Privacy Policy

Last updated: December 16, 2025

1. Introduction

Optimal Range ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our health management platform.

We comply with applicable data protection and privacy laws in the jurisdictions where we operate. As a health service platform, we are committed to protecting your health information with the highest standards of security and confidentiality, regardless of your location.

If you are located in Australia: This Privacy Policy also complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If you are a practitioner in another jurisdiction, you are responsible for ensuring your use of the Platform complies with local healthcare and privacy regulations.

1.1 Privacy Management

We have implemented a privacy management framework that includes:

  • Regular privacy training for staff
  • Privacy impact assessments for new features
  • Annual privacy policy reviews
  • Documented data handling procedures

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, password, and professional credentials (for practitioners)
  • Profile Information: Business name, subdomain, branding preferences, contact details
  • Health Information: Blood work results, biomarker data, health goals, supplement protocols, nutrition plans, and lifestyle recommendations (entered by practitioners on behalf of clients)
  • Payment Information: Billing details processed through our secure payment provider

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent on the platform
  • Device Information: Browser type, operating system, IP address
  • Cookies: Session cookies for authentication and preferences

2.3 Consent for Health Information

We collect sensitive health information only with your explicit consent. We obtain your consent before collecting, using, or disclosing your health information, except where otherwise permitted by applicable law in your jurisdiction.

You may withdraw your consent at any time by contacting our Privacy Officer. However, this may limit our ability to provide services to you.

2.4 Legal Basis for Processing (GDPR)

For users in the European Union, United Kingdom, or other GDPR-covered jurisdictions, we process your personal information based on the following legal grounds:

  • Contract: Processing is necessary to provide our health management services to you
  • Consent: You have given explicit consent for processing your sensitive health data
  • Legal Obligation: Processing is required to comply with applicable laws (e.g., record retention)
  • Legitimate Interests: Processing is necessary for our legitimate business interests (e.g., fraud prevention, security)

3. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve our services
  • Create and manage your account
  • Process payments and subscriptions
  • Send transactional emails (account verification, password resets, plan notifications)
  • Provide customer support
  • Analyze usage patterns to improve the platform
  • Comply with legal obligations

3.1 Marketing Communications

We may send you marketing communications about new features or offers. You can opt out at any time by:

  • Clicking 'unsubscribe' in any marketing email
  • Contacting us at privacy@optimalrange.app
  • Updating your account preferences

We will never sell your data to third parties for marketing purposes.

4. Health Information

We understand the sensitive nature of health information. We take special care to protect all health-related data entered into the platform:

  • Health data is encrypted in transit and at rest
  • Access is restricted to the practitioner who manages the client and the client themselves
  • We do not sell, rent, or share health information with third parties for marketing purposes
  • Health data is retained only as long as necessary to provide services or as required by law

5. Data Sharing and Disclosure

We may share your information with:

  • Service Providers: Third-party services that help us operate the platform (hosting, email delivery, payment processing). These providers are contractually obligated to protect your data.
  • Practitioners and Clients: Health information is shared between practitioners and their respective clients as part of the platform's core functionality.
  • Legal Requirements: We may disclose information if required by law, court order, or governmental authority.

We do not sell your personal information to third parties.

6. Data Security

We implement industry-standard security measures to protect your information:

  • SSL/TLS encryption for all data in transit
  • Encrypted database storage
  • Secure authentication with password hashing
  • Regular security audits and updates
  • Access controls and monitoring

While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

6.1 Data Breach Notification

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) within 30 days, as required under the Notifiable Data Breaches scheme.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide services. Upon account deletion:

  • Personal account data is deleted within 30 days
  • Health records may be retained for legal compliance (typically 7 years, depending on jurisdiction)
  • De-identified analytics data may be retained indefinitely

7.1 De-identification

After deletion or upon request, we may retain de-identified health data for research and platform improvement. De-identification involves removing all personal identifiers so that individuals cannot reasonably be re-identified.

8. Your Privacy Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of your personal data within 30 days
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Portability: Request your data in a portable format (PDF or CSV)
  • Withdraw Consent: Withdraw consent for optional data processing
  • Object to Processing: Object to certain types of data processing

To exercise these rights, contact our Privacy Officer at privacy@optimalrange.app. We will respond within 30 days. We will not charge a fee for access requests unless the request is excessive or complex.

Australian users: These rights align with the Australian Privacy Principles (APPs 12 and 13).

8.1 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of personal information collected and how it's used
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do not sell your personal information to third parties and will never do so.
  • Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights

To exercise these rights, contact privacy@optimalrange.app. We will respond within 45 days.

Do Not Sell My Personal Information: We do not sell, rent, or share your personal information with third parties for monetary or other valuable consideration. We have never sold personal information and have no plans to do so.

8.2 New Zealand Privacy Rights

If you are in New Zealand, your rights under the Privacy Act 2020 include:

  • Access: Request access to your personal information
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion subject to retention requirements
  • Complaints: Lodge complaints with the New Zealand Privacy Commissioner

New Zealand Privacy Commissioner: www.privacy.org.nz

9. Cookies

We use essential cookies for authentication and session management. These cookies are necessary for the platform to function. We do not use advertising or tracking cookies.

10. Data Storage and International Transfers

Primary Data Storage: Your data is stored in secure data centers in Tokyo, Japan (AWS ap-northeast-1 region) through our infrastructure provider, Supabase Inc.

Third-Party Services: Some data may be processed by third-party services located in various countries:

  • Supabase (Tokyo, Japan): Primary database and authentication
  • Vercel (Global CDN): Hosting and deployment
  • Resend (United States): Email delivery
  • Stripe (United States): Payment processing

Data Protection Standards: We ensure all service providers maintain security standards meeting or exceeding international best practices, including:

  • SOC 2 Type II compliance
  • ISO 27001 certification
  • Encryption in transit and at rest
  • Regular security audits

Each service has its own privacy policy governing its use of data. Data transfers comply with applicable cross-border data transfer regulations in your jurisdiction.

11. Children's Privacy

The Platform is not intended for users under 18 years of age. We do not knowingly collect information from children. If we become aware that we have collected data from a child without parental consent, we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Platform. Your continued use after changes constitutes acceptance.

13. Privacy Complaints

If you have a complaint about how we handle your personal information:

  1. Contact our Privacy Officer at privacy@optimalrange.app
  2. We will acknowledge your complaint within 7 business days
  3. We will investigate and respond within 30 days
  4. If you're not satisfied with our response, you may escalate to the relevant privacy authority in your jurisdiction

For Australian users: You can lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

For EU/EEA users: You can lodge a complaint with your local data protection authority.

For users in other jurisdictions: Contact your local privacy or data protection authority.

14. Contact Us

For privacy-related questions or to exercise your privacy rights:

Privacy Officer: [Your Name or Role]
Email: privacy@optimalrange.app
Business Name: [Your Registered Business Name]
ABN: [Your ABN Number]
Address: [Your Australian Business Address]