PRIVACY POLICY OF THE BIOW APP

Last updated: Friday, May 15, 2026

1. Data controller

The data controller responsible for the personal data collected through the App is BIOW EXPOSOMICS, S.L., with Tax Identification Number B33998980, registered office at Calle Michel Faraday, 75 - Naves 9-10, Gijón, 33211, Asturias, general email address info@biow.net and email address for privacy and exercise of rights lopd@biow.net .

2. Scope of application

This Privacy Policy applies to the processing of personal data carried out through the BIOW App, including the registration and management of the user account, the linking and control of the BIOW device, connectivity and technical communications with the device, incident management and technical support, the collection of strictly technical operating and telemetry data, and the security, maintenance and technical improvement of the App and the BIOW ecosystem.

When a specific functionality of the App is subject to particular conditions or specific information texts, those texts shall supplement this Policy where applicable.

3. What personal data we process

BIOW may process the following categories of data, depending on the actual use made by the user of the App:

3.1. Identification and account data

• Name and surname.
• Email address.
• Telephone number.
• User identifier.
• Access credentials, where applicable.

3.2. Data of the linked BIOW device

• Serial number or equipment identifier.
• Device model.
• Information on the link between the account and the device.
• Equipment status and technical parameters necessary for its operation.

3.3. Technical data on use of the App and connectivity

• IP addresses.
• Access logs.
• Date and time of connection.
• App version and operating system.
• Technical identifiers of the terminal, when necessary.
• Error events, failures, logs and technical traces.
• Network information necessary for connectivity with the device, including WiFi connectivity when essential for the provision of the service.

3.4. Mobile device location data

BIOW may process location data from the user's mobile device when this is necessary for the initial linking of a new BIOW device, in those cases where the terminal operating system requires the granting of such permission to allow the detection, linking or configuration of the device.

As a general rule, this access shall be limited to the linking or initial configuration phase of the device and shall not be used for continuous tracking, monitoring of movements, profiling or analysis of personal habits.

When technically necessary for the initial linking of a new device, BIOW may collect and temporarily store location data from the mobile device, linked to the user's account, exclusively to complete such linking, manage associated technical incidents and maintain minimal technical traceability of the process.

3.5. Device usage data and technical telemetry

• Operating logs.
• Technical incidents.
• Usage parameters strictly necessary for diagnosis, maintenance, support and security.
• Data necessary for the technical improvement of the product and service within the applicable legal framework and subject to the limitation of purposes indicated in this Policy.

3.6. Data provided by the user in communications and incidents

• Incidents, requests and communications sent to BIOW through the App or associated channels.
• Additional information voluntarily provided by the user when necessary to handle the request or resolve the incident raised.

3.7. Strictly necessary internal technical indicators

• BIOW may generate internal technical indicators derived from the operation of the App and the device only when strictly necessary to guarantee security, service continuity, error diagnosis, maintenance, technical support and technical improvement of the operation of the App or the device.
• Under no circumstances shall such records or indicators be used to create user profiles or to analyse, infer or evaluate personal habits, routines, schedules, behavioural patterns, presence or absence at home, or personal preferences.

4. How we obtain the data

Personal data may be obtained directly from the user when they create an account, configure the App, link the device or send communications and incidents.

They may also be obtained from the linked BIOW device itself, when technically necessary for the provision of the service, diagnosis, security or support.

Likewise, they may be obtained from third parties legitimately involved in the technical provision of the service or in incident management, when necessary and where the corresponding legal basis exists.

Certain technical data may be obtained automatically through the use of the App, in relation to events, access logs, failures or technical communications.

Location data may also be obtained from the user's mobile device, subject to prior authorisation of the corresponding operating system permission, when technically necessary for the linking, detection or initial configuration of a new BIOW device.

5. Purposes of processing and legal bases

BIOW shall process personal data for the following purposes:

5.1. Registration, authentication and management of the user account

Purpose: to enable the registration, authentication and administration of the user account in the App.

Legal basis: Article 6.1.b GDPR, performance of the relationship requested by the user.

5.2. Linking, configuration and control of the BIOW device

Purpose: to enable the connection between the App and the BIOW device, as well as its configuration, management and remote control when the functionality is available.

Legal basis: Article 6.1.b GDPR.

5.3. Provision of the service, technical maintenance and support

Purpose: to ensure the proper functioning of the App and the device, resolve incidents, provide technical support, manage faults and guarantee service continuity.

Legal basis: Article 6.1.b GDPR and, where applicable, Article 6.1.f GDPR in relation to BIOW's legitimate interest in ensuring the security and quality of the service.

5.4. App security, fraud prevention and system protection

Purpose: to detect improper access, prevent unauthorised use, and guarantee the security of the App, the device and the associated technological infrastructure.

Legal basis: Article 6.1.f GDPR.

5.5. Technical telemetry, diagnosis and product improvement

Purpose: to process technical records, incidents, error events and operating parameters strictly necessary to detect failures, resolve incidents, maintain the security of the App and the device, ensure service continuity and carry out justified technical improvements to the operation of the App and the BIOW product.

Legal basis: Article 6.1.b GDPR, insofar as the processing is necessary for the provision of the service requested by the user, and Article 6.1.f GDPR in relation to BIOW's legitimate interest in ensuring the security, stability, maintenance and technical improvement of the service and the device.

5.6. Processing of location data for the linking of new devices

Purpose: to enable the detection, linking, configuration and commissioning of a new BIOW device when the operating system of the mobile device requires access to location to enable such technical functionality.

Legal basis: Article 6.1.b GDPR, when the processing is necessary to perform the functionality requested by the user, and, where applicable, Article 6.1.f GDPR in relation to BIOW's legitimate interest in ensuring the correct configuration, security and technical support of the device and the App.

Express limitation: these data shall not be used for advertising purposes, for profiling, for the analysis of personal habits, or for continuous tracking of the user's location or movements.

5.7. Management of queries, incidents and communications from the user

Purpose: to handle requests, queries, complaints or incidents communicated through the App or its associated channels.

Legal basis: Article 6.1.b GDPR and, where applicable, Article 6.1.f GDPR.

5.8. Compliance with legal obligations

Purpose: to comply with legal, regulatory, tax, security and legal defence obligations or requirements from competent authorities.

Legal basis: Article 6.1.c GDPR.

5.9. Limitation of purposes and exclusion of personal habit analysis

The personal data collected through the App, including technical records derived from its use and, where applicable, location data processed for the initial linking of the device, shall be processed exclusively for the purposes described in this Privacy Policy.

In particular, BIOW shall not use such data for advertising purposes, for disclosure to third parties for commercial purposes, or for profiling or the analysis, inference or evaluation of the user's personal habits, routines, schedules, behavioural patterns, presence or absence at home, movements or geolocation for purposes other than the strictly technical purposes reported herein.

Any further processing for a different purpose shall require the corresponding legal basis and, where applicable, prior information to the user.

6. Mobile device permissions

The App may require access to certain functionalities of the mobile device in order to operate correctly. In particular, it may require:

• network and connectivity access, to allow communication with BIOW services and, where applicable, with the BIOW device
• local network or WiFi access, when essential for linking, configuring or controlling the device
• access to the mobile device location, only when technically necessary for the detection, linking or initial configuration of a new BIOW device and the operating system requires such permission
• push notifications, if the user wishes to receive operational, technical or informational notices

BIOW shall not use location data to track movements, monitor the user's location, create profiles or analyse personal habits. The App shall not access terminal functionalities that are not necessary for its operation without providing adequate information and, where applicable, without requesting the relevant authorisation.

Disabling this permission may prevent the correct initial linking of a new BIOW device in those environments or operating systems where such permission is technically required.

7. Data recipients

As a general rule, BIOW shall not disclose personal data to third parties, except where there is a legal obligation, where it is necessary for the provision of the requested service, or where providers act on behalf of BIOW as data processors.

Personal data may be accessed, as data processors, by providers of software development and maintenance, cloud hosting and infrastructure, technical support, monitoring, cybersecurity, backups, electronic communications and other technical services strictly necessary for the operation of the App.

The list of providers and categories of processors must be reviewed and updated according to the actual architecture of the service before final publication.

8. International transfers

As a general rule, BIOW shall seek to ensure that the data are processed within the European Economic Area.

If, for the provision of any service, it becomes necessary to use providers located outside the European Economic Area or with access from third countries, BIOW shall ensure that such processing is carried out in accordance with the appropriate safeguards provided for in Articles 44 et seq. of the GDPR, including, where applicable, adequacy decisions, standard contractual clauses and complementary technical, organisational and contractual measures.

9. Retention periods

BIOW shall retain personal data for the time necessary to fulfil the purpose for which they were collected and, subsequently, for the periods required by applicable regulations or necessary for the establishment, exercise or defence of legal claims.

As a general rule:

• account and user management data: while the account remains active and, subsequently, for the period necessary to address any resulting liabilities,
• technical data, logs and security: for the time strictly necessary to guarantee security, continuity and technical traceability and for legal defence
• incidents and support: while the incident is being managed and during the subsequent liability periods,
• technical telemetry: for the period strictly necessary for diagnosis, maintenance, support, service continuity and security, without being used for profiling or for the analysis of personal habits
• location data processed for the initial linking of devices: for the time strictly necessary to complete the linking and, when essential, to manage associated technical incidents or retain a minimal technical trace of the process; under no circumstances shall they be used for continuous tracking, profiling or analysis of personal habits,
• data processed on the basis of consent, when optional consent-based functionalities exceptionally exist: until consent is withdrawn, without prejudice to processing carried out previously and the minimum retention required for legal or legal defence reasons.

When the data are no longer necessary, BIOW shall proceed to delete, anonymise or block them, as appropriate.

10. Rights of data subjects

The user may exercise, under the terms provided for by applicable regulations, the rights of access, rectification, erasure, objection, restriction of processing and portability, as well as withdraw consent when processing is based on it.

To exercise these rights, the data subject may contact BIOW EXPOSOMICS, S.L. via the email address lopd@biow.net or by post at Calle Michel Faraday, 75 - Naves 9-10, Gijón, 33211, Asturias.

The request must sufficiently identify the applicant and specify the right they wish to exercise.

Likewise, if they consider that their rights have not been properly addressed, they may lodge a complaint with the Spanish Data Protection Agency.

11. Withdrawal of consent

When a specific processing activity is based on the user's consent —for example, in relation to optional permissions or non-essential functionalities— such consent may be withdrawn at any time.

The withdrawal of consent shall not affect the lawfulness of processing carried out previously and may mean that BIOW can no longer provide certain functionalities or services linked to such consent.

12. Minors

The App is not generally aimed at minors, unless a specific functionality expressly provides otherwise and the necessary legal basis exists.

BIOW shall not deliberately process data of minors without complying with the applicable legal requirements. If the unauthorised collection of data from a minor is detected, such data shall be deleted as soon as possible.

13. Automated decisions

BIOW shall not make decisions based exclusively on automated processing that produce legal effects concerning the user or similarly significantly affect them, unless this is necessary for the performance of an expressly requested service, is legally authorised or is based on the data subject's consent under the legally established terms.

There may be automated controls of a technical or security nature, such as error detection, irregular access detection, technical validations or system integrity checks, without this implying the adoption of automated decisions with the aforementioned effects.

14. Security

BIOW applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the nature of the data processed.

Among other measures, these may include access controls, authentication, profile-based permission management, encryption and pseudonymisation where appropriate, event logging, backups, security monitoring, environment segregation and minimisation of access to data.

Nevertheless, the user must adequately protect their credentials, device and access.

15. Third-party links and services

The App may integrate or link to third-party functionalities, content or services. In such cases, the use of those services may be subject to the policies and conditions of such third parties.

BIOW is not responsible for processing carried out by third parties acting as independent controllers, except with regard to the information and safeguards legally required when BIOW integrates such services into its ecosystem.

16. Changes to the Privacy Policy

BIOW may modify this Privacy Policy to adapt it to legal, technical, organisational or functional changes to the App.

When the changes are relevant, BIOW shall communicate them to users through the reasonable means available, including, where appropriate, notices within the App itself.

The current version shall in any case be the one published at any given time.

17. Contact

For any query related to this Privacy Policy or to the processing of personal data carried out through the BIOW App, BIOW EXPOSOMICS, S.L. may be contacted via the email address lopd@biow.net or at the address Calle Michel Faraday, 75 - Naves 9-10, Gijón, 33211, Asturias.