Policies

Our privacy notice

Privacy, security, and safety first.

Jean-Francois Legourd
Feb 18, 2026

Effective Date: 01-Jan-2021
Last Updated: 18-Feb-2026

1. Introduction and Data Controller

Whenever this Privacy Notice refers to “we,” “our,” or “Elfie,” it refers to the entity Elfie Pte. Ltd.. Our registered office is located at Wishart Road, #05-27, The Foresta @ Mount Faber, Singapore 098752, and we are registered in Singapore under registration number 202035381C.

Elfie is the designated responsible entity and the data controller under data protection regulations. In other words, we are the company that decides the purpose and the means of processing your personal data (hereinafter referred to as “User Data”). As such, we are legally responsible for their security, their integrity, and strict compliance with applicable laws.

The following sections of this Privacy Notice contain detailed information on the processing of your personal data, as well as your extended rights. If your country of residence provides for additional or specific requirements (as is the case for France, Germany, Singapore, or Brazil), you will find detailed and localized information on this subject in Section 12 of this notice.

This Privacy Notice applies comprehensively to all User Data processed in connection with our products and services. As the responsible entity, we are subject to strict information obligations that we wish to fulfill fully and in total transparency through this document.

In addition to this notice, we also provide additional and contextual information directly within our products. For example, we may ask you for a specific new consent during a device pairing process or explain the precise consequences of a revocation of consent at the appropriate time. The information provided in our products does not contradict this general privacy notice but complements it with brief, targeted, and easy-to-read details to facilitate your decision-making.

This Privacy Notice, as well as all associated additional information, are accessible at any time from our products and on our website.

2. Glossary and Definitions

In order to guarantee total transparency and avoid any confusion in the interpretation of this Privacy Notice, the following terms are defined as follows:

  • User Data (or Personal Data): Refers to any information relating to an identified or identifiable natural person. A natural person is considered “identifiable” as soon as they can be identified, directly or indirectly, notably by reference to an identifier such as a name, an identification number, location data, or an online identifier.
  • Health Data: Refers to personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about the health status of this person. At Elfie, this notably includes blood glucose measurements, blood pressure, medication logs, and medical history.
  • Processing: Refers to any operation or set of operations performed on personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, or communication by transmission.
  • Data Controller: Refers to the company (Elfie Pte. Ltd.) which, alone or jointly with others, determines the purposes and the means of the processing of your personal data.
  • Data Processor: Refers to the natural or legal person, public authority, service, or other body that processes personal data on behalf of and according to the specific instructions of Elfie (for example, our cloud hosting or analysis service providers).
  • Pseudonymization: Refers to the processing of personal data in such a way that it can no longer be attributed to a specific data subject without having recourse to additional information. This additional information is kept separately and subjected to technical and organizational measures to guarantee non-attribution.
  • Anonymization: Refers to the result of processing personal data aiming to prevent, irreversibly, any identification of the data subject by any means whatsoever. Anonymized data are no longer considered personal data within the meaning of the law.
  • Ancestral Heritage: Refers to the information relating to ancestral origin provided by the user. This data is treated as sensitive health data and is used exclusively to apply appropriate medical reference thresholds (notably for Body Mass Index - BMI) and adjust clinical recommendations according to established scientific standards.
  • Consent: Refers to any manifestation of will, free, specific, informed, and unequivocal by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning them be subject to processing.

3. Consent Structure and Legal Bases

3.1 Processing necessary for the performance of the contract

This category concerns the processing of your User Data indispensable to establish the contractual relationship and provide you with our services.

  • Purpose: Allow technical access to the application, the securing of your account, and the provision of basic services defined in our General Terms of Use (Element 1 and 2 of our registration interface).
  • Necessity: Without this processing, the use of our products is not possible from a legal and factual point of view, as the technical infrastructure and the management of your account depend on it directly.

3.2 Processing of health data

Due to the sensitivity of the information processed, Elfie applies a reinforced consent protocol for all medical data.

  • Explicit consent: We only process your health data (glucose measurements, blood pressure, medications, ancestral origin, etc.) with your explicit consent.
  • Condition of use: This consent is mandatory for the use of the medical tracking functionalities of the Elfie application. If you do not consent to this processing, you will not be able to access the pathology management services provided by the application.

3.3 Processing for product improvement

This processing aims to optimize the therapeutic effectiveness of the application for you and for the entire community of users.

  • Purpose: Develop algorithms for therapy management, improve the user interface, and validate the clinical effectiveness of our tools.
  • Optional nature: This consent is strictly optional. You can use the entirety of the medical functions of Elfie without granting this consent.
  • Mechanism: This consent is collected via our Cookie Policy. It authorizes us to use pseudonymized usage data (for example via Mixpanel) to analyze navigation and retention statistics.

3.4 Processing for marketing purposes

This category concerns promotional and informative communication outside the contractual framework.

  • Channels: Sending newsletters, push notifications, or personalized offers concerning new services (ex: coverage by your health insurance).
  • Optional nature: This consent is optional. You can use our products without this consent and you will not receive advertising communications.

3.5 Processing based on legal obligations

In some cases, the processing of your data may take place independently of your consent on the basis of mandatory legal principles.

  • Medical devices: Compliance with regulations on medical devices, including the vigilance system and post-market surveillance.
  • Public interest: Processing necessary for reasons of public interest in the field of public health (ex: patient safety).

3.6 Management and Revocation of consents

Elfie guarantees that you retain control at all times over your confidentiality choices:

  • Procedures: You can provide or modify your consents during registration, or later via your account settings.
  • Right of revocation: You can revoke any consent at any time, either via the application settings or by email to dpo@elfie.co.
  • Effects: In case of revocation, we will inform you of the associated functional consequences. The legality of the processing carried out before the revocation remains unchanged.

4. Collection of User Data

The processing of data below rests on the legal basis of the performance of the contract for identification data and for health data.

4.1 Mandatory data for account creation

To create your profile and guarantee the security of your data, the following information is required:

  • Authentication methods:
    • Email and password: Your personal email address and a secure password (stored in a cryptographic manner).
    • Third-party services (Social Login): You can choose to create an account via “Continue with Google” or “Continue with Apple”. In this case, we receive the email address associated with this service (or a masked address provided by Apple) as well as your third-party connection identifiers.
  • Identity and communication:
    • Pseudonym (Nickname): A pseudonym or usage name is required to allow us to address you in the interface (for example: “Hello [Pseudonym]”).
  • Compliance and Security of minors:
    • Date of birth: This information is mandatory to verify if you are 16 years or older. It allows us to apply specific protection measures for minors or to prohibit access if the guardianship conditions are not met.
  • Fundamental clinical parameters:
    • Biological sex at birth: This data is mandatory because it is indispensable for applying medical guidelines and the clinical analysis thresholds appropriate to your physiology.

4.2 Medical and health data (Optional)

Once the account is created, you can choose to provide the following data to benefit from personalized monitoring:

  • Ancestral Origin (Ancestry): Contrary to biological sex, this data is optional. It is used to refine medical recommendations and Body Mass Index (BMI) thresholds according to scientific standards specific to certain populations.
  • Monitoring of pathologies: Chronic diseases, measurements of blood glucose, blood pressure, cholesterol, weight, and height.
  • Management of treatment: Prescribed medication, doses taken, basal settings, and correction factors.
  • Lifestyle: Physical activities (type, duration), food intake (meals), number of steps, and personal notes.

4.3 Technical data collected automatically

During the use of the application, we collect data related to technical functioning:

  • System information: Device ID, manufacturer, type of device, version of the operating system, language, and time zone.
  • Location: IP address used to determine your region and the location of data storage (France, Australia, or Singapore).

5. Detailed purposes of the processing

The processing of data for the provision of the service rests on the performance of the contract; product improvements, product information, and scientific studies rest on distinct optional consents.

5.1 Provision and performance of the service

We process your data to ensure the technical and functional provision of the application:

  • Account management: Use of your identifiers to create your account ID and secure your access.
  • Clinical configuration: Processing of your health data to configure the user interface and adapt medical advice to your profile.
  • Location and storage: Use of the IP address only to confirm your region and guarantee that your data are stored on the appropriate server (France for Europe/Africa, Australia, or Singapore).

5.2 Support, Security, and Maintenance

These activities are essential to service continuity and are performed as part of the performance of the contract:

  • Technical assistance: Processing of data exchanged with our support service (support@elfie.co) for troubleshooting.
  • Essential communications: Sending push notifications or emails concerning critical updates and security. These messages are sent independently of your optional subscriptions because they are an integral part of the product.
  • Diagnostic: Collection of information on the device and bug reports to diagnose and resolve potential problems.

5.3 Product information and Scientific studies

This processing rests on a specific, independent, and optional consent of the main privacy policy:

  • Education on the product: Informing you on existing or new functionalities within Elfie to maximize the utility of the tool made available to you.
  • Access to services: Informing you if new free services (ex: via your health insurance) are accessible in the application.
  • Research: Inviting you to participate in surveys or clinical research studies.

5.4 Product improvement and innovation

This processing is governed by a separate Cookie Policy and requires a distinct optional consent:

  • Usage analysis: Use of technical identifiers (pseudonymization via Mixpanel hosted in Europe) to understand how the application is used and improve therapy algorithms.
  • Tests: Realization of usage and security tests for new versions of the product.

5.5 Artificial Intelligence (AI)

The processing by AI rests on a prior anonymization process:

  • Total anonymization: Before any processing by our AI models, your data are subjected to an irreversible anonymization.
  • Confidentiality: No identifiable personal data, nor any user identifier (User ID), is shared with our AI systems.

5.6 Research, Legal obligations, and Commercial purposes

  • Scientific research: Use of anonymized data for statistical purposes in accordance with ethical standards.
  • Regulatory compliance: Monitoring of product functionality (vigilance) in accordance with legislation on medical devices (where applicable).
  • Commercial purposes: Sharing of strictly anonymized data with partners (health organizations, insurers, pharmaceutical groups) for public health research and performance management.

6. Security, Encryption, and Technical Measures

The processing of data under security rests on the legal obligation to guarantee the security of the processing.

6.1 Principles of security and confidentiality

Elfie guarantees at all times adequate security and confidentiality of your personal data. This covers protection against unauthorized and illegal processing, as well as against loss, destruction, or involuntary damage using appropriate technical and organizational measures. We use strict internal processes, advanced security functionalities, and the latest encryption methods, taking into account the state of the art of technology.

6.2 Encryption of data

  • Data in transit: Each transfer of personal data, without exception and by default, is encrypted during transfer. By using the HTTPS protocol (Hypertext Transfer Protocol Secure), we ensure that your data are not intercepted by unauthorized third parties.
  • Data at rest: All data stored on our servers (GCP France, Australia, or Singapore) are subject to secure encryption at rest to prevent any unauthorized access to storage media.

6.3 Pseudonymization and Anonymization

We use specific processing processes to minimize risks:

  • Pseudonymization: For the activities of analysis and improvement of products (via Mixpanel), we use pseudonymization. This guarantees that the data can no longer be attributed to a specific data subject without additional information stored separately.
  • Anonymization: Data not requiring a personal reference for processing, notably for research, global statistics, or processing by Artificial Intelligence (AI), are subjected to an irreversible anonymization. This process prevents any connection or attribution to a specific person in all cases.

6.4 Technical and Organizational Measures (TOM)

Elfie deploys a complete set of administrative, technical, and physical measures:

  • Administrative Measures: Presence of a security and compliance officer, of a Data Protection Officer (DPO), rigorous management of assets, regular training of employees on confidentiality issues, and respect for secure software development principles.
  • Technical Measures: Logical access control, robust password policy, backup policy (backups), disaster recovery procedure, regular update of security patches (patch policy), continuous monitoring of the infrastructure, and regular penetration tests.
  • Physical Measures: Strict control of physical access to the infrastructures hosting the data.

7. Recipients of data and Subcontracting

The transfer of data to our partners and subcontractors rests on the legal basis of the performance of the contract for technical provision, and on the respect for contractual obligations framing subcontracting.

7.1 Principles of transfer and control

Elfie transfers User Data to subcontractors exclusively within the framework of this Privacy Notice and only to fulfill the declared objectives.

  • Strict instructions: Subcontractors work according to our specifications and instructions.
  • Limited usage: They are not authorized to use the personal data of our users for their own purposes or for other purposes.
  • Contractual guarantees: We conclude binding contracts meeting the strict requirements of applicable laws regarding the protection of personal data.
  • Subcontracting chain: Third-party providers can only use other subcontractors with our prior consent and subject to respect for the same data protection obligations.

7.2 Categories of recipients of data

We provide our users' data solely to fulfill the respective contracts associated with the following categories:

  • Hosting and Cloud Services: Used to store data in a secure and certified manner.
  • Maintenance and Technical Reliability: Tools ensuring the application remains operational and bug-free.
  • Authentication and Security: Services that protect access to your account.
  • Customer Support Services: Tools for managing user assistance requests.
  • Analytics Service Providers [optional]: Partners helping us understand usage to improve clinical effectiveness.
  • Marketing Service Providers [optional]: They support us in the creation, personalization, and distribution of newsletters and informative messages regarding our products.

7.3 List of Sub-processors and Tracking Technologies

These tools are essential for service delivery, security, and user support.

  • Name: Branch SDK
    • Description: Linking of two users (family link) and friend referrals.
    • Type: Necessary.
    • Source / Provider: Branch.
  • Name: Firebase API
    • Description: Authentication services to protect and access your account.
    • Type: Necessary.
    • Source / Provider: Firebase.
  • Name: Google API
    • Description: Account authentication services to secure your access.
    • Type: Necessary.
    • Source / Provider: Google.
  • Name: Facebook Login
    • Description: Simplified account creation and authentication.
    • Type: Necessary.
    • Source / Provider: Facebook.
  • Name: Sentry
    • Description: Ensuring the application remains operational and functional (bug diagnostics).
    • Type: Technical.
    • Source / Provider: Sentry.
  • Name: Apple CDN
    • Description: Ensuring the availability of application services.
    • Type: Technical.
    • Source / Provider: Apple.

B. Analytical and Improvement Technologies (Legal Basis: Explicit Consent)

These technologies are activated only if you provide your consent via the cookie policy.

  • Name: MixPanel SDK
    • Description: Session and event analysis tool (Hosted in Europe).
    • Type: Analytical.
    • Source / Provider: MixPanel.
  • Name: Adjust SDK
    • Description: Referral and campaign analysis.
    • Type: Analytical.
    • Source / Provider: Adjust.
  • Name: app.measurement.com
    • Description: Session and event analysis tool for application optimization.
    • Type: Analytical.
    • Source / Provider: Firebase.
  • Name: Facebook SDK
    • Description: Technical session tracking.
    • Type: Advertising.
    • Source / Provider: Facebook.

7.4 Sharing under user responsibility

Certain functions of our application, such as the Elfie coach or the health report, allow you to directly share certain User Data with a third party from our products.

  • User discretion: You decide, at your sole discretion, what data you share, with which party, and at what time.
  • Responsibility: These data transfers fall under your sole responsibility.

8. Hosting and International Transfers

The processing and hosting of your data rest on the legal basis of the performance of the contract in order to provide the service in your geographical area, as well as on the legitimate interest of Elfie in ensuring the security and compliance of data flows.

8.1 Manual choice of the hosting region

In order to guarantee respect for local regulations and to meet data sovereignty requirements, Elfie allows the user to manually select their region of residence during account creation.

  • Selection at registration: This choice is made at the moment of creating the user account.
  • Final character: Once the region is selected, this parameter is not modifiable for reasons of compliance and security.
  • Use of the IP address: We use your IP address only to evaluate from which country or region you access our services and to help you select the appropriate storage location for your account.

8.2 Location of servers and HDS certification

Your User Data are stored both on your mobile device and on our secure servers provided by Google Cloud Platform (GCP). The physical location of the servers depends strictly on the region chosen during your registration:

  • Europe and Africa: For users of these regions, the entirety of the data is hosted on Google Cloud Platform (GCP) servers located in France.
  • Health Compliance (France): To meet the requirements of the French Public Health Code, Elfie uses HDS (Health Data Host) certified infrastructures for the storage of health data of European residents. This hosting rests on advanced security protocols compliant with ISO 27001 standards and the specific requirements of the CNIL.
  • Australia: The data of Australian users are hosted on GCP Australia.
  • Rest of the world: Data for other regions are currently located on GCP Singapore.

8.3 Guarantees of protection during transfers

Although we prioritize subcontractors based in the user's area, transfers toward third countries may exceptionally take place for technical support operations.

  • High level of protection: Whatever the place of storage or processing, Elfie ensures that a level of protection equivalent to the GDPR is guaranteed at all times.
  • Legal instruments: These transfers are framed either by an adequacy decision of the UE or by the Standard Contractual Clauses (SCC) approved by the European Commission.
  • Analysis services: Usage analysis data are hosted exclusively on our provider's servers located within the European Union.
  • Remote access transfer: Although data hosting is localized in France, remote access to data may be performed by authorized personnel of Elfie Pte. Ltd. based in Singapore for technical support and maintenance purposes. These remote access transfers are strictly governed by the European Commission's Standard Contractual Clauses (SCCs) to ensure a level of protection equivalent to that of the GDPR.

8.4 Security of data at rest and in motion

Independently of the place of storage, we guarantee the security of your information at each stage:

  • Data at rest: Information stored on regional servers is subject to systematic encryption.
  • Data in transit: Any temporary transfer necessary for processing is protected by state-of-the-art encryption protocols (HTTPS).
  • Access to support: In exceptional cases of troubleshooting, Elfie may designate third-party providers located outside your geographical area, but these are subjected to the same strict security requirements.

9. Storage and Deletion Policy

The processing of data relative to conservation and deletion rests on the legal basis of the performance of the contract, on the legitimate interest of ensuring a responsible management of the data life cycle, as well as on respect for legal conservation obligations.

9.1 General principles of storage

Your User Data are stored in a secure manner both locally on your mobile device and on our remote servers. Elfie only conserves your personal data during the duration necessary for the performance of the contract and for the provision of services.

9.2 Life cycle and Inactivity Policy

In order to guarantee respect for the right to be forgotten and data minimization, Elfie applies the following procedure in case of prolonged inactivity:

  • Inactivity alert: After a period of one (1) year without any connection or activity registered on your account, Elfie will send you a notification by email. This message aims to inform you that your account is considered inactive and that an automatic deletion will occur if no action is taken.
  • Automatic deletion: If no activity is registered during a total period of three (3) years, the entirety of your User Data and health data will be deleted from our servers in a definitive and irreversible manner.

9.3 Legal conservation and Archiving

In certain specific cases, storage longer than the life of the account may be necessary for the following reasons:

  • Legal obligations: Comply with obligations of conservation, disclosure, or specific regulations (notably regarding medical devices).
  • Defense of rights: Assert, exercise, or defend legal rights within the framework of a potential dispute.
  • Processing of archives: Data having to be retained for these legal motives are transferred toward a distinct and secure archive storage. They are then no longer used for other purposes than that of conservation, unless the law expressly requires it.

9.4 Methods of deletion and destruction

Elfie ensures that the deletion of data is total and secure:

  • Electronic data: Personal data stored in electronic file form are deleted by using a rigorous technical method that does not allow reproducing or restoring the file.
  • Physical documents: Although our processes are mostly digital, all personal data recorded on paper documents are destroyed by shredding.

10. Protection of Minors

The processing of data relative to minors rests on the legal basis of the consent of the holders of parental authority, as well as on respect for our legal obligations to protect the privacy of children.

10.1 Age of digital majority and registration in autonomy

  • To register and use Elfie products in an autonomous manner, you must be aged at least 16 years.
  • From 16 years, we consider that you have the legal capacity to consent alone to the processing of your personal and health data within the framework of using our services.
  • During account creation, validation of the date of birth is a mandatory mechanism to prevent unsupervised access to minors under 16 years.

10.2 Specific compliance for the United States (COPPA)

  • In accordance with the American law Children’s Online Privacy Protection Act (COPPA), Elfie does not knowingly collect any personal information from children under 13 years residing in the United States without a prior and verifiable parental consent.
  • If we learn that data of a child under 13 years have been collected without legal supervision, we will proceed to their immediate deletion.

10.3 Use by minors under 16 years

  • Minors under 16 years can benefit from Elfie health monitoring, but the account must be created and managed exclusively by the parent or legal guardian.
  • The processing of data of the minor is only lawful if the consent is provided by the holder of parental authority on behalf of the child.

10.4 Rights of parents and guardians

  • Parents or legal guardians have a permanent right of oversight over the data of their children processed via their account.
  • You have the right to request access, modification, or deletion of the personal data of your child at any time by contacting us at dpo@elfie.co.
  • Any reporting of an unauthorized registration of a minor will be treated as a priority absolute.

11. Your Rights as a Data Subject

The processing related to the exercise of your rights rests on the legal obligation of the data controller to respond to requests from data subjects.

11.1 Right of access and information

You have the right to obtain confirmation that personal data concerning you are or are not being processed. If they are, you have the right to access these data and to receive detailed information on:

  • The purposes of processing.
  • The categories of data concerned.
  • The recipients or categories of recipients.
  • The duration of conservation or the criteria allowing to determine it.

11.2 Right of rectification

You have the right to demand that we correct without delay any inaccurate personal data concerning you. Taking into account the purposes of processing, you also have the right to request that incomplete data be completed.

11.3 Right to erasure (“Right to be forgotten”)

You have the right to request the deletion of your personal data as soon as possible, notably when:

  • The data are no longer necessary with regard to the purposes for which they were collected.
  • You revoke your consent and there does not exist another legal basis for processing.
  • You object to the processing (see section 11.6).
  • The data have been the subject of an illegal processing.

Note: This right can be limited if the processing is necessary to respect a legal obligation (ex: medical vigilance) or for the establishment, exercise, or defense of rights in court.

11.4 Right to restriction of processing

You can request the limitation of processing if:

  • You contest the accuracy of the data (during the duration of verification).
  • The processing is illegal but you object to erasure.
  • We no longer need the data, but they are necessary for you for the defense of rights in court.

11.5 Right to data portability

You have the right to receive the personal data that you have provided us in a structured format, commonly used and machine-readable. You also have the right to transmit these data to another data controller without us obstructing it.

11.6 Right to object

You have the right to object at any time, for reasons related to your particular situation, to a processing of your data based on our legitimate interest. We will then cease the processing, unless demonstrating that there exist legitimate and compelling reasons which prevail over your interests.

11.7 Specific rights for American residents (CCPA/CPRA)

If you reside in the United States, notably in California, you dispose of additional rights:

  • Right to know: Know what personal data we have collected, used, or shared during the last 12 months.
  • Right to refuse sale or sharing (Opt-out): Elfie does not sell your identifiable personal data. However, you can exercise your right of refusal concerning certain usage data sharing (Analytics) via our cookie settings.
  • Right to non-discrimination: We will not discriminate against you (price, service) for having exercised one of your rights to privacy.

11.8 Procedures for exercise and contact

To exercise one of these rights, you can:

  1. Use the profile management functions directly in the Elfie application.
  2. Contact our Data Protection Officer (DPO) by email: dpo@elfie.co.
  3. Address a postal letter to the registered office of Elfie Pte. Ltd. in Singapore.

We will respond to your request within a period of one month (able to be extended by two months in case of complexity, in accordance with applicable laws). For reasons of security, we will be able to ask you for a proof of identity before processing certain requests.

12. Specific Provisions by Country

The processing of data under this section rests on the legal obligation to comply with specific local regulations.

12.1 European Union and European Economic Area (GDPR)

  • EU Representative: In accordance with Article 27 of the GDPR, Elfie (established outside the EU) has designated Prighter Group as its representative for data protection in the European Union. You can contact them for any question relative to privacy via their dedicated portal: https://prighter.com/q/18718275968.
  • Hosting: For all residents of the UE, your data are hosted exclusively on Google Cloud Platform (GCP) servers located in France.
  • AI Compliance: Elfie commits to respecting the requirements of the Regulation on Artificial Intelligence (AI Act) of the UE, notably by guaranteeing a total transparency on the use of AI models for the analysis of health data.

12.2 France (Mon Espace Santé, CNIL & HDS)

  • Certified Hosting (HDS): In accordance with article L. 1111-8 of the Public Health Code, your health data benefit from a reinforced level of protection via HDS certified hosting located in France. This framework guarantees the confidentiality, integrity, and availability of your medical data under the surveillance of French authorities.
  • Interoperability: Elfie strives to maintain technical compatibility with Mon Espace Santé (MES) to allow, at your request, exportation or synchronization of your health measurements.
  • Deletion and Right to be forgotten: In compliance with the recommendations of the CNIL for health applications, we apply a strict purge rule: your account and your data are deleted after 3 years of inactivity, following an alert sent after 1 year of inactivity.
  • Specific consent for Health Data: In compliance with article 9, we request your explicit consent for the management of health data.
  • Post-mortem directives: In accordance with the Data Protection Act (loi Informatique et Libertés), you have the right to define directives relative to the fate of your personal data after your death by contacting our DPO.

12.3 Germany (DiGA & SGB V)

  • Reimbursement and Performance: For certified DiGA versions, Elfie respects the new obligations of the DiGAV 2026 regulation, including the measurement of treatment success (performance-based) and mandatory interoperability with the electronic patient record (ePA).
  • Data Residency: In accordance with § 4 (3) DiGAV, the processing of data for German users takes place strictly within the UE or countries having an adequacy decision.

12.3 United Kingdom (UK GDPR & Data Protection Act 2018)

  • Legal framework: For residents of the United Kingdom, the processing is governed by the UK GDPR and the Data Protection Act 2018.
  • UK Representative: Elfie also uses the services of Prighter to ensure its representation with the Information Commissioner’s Office (ICO).
  • Transfers: The data of British users are hosted in France. This transfer is based on mutual adequacy decisions between the United Kingdom and the European Union.

12.4 Singapore (PDPA 2012)

  • PDPA Guarantees: As a company based in Singapore, Elfie respects the ten obligations of the Personal Data Protection Act (PDPA), including the protection obligation (AES-256 encryption) and the notification obligation in case of a data breach.
  • Local Hosting: Users choosing the Singapore region see their data hosted locally on GCP Singapore.

12.5 Turkey (KVKK)

  • Granular Consent: In accordance with KVKK law n° 6698, we collect an explicit, specific, and informed consent for the processing of health data and cross-border transfers.
  • VERBİS Register: Elfie fulfills its declaration obligations toward the Turkish register of data controllers if applicable to its volume of activity.

12.6 United States (CCPA/CPRA & COPPA)

  • California: Californian residents have extended rights, notably the right to limit the use of their “Sensitive Personal Information” (health data) and the right to request that their data not be shared for cross-context behavioral advertising purposes.
  • COPPA: We apply a reinforced protection for children under 13 years, prohibiting any collection of data without verifiable parental consent.

12.7 Australia (Privacy Act 1988)

  • Australian Privacy Principles (APP): Elfie processes personal and health information in accordance with the 13 APP principles of the Australian law on the protection of privacy.
  • Local Hosting: For users residing in Australia, data are hosted exclusively on Google Cloud Platform (GCP) servers in Australia.
  • Sensitive Data: Health information is only collected with an explicit consent and for purposes directly related to the application functions.

12.8 Egypt (Law n° 151 of 2020)

  • Protection of Personal Data: Elfie respects the provisions of the Egyptian law on the protection of personal data, notably concerning “sensitive data” (health).
  • Cross-border Transfer: By choosing the Europe/Africa region, your data are stored in France (GCP); this transfer is performed by guaranteeing a level of protection at least equivalent to that required by Egyptian law.

12.9 Brazil (LGPD - Law n° 13.709/2018)

  • Lei Geral de Proteção de Dados (LGPD): Elfie guarantees Brazilian residents the exercise of their rights, notably access, correction, anonymization, or deletion of data.
  • Partner Relation: Although Elfie collaborates with local entities for innovation, no identifiable data is shared with the Sociedade Beneficente Israelita Brasileira Hospital Albert Einstein without an additional specific consent.

12.10 Vietnam (Decree n° 13/2023/ND-CP - PDPD)

  • Sensitive Personal Data: In accordance with the Decree on the protection of personal data (PDPD), Elfie treats health data as “sensitive data”.
  • Consent: We collect an explicit and informed consent for the collection, processing, and cross-border transfer of these data.
  • Rights of users: Vietnamese residents have the right to consult, modify, delete their data and to request the stop of any marketing processing.

12.11 Mexico (LFPDPPP)

  • ARCO Rights: In accordance with the Ley Federal de Protección de Datos Personales en Posesión de los Particulares, Mexican users can exercise their ARCO rights (Access, Rectification, Cancellation, and Opposition).
  • Sensitive Data: Consent for the processing of health data is collected in an express and written manner (via electronic signature in the application).

13. Modifications and Contact DPO

The processing related to the update of this notice and the management of your contact requests rests on the legal obligation of transparency and information of the data controller.

13.1 Modifications to the Privacy Notice

Elfie reserves the right to modify the present Privacy Notice in order to reflect technological evolutions of our products, changes in our processing practices, or new world legislative requirements.

  • Notification: In case of major modifications (for example, a change of hosting location or purpose of processing), we will inform you via a notification within the application or by email before the modifications become effective.
  • Consultation: The most recent version of this notice is accessible at any time in the settings of the Elfie application or on our official website.
  • Date of effect: The date of the last update is systematically indicated at the top of the document. Any new version replaces by right the previous versions.

13.2 Contact and Data Protection Officer (DPO)

For any question, concern, or to exercise your rights as a data subject (as described in Section 11), you can contact our DPO directly:

  • Email: dpo@elfie.co or contact@elfie.co.
  • Postal address: Elfie Pte. Ltd. Attn: Data Protection Officer Wishart Road, #05-27, The Foresta @ Mount Faber Singapore 098752.

13.3 Regional representatives

To facilitate communication with local regulatory authorities and users, we have designated representatives:

  • European Union / United Kingdom: As mentioned in Section 12, you can contact Prighter Group via their compliance portal (https://prighter.com/q/18718275968) for any request relative to the GDPR or the UK-GDPR.
  • Other regions: For any other jurisdiction (Vietnam, Mexico, Brazil, etc.), please use the central email address of the DPO to obtain localized assistance.

Related posts

Browse all posts
Medical publications
Dec 21, 2025

Biological Age

Read more
Therapeutic areas
Aug 19, 2025

Medications

Read more
Therapeutic areas
Aug 17, 2025

Obesity

Read more