Privacy Policy

Biostar CMA — biostarcma.com
Effective Date: 1 February 2026
Last Updated: 14 February 2026

1. Introduction

This Privacy Policy explains how Biostar Technology International ("Biostar," "we," "us," or "our"), operated by Ulysses Angulo, collects, uses, stores, and protects personal data through the Biostar CMA platform ("Platform") available at biostarcma.com.

Biostar CMA is an AI-assisted health technology platform that enables health practitioners to conduct structured patient interviews and generate analysis reports. Given the nature of our services, we process special categories of personal data, including health data, and we take our obligations under applicable data protection law extremely seriously.

This Policy applies to all users of the Platform, including health practitioners ("Practitioners"), patients and clients ("Patients"), and guest users ("Guests").

Data Controller:
Biostar Technology International
Owner: Ulysses Angulo
Email: privacy@biostartechnology.com

2. Legal Framework

We process personal data in compliance with:

Regulation (EU) 2016/679 — General Data Protection Regulation ("GDPR")
Directive 2002/58/EC — ePrivacy Directive
Applicable national implementing legislation of EU Member States
Other applicable data protection laws in jurisdictions where we operate

3. Data We Collect

3.1 Account and Identity Data

Data Category	Examples	Applies To
Registration data	Name, email address, professional credentials, licence number	Practitioners
Authentication data	Hashed passwords, session tokens, multi-factor authentication data	Practitioners, Patients
Profile data	Professional specialty, practice information, profile preferences	Practitioners
Patient account data	Name, email address, date of birth	Patients
Guest session data	Temporary session identifiers	Guests

3.2 Health Data (Special Category — GDPR Article 9)

When Practitioners use the Platform to conduct structured interviews, the following health-related data may be processed:

Patient-reported symptoms, medical history, and health concerns
Structured interview responses
AI-generated analysis reports and summaries
Practitioner notes and annotations
Any other health information voluntarily provided during a session

This data constitutes special category data under Article 9 GDPR and is subject to enhanced protections as described in this Policy.

3.3 Technical and Usage Data

IP addresses — logged at each login and associated with your account for quality assurance, security monitoring, data integrity verification, and data recovery purposes. IP addresses are stored alongside your account identifier to enable technical support and access issue resolution.
Browser type, device information, operating system
Pages visited, features used, session duration
Error logs and performance data
Referring URLs

3.4 Communication Data

Support requests and correspondence
Feedback and survey responses

4. Legal Bases for Processing

4.1 Standard Personal Data

Purpose	Legal Basis (GDPR)
Account creation and management	Article 6(1)(b) — Performance of contract
Platform operation and service delivery	Article 6(1)(b) — Performance of contract
Security and fraud prevention	Article 6(1)(f) — Legitimate interest
Legal compliance	Article 6(1)(c) — Legal obligation
Analytics and service improvement	Article 6(1)(f) — Legitimate interest
Marketing communications (where applicable)	Article 6(1)(a) — Consent

4.2 Health Data (Special Category)

Processing of health data requires an additional legal basis under Article 9(2) GDPR. We rely on:

Article 9(2)(a) — Explicit consent: Patients provide explicit, informed consent before any health data is processed through the Platform. This consent is collected separately from general terms acceptance and may be withdrawn at any time.
Article 9(2)(h) — Health care purposes: Where processing is necessary for the provision of health care under the responsibility of a licensed health professional bound by professional secrecy obligations.

4.3 Practitioner as Joint or Independent Controller

In many cases, the Practitioner who uses Biostar CMA to conduct patient interviews acts as an independent data controller or joint controller with respect to their patients' health data. Practitioners are responsible for:

Obtaining appropriate patient consent before initiating sessions
Ensuring they have a lawful basis to process patient health data
Complying with their own professional and regulatory obligations
Informing patients about data processing via Biostar CMA

A Data Processing Agreement ("DPA") is available to Practitioners upon request at privacy@biostartechnology.com.

5. AI Processing and Sub-Processors

5.1 AI-Assisted Analysis

Biostar CMA uses artificial intelligence to assist Practitioners in analysing structured interview data and generating reports. Specifically, we use the Anthropic Claude API as our AI processing engine.

Important: AI-generated outputs are assistive tools only and do not constitute medical diagnoses, medical advice, or clinical decisions. All outputs are subject to Practitioner review and professional judgment.

5.2 Sub-Processor: Anthropic

Detail	Information
Sub-processor	Anthropic, PBC
Location	United States
Purpose	AI language model processing for interview analysis and report generation
Data processed	De-identified or pseudonymised interview content as submitted by the Practitioner
Safeguards	Standard Contractual Clauses (SCCs); Anthropic's data processing terms; data is not used to train Anthropic's models under our commercial API agreement

5.3 Additional Sub-Processors

We may engage additional sub-processors for hosting, payment processing, email delivery, and analytics. A current list of sub-processors is available upon request at privacy@biostartechnology.com. We will notify Practitioners of any material changes to our sub-processor list with at least 30 days' advance notice.

5.4 Data Minimisation in AI Processing

We apply the principle of data minimisation to AI processing:

Only data necessary for the specific analysis is transmitted to the AI sub-processor
We use pseudonymisation where technically feasible
We do not transmit patient identity data (name, date of birth, contact details) to the AI sub-processor unless strictly necessary for the analysis context
AI processing outputs are stored on our infrastructure, not retained by the sub-processor beyond the API request lifecycle

6. International Data Transfers

6.1 Transfers Outside the EEA

Certain sub-processors, including Anthropic, are located outside the European Economic Area ("EEA"). When personal data is transferred outside the EEA, we ensure adequate protection through one or more of the following mechanisms:

EU-U.S. Data Privacy Framework (where the recipient is certified)
Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914)
Adequacy decisions issued by the European Commission under Article 45 GDPR
Supplementary measures as recommended by the EDPB, including encryption in transit and at rest, access controls, and contractual restrictions

6.2 Transfer Impact Assessments

We conduct Transfer Impact Assessments for transfers to jurisdictions without an adequacy decision, evaluating the legal framework of the recipient country and implementing supplementary measures where necessary.

Copies of the relevant transfer safeguards are available upon request at privacy@biostartechnology.com.

7. Data Retention

7.1 Retention Periods

Data Category	Retention Period	Rationale
Practitioner account data	Duration of account + 2 years after deletion	Contract performance; legal obligations
Patient account data	Duration of account + 1 year after deletion	Contract performance
Health data (sessions & reports)	As configured by the Practitioner (default: 12 months), or until deletion is requested	Practitioner's clinical and legal requirements
Guest session data	30 days	Temporary access; no ongoing relationship
Technical/usage logs	12 months (anonymised thereafter)	Security and service improvement
Payment records	7 years	Tax and legal compliance
Support correspondence	3 years after resolution	Service quality and legal defence

7.2 Practitioner-Controlled Retention

Practitioners may configure retention periods for patient session data within the Platform, subject to minimum periods required by applicable healthcare regulations. Practitioners are responsible for ensuring their configured retention periods comply with their own regulatory obligations.

7.3 Deletion

Upon expiry of the applicable retention period, or upon valid deletion request, personal data is:

Removed from active systems within 30 days
Purged from backups within 90 days
Anonymised data derived for statistical purposes may be retained indefinitely

8. Data Subject Rights

8.1 Rights Overview

Right	Description
Access (Art. 15)	Obtain confirmation of processing and a copy of your personal data
Rectification (Art. 16)	Correct inaccurate or incomplete personal data
Erasure (Art. 17)	Request deletion of your personal data ("right to be forgotten")
Restriction (Art. 18)	Restrict processing in certain circumstances
Portability (Art. 20)	Receive your data in a structured, commonly used, machine-readable format
Objection (Art. 21)	Object to processing based on legitimate interests or direct marketing
Withdraw consent (Art. 7)	Withdraw previously given consent at any time
Automated decisions (Art. 22)	Not be subject to solely automated decisions with legal or significant effects

8.2 How to Exercise Your Rights

Submit requests to: privacy@biostartechnology.com

We will:

Acknowledge your request within 72 hours
Respond substantively within one calendar month (extendable by two months for complex requests, with notification)
Verify your identity before processing the request
Provide responses free of charge (except for manifestly unfounded or excessive requests)

8.3 Data Portability

You may export your data in the following formats:

JSON — structured session and report data
PDF — formatted analysis reports
CSV — tabular data exports

Export functionality is available within your account settings or by contacting privacy@biostartechnology.com.

8.4 Patients of Practitioners

If you are a Patient whose data was processed via a Practitioner's use of Biostar CMA, you may exercise your rights by contacting either:

Your Practitioner directly (as they may be an independent controller), or
Biostar at privacy@biostartechnology.com

We will coordinate with the relevant Practitioner to fulfil your request.

9. Cookies and Tracking Technologies

9.1 Categories of Cookies

Category	Purpose	Consent Required
Strictly necessary	Authentication, security, load balancing	No (legitimate operation)
Functional	Language preferences, saved settings	No (legitimate interest)
Analytics	Anonymised usage statistics, performance monitoring	Yes
Marketing	Third-party advertising (if applicable)	Yes

9.2 Cookie Management

Upon your first visit, we present a cookie consent banner allowing you to accept or reject non-essential cookies. You may update your preferences at any time via the cookie settings link in the Platform footer.

9.3 Analytics

We may use privacy-focused analytics tools to understand Platform usage. Where analytics tools are used:

Data is anonymised or aggregated where possible
No personal data is shared with third-party advertisers
You may opt out at any time via cookie settings

10. Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
Access controls: Role-based access, multi-factor authentication for Practitioners
Pseudonymisation: Applied to health data before AI processing where feasible
Monitoring: Automated intrusion detection, access logging, and anomaly detection
Incident response: Documented breach response procedures with notification to supervisory authorities within 72 hours and to affected data subjects without undue delay where required
Staff: Access to personal data is limited to authorised personnel under contractual confidentiality obligations
Testing: Regular security assessments and vulnerability testing

11. Data Protection Impact Assessment

Given that Biostar CMA processes health data at scale using AI technologies, we have conducted a Data Protection Impact Assessment (DPIA) in accordance with Article 35 GDPR. This assessment is reviewed annually or when significant changes to processing activities occur. A summary is available upon request to supervisory authorities.

12. Children's Data

Biostar CMA is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. Where a Practitioner treats minor patients, the Practitioner is responsible for obtaining appropriate parental or guardian consent and ensuring compliance with applicable laws regarding minors' data.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

Email notification to registered users
Prominent notice on the Platform
Updated "Last Updated" date at the top of this document

Continued use of the Platform after notification constitutes acceptance of the updated Policy. If you do not agree with any changes, you may close your account and request deletion of your data.

14. Data Protection Officer

For questions, concerns, or requests regarding this Privacy Policy or our data protection practices:

Data Protection Contact
Biostar Technology International
Email: privacy@biostartechnology.com

15. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

16. Contact

Biostar Technology International
Email: privacy@biostartechnology.com
Website: biostarcma.com

This Privacy Policy is provided for informational purposes and should be reviewed by qualified legal counsel to ensure compliance with all applicable laws in your jurisdiction.

← Back to Biostar CMA