Is this medical advice?

No. Rootyne is an information tool. We help you understand your results and give you leads, but it doesn't replace your doctor.

What do you do with my blood test?

Your blood test is encrypted and hosted on an HDS-certified server (French health data hosting standard) at Scaleway, in France. We extract your biological values and compare them to our specialised nutritional references for vegetarian and vegan diets. A clinical biologist then verifies every recommendation. We never share your blood test.

Behind every report, there's real nutritional expertise specialised for vegetarian and vegan diets, cross-referenced with your profile and situation. Plus a clinical biologist's review. It's cheaper than a naturopath consultation (~€60) and far more accurate than a generic tool.

Is it suited to my diet?

Rootyne is designed for vegetarians, vegans and pescatarians. Markers and recommendations also adapt to your situation: pregnancy, breastfeeding, athletic practice.

What if my results are concerning?

We clearly tell you when you should see your doctor. Rootyne never replaces medical follow-up, but we help you ask the right questions.

Privacy policy | Rootyne

Last updated: April 6, 2026

1. Data controller

The Rootyne website is published by Adeline Lefebvre, sole proprietorship (micro-enterprise), SIRET: 89462041800026, with registered office at 252 rue du Triez, 59290 Wasquehal. For any questions about protecting your personal data, contact the data controller at: dpo@rootyne.health.

2. Service description and role of AI

Rootyne offers a blood test analysis service and a dietary supplements shop. In accordance with Regulation (EU) 2024/1689 (AI Act), Rootyne informs you that an artificial intelligence system is used as a personalized writing tool: it extracts biological values from your blood test, then generates a draft of recommendations by applying a fixed, versioned, and evidence-based nutritional reference system (scientific literature, specialized nutritional guidelines), for which Rootyne assumes editorial responsibility. The AI makes no autonomous decisions and produces no medical interpretation. A qualified clinical biologist, registered with the National Order of Physicians, exercises systematic human control over all results and signs each recommendation.

Registration data : email address, first and last name (via Google or email/password).
Health profile : sex, diet type and duration, current dietary supplements, any medical treatments, wellness concerns, special situation (pregnancy, breastfeeding, athlete).
Health data : imported blood test results (PDF), extracted biological values, recommendations validated by the clinical biologist.

3. Purpose of processing

Your data is used to:

Create and manage your user account.
Allow the clinical biologist to interpret your results and provide personalized dietary supplementation recommendations.
Maintain a history of your analyses and recommendations.
Process and ship your dietary supplement orders.

4. Legal basis

Processing of ordinary data is based on contract performance (Article 6.1.b of the GDPR). Processing of your health data is based on your explicit consent (Article 9§2.a of the GDPR), given through a clear positive action (unchecked checkbox) prior to any blood test upload. You may withdraw this consent at any time by contacting dpo@rootyne.health, without affecting the lawfulness of prior processing.

5. Enhanced protection of health data

Your health data (blood tests and recommendations) is sensitive data within the meaning of Article 4§15 of the GDPR. It benefits from the following protections: exclusive hosting with Scaleway SAS, certified "Health Data Host" (HDS) in accordance with Article L.1111-8 of the French Public Health Code, with hosting in France; access strictly limited to the clinical biologist and strictly necessary technical staff; no use for commercial or advertising purposes; no sharing with third parties outside service provision.

6. Hosts and subcontractors

Rootyne uses the following service providers, bound by a GDPR-compliant data processing agreement:

Google Firebase (Google LLC) — authentication and non-health profile data. Hosting configured in the European Union. Transfers outside the EU governed by Standard Contractual Clauses (SCCs).
Vercel Inc. — web application hosting only. Health data does not transit through Vercel. Transfers outside the EU governed by SCCs.
Anthropic, PBC — artificial intelligence processing. Before any transmission, data is anonymized: all identifying information (name, date of birth, laboratory identifier) is removed. Only raw biological values and non-identifying profile data are transmitted. Data is not used to train models (Zero Data Retention). Transfers outside the EU governed by SCCs.
Stripe, Inc. — online payment processing. Stripe receives the email address and payment data (card number, etc.) required for the transaction. No health data is transmitted to Stripe. Transfers outside the EU governed by SCCs.
Resend, Inc. — transactional email delivery (payment confirmation, access to results). Resend only receives the recipient's email address. Transfers outside the EU governed by SCCs.
Upstash, Inc. — rate limiting for abuse protection. Only technical metadata (anonymized IP address) is processed, no personally identifiable data. Transfers outside the EU governed by SCCs.
Partner clinical biologist(s) — professional validation of blood test analyses. Clinical biologists act as data processors within the meaning of Article 28 of the GDPR, under a data processing agreement. Their access is strictly limited to the analyses assigned to them for validation. Health data is hosted in France by an HDS-certified host and is never transferred outside this secure environment. Clinical biologists are bound by professional secrecy (Art. L.1110-4 of the French Public Health Code) and by the ethical obligations of the French National Order of Physicians.

7. Data retention

Account and health profile data: retained while the account is active, deleted within 30 days after account closure. Health data (tests and recommendations): retained while the account is active, up to a maximum of 5 years from the last analysis. Order data: 10 years (legal accounting obligation). Upon account deletion, all personal and health data is deleted within 30 days, unless legally required to be retained.

8. Your rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

Right of access: obtain a copy of your personal data.
Right to rectification: have inaccurate or incomplete data corrected.
Right to erasure: request deletion of your data (subject to legal retention obligations).
Right to portability: receive your data in a structured, machine-readable format.
Right to withdraw consent: withdraw your consent to health data processing at any time.

To exercise these rights: dpo@rootyne.health. Rootyne commits to responding within one month. If the response is unsatisfactory, you may file a complaint with the CNIL (www.cnil.fr — 3 Place de Fontenoy, 75334 Paris Cedex 07).

9. Cookies

Rootyne only uses strictly necessary technical cookies for the service to function (authentication session management). These cookies do not require your consent (Article 82 of the French Data Protection Act). No advertising or tracking cookies are used. Rootyne uses <b>Umami</b>, a privacy-friendly analytics tool that works <b>without cookies</b> and does not collect any personally identifiable data (no IP address, no fingerprinting). Statistics are aggregated and anonymous.

10. Security

Rootyne implements the following measures to protect your data: encrypted communications (HTTPS/TLS), secure authentication, data access restricted on a least-privilege basis, health data hosted with an HDS-certified provider, data processing agreement signed with each subcontractor. In the event of a data breach, the CNIL will be notified within 72 hours in accordance with Article 33 of the GDPR.