Last updated: May 9, 2026
This Privacy Policy applies to the FixMyAge website (fixmyage.com), the public provider directory at fixmyage.com/providers, the FixMyAge web application, and the FixMyAge iOS application (together, the “Service”). The data controller for personal data processed in connection with the Service is FixMyAge Ltd., established in Sofia, Bulgaria. This policy describes what we collect, how and why we use it, the lawful bases on which we rely under the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), and your rights. It is designed to align with the data declarations we publish in the App Store and in the iOS app’s privacy manifest.
Information you provide:
Information collected automatically:
We do not use third-party tracking SDKs, advertising identifiers, or cross-app/cross-site tracking. The iOS app’s privacy manifest declares no tracking and an empty list of tracking domains. We do not sell your personal data, and we do not share it for behavioural advertising.
For users in the EU, the UK, and other jurisdictions with comparable laws, we rely on the following lawful bases under Articles 6 and 9 GDPR:
| Processing | Article 6 | Article 9 (where health data) |
|---|---|---|
| Account, billing, and customer support | Contract (Art. 6(1)(b)) | — |
| AI-assisted protocol generation on uploaded biomarkers | Contract + explicit consent | Explicit consent (Art. 9(2)(a)) |
| Storing the textual review you write | Contract (Art. 6(1)(b)) | — |
| Publishing the textual review on the public web | Consent (Art. 6(1)(a)) given on submission | Not applicable unless you choose to disclose health information in the body of the review, which we discourage |
| Publishing a data-backed badge and before/after marker delta | Explicit, separable consent (Art. 6(1)(a)) | Explicit, separable consent (Art. 9(2)(a)) |
| Aggregate research and “State of Longevity Providers” reports | Legitimate interests (Art. 6(1)(f)), balancing test on file | Scientific or statistical purposes on irreversibly pseudonymised data (Art. 9(2)(j) and Art. 89) |
| Anti-fraud, anti-spam, astroturfing detection, security logging | Legitimate interests (Art. 6(1)(f)) | — |
| Provider claim verification and response feature | Contract / legitimate interests in operating the directory | — |
| Marketing and product emails (where applicable) | Consent (Art. 6(1)(a)) | — |
Where we rely on legitimate interests, we have carried out a balancing test, which is available on request from support@fixmyage.com. Where we rely on consent, you may withdraw it at any time; withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Your health data is treated with the highest level of care. All biomarker results, epigenetic data, and physical-assessment records are encrypted at rest and in transit. We never sell your health data to third parties. Access is restricted to authorized personnel necessary for providing our services. Health-related information you enter is treated as a special category of personal data under Article 9 GDPR and is processed only on the lawful bases set out in Section 5.
If you choose to link a bloodwork panel to a review, the marker-level before/after delta and the name(s) of the marker(s) become publicly visible alongside your display-name and hash suffix. We surface this on the linking screen and obtain your explicit, separable opt-in consent before publication. Anonymisation in this context is partial: where a provider has few reviewers, where the published delta is unusual, or where you publicly disclose elsewhere that you reviewed that provider, identification may be possible. You may withdraw your data-backed consent at any time, and we will remove the badge and the published delta within 7 days; the underlying textual review remains unless you also delete it.
We share personal data only with vendors who help us operate the Service, under contracts that restrict their use of your data:
Public disclosure through the directory. Reviews, ratings, structured fields, helpful/unhelpful counts, provider responses, and (if consented) data-backed deltas are published on the public web at fixmyage.com/providers and are indexed by search engines. Once published, content is likely to be cached by third parties (including search-engine snippets and the Internet Archive), which we cannot comprehensively purge. Public attribution uses your display-name plus a stable hash suffix; we do not publish your real name unless you choose to include it in the body of a review.
We do not sell personal information to third parties.
Your data may be processed in countries other than your own. Where required, we use appropriate safeguards (such as the European Commission’s Standard Contractual Clauses, and the UK International Data Transfer Addendum where relevant) for transfers out of the EEA and the UK. A copy of the relevant transfer mechanism is available on request.
We retain your personal and health data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, except where we are legally required to keep it longer (for example, financial records).
Reviews you publish remain visible on the public web for as long as your account is active. You may delete an individual review at any time without deleting your account; we will remove it from active services within 7 days. Deletion of a review or of your account does not retroactively remove that review’s contribution to aggregated, irreversibly anonymised statistics computed before deletion (such as provider averages or research-report figures), which may continue to be used and published. Moderation logs and audit logs may be retained for up to 12 months for the purpose of safety, abuse-prevention, and compliance with the DSA.
Depending on your jurisdiction, you have the right to:
To exercise these rights, email support@fixmyage.com from the address associated with your account.
You can delete your account at any time from the in-app Profile screen, or by emailing support@fixmyage.com. Deletion removes your profile, authentication identifiers, uploaded files, the health data associated with your account, and the reviews you have published, subject to the retention rules in Section 9.
The Service is intended for individuals aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has provided us with personal data, please contact us and we will delete it.
We use industry-standard measures including TLS encryption, bcrypt password hashing, HTTP-only refresh-token cookies, optional two-factor authentication, regular security audits, and access controls. While no system is 100% secure, we take every reasonable step to protect your information.
When we remove, demote, or restrict a review or other Submitted Content you have published, we will provide you with a Statement of Reasons identifying the action, the legal or contractual ground, the facts relied upon, and any automated means used. You may appeal as described in Section 10. We publish at least an annual transparency report on moderation activity in line with Article 15 DSA.
Our single point of contact for users and authorities under Articles 11 and 12 of the Digital Services Act is support@fixmyage.com. The Member State of establishment of FixMyAge Ltd. is Bulgaria. Communications may be addressed in English or Bulgarian.
For California residents, the categories of personal information described in Section 2 include “sensitive personal information” under the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA/CPRA”), specifically health information. We do not “sell” or “share for cross-context behavioural advertising” this information. We use sensitive personal information solely to provide the Service and for the purposes set out in this policy. You have the right to limit our use of your sensitive personal information to those purposes; to know, access, correct, and delete your personal information; to opt out of any sale or sharing (none currently occurs); and to non-discrimination for exercising these rights. To exercise any of these rights, contact support@fixmyage.com.
For Washington State residents, this section serves as the consumer health data privacy notice required by the Washington My Health My Data Act (RCW 19.373). The categories of consumer health data we collect, the purposes for which we collect them, the categories of sources, the categories of third parties with whom we share them, and our retention practices are set out in Sections 2, 4, 5, 6, 7, and 9 of this policy. We do not sell consumer health data. We do not share consumer health data for advertising. You have the right to confirm whether we are collecting, sharing, or selling your consumer health data; to access it; to withdraw consent; to delete it; and to appeal a denial of these rights. To exercise these rights, contact support@fixmyage.com.
We may update this policy from time to time. If the changes are material, we will notify you by email and/or via the Service. The “Last updated” date at the top of this page reflects the most recent revision.
For any privacy-related questions or requests, contact us at support@fixmyage.com.