Legal

Privacy Policy

Effective: 2026-06-01Last updated: 2026-06-01

This Privacy Policy describes how we collect, use, disclose, and protect personal data when you use the Blood Pressure Scanner mobile application and any related services (together, the "Service"). It applies to all users of the Service, regardless of where you reside.

This Policy has been prepared to meet the substantive requirements of:

Where the protections afforded by your local law differ from those set out below, the more protective standard applies to your data.

1. Who we are

The controller responsible for your personal data is:

izzy-app

Lepsiusstraße 48 12163 Berlin Germany

Contact: support@bloodpressure.my

EU and UK residents may exercise data-subject rights at the contact address above. California residents may exercise CCPA/CPRA rights at the same address.

2. The personal data we collect

We collect only what is needed to provide the Service. The categories below describe what we receive and why. Specific technical implementations may change over time without altering the substance of our collection.

CategoryDescriptionPurpose
Account identifiers Your email address and an authentication credential To create, secure, and authenticate access to your account
Health-related data Blood pressure readings (systolic, diastolic, pulse), the date and time you recorded them, and any notes you choose to add The core function of the Service: maintaining your personal record of readings
Photographic data Images you capture or upload through the in-app scan feature To extract numeric values from your blood pressure monitor's display, and (if you choose to save them) to attach a low-resolution reference image to a saved reading
Subscription metadata Your subscription tier, billing period, renewal status, and entitlement state To confirm your access level. We do not receive, process, or store your payment-card details — payment is handled entirely by the app store and our subscription-management provider
Technical and diagnostic data Pseudonymised event logs, error codes, model identifiers, and approximate response times associated with the scan feature To detect and resolve service errors, monitor operational health, and identify cost drift

We do not collect or process your precise location, your contacts, your photo library beyond images you actively select for use with the Service, advertising identifiers, biometric identifiers (as defined under applicable law), or activity from other apps or websites you use.

3. Special-category (sensitive) data

The blood pressure readings we hold constitute health data and are treated as a special category of personal data under GDPR Article 9 and equivalent provisions of UK GDPR, Swiss FADP, and CCPA/CPRA (which defines health information as "sensitive personal information").

We process this data on the lawful basis of your explicit consent, which you provide when you create an account and record your first reading, and which you may withdraw at any time by deleting your account. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

4. How we use your data

We use personal data only for the following purposes, each tied to a specific lawful basis under GDPR (and equivalent under UK GDPR and FADP):

PurposeLawful basis
Operating the Service: storing, displaying, exporting, and synchronising your readings across your devicesPerformance of a contract (Art. 6(1)(b)) and your explicit consent for health data (Art. 9(2)(a))
Authenticating your account and protecting it from unauthorised accessPerformance of a contract (Art. 6(1)(b)) and our legitimate interest in security (Art. 6(1)(f))
Detecting abuse, fraud, and infrastructure misuseOur legitimate interest in maintaining service integrity (Art. 6(1)(f))
Processing your subscription and confirming entitlementsPerformance of a contract (Art. 6(1)(b))
Sending transactional email (account confirmation, password reset, important security or service notices)Performance of a contract (Art. 6(1)(b))
Complying with legal obligations, including responding to lawful requests from authoritiesLegal obligation (Art. 6(1)(c))

We do not use your data for advertising, behavioural profiling, marketing communications from third parties, or any other purpose not described in this Policy.

5. Automated processing of scan images

When you use the scan feature to capture a photograph of your blood pressure monitor, the image is transmitted to an automated image-recognition service operated by Google (located in the United States) to extract the displayed numeric values. That service operates under data-processing terms that prohibit it from using your image for its own purposes and does not retain the image after the request completes.

To monitor and improve the accuracy of our reading-recognition feature, we may retain a copy of the scanned image on our own systems. Any image retained for this purpose is held in access-restricted storage available only to authorised personnel; is stored separately from your account, without your name or account identifier attached; is used solely to evaluate and improve recognition accuracy; and is never used for advertising, nor sold, nor shared with third parties for their own purposes. These images are retained only for as long as necessary for that purpose (see Section 8) and cease to be associated with you when your account is deleted. This is optional and off by default — we retain images for this purpose only if you opt in (you are asked when you create your account), and you can turn it off at any time in the app's settings, which stops any further retention.

This processing involves an international transfer of personal data outside the European Economic Area. See Section 7.

Under GDPR Article 22 and equivalent provisions, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The values extracted by the scan feature are always presented to you for confirmation before any reading is saved; the Service does not make any consequential decision about your health on the basis of automated extraction alone, and the scan feature is optional — you can always enter readings manually.

6. Recipients of your data

We share personal data only with the following categories of recipients, each bound by contractual obligations to process your data only as we instruct and only for the purposes described:

We do not sell or share your personal data within the meaning of the CCPA/CPRA, and we do not use it for cross-context behavioural advertising. No financial or other consideration is exchanged for access to your data.

7. International data transfers

The Service is offered globally. Personal data may be processed in jurisdictions outside the one in which you reside:

Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, we rely on transfer mechanisms approved under the applicable law, including:

You may request a copy of the relevant safeguards by writing to us at the address in Section 13.

8. Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy:

9. Security

We implement administrative, technical, and organisational measures appropriate to the nature of the data and the risks involved, including: encryption of personal data in transit using TLS; encryption at rest; access controls limiting access to personnel with a legitimate need; segregation of administrative credentials; logging and monitoring of administrative actions; and procedures for assessing and responding to suspected personal-data breaches.

No system can be guaranteed completely secure. If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach (under GDPR Art. 33) and, where required, you, in accordance with the timeframes prescribed by applicable law.

10. Your rights

Depending on the law applicable to you, you have the following rights regarding your personal data. You may exercise any of them by writing to support@bloodpressure.my from the email address associated with your account. We will respond within the timeframe required by applicable law (one (1) month under GDPR, extendable by two (2) further months for complex requests; forty-five (45) days under CCPA/CPRA, extendable by a further forty-five (45) days on notice).

We may need to verify your identity before processing certain requests. We will request only the minimum information necessary for that purpose and we will not use it for any other purpose.

Under GDPR, UK GDPR, and Swiss FADP

Under CCPA/CPRA and other US state privacy laws

If you reside in California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or another US state with a comprehensive privacy law:

You may submit verifiable consumer requests through the contact address above.

11. Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under that age.

If you are a parent or guardian and you believe that a child has provided us with personal data, please contact us at the address in Section 13 and we will delete the account and the associated data without undue delay.

In jurisdictions where a lower age threshold applies under sectoral law (for example, age 13 under the United States Children's Online Privacy Protection Act), the higher of the applicable thresholds is the operative standard for our purposes.

12. Changes to this Policy

We may update this Policy from time to time to reflect changes in the Service, applicable law, or our practices. Material changes will be communicated through the Service or by email to the address associated with your account, with at least thirty (30) days' advance notice where required by law. The "Last updated" date at the top of this Policy will always reflect the most recent revision.

Your continued use of the Service after a material change takes effect constitutes acceptance of the revised Policy. If you do not agree, you may delete your account before the effective date of the change.

13. Contact

For questions, requests, or concerns about this Policy or about how we handle your personal data:

izzy-app

Lepsiusstraße 48 12163 Berlin Germany

Email: support@bloodpressure.my

You also have the right to lodge a complaint with the supervisory authority of your country of residence; in Germany, this is the Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, www.datenschutz-berlin.de.