Join Boli
EN FR ES

Legal - Privacy

Privacy policy.

How Boli Care SAS collects, uses, stores and shares personal data - built around the requirements of the GDPR, the French Loi Informatique et Libertés and the CNIL guidelines, and aligned with the standards expected of a medical device.

Last updated
11 March 2026
Version
2.0
Applies to
boli.care & the Boli Care app
GDPR (EU 2016/679) Loi Informatique et Libertés CNIL guidelines ISO 13485-aligned QMS
In short
  • We are Boli Care SAS, established in France. We are the data controller for your data.
  • Health data is sensitive (GDPR Art. 9). We process it only with your explicit consent and apply reinforced safeguards.
  • Data is hosted within the European Union. Any transfer outside the EU is framed by GDPR-compliant safeguards (SCCs + transfer impact assessment).
  • We never sell personal data.
  • You can exercise all GDPR rights at any time by emailing privacy@boli.care.
  • You also have the right to lodge a complaint with the CNIL (France) or your local supervisory authority.

01Introduction

Boli ("we", "our") is a digital-health company supporting people living with obesity, in particular those treated with anti-obesity medications. Our long-term horizon is metabolic health: we start with obesity care, and this new generation of treatments turns it into a transversal field whose benefit extends well beyond weight. We treat the protection of your personal data as a core requirement, not a compliance afterthought.

This Privacy Policy is governed by Regulation (EU) 2016/679 ("GDPR"), French Law n° 78-17 of 6 January 1978 as amended ("Loi Informatique et Libertés"), and the guidelines and recommendations issued by the Commission Nationale de l'Informatique et des Libertés ("CNIL"). It applies in addition to any national data-protection rules of your EU country of residence (e.g. AEPD in Spain, Garante in Italy).

02Data controller & DPO

Data controller
Boli Care SAS - Société par Actions Simplifiée
Registered office
3 rue Loustau, 64200 Biarritz, France
RCS / SIRET
989 985 718 R.C.S. Bayonne · SIRET 989 985 718 00018
Privacy contact
privacy@boli.care
Data Protection Officer
dpo@boli.care
Postal address (DPO)
Boli Care SAS - DPO, 3 rue Loustau, 64200 Biarritz, France

03Scope

This policy applies to:

  • Visitors of our website boli.care.
  • People who interact with our forms, newsletter, content or social channels.
  • Future and current users of the Boli Care application and clinician console.
  • Healthcare professionals using the clinician console.

It does not cover third-party websites or services accessible through links from our site, which have their own privacy policies.

04Data we collect

a. Data you actively provide

  • Identity & contact details (first name, last name, email, phone, language).
  • Information you submit through forms, newsletter sign-up or messages you send us.
  • Healthcare professional credentials, when applicable (specialty, registration number, institution).

b. Data collected automatically

  • IP address, browser, device, operating system, language.
  • Pages visited, duration, referring URL.
  • Cookies and tracking technologies - see the Cookie Policy.

c. Data collected in the Boli Care app (where applicable)

If you sign up for or use the Boli Care app, additional data may be collected:

  • Health data: weight, BMI, symptoms, ongoing treatment, side effects, titration history.
  • Eating-behaviour data: food habits, emotional eating, cravings, type of diet.
  • Physical activity & mobility: activity level, types of exercise, physical limitations.
  • Sleep data: quality, duration, difficulty falling asleep.
  • Self-reported psychological data: mood, stress, self-esteem, mental fatigue.
  • Contextual data: household structure, social support, professional activity.
  • User preferences and settings.
Health data is sensitive. Under GDPR Article 9, this category receives special protection. We collect it only with your explicit, separate consent and apply reinforced security measures.

05Processing register

The table below summarises the main processing operations we carry out, the legal basis for each, the data categories involved and how long we keep them.

Purpose Legal basis Data categories Retention
Operate the website & ensure its security Legitimate interest Connection logs, IP, browser, technical data 12 months max
Reply to your contact requests Pre-contract / Consent Identity, contact details, message content 3 years from last active contact
Send the newsletter Consent Email, language, interaction data Until you unsubscribe
Operate the Boli Care app - clinical safety functions, side-effect tracking, audit trail Contract + Explicit consent (Art. 9.2.a) Account, health data, behavioural & clinical data Use of service + 3 years (intermediate archive)
Provide the clinician console & share data with HCPs you authorise Explicit consent Health data, clinical events, audit logs Use of service + 3 years
Comply with medical device obligations (vigilance, traceability) Legal obligation Device events, vigilance reports, audit logs Up to 10 years after end of life of the device (per MDR)
Audience measurement (website analytics) Consent Pseudonymised browsing data 13 months max (CNIL recommendation)
Real-world evidence research & product improvement Consent (separate, opt-in) Aggregated & pseudonymised data Duration of the research project
Manage accounting & billing Legal obligation Identity, billing data 10 years (French Commercial Code)
Defence of legal claims Legitimate interest Data necessary to the dispute Duration of the dispute + applicable limitation period

A documented balancing test is performed for each processing operation based on legitimate interest.

07Sharing & sub-processors

We may share your data with:

  • Sub-processors (hosting, analytics, CRM and email tools), under contracts that comply with Article 28 GDPR and include security and confidentiality guarantees.
  • Healthcare professionals or researchers, only with your explicit consent.
  • Regulatory authorities, where the law requires it.
  • Potential acquirers, in the event of a merger, acquisition or restructuring, in compliance with the GDPR.

We never sell personal data. The current list of sub-processors is available on request from dpo@boli.care.

08International transfers

Some data may be transferred outside the European Union, in particular to the United States (hosting, AI services, analytics tools). When this is the case, we put in place appropriate safeguards under Chapter V of the GDPR:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (implementing decision 2021/914).
  • A documented Transfer Impact Assessment (TIA) for each transfer.
  • Additional technical and organisational measures (encryption, pseudonymisation, key management) where required.

09Retention

We keep your data only for as long as necessary for the purposes for which it was collected. Detailed periods are listed in the processing register. At the end of the applicable period, your data is deleted or irreversibly anonymised. You may request deletion at any time (see your rights), subject to retention obligations imposed on us by law.

10Your rights

Under the GDPR and the Loi Informatique et Libertés, you have the following rights over your personal data:

Right Article What it means
AccessGDPR Art. 15Get a copy of your data and information about how it is processed.
RectificationGDPR Art. 16Correct inaccurate or incomplete data.
Erasure ("right to be forgotten")GDPR Art. 17Delete your data when no longer needed or when you withdraw consent.
RestrictionGDPR Art. 18Limit the processing in specific situations.
PortabilityGDPR Art. 20Receive your data in a structured, commonly used, machine-readable format.
ObjectionGDPR Art. 21Object to processing based on legitimate interest, including profiling.
Withdraw consentGDPR Art. 7Withdraw consent at any time, without affecting prior lawful processing.
No automated decision-makingGDPR Art. 22Not be subject to a decision based solely on automated processing.
Post-mortem directivesL.I.L. Art. 85Define what happens to your data after death (French law).
Lodge a complaintGDPR Art. 77Complain to your supervisory authority - see below.

To exercise any of these rights, contact privacy@boli.care. We will reply within one month of receiving your request (Art. 12 GDPR). This period may be extended by two months in exceptional cases - we will inform you in writing if so.

You may also lodge a complaint with the supervisory authority of your country of residence:

CountryAuthorityWebsite
FranceCNIL - Commission Nationale de l'Informatique et des Libertéscnil.fr
SpainAEPD - Agencia Española de Protección de Datosaepd.es
European UnionEDPB - European Data Protection Board (coordination)edpb.europa.eu
Other EU countryYour national data-protection authorityList of EEA authorities

11Security

We implement state-of-the-art technical and organisational measures to protect your data:

  • Encryption in transit (HTTPS / TLS 1.3) and at rest.
  • Hosting within the European Union or by GDPR-compliant providers.
  • Strict access control and data minimisation.
  • Pseudonymisation of user identifiers.
  • Confidentiality clauses for all employees and sub-processors.
  • Regular team training on personal-data protection.
  • ISO 13485-aligned quality management system.
  • Regular penetration testing and a secure development lifecycle.
Data-breach notification. No system is infallible. In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours and inform you as soon as possible (Art. 33 & 34 GDPR). To report a suspected incident: security@boli.care.

12Minors

Our services are not intended for persons under the age of 16, in line with Article 8 GDPR and Article 45 of the Loi Informatique et Libertés. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, please contact us immediately at privacy@boli.care.

13Data Protection Impact Assessment (DPIA)

Given the nature of the data processed (health data under Article 9 GDPR), the algorithmic profiling used to personalise guidance, the systematic monitoring involved and the potential vulnerability of the data subjects, we have carried out a Data Protection Impact Assessment in accordance with Article 35 GDPR and the CNIL criteria.

This document is kept up to date and is available on request from our DPO at dpo@boli.care.

14Profiling & automated decisions

Our application uses an algorithmic personalisation system to deliver content and guidance suited to your health profile. This profiling is based on the information you provide (symptoms, habits, treatment) and is used solely to improve the relevance of the support we offer.

This processing is based on your explicit consent (Art. 9.2.a and Art. 22.4 GDPR). At any time you may:

  • Obtain information about the underlying logic of the profiling.
  • Request human intervention.
  • Contest an automated recommendation.
  • Withdraw your consent to profiling.

15Changes

We may update this policy to reflect changes in our practices, services or legal obligations. Updates are published on this page with a new revision date. For material changes, we will inform you by email or through the application.

  1. v2.0 - 11 March 2026: addition of the processing register, sub-processors section, structured rights table and EU-wide complaint authorities.
  2. v1.0 - initial publication.

16Contact & complaints

Privacy contact
privacy@boli.care
DPO
dpo@boli.care
Postal address
Boli Care SAS - DPO, 3 rue Loustau, 64200 Biarritz, France
Security incident
security@boli.care
Supervisory authority
CNIL - cnil.fr · or any other competent EEA authority
Other legal documents

Browse the rest.

Privacy

Privacy Policy

Current page
Cookies

Cookie Policy

Read →
Terms

Terms of use

Read →
Notice

Legal Notice

Read →