Privacy policy
SmartLab Health Plan
Biometric & Health Data Collection — Research Study
In accordance with EU Regulation 2016/679 (GDPR) — Art. 13
1. Data Controller
The Data Controller responsible for the processing of your personal data is:
- Organization: MINDBE SRL
- Address: Via Fratelli Bandiera 31, 70024 Gravina in Puglia (BA), Italy
- Email: Ethicoin@pec.buffetti.it
- Phone: —
- VAT / Reg. No.: 08330830723
2. Purpose and Legal Basis of Processing
2.1 Purpose
The data collected through the wearable/biometric device is processed exclusively for scientific research purposes. Specifically:
- To conduct an anonymized correlation study between the collected health metrics.
- To build a historical dataset of anonymized records for use in a subsequent Machine Learning clustering algorithm.
- No data will be used for commercial profiling, marketing, advertising, or any purpose other than those described above.
2.2 Legal Basis
The processing is based on:
- Explicit consent of the data subject (Art. 6(1)(a) and Art. 9(2)(a) GDPR), freely given, specific, informed, and unambiguous.
- For special categories of data (biometric and health data), processing is permitted exclusively on the basis of explicit consent pursuant to Art. 9(2)(a) GDPR.
3. Categories of Data Collected
The following biometric and health-related data is collected via the connected wearable device:

| Data Category | Classification | Reason for Collection |
|---|---|---|
| Blood Pressure | Special category — Health data (Art. 9 GDPR) | Collected to analyze cardiovascular response patterns in correlation with physical activity intensity and stress levels, as a key physiological variable within the anonymized research dataset and ML clustering model. |
| Blood Glucose | Special category — Health data (Art. 9 GDPR) | Collected to examine the relationship between glycemic levels and physical activity metrics (e.g., active hours, exercise intensity), contributing to the multi-variable correlation study. |
| SpO2 (Blood Oxygen Saturation) | Special category — Health data (Art. 9 GDPR) | Collected to monitor oxygen saturation as a physiological indicator during varying levels of physical exertion, enabling correlation analysis with activity and cardiovascular data. |
| Stress Level | Special category — Health data (Art. 9 GDPR) | Collected as an aggregated physiological index to study its correlation with activity patterns, heart rate, and other biometric variables within the anonymized research framework. |
| Exercise Goals | Health / Lifestyle data | Collected to contextualize individual activity data within the dataset, enabling the ML model to account for self-reported behavioral targets in the clustering analysis. |
| Distance Travelled | Activity data | Collected as a quantitative measure of daily physical activity, used as an input variable in the correlation and clustering analysis. |
| Ascent & Altitude | Activity data | Collected to enrich the physical activity profile of each data record, providing contextual information on exercise intensity for the research model. |
| Active Hours | Activity data | Collected to measure the daily duration of physical engagement, used as a variable to correlate with biometric indicators such as blood pressure, SpO2, and stress level. |
| Medium- and High-Intensity Activity | Activity data | Collected to distinguish between levels of physical exertion and analyze their respective impact on cardiovascular and biometric parameters within the study. |
| Daily Activity Summary | Activity data | Collected as an aggregated overview of daily movement patterns, used to support the overall correlation study and provide context to individual biometric readings. |
| Personal Information (device-level) | Pseudonymous identifier — anonymized at ingestion | A pseudonymous device-level identifier collected solely to enable consistent data aggregation during the session, immediately anonymized upon ingestion and non-traceable to any individual. |
| Step | Activity data | Collected to quantify daily step counts as a fundamental measure of physical activity, used as a primary input variable in the correlation and clustering analysis. |
| Calories | Activity data | Collected to estimate energy expenditure during physical activity, enabling the correlation study to assess the relationship between caloric burn and biometric indicators. |
| Activity Record | Activity data | Collected to capture structured records of individual physical activities (type, duration, intensity), providing detailed context for the clustering model and correlation analysis. |
| Activity | Activity data | Collected to record specific activity sessions performed by the user, supporting the research dataset with granular exercise data for multi-variable analysis. |
| Heart Health | Special category — Health data (Art. 9 GDPR) | Collected to monitor cardiac health indicators, enabling the study to analyze correlations between heart health metrics and physical activity patterns within the anonymized research framework. |
4. Anonymization Mechanism
All data collected undergoes an immediate anonymization process upon ingestion, prior to any storage or processing. The anonymization procedure includes:
- Removal of all device-level personal identifiers before storage.
- Assignment of a randomized, non-reversible internal token which cannot be traced back to the original individual.
- The research dataset will contain no fields that, individually or in combination, would allow re-identification of any data subject.
- Once anonymized, the resulting data falls outside the scope of the GDPR, as it no longer constitutes personal data (Recital 26 GDPR). However, this policy is provided in full transparency.
5. Data Recipients and Third-Party Transfers
Anonymized data may be shared with:
- Internal research team members involved in the study, bound by confidentiality obligations.
- Academic or scientific collaborators, if applicable, solely for the purposes described in Section 3.
6. Data Retention Period
Raw (pre-anonymization) data, if temporarily held during processing, is deleted immediately upon successful anonymization and in any case within 24 hours of collection. Anonymized research data is retained for the duration of the research project and for any mandatory period required by applicable scientific integrity standards or funding body regulations. Upon completion of the research, anonymized data may be archived or published in aggregated, non-identifiable form in accordance with open science practices.
7. Rights of the Data Subject
As a data subject, and for the period prior to full anonymization, you have the following rights under the GDPR:
- Right of Access (Art. 15) – You may request confirmation of whether your data is being processed and obtain a copy.
- Right to Rectification (Art. 16) – You may request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17) – You may request deletion of your data (“right to be forgotten”), subject to applicable exceptions.
- Right to Restriction (Art. 18) – You may request that processing be restricted in certain circumstances.
- Right to Portability (Art. 20) – You may receive your data in a structured, machine-readable format.
- Right to Object (Art. 21) – You may object to processing based on legitimate interests.
- Right to Withdraw Consent – You may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
- Right to Lodge a Complaint – You may lodge a complaint with the competent supervisory authority (in Italy: Garante per la Protezione dei Dati Personali — www.garanteprivacy.it).
8. Automated Processing and Profiling
The Machine Learning algorithm described in this policy operates exclusively on fully anonymized, aggregated data. It does not involve automated decision-making or profiling of identifiable individuals as defined under Art. 22 GDPR. No decisions with legal or similarly significant effects are made on the basis of individual data.
9. Security Measures
The Data Controller adopts appropriate technical and organizational measures to protect data against unauthorized access, disclosure, alteration, or destruction.
- Encrypted transmission of data between device and processing infrastructure.
- Access controls limiting data access to authorized personnel only.
- Immediate anonymization pipeline to minimize the window in which personal data is retained.
- Regular review of security policies and procedures.
10. Consent to Participation
Participation in this study is entirely voluntary. By providing your explicit consent, you acknowledge that:
- You have read and understood this Privacy Policy.
- You freely agree to the collection and processing of your biometric and health data as described herein.
- You are aware that you may withdraw your consent at any time by contacting the Data Controller.
- Withdrawal of consent will not result in any negative consequences for you.
11. Updates to This Policy
This Privacy Policy may be updated periodically to reflect changes in applicable law or in the research scope. Participants will be notified of any material changes prior to their entry into force.
Version 1.0 — Date of issue: 01/03/2026
Prepared in compliance with EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended.