1. Introduction
This GDPR Privacy Notice supplements our general Privacy Policy and provides additional information for individuals located in the European Union (“EU”), European Economic Area (“EEA”), and the United Kingdom (“UK”) about how Function Bone Health LLC (“Company,” “we,” “us,” or “our”) processes your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR.
2. Legal Basis for Processing
We process your personal data only when we have a valid legal basis to do so. The legal bases we rely on include:
- Consent (Article 6(1)(a)): Where you have given us clear, affirmative consent to process your personal data for a specific purpose. This includes consent for analytics cookies, marketing communications, and processing of health-related data. You may withdraw your consent at any time.
- Contractual necessity (Article 6(1)(b)): Where processing is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract. This includes processing data to schedule appointments, deliver our bone health assessment services, and communicate with you about your booking.
- Legitimate interests (Article 6(1)(f)): Where processing is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include website security, fraud prevention, service improvement, and internal analytics.
- Legal obligation (Article 6(1)(c)): Where processing is necessary to comply with a legal obligation to which we are subject.
- Explicit consent for special category data (Article 9(2)(a)): Where we process health-related data (such as bone health assessment results or body composition analysis), we do so based on your explicit consent.
3. Categories of Personal Data Collected
We may collect and process the following categories of personal data:
- Identity data: First name, last name, date of birth, gender.
- Contact data: Email address, phone number, mailing address.
- Health data (special category): Bone health assessment results (T-scores, Fragility Scores), body composition analysis data, wellness education consultation notes, medical history provided by you.
- Financial data: Payment information (processed by Stripe; we do not store full payment card details).
- Technical data: IP address, browser type and version, operating system, device information, time zone setting.
- Usage data: Pages visited, links clicked, time spent on pages, referring websites, and other browsing behavior on our website.
- Communication data: Content of emails, form submissions, chat messages, and other communications with us.
4. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including satisfying legal, accounting, or reporting requirements. The specific retention periods depend on the type of data:
- Health and assessment data: Retained for a minimum of 7 years from the date of service, or longer as required by applicable law, to support your ongoing wellness journey and for legal compliance.
- Contact and identity data: Retained for the duration of our relationship and for 5 years following your last interaction with us.
- Financial and transaction data: Retained for 7 years as required by tax and accounting regulations.
- Technical and usage data: Retained for up to 26 months (Google Analytics default) or shorter periods as configured.
- Communication data: Retained for 3 years from the date of the communication unless a longer retention period is required by law or ongoing business need.
5. International Data Transfers
Function Bone Health LLC is based in the United States. If you are located in the EU/EEA or UK and interact with our website or services, your personal data will be transferred to and processed in the United States.
The United States does not currently have an adequacy decision from the European Commission for all data transfers. To ensure adequate protection of your personal data, we rely on the following safeguards:
- Your explicit consent: By voluntarily providing your personal data and using our services, you consent to the transfer of your data to the United States.
- Standard Contractual Clauses (SCCs): Where applicable, we use EU-approved Standard Contractual Clauses with our third-party service providers to ensure adequate data protection.
- EU-U.S. Data Privacy Framework: Certain third-party service providers we use (such as Google) are certified under the EU-U.S. Data Privacy Framework.
You may request information about the specific safeguards we apply to international data transfers by contacting us at info@functionbonehealth.com.
6. Your Rights Under the GDPR
Under the GDPR, you have the following rights in relation to your personal data:
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you and information about how we process it.
- Right to rectification (Article 16): You have the right to request that we correct any inaccurate personal data or complete any incomplete personal data.
- Right to erasure (Article 17): You have the right to request that we delete your personal data in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected, or you withdraw your consent.
- Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller where technically feasible.
- Right to object (Article 21): You have the right to object to the processing of your personal data based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Article 7): Where we rely on your consent to process personal data, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
7. Automated Decision-Making
We use technology, including AI-based analysis, to process your health data as part of our bone health assessment and body composition analysis services. This may include:
- Automated calculation of bone density scores (T-scores) and Fragility Scores from REMS assessment data.
- AI-assisted analysis of body composition data.
- Generation of educational reports based on assessment results.
These automated processes are used to generate educational and informational reports and do not constitute medical diagnoses. No decisions with legal or similarly significant effects are made solely based on automated processing. All assessment results are reviewed by qualified professionals, and you always have the right to request human intervention, express your point of view, and contest the outcome.
8. Data Protection Officer
For any questions or concerns regarding the processing of your personal data or to exercise your rights under the GDPR, please contact our designated data protection contact:
Data Protection Contact: Function Bone Health LLC
Email: info@functionbonehealth.com
Phone: (239) 544-4114
Address: Naples, FL 34102, United States
9. Right to Lodge a Complaint with a Supervisory Authority
If you are located in the EU/EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection laws. You can find your local supervisory authority at:
We encourage you to contact us first so that we can try to resolve any concerns directly.
10. How to Exercise Your Rights
To exercise any of the rights described above, please contact us at:
- Email: info@functionbonehealth.com
- Phone: (239) 544-4114
- Mail: Function Bone Health LLC, Naples, FL 34102, United States
We will respond to your request within one month of receiving it. If your request is complex or we receive a large number of requests, we may extend this period by an additional two months, in which case we will inform you of the extension and the reasons for the delay.
We may need to verify your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
11. Changes to This Notice
We may update this GDPR Privacy Notice from time to time. Changes become effective upon posting to this page. If we make material changes, we will provide notice through our website. We encourage you to review this notice periodically.