Privacy Policy
Last updated: 28 May 2026
The Body Tell (“we”, “us”, “our”) is operated by Marthe Michoux, based in Belgium. This policy explains what personal data we collect about you, why we collect it, how we protect it, and the rights you have under the EU General Data Protection Regulation (GDPR). It covers the entire service available at thebodytell.com.
1. Data controller
The controller of your personal data is:
Marthe Michoux — The Body Tell
Belgium
Privacy contact: hello@thebodytell.com
2. What we collect
Data you provide directly: answers to the assessment (symptoms, cycle, sleep, energy, skin, mood, metabolism), first name (if you provide one), email address (at payment), and entries you choose to add to your Health Files (blood work, supplements, medications, notes).
Technical data: IP address, browser user agent, session timestamps, essential authentication cookies. No advertising cookies, no third-party tracking pixels.
Payment data: handled entirely by Stripe — we never see your card number. We receive only a transaction ID and payment status.
We do not ask for your full legal name, date of birth, or national identity number. The free assessment can be completed without creating an account.
3. Legal basis for processing
In accordance with GDPR Article 6:
Performance of a contract: to generate and store your Pattern Report after payment, and to give you access to your dashboard.
Consent: to send you post-purchase educational emails (access reminder, content around your pattern). You can unsubscribe at any time via the link at the bottom of every email.
Legitimate interest: to analyse aggregated and anonymised data to improve product quality (never for advertising).
Legal obligation: to keep payment records for 7 years (Belgian accounting requirement).
4. How we use your data
We use your answers only to generate your educational Pattern Report. Your Health Files and entries are stored securely for your personal use.
Your answers and health files stay private. We do not sell, rent, or share them with third parties for commercial purposes. We never match your health data against external public or commercial databases.
Automated decision-making: your Pattern Report is generated by a scoring algorithm that clusters your answers into educational hormonal patterns. It is not a medical diagnosis and has no legal effect on you. You retain the right to request human intervention or to contest the result — please contact us.
5. Processors
To operate the service, we use the following processors. Each is bound by a GDPR-compliant Data Processing Agreement (DPA):
- Supabase (EU — Frankfurt) — stores your account, answers, reports, and health files. Encryption in transit and at rest.
- Stripe (Ireland, Stripe Payments Europe Ltd) — payment processing. See Stripe’s policy.
- Resend (EU) — sends the post-purchase email with access to your report.
- MailerLite (Lithuania, EU) — post-purchase educational email sequence. You can unsubscribe at any time.
- Vercel (EU — Frankfurt) — website hosting and compute infrastructure.
None of these processors is allowed to use your data for their own commercial purposes.
6. International data transfers
We prioritise processors that host data inside the EU. Where non-EU transfers occur (e.g. Stripe’s US infrastructure for some technical operations), they are governed by EU Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework.
7. Data retention
Account + answers + report: kept while your account is active. Deleted within 14 days of your deletion request.
Payment records (invoices, Stripe IDs): kept for 7 years (Belgian accounting requirement).
Marketing emails: until you unsubscribe.
Technical logs (IP, sessions): 30 days then automatically deleted.
8. Your rights
Under GDPR you have the following rights, which you can exercise free of charge and to which we respond within 30 days:
- Access — obtain a copy of all data we hold about you.
- Rectification — correct inaccurate data.
- Erasure (“right to be forgotten”) — delete your account and all associated data (except where legal retention obligations apply).
- Restriction — freeze processing of your data.
- Portability — receive your data in a structured format.
- Object — object to processing based on legitimate interest.
- Withdraw consent — withdraw consent at any time, without retroactive effect.
- Automated decision-making — request human review of your Pattern Report.
To exercise any of these rights, email hello@thebodytell.com with the subject “GDPR request”.
You can also delete your account directly from your account settings.
9. Security
TLS 1.3 in transit, at-rest encryption on Supabase storage, Row Level Security enabled — only your own data is accessible to you. Magic-link authentication (no password to remember or compromise). In case of a data breach affecting your rights, we will notify you within 72 hours as required by GDPR Article 34.
10. Cookies
We use only essential cookies:
- Authentication session (Supabase) — to keep you logged in. Duration: 7 days.
- NEXT_LOCALE — to remember your language choice (EN/FR). Duration: 1 year.
No advertising cookies, no Facebook/Google pixels, no third-party trackers.
11. Minors
The service is intended for users aged 18 and over. We do not knowingly collect data from minors. If you believe a minor has submitted data to us, contact us and we will delete it immediately.
12. Medical disclaimer
The Body Tell is an educational tool, not a medical diagnosis. The report does not replace clinical evaluation. Always confirm findings with a qualified healthcare professional before changing medication, supplements, or treatment plans.
13. Supervisory authority
If you believe your rights are not being respected, you have the right to lodge a complaint with the Belgian Data Protection Authority (APD/GBA):
Autorité de protection des données / Gegevensbeschermingsautoriteit
Rue de la Presse 35, 1000 Brussels, Belgium
www.autoriteprotectiondonnees.be
14. Updates to this policy
We may update this policy. Any material change will be notified by email (if you have an account) or via a site banner before it takes effect. The “last updated” date at the top of this page reflects the latest revision.
15. Contact
Questions about your data or this policy: hello@thebodytell.com