This Privacy Policy explains how Eforto BV (Belgian Crossroads Bank for Enterprises no. BE1030.787.326) and its U.S. affiliate Eforto Health Inc. (“Eforto”, “we”, “us”, “our”) collect, use, disclose, and protect your personal data when you visit our websites, use our mobile apps, interact with our cloud platform (Eforto Metrics), purchase or use any Eforto Devices (R1 wellness device or M1 medical-device ecosystem), or otherwise engage with us (collectively, the “Services”). For the avoidance of doubt, “Services” has the same meaning as in our Terms of Service.
| Role | Entity | Address | Registration | Contact |
|---|---|---|---|---|
| Data Controller (EU/UK GDPR) | Eforto BV | ’s Herenweg 16, 1860 Meise, Belgium | BE0472383367 | compliance@eforto.com |
| U.S. Affiliate (separate controller for U.S.-resident users; processor/business associate when acting for Covered Entities under HIPAA) | Eforto Health Inc. | 530, 7th Ave, Suite 902, New York NY 10018, USA | EIN 33-1384803 | compliance@eforto.com |
| Data Protection Officer (DPO) | Rudi Tielemans | ’s Herenweg 16, 1860 Meise, Belgium | — | dpo@eforto.com |
When we provide third-party enterprise services, we act as processor and the enterprise customer is the controller. Details of joint-controller arrangements (where applicable) under Art. 26 GDPR are available on request. In all other cases (direct-to-consumer, marketing, support) Eforto BV is the controller.
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email, password, language preference | You |
| Profile & demographics | Year of birth, gender, height, dominant hand | You |
| Wellness / health metrics (special category under Art. 9 GDPR; “sensitive personal information” under CPRA § 1798.140(ae)) | Grip-strength raw values, Muscle fatigability, self-perceived fatigue answers | Sensors & questionnaires |
| Device & log data | Serial number, firmware version, IP addresses, crash logs, advertising identifiers | Device / App |
| Payment & shipping | Address, last four digits of card, VAT/Tax ID | Checkout provider |
| Support records | Emails, call notes, bug screenshots | You |
| Marketing analytics | Cookie IDs, session heatmaps | Cookies / pixels |
| Clinical study data (M1 only) | Investigator site, subject ID, pseudonymised outcome measures | Investigator / Study sponsor / Device |
| Post-market surveillance data (M1 only) | Adverse event reports, device complaints, performance trend data — processed under EU MDR Art. 83-86 and 21 CFR Part 803 | Clinicians / Patients / Device |
No diagnosis. Our R1 wellness Services and the M1 platform only supply objective metrics; we do not interpret results to diagnose, cure, or prevent disease. Clinical interpretation of M1 outputs remains solely with the qualified healthcare professional.
| Purpose | Legal basis (EU GDPR Art. 6) | Art. 9 basis (special-category data) | U.S. / HIPAA equivalent |
|---|---|---|---|
| Account registration & authentication | Contract (Art. 6 b) | N/A | N/A |
| Provide device readings & dashboards | Contract (Art. 6 b) | Explicit consent (Art. 9(2)(a)) for R1; health/social-care provision (Art. 9(2)(h)) for M1 | HIPAA “treatment” / business-associate |
| Research analytics (aggregated, de-identified) | Legitimate interests (Art. 6 f) | Scientific research (Art. 9(2)(j)) with Art. 89 safeguards — pseudonymisation, access controls | HIPAA §164.514(b) de-identification |
| Marketing newsletters | Consent (Art. 6 a) | N/A (no health data in newsletters) | CAN-SPAM; CASL (Canada) where applicable |
| Compliance with MDR/FDA vigilance | Legal obligation (Art. 6 c) | Reasons of public interest in public health (Art. 9(2)(i)) | 21 CFR Part 803 and Part 820 |
| Payment & fraud prevention | Contract + legit. interests | N/A | GLBA fraud-exception |
| Age gate & COPPA compliance | Legal obligation (Art. 6 c) | N/A | COPPA § 6502 (15 U.S.C. § 6501 et seq.) |
Where we rely on legitimate interests we balance your privacy with our need to keep the platform secure and improve it. You may object at any time (Art. 21 GDPR). You may withdraw consent at any time (Art. 7(3) GDPR) without affecting the lawfulness of processing based on consent before its withdrawal.
| Data set | Default retention | Rationale |
|---|---|---|
| Account & device data | While account is active + 24 months | Guarantee warranty & allow data export |
| Health metrics | User-controlled during account lifetime; raw identifiable metrics deleted within 30 days of account closure. Pseudonymised aggregates may be retained for research and product improvement per Art. 9(2)(j) / Art. 89 GDPR. | User autonomy; research continuity |
| Regulatory vigilance records | 10 years after last market placement | EU MDR Art. 10(8) (non-implantable devices; 15 years for implantable). For the U.S. market, 21 CFR Part 820.180 — 2 years after release or expected device life, whichever is longer. |
| Payment records & invoices | 7 years | Belgian bookkeeping law (Art. III.86 Code of Economic Law) |
| Support tickets | 3 years | Defend legal claims |
| Marketing / newsletter data | Until consent withdrawn + 6 months | Evidence of consent (Art. 7(1) GDPR) |
| Website analytics & cookies | 13 months (Matomo); session-only for essential cookies | Belgian DPA 2023 cookie guidelines; data minimisation |
| Clinical investigation data (M1) | Up to 25 years post-study (ICH-GCP E6(R3)); at least 15 years for CE-marked devices (MDR Annex XV) | Regulatory, sponsor and GCP obligations |
Back-ups are overwritten on a 6-month rolling basis. Data in backups follows the retention schedule once the rolling cycle completes and is not actively accessed or processed in the interim.
If applicable
• Payment processors – Stripe; we never store full card numbers. Stripe processes some data in the U.S.; transfers are safeguarded by SCCs.
• Analytics – Matomo (self-hosted, EU). Google Analytics 4 is not used in the EU/UK build following the 2022-2023 DPA rulings in AT, FR and IT; we rely solely on self-hosted Matomo for EU/UK traffic.
• Hosting & infrastructure – self-hosted at Interxion Belgium.
• CRM and communications – HubSpot (EU data residency, Frankfurt); Google Workspace (Google Ireland Ltd). SCCs apply where data touches U.S. servers.
• Healthcare providers & study sponsors (M1 only) – under HIPAA BAAs / GDPR DPAs.
• Regulators – FDA, Belgian FAMHP, EU Notified Bodies, when required by law.
• Corporate reorganisation – buyers or investors, subject to confidentiality and data-minimisation safeguards.
We do not sell or share (as defined by CPRA § 1798.140(ad)/(ah)) your personal data.
A full, up-to-date sub-processor register is available on request.
5A Clinical studies & third-party marketing projects
All clinical investigations are conducted under Ethics-Committee / IRB approval, EU Clinical Trials Regulation 536/2014 (where applicable), ICH-GCP E6(R3), MDR Art. 62 et seq., and 45 CFR 46 (Common Rule) / 21 CFR Part 11 in the U.S. When we run a clinical study, research project, or marketing campaign for a hospital, university, life-science company, or wellness brand (“Project Sponsor”), the following applies:
1. Explicit consent or contract. We collect or share personal and study data only after you have signed or accepted an informed-consent form (ICF) or equivalent agreement that clearly states what data is collected, why, who will see it, and how long it will be kept.
2. Controller / processor roles. The Project Sponsor is usually the data controller; Eforto acts as processor (GDPR) or business associate (HIPAA) under a Data-Processing Agreement (DPA) or Business-Associate Agreement (BAA).
3. Data ownership. You remain the owner of your identifiable data unless the ICF states otherwise. Eforto will never reuse your identifiable data outside the project scope without new consent.
4. Anonymised analytics. We may create de-identified, aggregated statistics (e.g., average grip-strength per cohort) for scientific publications or marketing materials; individuals are never identifiable. De-identification follows HIPAA Safe Harbor (§164.514(b)(2)) and ISO/IEC 20889 techniques.
5. Withdrawal. You can withdraw from the project at any time by contacting the Project Sponsor or Eforto. We will stop new data collection and, where legally allowed, delete or anonymise existing data.
6. Pseudonymisation by default. Subject identifiers are replaced with study codes prior to Eforto's systems receiving the data; the re-identification key is held by the Project Sponsor.
EU and UK user data is not transferred outside the EEA / UK by default and is hosted on servers located in Belgium and other EU jurisdictions.
Where transfers are necessary (for example, use of the M1 ecosystem by U.S. healthcare partners, or intra-group support between Eforto BV and Eforto Health Inc.), we rely on one or more of the following lawful transfer mechanisms, supported by a documented Transfer Impact Assessment (TIA):
1. EU–U.S. Data Privacy Framework (Eforto Health Inc. will rely on the DPF only after its certification is published on dataprivacyframework.gov; until then, DPF is not a relied-upon transfer mechanism)
2. Standard Contractual Clauses (2021/914/EU) with additional technical measures (encryption-at-rest, key management in EU); the UK Addendum to the EU SCCs (or the UK IDTA) applies for UK transfers; Swiss amendments apply for Switzerland.
3. Intra-group transfers between Eforto BV and Eforto Health Inc. are governed by an intra-group Data-Transfer Agreement incorporating the EU SCCs (Controller-to-Controller / Controller-to-Processor modules as appropriate). Binding Corporate Rules may be pursued in future subject to approval by the lead supervisory authority.
and other U.S. state privacy laws including Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA
| Right | EU/UK | California | Virginia / other U.S. | How to exercise |
|---|---|---|---|---|
| Access & copy | ✓ | ✓ | ✓ | compliance@eforto.com / in-app “Privacy Dashboard” |
| Rectification | ✓ | ✓ (CPRA) | ✓ | In-app profile or email |
| Erasure | ✓ | Delete | ✓ | “Delete account” in app or email |
| Restriction of processing (Art. 18 GDPR) | ✓ | — | — | Email DPO |
| Withdraw consent (Art. 7(3) GDPR) | ✓ | — | — | In-app toggle / email |
| Data portability | ✓ | ✓ (CPRA) | ✓ (VCDPA / CPA) | Export CSV in dashboard |
| Opt out of sale/sharing | — | ✓ | ✓ | Do Not Sell/Share link; we also honour Global Privacy Control (GPC) signals |
| Limit use of sensitive PI (CPRA § 1798.121) | N/A | ✓ | — | Limit Use link in cookie banner |
| Non-discrimination (CCPA § 1798.125) | N/A | ✓ | ✓ | Automatic |
| Appeal a denied request (VCDPA / CPA) | N/A | — | ✓ | appeals@eforto.com |
| Automated decision-making (Art. 22 GDPR) | ✓ | ✓ (profiling opt-out, CPRA 2024 regs) | ✓ (VCDPA profiling opt-out) | Email DPO |
We respond within 30 days (45 days in California). We verify requester identity proportionately to the sensitivity of the data. Authorised agents may submit requests with a written authorisation. If you are unhappy with our response, you may lodge a complaint with your local supervisory authority (for example, the Belgian Data Protection Authority, Rue de la Presse 35, 1000 Brussels, https://www.dataprotectionauthority.be).
We use only:
• Essential cookies – session management, security.
• Analytics cookies – Matomo (self-hosted); prior, granular, opt-in consent is required in the EU/UK under the ePrivacy Directive and the Belgian Law of 13 June 2005. Rejecting non-essential cookies is as easy as accepting them; no pre-ticked boxes; consent is refreshed at least annually.
• Marketing pixels – Meta, Google Ads – loaded only if you opt in.
• Global Privacy Control (GPC) and Do Not Track (DNT) signals are honoured for EU/UK and California users as an opt-out of non-essential tracking.
The full cookie list and cookie lifetimes are published at https://www.eforto.com/cookies.
• ISO 27001-aligned controls (ISO/IEC 27001 certification planned for Q[X] 2026; ISO/IEC 27701 privacy extension under evaluation); audited annually.
• Data centres located in Belgium (primary EU servers) and United States (secondary); EU user data remains in EU servers by default.
• TLS 1.3 encryption in transit; AES-256 encryption at rest.
• Role-based access control & mandatory multi-factor authentication for staff.
• Independent penetration testing at least annually; internal vulnerability scanning on a continuous basis; formal incident-response plan rehearsed twice a year.
• Public summary of our latest Data-Protection Impact Assessment (DPIA) available on request.
• In the event of a personal-data breach we notify the competent EU/UK supervisory authority within 72 hours (Art. 33 GDPR / DPA 2018), and where the breach is likely to result in a high risk to your rights and freedoms, we notify you without undue delay (Art. 34 GDPR). U.S. notifications follow the HIPAA Breach Notification Rule (45 CFR § 164.400-414) and applicable state breach-notification statutes.
Our Services are intended for adults aged 18 years and over. We do not knowingly allow persons under 18 to create accounts.
Because the Services are 18+ only, no parental-consent flow is operated for minors. Should our age gate be bypassed, we will delete any personal data of persons under 18 promptly upon notification to compliance@eforto.com. For Belgian users, we follow the digital-consent age of 13 under Art. 7 of the Belgian Data Protection Act of 30 July 2018, and COPPA (15 U.S.C. § 6501 et seq.) for U.S. users.
We will post any changes on this page and, for material changes, notify you by email or in-app alert at least 14 days before they take effect. Non-material changes (typographical corrections, contact updates) take effect on posting. The “Last updated” date at the top lets you know when this Policy was last revised. Previous versions are available on request at compliance@eforto.com.
Eforto BV (EU)
’s Herenweg 16, 1860 Meise, Vlaams Brabant, Belgium
Email: compliance@eforto.com Tel: +32 (0)2 306 00 00
Eforto Health Inc. (USA)
530, 7th Ave, Suite 902, New York NY 10018, USA
Email: compliance@eforto.com
Belgian supervisory authority: Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD), Rue de la Presse 35, 1000 Brussels — https://www.dataprotectionauthority.be