Privacy Policy

1. Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data with which you can be personally identified. Detailed information on the subject of data protection can be found in our privacy policy listed below this text.

2. Hosting

We host the content of our website with the following provider:

3. General Information and Mandatory Information

Data Protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations and this privacy policy. When you use this website, various personal data is collected. Personal data is data with which you can be personally identified. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this happens.

We point out that data transmission on the Internet (e.g. when communicating by e-mail) can have security gaps. A complete protection of data against access by third parties is not possible.

Data Protection Officer

We have not formally appointed a Data Protection Officer; data-protection questions should be sent to privacy@valteris.com. Due to the size and nature of our business operations, we have not appointed a Data Protection Officer under Art. 37 GDPR. We continue to review the applicable statutory thresholds and will appoint a DPO promptly if we become legally required to do so.

For all questions regarding data protection, please contact:

Email: hello@valteris.com

We are committed to protecting your personal data and ensuring compliance with all applicable data protection regulations.

Given the processing of biometric and health data (Photo Age Test, rPPG heart-rate / HRV, in-person fitness tests, biomarker inputs), we maintain an internal Data Protection Impact Assessment (Art. 35 GDPR). A summary of the DPIA is available on request via hello@valteris.com.

Competent Supervisory Authority

The competent data protection supervisory authority for our company is:

You have the right to lodge a complaint with this supervisory authority if you believe that the processing of your personal data violates the GDPR.

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you without undue delay. We will inform you about:

• The nature of the personal data breach
• The likely consequences of the breach
• The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects
• Contact point for more information and support

We will notify the competent supervisory authority within 72 hours of becoming aware of a breach, as required by Article 33 GDPR. If the notification is not made within 72 hours, we will provide reasons for the delay.

We have implemented appropriate technical and organizational measures to prevent data breaches and to detect them promptly should they occur.

Children's Privacy

Records of Processing Activities (Article 30 GDPR)

We maintain detailed records of all processing activities under our control, as required by Article 30 GDPR. These records document:

• Name and contact details of the controller and, where applicable, the joint controller and data protection officer
• Purposes of the processing
• Categories of data subjects and categories of personal data
• Categories of recipients to whom personal data have been or will be disclosed
• Where applicable, transfers of personal data to third countries or international organizations
• Envisaged time limits for erasure of different categories of data
• General description of technical and organizational security measures

These records are available for review by the supervisory authority upon request.

We regularly review and update our processing records to ensure they accurately reflect our current data processing activities.

Data Minimization Principle

We adhere strictly to the principle of data minimization as required by Article 5(1)(c) GDPR. This means:

• We only collect personal data that is adequate, relevant, and limited to what is necessary for the specific purpose for which it is processed
• We do not collect excessive or irrelevant data
• We regularly review the data we hold to ensure it remains necessary for the intended purpose
• Once data is no longer needed for its original purpose, it is either deleted or anonymized

Our commitment to data minimization helps protect your privacy and reduces the risk of data breaches.

Automated Decision-Making and Profiling

We do not engage in automated decision-making that produces legal or similarly significant effects within the meaning of Art. 22 GDPR.

Current uses of the Photo Age Test and the rPPG heart-rate scanner produce automated estimates for informational and entertainment purposes only. These uses do not produce legal or similarly significant effects within the meaning of Art. 22 GDPR. Where we introduce features that could trigger Art. 22 GDPR (for example, gating a premium tier or a membership benefit by biometric outcomes), we will disclose them separately, provide human review, and obtain the basis required by Art. 22(2).

While we use analytics tools (such as Google Analytics and our first-party analytics) to understand website usage patterns, these are used for aggregate statistical analysis, service improvement, product development, feature-usage analytics, and the purposes described in the Service Improvement and Product Experiments sections of this Policy. They do not result in automated decisions that significantly affect individual users.

Any decisions that may affect you (such as responding to contact form inquiries, moderation actions, or certification decisions) involve human review and are not made automatically by algorithms.

4. Data Collection on this Website

International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place for all international transfers:

For transfers to countries that have been granted an adequacy decision by the European Commission, no additional safeguards are required.

You have the right to obtain information about the safeguards we have implemented for international transfers and to receive a copy of the Standard Contractual Clauses where applicable. Please contact us if you would like to exercise this right.

Affiliate Programs

We participate in affiliate partner programs. If you click on an affiliate link on our website and make a purchase, we receive a commission from the respective merchant. This does not change the price for you.

The storage of "affiliate cookies" or tracking measures is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in optimizing our affiliate revenues.

5. Social Media Profiles

6. Plugins and Tools

Detailed Cookie Information

Below is specific information about the cookies used on our website, including their purpose, type, and lifespan:

localStorage: In addition to cookies, we use browser localStorage to store location preferences locally on your device. This data includes IP-detected location, manually selected city, precise GPS coordinates (if granted), notification dismissal status, and voting status for community spots (voted_{spotId}). This data is never transmitted to our servers and can be cleared through your browser settings.

You can manage cookie preferences through our cookie consent banner or through your browser settings. Note that disabling necessary cookies may affect website functionality.

Data Processors (Article 28 GDPR)

We engage the following data processors who process personal data on our behalf. All processors are bound by written data processing agreements compliant with Article 28 GDPR:

You have the right to request information about our data processing agreements and the safeguards we have implemented. Contact us at hello@valteris.com.

Our processors may engage sub-processors. We ensure that all sub-processors are bound by equivalent data protection obligations.

Data Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Specific retention periods are:

After expiry of the applicable retention period, personal data will be deleted automatically unless deletion is prevented by mandatory legal retention obligations. You can request earlier deletion where permissible by law.

How to Exercise Your Data Protection Rights

To exercise any of your rights under the GDPR (access, rectification, deletion, restriction, portability, objection), please follow this procedure:

Exercising your rights is free of charge. Under Art. 12(5) GDPR we reserve the right, in cases of manifestly unfounded or excessive requests (in particular repeated bulk-export requests within short intervals), to charge a reasonable fee or refuse to act; we will explain our reasoning when invoking this provision.

For complex requests, particularly data portability requests or requests involving large volumes of data, we may contact you to clarify the exact scope of information you require and the preferred format for delivery.

7. Analysis Tools

First-Party Analytics

In addition to (or instead of) Google Analytics, we operate a lightweight first-party analytics pipeline backed by our own MongoDB instance. No third party receives this data.

Legal Basis: Processing is based on your consent (Art. 6(1)(a) GDPR), captured through our cookie/consent banner. You can withdraw this consent at any time via the consent settings.

Retention: Events are stored in an AnalyticsEvent collection with a 90-day TTL index — individual event documents are automatically deleted after 90 days.

Processing Location: Processing takes place on EU-based infrastructure (Namecheap Amsterdam) and our MongoDB cluster in Frankfurt (eu-central-1).

Transactional & Notification Emails

We send a small number of operational emails to support the community features of the platform. You can granularly opt out of non-essential notifications in your account settings (emailPreferences).

Legal Basis: Transactional emails directly tied to a feature you actively use (partner requests, challenge lifecycle) are processed on the basis of Art. 6(1)(b) GDPR (contract). Notifications and reminders are processed on the basis of Art. 6(1)(f) GDPR (legitimate interest) and can be opted out of at any time via the 'Email preferences' card in Settings.

Processor: Emails are delivered by Brevo (Sendinblue SAS, Paris, France) under a DPA — see Data Processors section above.

You can manage these preferences at any time at /settings under 'Email preferences'.

Full List of Biometric & Health Data Categories (bioMetrics)

Where you explicitly choose to save a test or measurement to your profile, it is stored as a typed entry in the bioMetrics collection. These are special-category data under Art. 9 GDPR and are processed only on the basis of your explicit consent (Art. 9(2)(a) GDPR), given by actively taking the test and saving the result.

Legal Basis: Explicit consent (Art. 9(2)(a) GDPR). You can delete any individual biomarker entry, or all of them at once, from your profile at any time.

Retention: Stored for the lifetime of your account, plus 30 days after account deletion, unless you delete entries earlier.

In-Person Longevity Checks (LongevityCheckResult)

At physical events (e.g. chapter meetups, fairs), participants can complete a short battery of fitness and biomarker tests administered by a chapter lead.

Legal Basis: Processing is based on your explicit consent (Art. 9(2)(a) GDPR), given at the event before the test begins.

Retention: For anonymous event participants (no linked account), raw identifiable results are retained for 12 months after the event date and then deleted. Anonymised derivatives (pseudonymised, non-re-identifiable) may be retained indefinitely for statistical and research purposes under Art. 89 GDPR. For participants linked to an account, results become part of their bioMetrics and follow the account-lifetime retention rule.

Matching & 'Heart' Affinity

The platform offers a mutual-match feature ('Hearts') that lets members express interest in another member. A match is only revealed when both sides have expressed interest.

Legal Basis: Contract (Art. 6(1)(b) GDPR) — providing the social feature you opted into.

Retention: Hearts persist until you remove them or delete your account.

Activity Lobbies (ActivityRequest)

You can post short-lived activity lobbies (e.g. morning run, yoga session, sauna, cold-plunge) that other members can join.

Legal Basis: Contract (Art. 6(1)(b) GDPR).

Retention: Lobbies are automatically deleted 7 days after their expiresAt timestamp via a MongoDB TTL index.

Moderation State (isGhosted / isBanned)

To keep the community safe and welcoming, moderators may mark an account as 'ghosted' (reduced visibility in feeds) or 'banned' (access revoked). We are transparent that these flags exist.

You have a right under Art. 15 GDPR to know whether any moderation flag has been applied to your account and on what basis. To exercise this right, contact hello@valteris.com and reference 'Moderation state request'.

Legal Basis: Legitimate interest in community safety and Terms-of-Service enforcement (Art. 6(1)(f) GDPR).

Retention: Moderation flags persist for the lifetime of the account and are removed when the account is deleted.

Onboarding & Engagement Telemetry

We record a small amount of onboarding state so the product does not repeat tutorials or show dismissed introduction cards again.

Legal Basis: Legitimate interest in improving onboarding and not repeatedly showing dismissed content (Art. 6(1)(f) GDPR).

Opt-out: You can reset all of these values, or opt out of onboarding telemetry entirely, from your account settings.

Anonymous Likes & Flags (IP handling)

Some interactions are available without an account: liking an article (ArticleLike) and flagging a map spot for moderation (SpotFlag).

To prevent abuse (ballot-stuffing, vandalism) while still protecting you, we only store a truncated form of the IP address — the last octet is discarded (/24 truncation) at the moment of writing. We do not log the full IP for these actions.

• ArticleLike: truncated IP retained for 12 months, then the full record is deleted.
• SpotFlag reporter IP: truncated IP retained for 24 months, then the full record is deleted.

Legal Basis: Legitimate interest in moderation and abuse prevention (Art. 6(1)(f) GDPR).

Certification Program

If you apply for certification as a longevity provider, speaker, or partner, we collect and process company information, application answers, and qualification data.

Legal Basis: Processing is based on Art. 6(1)(b) GDPR (pre-contractual measures for application processing) and Art. 6(1)(f) GDPR (legitimate interest in community-driven quality assurance for voting).

Retention: Application data is retained for audit purposes. You may request deletion after your application has been processed.

Gamification & Social Features

To enhance community engagement, we track activity points (XP), achievement badges, login streaks, and levels.

Legal Basis: Art. 6(1)(b) GDPR (service provision) and Art. 6(1)(f) GDPR (legitimate interest in community engagement)

Visibility: Your XP, level, and activity can be hidden via privacy settings in your profile.

Referral Program

If you participate in our referral program, we track your referral code, who referred you, and your registration type (open, referral, or beta).

Legal Basis: Processing is based on Art. 6(1)(b) GDPR (service provision) and Art. 6(1)(f) GDPR (legitimate interest in community growth).

Data Export (Right to Data Portability)

You can export all your personal data at any time through your account settings. The export includes your profile information, health stack data, activity history, achievements, and all other personal data we store about you.

Data is provided in JSON format, which is machine-readable and can be imported into other services.

This feature implements your right to data portability under Article 20 GDPR.

Health Information Disclaimer

The information provided on this website, including but not limited to health stack tracking, lifestyle age tests, photo age tests, and longevity-related content, is for general informational and educational purposes only.

In case of a medical emergency, contact your local emergency services immediately.

Limitation of Liability

To the fullest extent permitted by applicable law, Valteris GmbH and its officers, directors, employees, and agents shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, use, goodwill, or other intangible losses, resulting from:

• Your access to or use of (or inability to access or use) our services
• Any conduct or content of any third party on our services
• Any content obtained from our services
• Unauthorized access, use, or alteration of your transmissions or content
• Decisions made or actions taken based on information provided through our services

In no event shall our total liability to you for all claims exceed the amount you have paid us, if any, in the twelve (12) months preceding the claim.

These limitations do not affect your statutory rights under applicable consumer protection laws or mandatory provisions of the GDPR that cannot be limited by contract.

Warranty Disclaimer

Our services are provided on an 'as is' and 'as available' basis, without any warranties of any kind, either express or implied.

We do not warrant that:

• Our services will meet your specific requirements
• Our services will be uninterrupted, timely, secure, or error-free
• The results obtained from using our services will be accurate or reliable
• Any errors in our services will be corrected

We are not responsible for the accuracy, reliability, or completeness of any third-party content, including but not limited to user-generated content, external links, or information from third-party services integrated into our platform.

User Responsibilities

When using our services, you are responsible for:

• Providing accurate and truthful information when creating an account or using our features
• Maintaining the confidentiality of your account credentials
• Ensuring that your use of our services complies with applicable laws and regulations
• Not using our services for any unlawful or harmful purposes
• Promptly notifying us of any unauthorized access to your account

Data Accuracy

We rely on the accuracy of information you provide. You are responsible for ensuring that all personal data you submit is accurate, complete, and up-to-date. We cannot be held liable for consequences arising from inaccurate information you provide.

Changes to This Privacy Policy

We review and update this privacy policy as our services and legal obligations evolve. The current version always reflects our actual processing practices.

Material changes will be announced with at least 30 days' prior notice via email (if we have your address) or an in-product banner. If consent-based processing is affected, we will request fresh consent rather than relying on continued use. The 'Last updated' date at the top of this page indicates when the current version took effect.

Where new or expanded processing materially widens the scope of what you previously consented to under Art. 6(1)(a) or Art. 9(2)(a) GDPR, we will obtain fresh consent. For other changes (including additions of processors, minor feature adjustments, legal-basis clarifications, and editorial rewording), we will update this policy and, where required by law, notify you; your continued use of the Service after the effective date of the change constitutes acknowledgement of non-consent-based changes, without prejudice to your right to object under Art. 21 GDPR or to withdraw any existing consent.

Previous versions of this privacy policy are available on request via hello@valteris.com.

Regional Privacy Notes

We operate a multi-region platform (Germany, Austria, Switzerland, USA, China). The GDPR/BDSG framework above applies to all users because the controller is established in the EU. In addition, the following region-specific notes apply.

Public Profile as a Publication Act

By keeping your profile visibility set to 'public' (the default), you consent to the display of your profile data to any visitor of the Service. Public profile data includes: username, display name, avatar, banner, bio, location at city/country level, XP, level, login streak, interests, goals and routine (if your privacy settings allow), services you offer, badges, partnership history, community-challenge participation, authored articles, chapter-lead role (if any), and any biometric results you have marked as public. Public profile data may also appear on the community landing page, chapter pages, community directory, leaderboards, and in auto-generated social-media share preview images (Open Graph and Twitter Card tags). You can switch your profile to private at any time in Settings (profileVisibility = private). Legal basis: Art. 6(1)(a) GDPR (consent, given by choosing public visibility), with Art. 9(2)(a) GDPR for any biometric data you have marked as public. You may revoke consent at any time by switching to private or deleting specific items.

Marketing Use of Public Profile Content

We may use your public profile content (username, display name, avatar, bio excerpts, badges, public achievements, check-ins you have made public, and event photos where you have not exercised your opt-out right) in promotional materials of the Service, including landing pages, newsletters, social-media posts, Open-Graph and Twitter-card share previews, blog posts, and investor or partnership presentations, in each case in a factual and non-endorsing manner. For the quotation of specific health-related claims or biometric results (for example, before/after vascular age numbers), we will obtain a separate testimonial release under Art. 9(2)(a) GDPR before publication. You may object at any time by emailing privacy@valteris.com; upon receipt we will cease further use going forward and use reasonable efforts to remove material from current owned placements.

Aggregated and Anonymised Statistics

We may create, publish and use aggregated and fully anonymised statistics derived from Service data (for example: 'X% of Munich members reported a vascular age under 40', or 'average grip strength by chapter'). Such outputs do not permit re-identification of individual users and are not considered personal data within the meaning of the GDPR. Aggregated outputs may be used indefinitely for editorial, research, marketing, and partnership purposes. Legal basis for the production of such outputs: Art. 6(1)(f) GDPR (legitimate interest in statistical and editorial reporting) and Art. 89 GDPR.

Service Improvement and Future Model Training

We may analyse pseudonymised usage data and the outputs of our own tools (for example, HRV distributions produced by the rPPG scanner) to improve the quality, accuracy and performance of the Service. We reserve the right — not currently exercised — to use aggregated and pseudonymised Service data to train our own internal models (for example, the rPPG signal-processing pipeline and the Pace-of-Aging scoring heuristic). If and when we begin to exercise this right, we will update this Policy and, where a change in legal basis is required, obtain fresh consent. We do not share User Content with third-party generative-AI providers for their own model training; any such future sharing would require your separate opt-in consent. Legal basis for currently-exercised analysis: Art. 6(1)(f) GDPR (legitimate interest in service improvement and product development) combined with Art. 5(1)(b) GDPR (compatibility of secondary purposes); you may object under Art. 21 GDPR.

A/B Testing and Product Experiments

We may assign you to product experiments (A/B tests) to evaluate changes to the user interface, onboarding flows, copy variants, and recommendation heuristics. The assignment uses pseudonymous identifiers and is logged through our first-party analytics pipeline. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in service improvement). You may object by disabling analytics consent in our cookie banner or by emailing privacy@valteris.com.

Changes to Our Processors

We may engage, change, or remove processors and sub-processors at any time to operate, improve, secure, or scale the Service. Changes to our processor list will be reflected in this Privacy Policy. Where a change does not alter the category of processing or the legal basis, no fresh consent is required; your right to object under Art. 21 GDPR is unaffected. An up-to-date list of processors is always available in this Policy, and specific details of any individual processor can be requested at privacy@valteris.com.

Anonymisation as an Alternative to Deletion

When you request deletion of your account (Art. 17 GDPR), you may choose between: (a) complete deletion of your personal data (subject to mandatory retention for legal and tax purposes), or (b) anonymisation, in which we replace your username and identifiers in our database with a non-identifying marker while preserving the pseudonymised record of your contributions to community outputs (for example: authored articles, chapter-lead role history, community voting records, leaderboard entries, and historical challenge participation). Anonymised records are retained indefinitely for community integrity, scientific research and statistical purposes under Art. 17(3)(d) and Art. 89 GDPR. The default in our deletion UI is complete deletion; anonymisation must be expressly chosen.

Transfer of Personal Data in Merger, Acquisition or Restructuring

In the event of a merger, acquisition, asset transfer, reorganisation, bankruptcy or similar transaction involving Valteris GmbH or the Service, personal data may be transferred to the successor entity as a business asset, provided that the successor accepts obligations no less protective of your rights than those set out in this Privacy Policy. We will notify you in advance via email or in-product banner where feasible. You will retain your Art. 17 erasure and Art. 20 portability rights against the successor.

Encrypted Backups and Deletion Latency

Personal data may persist in encrypted backup snapshots for up to ninety (90) days after an active deletion in the live system. During that window, backups are logically inaccessible and would only be restored in disaster-recovery scenarios. Once the relevant snapshot expires, the data is irreversibly erased. Backup media is rotated continuously.

Retention of Consent Records

We retain consent records — including cookie consent receipts (ConsentLog), newsletter double-opt-in records, biometric and health-data consent timestamps, and account-creation consent — indefinitely, for the purpose of demonstrating compliance under Art. 5(2), Art. 7(1), and Art. 24 GDPR. Consent records are stored in a segregated table and are not used for any other purpose. A consent record is your proof that your rights were respected; keeping it benefits you.

Third-Party Personal Data in Your Submissions

You warrant that any content you submit to the Service — including bio text, goals, routines, activity descriptions, event photos, spot submissions — does not contain the personal data of identifiable individuals other than yourself unless you have their permission to publish. You act as an independent controller for any such third-party data under the GDPR. Our Terms of Service contain a corresponding indemnity provision.

Severability

If any provision of this privacy policy is found to be unenforceable or invalid under applicable law, such unenforceability or invalidity shall not render this privacy policy unenforceable or invalid as a whole. Such provisions shall be modified or deleted to the minimum extent necessary to make them enforceable, and the remaining provisions shall continue in full force and effect.

Governing Law and Jurisdiction

This privacy policy and any disputes arising from it shall be governed by the laws of the Federal Republic of Germany, without regard to its conflict of law provisions.

For all disputes arising from or in connection with this privacy policy, the courts of Hamburg, Germany shall have exclusive jurisdiction, unless mandatory statutory provisions require a different venue.

This choice of law and jurisdiction does not deprive you of the protection afforded by provisions that cannot be derogated from by agreement under the law of your country of habitual residence.

Contact

If you have questions about this privacy policy or the processing of your personal data, you can contact us at any time: