Biometric & Consumer Health Data Privacy Policy

This is a standalone privacy policy for the biometric and consumer health data Beneat processes through BioSync — our program that connects wearables such as WHOOP to the Beneat platform. It supplements, and where it conflicts controls over, our general Privacy Policy.

The data controller is Beneat Inc., a Delaware corporation. This policy exists separately so that health data is governed by its own clear, dedicated terms, consistent with laws such as Washington's My Health My Data Act.

When you connect WHOOP (or another supported wearable) through OAuth, we receive only the data covered by the scopes you authorize. This may include:

• Recovery — recovery score, heart-rate variability (HRV, RMSSD), resting heart rate, blood oxygen (SpO2), skin temperature
• Sleep — sleep stages, duration, performance, disturbances
• Cycles & workouts — strain score, average/max heart rate, energy expenditure
• Body measurements — height, weight, maximum heart rate
• Profile — name, email, and wearable user ID

You choose which scopes to grant, and you can revoke them at any time.

• Readiness signals — surfacing your recovery, HRV, and sleep alongside your trading in the BioSync interface
• Correlation analysis — studying whether your physiological state relates to your trading outcomes
• Research — aggregated and anonymized analysis of pilot participants as a group

These signals are informational. They do not make automated decisions that produce legal or similarly significant effects on you, and they are never used to take or custody your funds.

We collect biometric and health data only after you give clear, affirmative, opt-in consent. That consent is requested separately from our general terms, and we describe what we collect and why before you grant it.

You may withdraw consent at any time by disconnecting the wearable or emailing info@beneat.ai. Withdrawing consent stops further collection and triggers deletion as described below.

We do not sell your biometric or health data. We do not share it with advertisers. We share it only:

• Service providers — trusted processors under contract who help us operate the platform
• Aggregated research — anonymized, non-identifying statistics only
• Legal requirements — where required by law or valid legal process

WHOOP data is handled in accordance with the WHOOP API Terms of Use: we do not resell, sublicense, or build permanent databases of WHOOP data, and we cache it only as permitted.

• On disconnection — biometric and health data deleted within 30 days of disconnecting the wearable or the pilot ending
• Maximum retention — never retained beyond 3 years from your last interaction
• Aggregated data — anonymized, non-identifying research data may be retained indefinitely

We maintain a documented destruction schedule for biometric and health data.

• Encryption — TLS 1.3 in transit, AES-256 at rest
• Standard of care — protections at least as strict as those we apply to financial data
• Access controls — restricted, authenticated internal access

No method is 100% secure, but we treat health data with our highest level of care.

Regardless of where you live, you may:

• Access — request a copy of your biometric/health data
• Correct — fix inaccurate data
• Delete — request deletion
• Withdraw consent — at any time
• Portability — receive your data in a machine-readable format

Depending on your residence, you may have additional rights under laws such as the Illinois Biometric Information Privacy Act (BIPA), the Washington My Health My Data Act, and the California Consumer Privacy Act (CCPA/CPRA). We honor verified requests under these laws and respond within 30 days. Contact info@beneat.ai.

BioSync participants may be located anywhere in the world. Your data is processed and stored in the United States. Where required, we apply appropriate safeguards for international transfers. By connecting a wearable, you understand your data will be processed in the United States.

WHOOP is a trademark of WHOOP, Inc. Beneat is an independent developer and is not affiliated with, sponsored by, or endorsed by WHOOP. We access WHOOP data solely under the WHOOP API Terms of Use and only with your authorization.

BioSync is for individuals 18 and older. We do not knowingly collect biometric or health data from children. If discovered, we delete it promptly.

We may update this policy. Material changes will be posted here with a revised date.

Questions or requests about biometric and health data: info@beneat.ai