Privacy Policy

Compound is a health management and health data organization service. In this policy, Compound, we, us, or our refers to the operator of the Compound website, app, dashboard, appointment, report upload, and related services.

For privacy questions, access requests, correction or deletion requests, account cancellation, complaints, or security concerns, contact us at hello@compoundlife.ai.

We process personal information only where a legal basis under the Personal Information Protection Law applies, including: your consent (and separate consent for sensitive personal information and other situations required by law); processing necessary to enter into or perform a contract to which you are a party, such as providing the features you request; processing necessary to perform statutory duties or obligations; and other circumstances permitted by law.

Where we rely on consent, you may withdraw it as described in Your Rights. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

We collect only the information reasonably necessary to provide and improve Compound. The information we collect depends on how you use the service.

• Account and contact information, such as name, email address, phone number, login credentials, language preference, and account settings.
• Health-related information, including uploaded reports, PDF/TXT/CSV files, biomarker values, lab reference ranges, questionnaire answers, goals, symptoms, medication or supplement notes, appointment details, and clinic-uploaded reports.
• Service and transaction information, such as booking requests, concierge messages, order identifiers, upload history, report status, and support communications.
• Technical and usage information, such as IP address, device and browser data, log events, session information, security signals, pages viewed, and feature interactions.
• Derived information generated by the service, such as biomarker summaries, trends, health management insights, protocol drafts, and AI-assisted explanations.

Health information is sensitive personal information under the Personal Information Protection Law of the People's Republic of China. We process this information only for specific purposes, where there is sufficient necessity, with stricter protection measures, and with separate consent where required.

Necessity and impact on your rights and interests: we process health and other sensitive information only because the relevant features (such as report parsing, biomarker tracking, and protocol drafts) cannot function without it. If sensitive personal information is leaked or unlawfully used, it could harm your personal dignity or endanger your personal and property safety; we therefore apply enhanced safeguards described in Security.

Compound stores and processes user personal information and health information within mainland China. If this infrastructure position changes, we will update this policy, provide required notices, complete the statutory cross-border procedures (security assessment, standard contract, or certification), and obtain any required separate consent before any cross-border transfer.

We use personal information to provide, maintain, secure, and improve Compound.

• Create and manage accounts, authenticate users, and protect accounts from unauthorized access.
• Upload, store, parse, and display health reports and biomarker results.
• Generate health management summaries, trends, explanations, and protocol suggestions.
• Coordinate appointment and concierge workflows, including clinic report uploads authorized by the user or connected to a booking.
• Respond to support requests, send service notices, and communicate about account, security, booking, or product changes.
• Improve service quality, safety, reliability, content, and user experience using aggregated, de-identified, or otherwise legally permitted data.
• Comply with applicable laws, enforce our terms, prevent fraud, and protect users, Compound, and third parties.

We do not sell personal information. We may entrust service providers to process information on our behalf only as needed to operate Compound, such as cloud hosting, storage, authentication, security, customer support, analytics, payment, appointment operations, and report ingestion.

Entrusted processors act only on our instructions under a written processing agreement that specifies the purpose, duration, and method of processing and the categories of information involved. They are subject to confidentiality and security obligations, may not process the information beyond the agreed scope or sub-entrust it without our consent, and are supervised by us. A list of the categories of entrusted processors and embedded third-party SDKs is available on request.

We do not share health information with employers, insurers, advertisers, or public databases without separate authorization from the user or another valid legal basis.

Where we provide personal information to an independent personal information processor (for example a clinic, laboratory, or medical institution that determines its own processing purposes), we will inform you of the recipient's name, contact information, processing purpose and method, and the categories of personal information involved, and we will obtain your separate consent where required by law.

We retain personal information only for the shortest period necessary to achieve the purpose of processing. As a general rule, we retain account and health information for the duration of your account; after you cancel your account, we delete or anonymize it within the minimum period required by law.

Indicative retention periods: {Specific Retention Periods, e.g., uploaded reports and biomarker data — duration of account; logs and security records — N months; cancellation records — minimum statutory period}.

If deletion is technically difficult or a legal retention period has not expired, we will stop processing the information for purposes other than storage and necessary security protection.

Compound uses automated and AI-assisted processing to read reports, map biomarkers, and generate health management summaries, trends, explanations, and protocol drafts. This output is health management information for reference only and is not a medical diagnosis.

Where a decision is made solely through automated means and significantly affects your rights or interests, you may request that we explain it and you may refuse a decision made solely by automated means. Content generated by AI is labelled as required by applicable rules on generative AI and deep synthesis.

Subject to applicable law and identity verification, you may request access, copy, correction, supplementation, deletion, account cancellation, restriction or withdrawal of consent, and an explanation of our personal information processing rules.

You may withdraw consent at any time through your account settings or by emailing hello@compoundlife.ai. Withdrawing consent may affect our ability to provide features that require the relevant information, especially health report analysis, biomarker tracking, appointment coordination, and clinic upload workflows.

To exercise your rights or raise a complaint, contact the personal information protection officer or hello@compoundlife.ai. If you are not satisfied with our response, you may also lodge a complaint with the competent cyberspace or other regulatory authority.

Compound is not intended for children under 14. If we need to process personal information of a minor under 14, we will require consent from the minor's parent or guardian and apply special personal information processing rules as required by law.

We use cookies, local storage, and similar technologies to keep you signed in, secure your session, remember preferences, and measure aggregate usage. We may also embed third-party software development kits (SDKs) for security, analytics, and core functionality.

You can manage or clear cookies through your browser or device settings. Disabling some technologies may affect sign-in, security, or certain features.

We use technical, organizational, and administrative safeguards designed to protect personal information, including access control, authentication, encryption where appropriate, logging, backup, permission management, and incident response processes. We conduct a personal information protection impact assessment for processing of sensitive personal information, automated decision-making, and any cross-border transfer.

No internet or information system can be guaranteed to be completely secure. If a personal information security incident occurs, we will take remedial measures and notify users and regulators as required by law.

We may update this policy when our product, processing activities, legal requirements, or security practices change. For material changes, we will provide notice through the website, app, account message, email, or another appropriate method.