Privacy Policy
Last updated: 2 June 2026
This Privacy Policy explains how humn (“humn”, “we”, “us”) collects, uses, shares, and protects your personal data when you join our waitlist at humnlabs.ai or use the humn app at app.humnlabs.ai (together, the “Service”). humn analyzes your blood work and other health signals to build personalized health protocols. Because that involves health data, we treat your privacy as a core part of the product, not an afterthought.
We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (personopplysningsloven).
1. Data controller
The data controller responsible for your personal data is:
Chishti Capital Investment AS
Organization number: 919 888 733
Tandbergåsen 23d, 3070 Sande i Vestfold, Norway
Email: privacy@humnlabs.ai
If you have any questions about this policy or how we handle your data, contact us at privacy@humnlabs.ai.
2. Legal basis for processing
We only process your personal data when we have a lawful basis to do so:
- Contract performance (Art. 6(1)(b)): to provide the Service you signed up for, including generating your protocols and managing your account.
- Consent (Art. 6(1)(a) and, for health data, Art. 9(2)(a)): to process your health data and to send you marketing if you opt in. You can withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)): to secure the Service, prevent fraud and abuse, and improve our product, balanced against your rights.
- Legal obligation (Art. 6(1)(c)): to comply with accounting, tax, and other legal requirements.
Health data is a special category of personal data under Article 9 of the GDPR. We collect and process it only with your separate, explicit consent, which is distinct from your acceptance of our general terms.
3. What data we collect
Waitlist data
When you join the waitlist at humnlabs.ai, we collect your first name, last name, email address, city, country, how you heard about us, the topics you tell us you are interested in, and whether you would pay for a health optimization service. City, source, interests, and willingness to pay help us understand demand and plan our rollout.
Account data
When you create an account in the humn app, we collect your name, email address, and authentication details. We support sign in with email, passkeys, and Google. We never see or store your Google password.
Health data (special category)
To build your protocols, we process the health information you choose to provide. This may include blood test results and biomarkers imported from connected laboratories, data you enter about your health, goals, and lifestyle, and the personalized protocols we generate for you (covering supplements, nutrition, training, sleep, and recovery).
Wearable and device data
If you connect a wearable such as WHOOP, we receive the health and activity metrics you authorize, for example sleep, recovery, and strain data. You control this connection and can disconnect it at any time, which stops further data collection from that device.
Usage and technical data
We automatically collect limited technical data when you use the Service, such as IP address, browser and device type, and pages or features you interact with. We use this to keep the Service secure and working correctly.
Communication data
We keep records of your support requests, emails with us, and your email and notification preferences.
4. How we use your data
The table below maps why we use your data to the legal basis for each purpose.
| Purpose | Data used | Legal basis |
|---|---|---|
| Manage the waitlist and tell you when access opens | Waitlist data | Consent |
| Create and manage your account | Account data | Contract |
| Generate and update your personalized protocols | Health, wearable, account data | Explicit consent |
| Send transactional emails (welcome, account, security) | Account, communication data | Contract |
| Provide customer support | Account, communication data | Contract / legitimate interest |
| Keep the Service secure and prevent abuse | Usage and technical data | Legitimate interest |
| Improve and develop the Service | Usage data (aggregated where possible) | Legitimate interest |
| Send marketing updates | Account, waitlist data | Consent |
| Meet legal and accounting obligations | Account, transaction records | Legal obligation |
5. AI processing
humn uses artificial intelligence to help analyze your health data and generate your protocols. For this we use the Claude API provided by Anthropic. We want to be clear about how this works.
- We send Anthropic the health information needed to generate a protocol, such as biomarker values, relevant health context, and your questions.
- Anthropic processes this data on our behalf as a data processor under a Data Processing Agreement, and does not use it to train its models.
- We minimize the data we send. Where identifying details such as your name or email are not needed to produce a result, we exclude them.
- Protocols and AI outputs are informational and educational. They are not medical advice and do not replace consultation with a qualified healthcare professional.
6. Data sharing and third parties
We do not sell, rent, or trade your personal data. We share it only with service providers who help us run the Service, and only as needed. Each is bound by a Data Processing Agreement.
| Provider | Purpose |
|---|---|
| Airtable | Storing waitlist sign-ups |
| Resend | Sending transactional and welcome emails |
| Supabase | Database and storage for the app |
| Anthropic | AI analysis and protocol generation |
| Vercel | Application hosting and delivery |
| Sentry | Error monitoring and reliability |
| Google | Optional sign-in (OAuth) |
| WHOOP | Optional wearable data, if you connect it |
| Laboratory partners | Importing your blood test results, if you use this feature |
We may also disclose data where required by law, to protect our legal rights, or in connection with a merger or acquisition, in which case we will notify you.
7. International data transfers
Some of our providers are based in the United States or process data outside the European Economic Area. Where data is transferred outside the EEA, we rely on appropriate safeguards, primarily the European Commission’s Standard Contractual Clauses, along with technical measures such as encryption, to protect your data to the standard required by the GDPR.
8. Data retention
We keep your data only as long as necessary for the purposes described in this policy.
| Data | Retention |
|---|---|
| Waitlist data | Until you ask us to remove it, or until the waitlist program ends |
| Account data | For the life of your account, then deleted within 30 days of account closure |
| Health and wearable data | For the life of your account, deleted within 30 days of account closure or consent withdrawal |
| Transaction and accounting records | As required by Norwegian law (up to 5 years) |
| Usage and technical data | Retained for a limited period, then aggregated or anonymized |
| Support correspondence | Up to 2 years after the interaction |
9. Your rights
Under the GDPR, you have the following rights over your personal data:
- Access (Art. 15): get a copy of the data we hold about you.
- Rectification (Art. 16): correct inaccurate or incomplete data.
- Erasure (Art. 17): ask us to delete your data.
- Restriction (Art. 18): limit how we use your data.
- Portability (Art. 20): receive your data in a portable format.
- Objection (Art. 21): object to processing based on legitimate interest.
- Withdraw consent (Art. 7): withdraw consent at any time, without affecting prior processing.
- Complain: lodge a complaint with a supervisory authority (see below).
To exercise any of these rights, contact us at privacy@humnlabs.ai. We will respond within 30 days. For complex requests, we may extend this by up to a further 60 days and will let you know if we do.
10. Health data
Health data receives extra protection because of its sensitivity. In addition to the measures elsewhere in this policy:
- We collect health data only after you give separate, explicit consent.
- Health data is encrypted in transit and at rest.
- Access is limited to those who need it to operate the Service, and is logged.
- If you withdraw consent or close your account, your health data is deleted within 30 days, after which we can no longer maintain or update your protocols.
humn is a health optimization and wellness service. It is not a healthcare provider and does not provide medical diagnosis or treatment.
12. Children
The Service is intended for adults aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us with personal data, contact us at privacy@humnlabs.ai and we will delete it.
13. Data security
We use technical and organizational measures to protect your data, including:
- Encryption in transit and at rest.
- Hashed storage of credentials and encryption of connected third-party tokens.
- Role-based access controls and the principle of least privilege.
- Monitoring, logging, and regular review of our security posture.
- An incident response process, including breach notification to authorities and affected users where required (GDPR Art. 33 and 34).
No method of transmission or storage is completely secure, but we work continuously to protect your data and limit risk.
14. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the date at the top and, where appropriate, notify you by email or in the app. For material changes affecting health data, we will ask for renewed consent where required.
15. Contact
For any privacy question or to exercise your rights, contact us at privacy@humnlabs.ai. We aim to respond within 30 days.
You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet), Postboks 458 Sentrum, 0105 Oslo, Norway, datatilsynet.no.