Last updated: May 4, 2026

GDPR & Data Protection

How we comply with the General Data Protection Regulation and how you can exercise your rights.

1. Our GDPR commitment

WOW Longevity processes special-category health data on behalf of our members, and we treat that responsibility seriously. We design our platform around the GDPR principles of lawfulness, data minimisation, purpose limitation, accuracy, storage limitation, integrity and accountability. This page summarises the practical commitments that flow from those principles. Our full disclosures live in our Privacy Policy.

2. Your data subject rights

You can exercise all of your GDPR rights (Art. 15–22) directly from your account:

Access & portability — request a JSON export of your data: /dashboard/profile/security
Rectification — update your profile and health entries: /dashboard/profile
Erasure — delete your account and associated health data: /dashboard/profile/security
Withdraw consent — revoke health-data or marketing consents at any time: /dashboard/profile/consents
Restriction & objection — email dpo@wowlongevity.com

We respond to verified rights requests within one month, as required by Art. 12(3) GDPR.

3. Sub-processors

The following sub-processors help us deliver the service. Each is bound by a Data Processing Agreement and processes data only on our documented instructions.

Name	Purpose	Country	Transfer mechanism
Supabase	Database & file storage	EU	EU — no transfer required
Vercel	Application hosting / edge	US / EU edge	SCCs
Anthropic	AI Copilot & document extraction	US	SCCs
WHOOP	Wearable data sync (opt-in)	US	User OAuth + SCCs
Oura	Wearable data sync (opt-in)	US	User OAuth + SCCs
Resend	Transactional email	US	SCCs

4. Data Protection Officer & supervisory authority

Our Data Protection Officer can be reached at dpo@wowlongevity.com [REVIEW WITH DPO] (DPO appointment and dedicated contact details to be confirmed).

Our lead supervisory authority is [REVIEW WITH DPO] (depends on the final location of our legal entity — to be confirmed and inserted here with name, address and website of the relevant national DPA). You may also contact the data protection authority of the EU member state where you reside.

5. Personal-data breach notification

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, in line with Art. 33 GDPR. Where the breach is likely to result in a high risk, we will also inform affected users without undue delay (Art. 34 GDPR).

6. International transfers

Where data is transferred outside the European Economic Area (e.g. to Anthropic, Resend, WHOOP, Oura, or Vercel infrastructure in the United States), we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) together with appropriate technical and organisational safeguards. A copy of the SCCs in force with a given sub-processor is available on request from dpo@wowlongevity.com.

7. How to file a complaint

If you feel our processing of your personal data infringes the GDPR, please contact our DPO first — most issues can be resolved quickly. You also have the right to lodge a complaint directly with a supervisory authority, typically the one in the EU member state where you live, work, or where the alleged infringement took place.

A directory of EU data protection authorities is published by the European Data Protection Board at edpb.europa.eu.