (pre-contractual measures) or our legitimate interest in content curation (Art. 6 para. 1 lit. f GDPR).
If your proposal is not accepted, your data will be deleted after 6 months. If accepted, it will be retained as part of our content records.
Event Registration and Payments via Lu.ma
Our website embeds an event-registration button provided by Lu.ma (Lu.ma Inc., USA). When you click this button, a script from Lu.ma (embed.lu.ma/checkout-button.js) is loaded and the registration takes place directly on the Lu.ma platform.
Lu.ma Inc. (independent controller)
We do not transmit any user data from our servers to Lu.ma. Lu.ma collects your registration and payment data independently and processes it as an independent controller. The processing of your data in this step is therefore governed exclusively by Lu.ma's privacy policy.
Lu.ma privacy policy: https://lu.ma/privacy
When loaded, the Lu.ma script may set its own cookies and tracking mechanisms. These are loaded only after your active click interaction on the button.
International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place for all international transfers:
| Recipient (Service) | Location | Purpose | Safeguards |
|---|---|---|---|
| MongoDB, Inc. / Amazon Web Services (Database) | European Union (Frankfurt, eu-central-1) | Storage of user accounts, profiles, and application data | Processing in an EU region. MongoDB Inc., headquartered in the USA, is the parent entity; data processing takes place exclusively on EU servers. Standard Contractual Clauses (SCCs) and MongoDB Data Processing Agreement |
| Amazon Web Services (Photo Age Test) | European Union | Photo analysis performed entirely within the EU - no international transfer | EU-based processing (Frankfurt, Germany) |
| Google LLC (Google Analytics, Google Tag Manager) | United States | | EU-US Data Privacy Framework + Standard Contractual Clauses (SCCs); Google is certified under the EU-US Data Privacy Framework |
| IPinfo / ipapi.co (IP Geolocation Services) | United States | IP-based location detection for map centering and location-based content | Standard Contractual Clauses (SCCs) + Appropriate Technical and Organizational Measures |
| Hetzner Online GmbH (Hosting Provider) | Germany (EU) | Website hosting, database connections and server infrastructure | EU-based servers (Nuremberg data center, Germany); German provider, natively GDPR-aligned; Data Processing Agreement under Art. 28 GDPR |
| Cloudflare, Inc. (CDN / reverse proxy / DDoS protection) | United States (Cloudflare, Inc.) — EU edges for EEA traffic | Reverse proxy, TLS termination, DDoS and bot protection for the delivery of the website | EU Standard Contractual Clauses (SCCs) + Cloudflare Data Processing Addendum (DPA). EEA traffic is primarily terminated at EU edges (Frankfurt/Amsterdam); only transient routing metadata leaves the EEA. |
| Brevo (Sendinblue SAS, Paris) | France (EU) | Newsletter delivery and email marketing | Brevo's primary processing infrastructure is in the EU; transfers to US sub-processors are covered by Standard Contractual Clauses |
| ImageKit | United States / Global CDN | Image optimization and content delivery | Standard Contractual Clauses (SCCs) |
| jsDelivr (Prospectone Sp. z o.o.) — MediaPipe WASM runtime | Poland / Global CDN | Delivery of WebAssembly runtime for the rPPG heart rate scanner — loaded only when the user activates the scanner | EU-based company (Poland); global CDN nodes covered by appropriate safeguards |
| Google LLC (Google Cloud Storage) — MediaPipe ML model | United States | Delivery of the Face Landmarker ML model for the rPPG heart rate scanner — loaded only when the user activates the scanner | EU-US Data Privacy Framework + Standard Contractual Clauses (SCCs) |
Safeguards in Place
All transfers to countries outside the EEA are protected by one or more of the following safeguards:
- EU-US Data Privacy Framework (for certified US companies)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Appropriate technical and organizational security measures
- Binding Corporate Rules (where applicable)
For transfers to countries that have been granted an adequacy decision by the European Commission, no additional safeguards are required.
You have the right to obtain information about the safeguards we have implemented for international transfers and to receive a copy of the Standard Contractual Clauses where applicable. Please contact us if you would like to exercise this right.
Affiliate Programs
We do not currently operate any affiliate program. Discount codes and product links shown on the /products page are not monetised — Valteris receives no commission, click-through fee, or per-redemption payment from the partners listed there.
Should we ever introduce commercial affiliate links, they will be clearly marked "Werbung", "Anzeige", or "Ad" in line with § 6 DDG, § 5a UWG, and § 8 MStV; this Privacy Policy will be updated accordingly, and any cookies or comparable technologies for affiliate purposes will only be deployed on the basis of your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG.
5. Social Media Profiles
Facebook / Instagram / LinkedIn / TikTok
We maintain profiles on social networks. Our website includes simple links to these profiles (not plugins). No data is transferred to these networks when you visit our website. Data transfer only occurs if you actively click on one of the links and are redirected to the respective network.
The operation of our social media profiles is based on our legitimate interest in an effective information and communication presence (Art. 6 para. 1 lit. f GDPR).
If you visit our profiles on these platforms, we may be jointly responsible with the platform operator for data processing. For details, please refer to the privacy policy of the respective platform.
6. Plugins and Tools
Google Fonts (local hosting)
This page uses so-called Google Fonts, provided by Google, for the uniform display of fonts. The Google Fonts are installed locally. A connection to Google servers does not take place. Further information on Google Fonts can be found at https://developers.google.com/fonts/faq and in Google's privacy policy: https://policies.google.com/privacy?hl=en.
ImageKit (Image CDN)
User-generated images (avatars, banners, spot images, article covers) are delivered via ImageKit (United States). When you load a page containing ImageKit images, your IP address is transmitted to ImageKit. A DNS-prefetch hint is issued already on the initial page load, which resolves only the IP address of the hostname and does not transmit any personal content. The legal basis is our legitimate interest in performant image delivery (Art. 6(1)(f) GDPR).
Map tiles (OpenStreetMap/CARTO)
This website displays maps using OpenStreetMap data rendered via the Leaflet library and CARTO basemap tiles (basemaps.cartocdn.com). When tiles are loaded, the tile providers receive your IP address and standard technical request data. We do not use cookies for these tiles.
The use of map tiles is based on our legitimate interest in providing a functional, user-friendly map (Art. 6(1)(f) GDPR).
Location Services
This website offers location-based services to help you find longevity-related spots near your location. We use different methods to determine your location, always prioritizing your privacy and requiring your explicit consent for precise location data.
What location data do we collect?
- IP-based location: We may determine your approximate location based on your IP address to provide city-level location services without requiring permission.
- Browser location: Only when you explicitly click the location button, we may request access to your device's GPS location for more precise positioning.
- Local storage: We store your location preferences locally in your browser's localStorage to improve your experience on subsequent visits. This includes:
Legal basis for location data processing
Precise location access requires your explicit consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG). You can revoke this consent at any time by denying location access in your browser settings.
How we protect your location data
All location data is processed locally in your browser and never transmitted to our servers.
Detailed Cookie Information
Below is specific information about the cookies used on our website, including their purpose, type, and lifespan:
| Name | Purpose | Type | Lifespan |
|---|---|---|---|
| __session | Authentication and session management - maintains your logged-in state | Necessary (Essential) | 180 days |
| _ga | Google Analytics - Distinguishes unique users and tracks website usage | Analytics (Requires Consent) | 2 years |
| _gid | Google Analytics - Distinguishes users for 24-hour analytics | Analytics (Requires Consent) | 24 hours |
| _gat | Google Analytics - Used to throttle request rate | Analytics (Requires Consent) | 1 minute |
localStorage: In addition to cookies, we use browser localStorage to store: (i) your cookie consent choice (cookie_consent) and your granular cookie category preferences (cookie_preferences); (ii) location preferences (IP-detected location, manually selected city, precise GPS coordinates if granted), notification dismissal status, and voting status for community spots (voted_{spotId}). localStorage entries persist until you clear browser data or revoke consent and, except for the consent record itself, are not transmitted to our servers.
You can manage cookie preferences through our cookie consent banner or through your browser settings. Note that disabling necessary cookies may affect website functionality.
Data Processors (Article 28 GDPR)
We engage the following data processors who process personal data on our behalf. All processors are bound by written data processing agreements compliant with Article 28 GDPR:
MongoDB, Inc. / Amazon Web Services
Services: Database hosting and storage
Location: United States (AWS Cloud)
DPA: Data Processing Agreement in place pursuant to Article 28 GDPR
Standard Contractual Clauses are incorporated into MongoDB Atlas terms
Purpose: Storage of user accounts, profiles, health stack data, and all application data
Amazon Web Services (AWS)
Services: Cloud infrastructure on which Valteris operates the Photo Age Test API
Location: AWS eu-central-1 (Frankfurt, Germany); photo data is processed only briefly in RAM and is not stored
DPA: AWS Data Processing Addendum in place pursuant to Article 28 GDPR
Purpose: RAM-only processing of photo age estimation — no data stored. Heart-rate measurement (rPPG) runs entirely in the browser and is not sent to AWS.
Google LLC
Services: Google Analytics, Google Tag Manager
Location: United States
DPA: We have concluded a data processing agreement with Google pursuant to Article 28 GDPR
Standard Contractual Clauses are incorporated into Google's data processing terms
CARTO
Services: Map tile delivery
Location: United States / Global CDN
DPA: Service terms include data protection provisions
Purpose: Delivery of map tiles for location features
Hetzner Online GmbH
Services: Web hosting, server infrastructure and database connectivity
Location: Germany, EU (Nuremberg data center)
DPA: Data Processing Agreement under Art. 28 GDPR (Hetzner standard DPA)
Purpose: Hosting of the application, processing of IP addresses, request logs and session data
Cloudflare, Inc.
Services: Content Delivery Network (CDN), reverse proxy, TLS termination, DDoS and bot protection
Location: United States (corporate seat); EEA traffic primarily handled at EU edges (Frankfurt/Amsterdam)
DPA: Cloudflare Data Processing Addendum (DPA) together with EU Standard Contractual Clauses (SCCs)
Purpose: Protection of the website infrastructure, bot detection and delivery of static assets; sets the strictly necessary __cf_bm cookie (30 min).
IPinfo / ipapi.co
Services: IP geolocation services
Location: United States
DPA: Service terms include processor obligations and data protection clauses
Purpose: IP-based location detection for map centering only
Brevo (Sendinblue SAS, Paris, France)
Services: Newsletter and email delivery services
Location: France (EU); transfers to US sub-processors covered by Standard Contractual Clauses
DPA: Data Processing Agreement under Article 28 GDPR via Brevo's Terms of Service
Purpose: Processing of newsletter subscriptions and email delivery
Google LLC (Gmail)
Services: Contact form email delivery
Location: United States
DPA: Google Workspace Data Processing Amendment
Purpose: Delivery of contact form submissions to our team
ImageKit
Services: Image CDN and optimization
Location: United States / Global CDN
DPA: Service terms include data processing provisions
Purpose: Optimized delivery of user-uploaded images
jsDelivr (Prospectone Sp. z o.o.)
Services: CDN for MediaPipe WebAssembly runtime
Location: Poland / Global CDN
DPA: Service terms include data processing provisions
Purpose: Delivery of MediaPipe WASM runtime for the rPPG heart rate scanner — loaded only when the user activates the scanner
Google LLC (Google Cloud Storage)
Services: Hosting of MediaPipe Face Landmarker ML model
Location: United States
DPA: Google Cloud Data Processing Addendum
Purpose: Delivery of the Face Landmarker model file for the rPPG heart rate scanner — loaded only when the user activates the scanner
You have the right to request information about our data processing agreements and the safeguards we have implemented. Contact us at [email protected].
Our processors may engage sub-processors. We ensure that all sub-processors are bound by equivalent data protection obligations.
Data Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Specific retention periods are:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| User account data | Immediate deletion upon account deletion. Encrypted backups retained for up to 90 days, then irreversibly overwritten. | Contract fulfillment (Art. 6(1)(b) GDPR) |
| Health Stack data | Until consent is revoked or account is deleted | Explicit consent for health data (Art. 9(2)(a) GDPR) |
| Gamification data (XP, achievements, streaks) | Duration of account existence | Contract fulfillment (Art. 6(1)(b) GDPR) |
| Accountability partnerships and check-ins | Duration of account existence or until partnership is ended | Contract fulfillment (Art. 6(1)(b) GDPR) |
| Certification application data and issued certificates | 6 years (German commercial/tax retention §§ 257 HGB / 147 AO); earlier deletion on request where no legal retention applies | Legal obligation (Art. 6(1)(c) GDPR) and legitimate interest (Art. 6(1)(f) GDPR) |
| Community voting records | Retained in pseudonymised aggregate form; individual vote records are deleted 12 months after the certification decision | Legitimate interest (Art. 6(1)(f) GDPR) |
| Newsletter subscription data | Until unsubscription plus 30 days for processing the unsubscription request | Consent (Art. 6(1)(a) GDPR) |
| Contact form inquiries and email correspondence | 6 months after conclusion of correspondence, or 3 years if related to a contractual relationship | Legitimate interest (Art. 6(1)(f) GDPR) or Contract (Art. 6(1)(b) GDPR) |
| Photo Age Test images | 0 seconds - images are processed in RAM only and immediately deleted | Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) |
| rPPG heart rate scanner video frames | 0 seconds - processed client-side in the browser only, never transmitted to servers | Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) |
| Saved heart rate / HRV results (bioMetrics) | Duration of account existence plus 30 days after account deletion | Explicit consent for health data (Art. 9(2)(a) GDPR) |
| Analytics data (Google Analytics) | 14 months from the date of collection | Consent (Art. 6(1)(a) GDPR) |
| Article likes (anonymous) — IP address | IP truncated to /24 at write time; full-record retention 12 months | Legitimate interest in abuse prevention (Art. 6(1)(f) GDPR) |
| Spot flag reporter IP address | IP truncated to /24; retention 24 months | Legitimate interest in moderation and abuse prevention (Art. 6(1)(f) GDPR) |
| In-product notifications | 30 days (MongoDB TTL) | Contract (Art. 6(1)(b) GDPR) / legitimate interest (Art. 6(1)(f) GDPR) |
| Activity requests (run, yoga, sauna, cold-plunge lobbies) | Deleted 7 days after the scheduled expiry timestamp (MongoDB TTL) | Contract (Art. 6(1)(b) GDPR) |
| LongevityCheckResult — anonymous event participants | 12 months after the event date | Explicit consent for health data (Art. 9(2)(a) GDPR) |
| ScheduledNewsletter campaign statistics | Retained for the lifetime of the campaign record | Legitimate interest in campaign reporting (Art. 6(1)(f) GDPR) |
| Server logs and IP addresses | 7 days for security and fraud prevention purposes | Legitimate interest in IT security (Art. 6(1)(f) GDPR) |
| Contract and billing data (if applicable) | 10 years in accordance with German commercial and tax law requirements | Legal obligation (Art. 6(1)(c) GDPR per § 147 AO, § 257 HGB) |
| Cookie consent records | 1 year or until consent is withdrawn | Legal obligation to maintain proof of consent (Art. 7(1) GDPR) |
| ConsentLog (consent audit trail) | Indefinite (pseudonymised; hashed IP / user agent) | Legal obligation (Art. 6(1)(c) in conjunction with Art. 7(1) GDPR) |
After expiry of the applicable retention period, personal data will be deleted automatically unless deletion is prevented by mandatory legal retention obligations. You can request earlier deletion where permissible by law.
How to Exercise Your Data Protection Rights
To exercise any of your rights under the GDPR (access, rectification, deletion, restriction, portability, objection), please follow this procedure:
Special Note on Your Right to Object (Art. 21 GDPR)
IF WE PROCESS DATA ON THE BASIS OF A LEGITIMATE INTEREST (ART. 6 PARA. 1 LIT. F GDPR), YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION. THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS.
IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA UNLESS WE CAN PROVE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS OR THE PROCESSING SERVES THE ASSERTION, EXERCISE OR DEFENSE OF LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING.
Step-by-Step Procedure
- Send an email to [email protected] with the subject line: 'GDPR Rights Request'
- Clearly state which specific right(s) you wish to exercise (e.g., 'Request for Access to Personal Data' or 'Request for Deletion')
- Provide sufficient information for us to identify you: your name, email address, and (if applicable) your username or account details
- If acting on behalf of someone else, provide proof of authorization
Identity Verification
For security reasons and to prevent unauthorized disclosure of personal data, we may need to verify your identity before processing your request. This may involve:
- Requesting proof of identity (e.g., copy of ID document with sensitive data redacted)
- Sending a verification email to the registered email address
- Asking security questions related to your account
Response Timeline
- Initial Response: We will acknowledge receipt of your request within 3 business days
- Full Response: We will provide a full response without undue delay and in any event within one month of receipt of your request
- Extension: If your request is complex or we receive multiple requests, we may extend this period by two further months. We will inform you of any extension within one month of receiving your request, together with the reasons for the delay
Exercising your rights is free of charge. Under Art. 12(5) GDPR we reserve the right, in cases of manifestly unfounded or excessive requests (in particular repeated bulk-export requests within short intervals), to charge a reasonable fee or refuse to act; we will explain our reasoning when invoking this provision.
For complex requests, particularly data portability requests or requests involving large volumes of data, we may contact you to clarify the exact scope of information you require and the preferred format for delivery.
7. Analysis Tools
Google Tag Manager
This website uses Google Tag Manager (GTM) from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a tool that allows us to manage website tags through an interface. GTM itself is a cookie-free domain and does not set any cookies. It ensures that other tags are triggered, which in turn may collect data. GTM does not collect personal data itself. We have no influence on the data processing of the tags managed through GTM.
The use of Google Tag Manager is based on your consent according to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. The consent can be revoked at any time.
Google Analytics
After you grant analytics consent in our cookie banner, this website uses Google Analytics, a web analysis service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses so-called "cookies". These are text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.
IP Anonymization: We have activated the IP anonymization function on this website. As a result, your IP address will be truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area prior to transmission to the United States. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.
On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
The use of Google Analytics takes place exclusively on the basis of your consent according to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. The consent can be revoked at any time.
The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/. More information on how Google Analytics handles user data can be found in Google's privacy policy: https://policies.google.com/privacy?hl=en.
The company has certification according to the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that ensures compliance with European data protection standards for data processing in the USA. Every company certified according to the DPF undertakes to comply with these data protection standards. You can find more information about this from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.
We use Google Analytics exclusively client-side after active consent via our cookie banner. No analytics cookies are set before consent is given; Google Consent Mode v2 is configured with the default status "denied".
Transactional & Notification Emails
We send a small number of operational emails to support the community features of the platform. You can granularly opt out of non-essential notifications in your account settings (emailPreferences).
Email Templates in Use
- partnerRequestApplication — someone applies to be your accountability partner
- partnerRequestAccepted — your partner request was accepted
- challengeEnded — a 1-on-1 challenge you took part in has ended
- mutualMatch — you and another member liked each other (Heart match)
- challengeCheckInReminder — reminder to check in on an active challenge
- communityChallengeCompleted — your community challenge is complete
Legal Basis: Transactional emails directly tied to a feature you actively use (partner requests, challenge lifecycle) are processed on the basis of Art. 6(1)(b) GDPR (contract). Notifications and reminders are processed on the basis of Art. 6(1)(f) GDPR (legitimate interest) and can be opted out of at any time via the 'Email preferences' card in Settings.
Processor: Emails are delivered by Brevo (Sendinblue SAS, Paris, France) under a DPA — see Data Processors section above.
You can manage these preferences at any time at /settings under 'Email preferences'.
Full List of Biometric & Health Data Categories (bioMetrics)
Where you explicitly choose to save a test or measurement to your profile, it is stored as a typed entry in the bioMetrics collection. These are special-category data under Art. 9 GDPR and are processed only on the basis of your explicit consent (Art. 9(2)(a) GDPR), given by actively taking the test and saving the result.
Types Actually Stored
- pace — Pace of Aging questionnaire score
- photo — Photo Age Test estimated age (image is never stored)
- lifestyle — Lifestyle self-assessment score
- clinical — Self-reported clinical markers you enter
- heartRate — BPM from the rPPG scanner
- hrv — Heart-rate variability (RMSSD)
- stress — Stress self-report
- vascularAge — Vascular age estimate
- vo2max — VO₂max estimate
- grip — Grip-strength test score
- balance (open/closed eyes) — single-leg balance test
- sitRise — Sit-to-rise test score
- sitStand — 30-second sit-to-stand test
- plank — Plank duration
- reactionTime — Reaction-time test
- pushup / pushupOpen — push-up tests
Legal Basis: Explicit consent (Art. 9(2)(a) GDPR). You can delete any individual biomarker entry, or all of them at once, from your profile at any time.
Retention: Stored for the lifetime of your account, plus 30 days after account deletion, unless you delete entries earlier.
In-Person Longevity Checks (LongevityCheckResult)
At physical events (e.g. chapter meetups, fairs), participants can complete a short battery of fitness and biomarker tests administered by a chapter lead.
Data Collected
- Age
- Gender
- Body weight
- Fitness test scores (grip, sit-to-rise, plank, push-ups, balance, reaction time, etc.)
- Optional leaderboard display name
Legal Basis: Processing is based on your explicit consent (Art. 9(2)(a) GDPR), given at the event before the test begins.
Retention: For anonymous event participants (no linked account), raw identifiable results are retained for 12 months after the event date and then deleted. Anonymised derivatives (pseudonymised, non-re-identifiable) may be retained indefinitely for statistical and research purposes under Art. 89 GDPR. For participants linked to an account, results become part of their bioMetrics and follow the account-lifetime retention rule.
Matching & 'Heart' Affinity
The platform offers a mutual-match feature ('Hearts') that lets members express interest in another member. A match is only revealed when both sides have expressed interest.
Data Collected
- Heart records (from-user, to-user, timestamp)
- Mutual-match state (for notification fan-out, capped at 3 notifications per user per day)
Legal Basis: Contract (Art. 6(1)(b) GDPR) — providing the social feature you opted into.
Retention: Hearts persist until you remove them or delete your account.
Activity Lobbies (ActivityRequest)
You can post short-lived activity lobbies (e.g. morning run, yoga session, sauna, cold-plunge) that other members can join.
Data Collected
- Activity type (run, yoga, sauna, cold-plunge, etc.)
- Location (city / chapter; optional precise location if you add it)
- Scheduled start time and expiry
- Your user ID as host and the user IDs of joiners
Legal Basis: Contract (Art. 6(1)(b) GDPR).
Retention: Lobbies are automatically deleted 7 days after their expiresAt timestamp via a MongoDB TTL index.
Moderation State (isGhosted / isBanned)
To keep the community safe and welcoming, moderators may mark an account as 'ghosted' (reduced visibility in feeds) or 'banned' (access revoked). We are transparent that these flags exist.
You have a right under Art. 15 GDPR to know whether any moderation flag has been applied to your account and on what basis. To exercise this right, contact [email protected] and reference 'Moderation state request'.
Legal Basis: Legitimate interest in community safety and Terms-of-Service enforcement (Art. 6(1)(f) GDPR).
Retention: Moderation flags persist for the lifetime of the account and are removed when the account is deleted.
Onboarding & Engagement Telemetry
We record a small amount of onboarding state so the product does not repeat tutorials or show dismissed introduction cards again.
Data Collected
- onboardingStep — which step of the onboarding flow you last completed
- dismissedIntroCards — IDs of introduction cards you have dismissed
- lastActiveAt — timestamp of your most recent active session
Legal Basis: Legitimate interest in improving onboarding and not repeatedly showing dismissed content (Art. 6(1)(f) GDPR).
Opt-out: You can reset all of these values, or opt out of onboarding telemetry entirely, from your account settings.
Anonymous Likes & Flags (IP handling)
Some interactions are available without an account: liking an article (ArticleLike) and flagging a map spot for moderation (SpotFlag).
To prevent abuse (ballot-stuffing, vandalism) while still protecting you, we only store a truncated form of the IP address — the last octet is discarded (/24 truncation) at the moment of writing. We do not log the full IP for these actions.
- ArticleLike: truncated IP retained for 12 months, then the full record is deleted.
- SpotFlag reporter IP: truncated IP retained for 24 months, then the full record is deleted.
Legal Basis: Legitimate interest in moderation and abuse prevention (Art. 6(1)(f) GDPR).
Certification Program
If you apply for certification as a longevity provider, speaker, or partner, we collect and process company information, application answers, and qualification data.
Data We Collect
- Company name, website, and contact email
- Category and subcategory of services
- Description and certification reason
- Company logo (if provided)
- Questionnaire answers and scores
Community Voting
Applications may be subject to community voting. If you vote on certification applications, we store your voter ID, your vote responses, and the timestamp of your vote.
Legal Basis: Processing is based on Art. 6(1)(b) GDPR (pre-contractual measures for application processing) and Art. 6(1)(f) GDPR (legitimate interest in community-driven quality assurance for voting).
Retention: Application data is retained for audit purposes. You may request deletion after your application has been processed.
Gamification & Social Features
To enhance community engagement, we track activity points (XP), achievement badges, login streaks, and levels.
Data We Collect
- Experience points (XP) and current level
- Achievement badges earned
- Login streak and last login date
- Activity history (XP earning events)
Accountability Features
If you use accountability features, we store partnership connections between users, check-in records, and activity requests.
Legal Basis: Art. 6(1)(b) GDPR (service provision) and Art. 6(1)(f) GDPR (legitimate interest in community engagement).
Visibility: Your XP, level, and activity can be hidden via privacy settings in your profile.
Referral Program
If you participate in our referral program, we track your referral code, who referred you, and your registration type (open, referral, or beta).
Legal Basis: Processing is based on Art. 6(1)(b) GDPR (service provision) and Art. 6(1)(f) GDPR (legitimate interest in community growth).
Data Export (Right to Data Portability)
You can export all your personal data at any time through your account settings. The export includes your profile information, health stack data, activity history, achievements, and all other personal data we store about you.
Data is provided in JSON format, which is machine-readable and can be imported into other services.
This feature implements your right to data portability under Article 20 GDPR.
Account Deletion and Data Export
You can delete your account at any time via your profile settings. Deletion is performed immediately and includes:
- Full deletion: account data, Health Stack, activities, achievements, notifications, Heart connections, Longevity Check results, challenge participations, partnership requests.
- Anonymisation instead of deletion: contributions to community articles and suggested spots are anonymised (your name is replaced with a placeholder) to preserve the integrity of public community content.
- Brevo contact: your newsletter data is deleted at Brevo.
Retention of consent records (ConsentLog): Due to our accountability obligation under Art. 7(1) GDPR, we retain a reduced audit record of consents you have granted and revoked even after account deletion. This contains only hashed/pseudonymised technical metadata (hashed IP, hashed user agent, timestamp, consent type, version). Direct personal identifiers are removed. The legal basis is compliance with a legal obligation (Art. 6(1)(c) GDPR).
Data Export: You can request an export of your personal data in machine-readable JSON format at any time via your profile settings (Art. 20 GDPR).
Health Information Disclaimer
The information provided on this website, including but not limited to health stack tracking, lifestyle age tests, photo age tests, and longevity-related content, is for general informational and educational purposes only.
Not Medical Advice
Nothing on this website constitutes professional medical advice, diagnosis, or treatment. The content is not intended to be a substitute for professional medical advice, diagnosis, or treatment from a qualified healthcare provider.
No Reliance
You should not rely on any information on this website as a substitute for, nor does it replace, professional medical advice, diagnosis, or treatment. Always seek the advice of your physician or other qualified health provider with any questions you may have regarding a medical condition.
User Responsibility
Any actions you take based on the information provided on this website are strictly at your own risk. We are not responsible for any health decisions you make based on information found on our platform.
In case of a medical emergency, contact your local emergency services immediately.
Limitation of Liability
To the fullest extent permitted by applicable law, Valteris GmbH and its officers, directors, employees, and agents shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, use, goodwill, or other intangible losses, resulting from:
- Your access to or use of (or inability to access or use) our services
- Any conduct or content of any third party on our services
- Any content obtained from our services
- Unauthorized access, use, or alteration of your transmissions or content
- Decisions made or actions taken based on information provided through our services
In no event shall our total liability to you for all claims exceed the amount you have paid us, if any, in the twelve (12) months preceding the claim.
These limitations do not affect your statutory rights under applicable consumer protection laws or mandatory provisions of the GDPR that cannot be limited by contract.
Warranty Disclaimer
Our services are provided on an 'as is' and 'as available' basis, without any warranties of any kind, either express or implied.
We do not warrant that:
- Our services will meet your specific requirements
- Our services will be uninterrupted, timely, secure, or error-free
- The results obtained from using our services will be accurate or reliable
- Any errors in our services will be corrected
We are not responsible for the accuracy, reliability, or completeness of any third-party content, including but not limited to user-generated content, external links, or information from third-party services integrated into our platform.
User Responsibilities
When using our services, you are responsible for:
- Providing accurate and truthful information when creating an account or using our features
- Maintaining the confidentiality of your account credentials
- Ensuring that your use of our services complies with applicable laws and regulations
- Not using our services for any unlawful or harmful purposes
- Promptly notifying us of any unauthorized access to your account
Data Accuracy
We rely on the accuracy of information you provide. You are responsible for ensuring that all personal data you submit is accurate, complete, and up-to-date. We cannot be held liable for consequences arising from inaccurate information you provide.
Changes to This Privacy Policy
We review and update this privacy policy as our services and legal obligations evolve. The current version always reflects our actual processing practices.
Material changes will be announced with at least 30 days' prior notice via email (if we have your address) or an in-product banner. If consent-based processing is affected, we will request fresh consent rather than relying on continued use. The 'Last updated' date at the top of this page indicates when the current version took effect.
Where new or expanded processing materially widens the scope of what you previously consented to under Art. 6(1)(a) or Art. 9(2)(a) GDPR, we will obtain fresh consent. For other changes (including additions of processors, minor feature adjustments, legal-basis clarifications, and editorial rewording), we will update this policy and, where required by law, notify you; your continued use of the Service after the effective date of the change constitutes acknowledgement of non-consent-based changes, without prejudice to your right to object under Art. 21 GDPR or to withdraw any existing consent.
Previous versions of this privacy policy are available on request via [email protected].
Regional Privacy Notes
We operate a multi-region platform (Germany, Austria, Switzerland, USA, China). The GDPR/BDSG framework above applies to all users because the controller is established in the EU. In addition, the following region-specific notes apply.
Germany
Competent supervisory authority: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), Ludwig-Erhard-Str. 22, 20459 Hamburg, [email protected], https://datenschutz-hamburg.de/
Minimum age for independent consent to information-society services: 16 (Art. 8(1) GDPR).
Applicable national law: BDSG (Bundesdatenschutzgesetz) and TDDDG (for cookies and access to information stored on end devices).
Austria
Competent supervisory authority: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Wien, [email protected], https://www.dsb.gv.at
Minimum age for independent consent: 14 (§ 4(4) DSG).
Applicable national law: DSG (Datenschutzgesetz).
Switzerland
Competent authority: Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB / FDPIC), Feldeggweg 1, 3003 Bern, https://www.edoeb.admin.ch
Parental consent is required for users below approximately 16 years of age under nFADP guidance.
Applicable national law: revised Federal Act on Data Protection (nFADP / revDSG), in force since 1 September 2023.
Where Swiss personal data is transferred to US processors, we rely on the Swiss-US Data Privacy Framework alongside the EU-US Data Privacy Framework, supplemented by Standard Contractual Clauses where applicable.
United States
We do not 'sell' your personal information and we do not 'share' it for cross-context behavioural advertising as those terms are defined in applicable US state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA and equivalents).
Subject to applicable state law, US residents may have the right to: (i) know/access the personal information we hold, (ii) request deletion, (iii) request correction, (iv) opt out of targeted advertising, (v) limit use of sensitive personal information, and (vi) appeal a denial of a rights request.
To submit a Data Subject Access Request (DSAR), email [email protected] with the subject line 'US Privacy Request'. We will verify your identity before responding.
COPPA: our services are not directed at children under 13 and we do not knowingly collect personal information from children under 13.
China (PIPL)
For users in Mainland China, the Personal Information Protection Law (PIPL) applies alongside GDPR where relevant.
Processing of sensitive personal information (biometric, health, minors' data) is carried out only on the basis of separate, explicit consent, provided at the point of use (Art. 29 PIPL).
Domestic China representative: No local representative is currently appointed. A representative will be designated if and when the threshold for appointment under PIPL Art. 53 is met. Until then, all PIPL-related enquiries should be directed to [email protected].
Separate parental/guardian consent is required for users under 14 (Art. 31 PIPL).
Public Profile as a Publication Act
By keeping your profile visibility set to 'public' (the default), you consent to the display of your profile data to any visitor of the Service. Public profile data includes: username, display name, avatar, banner, bio, location at city/country level, XP, level, login streak, interests, goals and routine (if your privacy settings allow), services you offer, badges, partnership history, community-challenge participation, authored articles, chapter-lead role (if any), and any biometric results you have marked as public. Public profile data may also appear on the community landing page, chapter pages, community directory, leaderboards, and in auto-generated social-media share preview images (Open Graph and Twitter Card tags). You can switch your profile to private at any time in Settings (profileVisibility = private). Legal basis: Art. 6(1)(a) GDPR (consent, given by choosing public visibility), with Art. 9(2)(a) GDPR for any biometric data you have marked as public. You may revoke consent at any time by switching to private or deleting specific items.
Possible Future Use of Public Profile Content
Should we wish to use publicly visible profile content (avatar, bio excerpts, public achievements) for marketing purposes (e.g. newsletters, social media), we will do so only in a factual, non-endorsing manner and within the scope of the public visibility you have actively configured. For use in investor presentations, editorial pieces quoting health-related claims, or commercials, we will obtain your separate, dedicated consent in advance. You may object at any time by emailing [email protected].
Aggregated and Anonymised Statistics
We may create, publish and use aggregated and fully anonymised statistics derived from Service data (for example: 'X% of Munich members reported a vascular age under 40', or 'average grip strength by chapter'). Such outputs do not permit re-identification of individual users and are not considered personal data within the meaning of the GDPR. Aggregated outputs may be used indefinitely for editorial, research, marketing, and partnership purposes. Legal basis for the production of such outputs: Art. 6(1)(f) GDPR (legitimate interest in statistical and editorial reporting) and Art. 89 GDPR.
Service Improvement and Future Model Training
We may evaluate pseudonymised and aggregated usage data to improve the quality, accuracy and performance of our service. At present, we do not train our own models on pseudonymised user data. Should we introduce such processing in the future, we will update this privacy policy accordingly and, where a change in legal basis is required, obtain fresh consent. We do not share user content with external generative-AI providers for their own model training.
A/B Testing and Product Experiments
We may assign you to product experiments (A/B tests) to evaluate changes to the user interface, onboarding flows, copy variants, and recommendation heuristics. The assignment uses pseudonymous identifiers. To the extent that tracking data is collected, it is captured exclusively client-side via Google Analytics (after active consent). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in service improvement). You may object by disabling analytics consent in our cookie banner or by emailing [email protected].
Changes to Our Processors
We may engage, change, or remove processors and sub-processors at any time to operate, improve, secure, or scale the Service. Changes to our processor list will be reflected in this Privacy Policy. Where a change does not alter the category of processing or the legal basis, no fresh consent is required; your right to object under Art. 21 GDPR is unaffected. An up-to-date list of processors is always available in this Policy, and specific details of any individual processor can be requested at [email protected].
Anonymisation as an Alternative to Deletion
When you request deletion of your account (Art. 17 GDPR), you may choose between: (a) complete deletion of your personal data (subject to mandatory retention for legal and tax purposes), or (b) anonymisation, in which we replace your username and identifiers in our database with a non-identifying marker while preserving the pseudonymised record of your contributions to community outputs (for example: authored articles, chapter-lead role history, community voting records, leaderboard entries, and historical challenge participation). Anonymised records are retained indefinitely for community integrity, scientific research and statistical purposes under Art. 17(3)(d) and Art. 89 GDPR. The default in our deletion UI is complete deletion; anonymisation must be expressly chosen.
Transfer of Personal Data in Merger, Acquisition or Restructuring
In the event of a merger, acquisition, asset transfer, reorganisation, bankruptcy or similar transaction involving Valteris GmbH or the Service, personal data may be transferred to the successor entity as a business asset, provided that the successor accepts obligations no less protective of your rights than those set out in this Privacy Policy. We will notify you in advance via email or in-product banner where feasible. You will retain your Art. 17 erasure and Art. 20 portability rights against the successor.
Encrypted Backups and Deletion Latency
Personal data may persist in encrypted backup snapshots for up to ninety (90) days after an active deletion in the live system. During that window, backups are logically inaccessible and would only be restored in disaster-recovery scenarios. Once the relevant snapshot expires, the data is irreversibly erased. Backup media is rotated continuously.
Retention of Consent Records
We retain consent records — including cookie consent receipts (ConsentLog), newsletter double-opt-in records, biometric and health-data consent timestamps, and account-creation consent — indefinitely, for the purpose of demonstrating compliance under Art. 5(2), Art. 7(1), and Art. 24 GDPR. Consent records are stored in a segregated table and are not used for any other purpose. A consent record is your proof that your rights were respected; keeping it benefits you.
Third-Party Personal Data in Your Submissions
You warrant that any content you submit to the Service — including bio text, goals, routines, activity descriptions, event photos, spot submissions — does not contain the personal data of identifiable individuals other than yourself unless you have their permission to publish. You act as an independent controller for any such third-party data under the GDPR. Our Terms of Service contain a corresponding indemnity provision.
Severability
If any provision of this privacy policy is found to be unenforceable or invalid under applicable law, such unenforceability or invalidity shall not render this privacy policy unenforceable or invalid as a whole. Such provisions shall be modified or deleted to the minimum extent necessary to make them enforceable, and the remaining provisions shall continue in full force and effect.
Governing Law and Jurisdiction
This privacy policy and any disputes arising from it shall be governed by the laws of the Federal Republic of Germany, without regard to its conflict of law provisions.
For all disputes arising from or in connection with this privacy policy, the courts of Hamburg, Germany shall have exclusive jurisdiction, unless mandatory statutory provisions require a different venue.
This choice of law and jurisdiction does not deprive you of the protection afforded by provisions that cannot be derogated from by agreement under the law of your country of habitual residence.
Contact
If you have questions about this privacy policy or the processing of your personal data, you can contact us at any time:
- Company: Valteris GmbH
- Managing Director: Christian Ziegert
- Register Court: Local Court of Hamburg
- Commercial Register: HRB 192405
- Email: [email protected]
- Phone: +49 (0) 151 720 419 97
- Address: Am Kaiserkai 59, 20457 Hamburg, Germany
This privacy policy was last updated on 5/18/2026.
