EFORTO PRIVACY POLICY

Last updated: 24 June 2025

Updates Summary (24 June 2025): Added clinical‑study clause, clarified data ownership & consent, standardised contact email to compliance@eforto.com. Added clinical‑study & third‑party marketing projects clause (§ 5A), clarified data ownership & consent, noted EU‑vs‑US server locations, and set minimum user age to 18.


This Privacy Policy explains how UniWeb BV and its U.S. affiliate Eforto Health Inc. (“Eforto”, “we”, “us”, “our”) collect, use, disclose, and protect your personal data when you visit our websites, use our mobile apps, interact with our cloud platform (Eforto Metrics), purchase or use any Eforto Devices (R1 wellness device or M1 medical‑device ecosystem), or otherwise engage with us (collectively, the “Services”).

1  Who is responsible for your data?
Role Entity Address Registration Contact
Data Controller
(EU/UK GDPR)		 UniWeb BV ’s Herenweg 16, 
1860 Meise, Belgium

VAT BE0472383367

 compliance@eforto.com
Representative
USA		 Eforto Health Inc. 530, 7th Ave, Suite 902,
New York NY 10018, USA		 EIN 33-1384803 compliance@eforto.com
Data Protection Officer
(DPO)		 compliance@eforto.com


When we provide third‑party enterprise services, we act as processor and the enterprise customer is the controller. In all other cases (direct‑to‑consumer, marketing, support) UniWeb BV is the controller.

2  What personal data do we collect?
Category Examples Source
Account data Name, email, password, language preference You
Profile & demographics Year of birth, gender, height, dominant hand You
Wellness / health metrics Grip‑strength raw values, fatigue index, self‑perceived fatigue answers Sensors & questionnaires
Device & log data Serial number, firmware version, IP addresses, crash logs Device / App
Payment & shipping Address, last four digits of card, VAT/Tax ID Checkout provider
Support records Emails, call notes, bug screenshots You
Marketing analytics Cookie IDs, session heatmaps Cookies / pixels
Clinical study data (M1 only) Investigator site, subject ID, study arm Investigator /

No diagnosis  Our R1 wellness Services and the M1 platform only supply objective metrics; we do not interpret results to diagnose, cure, or prevent disease.


3  Why and on what legal basis do we process your data?
Purpose Legal basis (EU GDPR Art. 6) U.S. / HIPAA equivalent
Account registration & authentication Contract (Art. 6 b) N/A
Provide device readings & dashboards Contract (Art. 6 b) HIPAA “treatment” / business‑associate
Research analytics (aggregated, de‑identified) Legitimate interests (Art. 6 f) HIPAA §164.514(b) de‑identification
Marketing newsletters Consent (Art. 6 a) CAN‑SPAM
Compliance with MDR/FDA vigilance Legal obligation (Art. 6 c) 21 CFR part 803
Payment & fraud prevention Contract + legit. interests GLBA fraud‑exception
Age gate & COPPA compliance Legal obligation COPPA § 6502

Where we rely on legitimate interests we balance your privacy with our need to keep the platform secure and improve it. You may object at any time (Art. 21 GDPR).

4  How long do we keep your data?
Data set Default retention Rationale
Account & device data While account is active + 24 months Guarantee warranty & allow data export
Health metrics User‑controlled; deleted upon account closure User autonomy
Regulatory vigilance records 10 years after last market placement EU MDR Art. 10(8)
Payment records & invoices 7 years Belgian bookkeeping law
Support tickets 3 years Defend legal claims

Back‑ups are overwritten on a 6‑month rolling basis.

5  Who do we share data with?

If applicable

  • Payment processors – Stripe; we never store full card numbers.

  • Analytics – Matomo (self‑hosted, EU), Google Analytics 4 (IP‑anonymised).

  • Healthcare providers & study sponsors (M1 only) – under HIPAA BAAs / GDPR DPAs.

  • Regulators – FDA, when required by law.

  • Corporate reorganisation – buyers or investors, subject to confidentiality.

We never sell your personal data.


5A  Clinical studies & third‑party marketing projects

When we run a clinical study, research project, or marketing campaign for a hospital, university, life‑science company, or wellness brand (“Project Sponsor”):

  1. Explicit consent or contract. We collect or share personal and study data only after you have signed or accepted an informed‑consent form (ICF) or equivalent agreement that clearly states what data is collected, why, who will see it, and how long it will be kept.

  2. Controller / processor roles. The Project Sponsor is usually the data controller; Eforto acts as processor (GDPR) or business associate (HIPAA) under a Data‑Processing Agreement (DPA) or Business‑Associate Agreement (BAA).

  3. Data ownership. You remain the owner of your identifiable data unless the ICF states otherwise. Eforto will never reuse your identifiable data outside the project scope without new consent.

  4. Anonymised analytics. We may create de‑identified, aggregated statistics (e.g., average grip‑strength per cohort) for scientific publications or marketing materials; individuals are never identifiable.

  5. Withdrawal. You can withdraw from the project at any time by contacting the Project Sponsor or Eforto. We will stop new data collection and, where legally allowed, delete or anonymise existing data.


6  International transfers

We do not transfer Data from EU user data outside of the EEA.
Data may be transferred outside the United States to jurisdictions such as the EEA. We rely on:

  1. EU–U.S. Data Privacy Framework (self‑certification in progress)

  2. Standard Contractual Clauses (2021/914/EU) with additional technical measures (encryption‑at‑rest, key management in EU)

  3. BCR‑equivalent policies for intra‑group transfers.


7  Your rights (GDPR, UK‑GDPR, CCPA/CPRA, VCDPA)
Right EU/UK California Virginia How to exercise
Access & copy compliance@eforto.com
Rectification In‑app profile or email
Erasure Delete “Delete account” in app or email
Data portability Export CSV in dashboard
Opt out of sale/sharing Do Not Sell/Share link
Automated decision‑making Email DPO

We respond within 30 days (45 days in California). If you are unhappy with our response, you may lodge a complaint with your local supervisory authority (for example, the Belgian Data Protection Authority).



8  Cookies & tracking

We use only:

  • Essential cookies – session management, security.

  • Analytics cookies – Matomo (self‑hosted); consent banner shown in the EU/UK.

  • Marketing pixels – Meta, Google Ads – loaded only if you opt in.

Full cookie list & lifetimes is published at https://www.eforto.com/cookies.


9  Security

  • ISO 27001‑aligned controls; audited annually.

  • Data centres located in Belgium (primary EU servers) and United States (secondary); EU user data remains in EU servers by default.

  • TLS 1.3 encryption in transit; AES‑256 encryption at rest.

  • Role‑based access control & mandatory multi‑factor authentication for staff.

  • Public summary of our latest Data‑Protection Impact Assessment (DPIA) available on request.

  • 72‑hour breach notice to EU/UK authorities and affected users (Art. 33 GDPR).


10  Age limits & children’s privacy

Our Services are intended for adults aged 18 years and over. We do not knowingly allow persons under 18 to create accounts.

We also do not knowingly collect data from children under 13 (U.S.) or under 16 (EU/UK) without verifiable parental consent. If you believe we have done so, please email compliance@eforto.com and we will delete the data promptly. (COPPA, GDPR Art. 8)


11  Changes to this Privacy Policy

We will post any changes on this page and, for material changes, notify you by email or in‑app alert at least 14 days before they take effect. The “Last updated” date at the top lets you know when this Policy was last revised.


12  Contact us

UniWeb BV – Eforto® (EU)
’s Herenweg 16, 1860 Meise, Vlaams Brabant, Belgium
Email: compliance@eforto.com Tel: +32 (0)2 306 00 00

Eforto Health inc (USA)
530, 7th Ave, Suite 902, New York NY 10018, USA
Email: compliance@eforto.com

© 2025 UniWeb BV. All rights reserved.