Data Privacy Policy and Regulatory Compliance for Sapiens Stress Measurement

Last updated: 28th November 2025

In Brief

Data Privacy (not exhaustive; see details below)

At Sapiens, we are committed to protecting your privacy and personal data. Our privacy practices comply with the European Union’s General Data Protection Regulation (GDPR), and before we engage with B2B clients in non-EU states, we also check dual-compliance with the law of the B2B client’s country.

Your data (“your” refers to the Data Subject’s data) is protected with stringent access controls, pseudonymisation and advanced security measures, and is securely stored on servers in the EU.

Personally identifiable data is not shared with the employer or unrelated third parties.

Processing and storage of participant data is carried out by Sapiens Health & Performance GmbH in Germany. Laboratory analysis of hair and/or saliva samples is performed by Dresden Lab Services GmbH (Germany). Samples (saliva tubes and hair sampling equipment) are pre-labelled with an encrypted participant ID for traceability. After the Data Subject (or Sapiens/Customer staff) has collected the saliva and/or hair samples, they are sent to the laboratory without personally identifiable information (only with the encrypted participant ID). Sapiens receives laboratory results linked only to the encrypted participant ID. Sapiens processes and stores all participant data on EU-based Microsoft infrastructure, applying encryption in transit and at rest and access controls appropriate for sensitive health data. Individual reports are delivered to Data Subjects (participants) via email as password-protected PDF files, with the password communicated via a separate channel (e.g., SMS or WhatsApp) to reduce the risk of unauthorised access.

Personally identifiable data is not shared with your employer and is not disclosed to external parties in identifiable form, unless you give explicit consent or we are legally required to do so.

External service providers (e.g., laboratory, survey platform) process data only using encrypted participant IDs (e.g., “IDHDHK”) and do not receive your name, email or any other personally identifiable data from Sapiens.

We rely on your explicit consent before collecting health-related information. Consent can be withdrawn at any time, and we delete all personally identifiable data on a regular basis (after 24 months unless otherwise agreed).

Further Aspects of Regulatory Compliance (not exhaustive; see details below)

Sapiens is a wellness/lifestyle service and does not provide diagnosis, clinical interpretation, treatment, or prescribing.

Our services are designed to avoid constituting the practice of medicine or regulated medical acts under applicable law.

Saliva, hair and other biosamples are shipped as DHL Express or DHL Packages (not envelopes) using the required triple packaging according to IATA regulations for liquids and are marked as “Exempt Human Specimen”.

According to the Dangerous Goods Regulations, 3.6.2.2.3.8, these “Exempt Human Specimens” can be shipped from most countries to the German laboratory because there is minimal likelihood that pathogens are present. Before contracting with Customers outside the EU/EEA, the local regulations are reviewed.

Samples are pre-labelled with an encrypted participant ID for traceability. Saliva is collected by participants; hair can be collected by participants, Sapiens staff, or - if agreed - Customer staff following Sapiens instructions. Each custody step (collection, sealing, handover for shipment, receipt, laboratory intake) is recorded in a custody log.

Terms

“Customer”: Person or organisation that is in a contractual relationship with Sapiens to produce the Service, using personal and measured information from the Subject(s), who are defined by the Customer.

“Subject”: Person whose information is used by Sapiens to produce the Service, using self-assessment, saliva and hair measurement data, heartbeat measurement data and other personal information. In this document the word “You” is used to refer to the data subject. The terms Data Subject, You, participant and user of our Service are used equivalently. A user of Sapiens services can refer to a subject in either a B2B or a B2C context. An individual user can be an employee of a B2B client (paying or non-paying user), a user related to a B2B client (e.g., an external programme participant who is a paying or non-paying user) or a B2C client (paying user).

“Service”: The personalised wellness and performance solutions provided by Sapiens, including the collection and analysis of individual health data such as self-assessment responses and physiological measurements (e.g., saliva, hair, heartbeat data), as well as individual consultations and group workshops, as specified in the contract between the Customer and Sapiens.

Data Privacy Principles

  1. GDPR compliance: At Sapiens, we are committed to protecting your privacy and personal data. Our privacy practices comply with the European Union’s General Data Protection Regulation (GDPR).
  2. Dual-compliance: For B2B clients outside the EU/EEA, Sapiens validates compliance with relevant local data protection requirements before contracting, in addition to GDPR.
  3. Control: You (= individual users) are in control of your data. You decide what to share, with the right to transfer your data to another provider (data portability) and the right to request its removal from our systems (right to erasure).
  4. Purpose-Limited Processing: The purpose of processing personal data is to provide personalised well-being and performance analysis and consultation. We collect only the data necessary to provide you with our products and services, ensuring we do not store unnecessary information.
  5. Data Security: Your data is protected with stringent access controls and advanced security measures, allowing only authorised personnel with a legitimate purpose to access it. The data is encrypted in transit and at rest and stored on servers in the European Union. Individual reports are delivered as password-protected PDF files via email. The password is communicated via a separate channel (e.g., SMS or WhatsApp) to reduce the risk of unauthorised access.
  6. Pseudonymisation: Third parties (e.g., analysis laboratory and survey platform) never receive personally identifiable information from Sapiens. Instead, data is handled using encrypted anonymous participant IDs (e.g., “DFDIGH”). The re-identification key (mapping of ID ↔ name/email) is stored separately with tightly restricted access and is available only to the designated Sapiens coach who debriefs results with participants.
  7. Security measures: We apply confidentiality, integrity, and availability controls appropriate for sensitive health data, including encryption in transit and at rest, role-based access control, multi-factor authentication, audit logging, separation of the re-identification key from measurement data, device encryption for endpoints, and documented incident response procedures.
  8. Explicit Consent: Before collecting or processing any health-related personal data, we obtain your explicit consent through a transparent process. We provide detailed information on how your data will be handled, and you have full control over your consent at any time. Voluntariness in employer-sponsored programs: Participation and consent are voluntary. If you do not consent to the processing of health data, you can still decline participation without negative consequences in the employment relationship. Your employer does not receive your individual-level identifiable data from Sapiens unless you give separate, explicit consent.
  9. Personal Data not shared with Employer: We do not share your data without your consent, not even with your employer. We may provide anonymised, aggregate-level reporting to our Customers when sample sizes are large enough that individuals cannot be identified.
  10. Retention and Regular Review: We retain personally identifiable data for up to 24 months from your last interaction, regularly reviewing and deleting data that is no longer needed or relevant.
  11. Anonymised Data for Research: Sapiens does not share individual-level data with third parties. Data is used for research only when (i) the research has appropriate ethical approval where required and (ii) the participant has provided separate, explicit research consent. Research analyses use anonymised or aggregated datasets and do not use names or directly identifying information.
  12. Your Rights: You have the right to access, correct, delete, restrict, or transfer your data. You can also withdraw your consent at any time when applicable.
  13. Commitment to Improvement: We actively review and enhance our privacy practices, with all updates shared on our website to keep you informed.

Data Controller

The data controller is:
Sapiens Health & Performance GmbH (“Sapiens”)
Dinxperloer Straße 365
46399 Bocholt
Germany

The Data Controller (“Sapiens”) can be contacted by e-mail at support@be-sapiens.com or by telephone at +49 172 88 66 434.

Sapiens is the primary data controller for delivering the Service. Service providers such as Dresden Lab Services GmbH and Firstbeat act as data processors depending on the specific processing activity. Customers (e.g., employers or universities) are operational partners and do not receive personally identifiable participant data unless separate, explicit participant consent is provided. If the Customer and Sapiens jointly define research purposes and means, a separate joint-controller arrangement and research consent process applies.

Where the Customer does not collect samples, does not process or access participant data, and does not conduct research, the Customer acts solely as an operational/promotional partner. In that scenario, the Customer is neither a processor nor a controller for participant data and does not receive individually identifiable data from Sapiens. The Customer’s involvement is limited to promotion and logistical coordination without access to Sapiens systems or participant-level results.

If the Customer collects hair samples or supports on-site operations under Sapiens’ documented instructions, the Customer (or its designated staff) acts as a processor for those limited activities and must sign a Data Processing Agreement (DPA) and confidentiality commitments. The Customer must follow Sapiens’ protocols, including pseudonymisation, secure handling, and chain-of-custody logging.

If the Customer and Sapiens jointly define research purposes and means, a separate joint-controller arrangement applies and research is conducted only with: (i) appropriate ethical approvals where required, and (ii) separate, explicit participant research consent. Research outputs use anonymised or aggregated datasets and do not include names or directly identifying information.

Data Protection Officer

Sapiens has appointed a Data Protection Officer (DPO): Prejwal Prabhakaran, full-time employee at Sapiens Health & Performance GmbH. You may contact the DPO regarding all questions about the processing of your personal data and the exercise of your GDPR rights. The DPO is bound by confidentiality in the performance of his tasks.

Email address: prejwal.prabhakaran@be-sapiens.com

Postal address: Sapiens Health & Performance GmbH, DPO, Dinxperloer Straße 365, 46399 Bocholt, Germany.

The Purpose and Legal Basis of Data Processing

The purpose of processing the personal data is the basic operation of the Service, including user support operations. The basic operation and purpose of the Service is to provide a personalised analysis on the effect of lifestyle factors on different aspects of well-being.

The Subject’s saliva and hair measurements, further biosamples such as blood tests if requested by the Customer, measured heartbeat data, and self-assessment data are used to provide the Service.

The Service additionally includes direct personal feedback to each individual Subject by a Sapiens coach. The Service typically includes a pseudonymised feedback report to the Subject regarding their general well-being, and a personalised report consultation with a Sapiens coach. The Service may additionally include Customer group workshops, where non-identifiable, aggregated and anonymised data is displayed if requested by the Customer and if it serves the interests of the participants (conditions for sharing aggregate data apply; see below). The details of the Service are described in detail in the contract between the Customer and Sapiens. Personal data such as email, phone number and name is also used for Service support operations and communications between Sapiens and the Subject. If the applicable legislation requires the Subject’s consent for processing some of the personal data described in this document (for instance, health-related data, i.e. so-called special categories of data), the consent will be acquired using an appropriate method.

This may be done for example by checking a separate consent checkbox in a survey, or by another specific action or statement to signify consent. Declining consent may impact the ability to offer the specific Service. Sapiens uses participant data to deliver the Service. Any additional use for research purposes is optional and performed only with separate, explicit research consent and appropriate ethical approval where required. Research outputs use anonymised or aggregated datasets so that individual participants are not identifiable.

Providing health and biomarker data is not a statutory requirement. However, if you do not provide the minimum required data (e.g., samples and/or questionnaire responses) or do not consent to health-data processing, Sapiens cannot generate your personalised report or deliver the full Service.

Legal bases for processing personal data under GDPR (Article 6 and Article 9):

(1) For account/administrative data (e.g., name, email, program administration), Sapiens processes your personal data primarily to perform the service contract and provide support (Art. 6(1)(b) GDPR) and to comply with legal obligations where applicable (Art. 6(1)(c)).

(2) For health-related and other special category data (e.g., biomarker results, questionnaire health information), Sapiens processes such data only with your explicit consent (Art. 9(2)(a) GDPR) and the corresponding consent lawful basis (Art. 6(1)(a)).

(3) Where we process limited data for security, fraud prevention, service improvement, and defending legal claims, we rely on legitimate interests (Art. 6(1)(f)), while applying strict safeguards and data minimisation.

You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing before withdrawal.

The Personal Data Retention Period

We generally retain personally identifiable data (e.g., name/email and the re-identification key) for up to 24 months from your last interaction in order to provide pre-/post results for your report, unless a longer period is required to comply with legal obligations or to establish, exercise, or defend legal claims. Where feasible, we delete the re-identification key earlier (thereby anonymising remaining coded measurement data) and/or retain only aggregated/anonymised datasets. After the retention period, Sapiens deletes or irreversibly anonymises data in accordance with documented retention schedules and legal requirements.

The Type of Personal Data

The Group of Data Subjects: The personal data from participating Subjects is processed in the Service. In a typical case, the Customer of Sapiens is the organisation represented by the Subjects and the Customer determines the group of Subjects.

Regular Data: The Customer provides the full name and email address of each Subject in the Service. The other personal data is provided by the Subjects themselves via the self-assessment survey, self-sampling or through the use of measuring devices. The Customer or Sapiens may additionally gather information from the Subjects when providing the Service. Information will also be created analytically through Sapiens’ own activities.

The database contains the following information (partial or complete) about the Subjects. Before providing these data, the Subjects give consent and are shown Sapiens’ data privacy policy. Providing the data below is voluntary: Subjects can choose to provide it and are not required to do so.

  • Full name (first and last)
  • Email
  • Phone number: If you choose SMS/WhatsApp password delivery, we process your mobile phone number and message delivery metadata for the purpose of sending the report password out-of-band.
  • Year of birth, gender
  • Information about the Customer (e.g., Employer of the Subject), e.g., name of the company

All the above data are stored separately from the health-related data described below, which are stored under an encrypted ID only (e.g., DHDIKL).

Data stored under encrypted IDs are:

  • Sensitive health information if the Subject chooses to provide it:
    • Perceived stress, perceived resilience, if provided via survey by the Subject
    • Perceived work-related stressors, if provided by the Subject
    • Perceived lifestyle and habits, if provided by the Subject
    • Information about chronic and acute diseases and medication, as well as female health conditions, if provided by the Subject
    • Cortisol measurement results from saliva
    • Steroid (cortisol, cortisone, testosterone, DHEA) and endocannabinoid (AEA, 1/2 AG, OEA, SEA, PEA) measurements from hair
    • Maximal oxygen consumption and fitness level classification
    • Heart rate and heart rate variability data (incl. recovery and sleep scores)
    • Gastrointestinal, immune, or musculoskeletal symptoms, if the Subject chooses to provide them
    • Sleep start time and sleep duration, and sleep rhythm formed by many periods of sleep
    • Information on personal habits like nutrition, exercise or attentional regulation activities
    • Information about nervousness and emotional wellbeing
    • Information from previous tests like lipids, blood glucose or similar
  • In addition to the above, general wellness and physical activity related information such as detected exercise sessions, step count and training effect.
  • Diary entries if created by the Subject during the measurement period in the Firstbeat app, such as alcohol consumption, self-documented events that are noteworthy and of interest to the Subject and self-evaluations regarding the diary entries.
  • Other information submitted by the Subject to Sapiens through the Service or otherwise (e.g., by answering to Sapiens’ questionnaires)
  • Information about the consents of processing data in the Service
  • The results report with defined target actions created for the Subject based on the data analysis
  • Other information with the Subject’s consent

Automated analysis (no legal/clinical decisions): Sapiens uses automated methods (e.g., scripts and scoring models) to process coded biomarker and questionnaire data and generate wellness-oriented insights and report outputs. These analyses do not produce legal effects or similarly significant effects and do not constitute medical diagnosis or treatment decisions. A human coach reviews and explains the outputs during the debrief.

Principles of Data Protection

To deliver the Service, Sapiens applies technical and organisational measures designed for sensitive health-related data, including strict access controls, pseudonymisation, encryption, and incident handling.

Core principles

  • Data minimisation: We collect and process only the data needed to deliver the Service (measurement logistics, analysis, reporting, debrief).
  • Purpose limitation: We use your data to produce your wellness report and deliver coaching. Any additional purpose (e.g., research) requires separate consent and (where required) ethical approval.
  • Pseudonymisation by design: Measurement data and biosamples are handled using encrypted participant IDs. External providers receive IDs, not names.
  • Access limitation: Only authorised Sapiens personnel who need the data for service delivery can access it, under role-based access control.

Separation between identity data and measurement data

  • Identity data (e.g., name, email; and optionally phone number for password delivery), and
  • Measurement data (laboratory results, survey answers)

Any samples and measuring devices that may be transported by post do not contain any personal data that could resolve the Subject’s identity and contain no location information. Measurement data is stored and processed under an encrypted participant ID. The re-identification key (ID ↔ name/email) is stored separately with restricted access, and is available only to designated Sapiens personnel for participant communication and debriefing. The data from the heart-rate monitoring device (Firstbeat) is processed under the data privacy policy of Firstbeat (data processor). Upon request, Data Subjects can receive anonymised access and registration data for the Firstbeat service, so that the data separation principle also applies to the use of the Firstbeat heart-rate monitoring.

Security measures

Sapiens ensures that all data systems and computer equipment are sufficiently protected with appropriate technical methods, including firewalls, passwords, personal user IDs and personnel security training.

Specifically, Sapiens uses security measures appropriate for health-related data, including:

  • Encryption in transit and at rest for data stored on EU-based Microsoft infrastructure (e.g., Microsoft 365/Azure).
  • Multi-factor authentication (MFA) for Sapiens systems.
  • Role-based access control and least-privilege permissions.
  • Audit logging and monitoring for access to sensitive systems and datasets.
  • Endpoint security (e.g., device encryption and secure access practices for staff who handle sensitive data).
  • Incident response process including incident logging and escalation.

Data processors

To provide the Service, Sapiens uses external service providers acting as data processors on our behalf. These typically include: Dresden Lab Services GmbH (analysis of saliva and hair samples), Typeform (self-assessment survey collection via anonymous participant IDs), Firstbeat (ECG/HRV monitoring and analysis where applicable; participants register in the Firstbeat app under Firstbeat’s terms), Zoom Video Communications Inc. or Microsoft Teams for the debrief conversations (whichever system is approved by Customer IT) and Microsoft 365/Azure (EU) for hosting and internal processing.

These providers are engaged under appropriate contractual terms (e.g., data processing agreements where required). As a rule:

  • Laboratory analysis (Dresden Lab Services GmbH): Laboratory result files are transmitted to Sapiens from Dresden Lab Services GmbH using secure channels and are pseudonymised using participant IDs (no name or other personal identifiers are transmitted together with the laboratory data to Sapiens). Where email is used, attachments must be encrypted and access restricted to authorised personnel only.
  • Survey collection (Typeform): Surveys are completed using encrypted participant IDs. Sapiens does not send names/emails to the survey provider for the survey response dataset.
  • ECG/HRV provider (Firstbeat): Firstbeat may process certain data as a processor for Sapiens (e.g., measurement data linked to an ID) and may act as an independent controller for app account/registration data processed under Firstbeat’s own privacy notice when participants create an account. Sapiens users can opt in to using the Firstbeat service without using personal identifiers such as their own email address, and can instead use a pseudonymised email address provided by Sapiens.
  • Communication for debriefs (video calls): Email is used for communication with the participant, e.g., to schedule the debrief conversation about the wellness report. Sapiens does not intentionally disclose unnecessary details in those systems and applies access controls to meeting links and files. Zoom or Microsoft Teams is used for the debrief, depending on which system is available under the Customer’s IT regulations.

Secure delivery of individual reports

Individual reports are delivered as password-protected PDF files sent by email. The password is communicated via a separate channel (e.g., SMS or WhatsApp) to reduce the risk of unauthorised access if an email inbox is compromised. If you prefer a different delivery method/channel, you may request an alternative where available. Reports are identifiable only via the encrypted IDs used during the sampling process and provided to third parties without personally identifiable information.

The map below provides an overview of the data flow together with selected technical and organisational measures of data protection (not exhaustive, as the visualisation works together with the description in this document):


Transfer of Personal Data

Personal data may not be transferred outside Sapiens in a form that allows the Subject to be identified without the Subject’s consent, except in the following exceptional circumstances: if required by any ruling of a governmental or regulatory authority, a court, or mandatory law; or if it is otherwise necessary for the purposes of preventing or investigating any breach of law, user terms or good practices, or to protect the rights of Sapiens.

Unless upon the Subject’s explicit, separate consent, personal data of the Subjects will not be given to the Customer. (Note: if the Subject is a person who buys the Service for him/herself, the Subject is also a Customer and will naturally receive his/her own personal data.)

Sapiens processes and stores participant data on Azure servers in the EU. Where participants are located outside the EU/EEA, their data is transferred to the EU for processing and storage by Sapiens. Sapiens does not share personally identifiable data with third parties; third parties receive only encrypted anonymous participant IDs where applicable (e.g., laboratory and survey processing).

For ECG/HRV analysis, participants register in the Firstbeat app and agree to Firstbeat’s privacy terms; participants may use a personal/work email address or request an anonymised email option where available to reduce identifiability toward Firstbeat.

Delivery channels: Sapiens may communicate with participants via email for service delivery and sends the report as a password-protected PDF. The password is communicated separately (e.g., SMS/WhatsApp). Participants should ensure they have access to the chosen channels and protect their own devices and accounts.

Aggregate results sharing: If the participant and the Customer agree, Sapiens may share aggregated results back to the Customer and/or the participant group only where the group size is sufficiently large (as a rule: more than 10 participants) and the aggregation is presented so as to prevent back-tracing to individuals. Participants can always opt out of inclusion in aggregated outputs, in which case their data are not included in the aggregated data. Aggregated results are only shared back if there is a clearly identifiable purpose, such as deeper insight for the Customer and participants. Sapiens never shares aggregated data back to the Customer or participants unless the Customer explicitly requests it.

The data Subject has the rights under the EU General Data Protection Regulation (GDPR) to inspect his/her personal information, to change or request changes to his/her information and, under some circumstances, to request erasure of personal information. Accordingly, the Subject has the right to request that Sapiens correct inaccurate or incorrect personal information without undue delay. The Subject has the right to request erasure of his/her information without undue delay, for example when the personal data is no longer required for the original purposes, the personal data has been processed unlawfully, or the Subject withdraws consent to the processing and there is no other legal ground for the processing.

The Subject has the right to request that Sapiens restrict the processing in certain situations, including when the Subject contests the accuracy of the information or the processing is unlawful. Under some circumstances the Subject also has the right to object to the processing.

The Subject may, under some circumstances, have the right to request transferring the personal data from one system to another. Whenever the legal justification for processing the personal data is consent, the Subject also has the right to withdraw the consent at any time.

Sapiens wishes that any disputes concerning the processing of personal data are primarily resolved in a conciliatory manner between the parties. The Subject also has the right to lodge a complaint with the competent supervisory authority, in particular in the EU Member State of the Subject’s habitual residence, place of work, or place of the alleged infringement. For Sapiens (Bocholt, Germany), the competent authority is typically the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestr. 2-4, 40213 Düsseldorf, Germany, email: poststelle@ldi.nrw.de, phone: +49 211 38424-0.

Any request to inspect, modify or erase personal data shall be submitted to Sapiens in person, or by a signed letter or similarly verified document, so that Sapiens can confirm that the requestor has the right to make such a request. The request can be made by e-mail if it is sent from the e-mail address registered when using the Service. Sapiens may need to identify the Subject and ask for additional information in order to fulfil such requests.

To exercise any of these rights, please contact us at support@be-sapiens.com.

This description of the personal data processing was updated on 28th November 2025. Sapiens follows changes in legislation and regulator instructions related to personal data processing, develops the Service further, and therefore reserves the right to make changes to this description.

Legal basis for cross-border transfers and multi-jurisdictional compliance

Sapiens Health & Performance GmbH is a German company and applies GDPR as the baseline compliance framework. Where the Customer (only for B2B Customers) or participants are located outside the EU/EEA, Sapiens performs a documented dual-compliance assessment to ensure that processing and transfers are compliant with both GDPR and applicable local privacy and data protection laws in the relevant jurisdiction(s).

Consent and legal bases: Sapiens relies on explicit consent for processing health-related/special category data and for any optional research use. Consent is collected via a signed process (e.g., via Typeform survey consent flows) and can be withdrawn at any time. For non-health administrative data (e.g., account and program administration), Sapiens relies on contract performance and/or legal obligations, as applicable. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

Cross-border transfers: Where participants are outside the EU/EEA, their data will be transferred to and processed within the EU. For transfers from third countries into the EU, Sapiens implements jurisdiction-appropriate safeguards and documentation. Depending on the local legal requirements and the transfer scenario, Sapiens may implement, among others: (i) adequacy-based transfer pathways where recognised by local law, (ii) contractual safeguards (e.g., standard contractual clauses or equivalent instruments), and/or (iii) explicit participant consent to cross-border transfers where required. Sapiens minimises cross-border exposure by ensuring third parties receive only encrypted participant IDs and not personally identifiable data, except where explicitly consented or legally required.

Pre-contract compliance steps (applies to any non-EU/EEA engagement): Before contracting with a Customer outside the EU/EEA, Sapiens conducts and documents the following steps, as applicable:

  1. Identify all jurisdictions involved (Customer location, participant location, processing location, sub-processor locations).
  2. Map data categories (administrative data, health/special category data, biosamples) and processing purposes.
  3. Confirm local rules for processing health/sensitive data (consent requirements, notice requirements, research rules, registration requirements, restrictions on international transfers).
  4. Determine the lawful transfer mechanism(s) required under local law and implement them (including contracts and documentation).
  5. Confirm and execute required contract structures (controller/processor arrangements, confidentiality, security obligations, incident handling).
  6. Validate that external processors and sub-processors satisfy security and privacy requirements and are bound by appropriate processing terms.
  7. Finalise participant-facing notices and consents, including cross-border transfer disclosures.
  8. Confirm retention and deletion plan, incident response plan, and audit readiness according to local requirements.

Further measures for regulatory compliance

The below descriptions define principles to ensure regulatory compliance of Sapiens services that go beyond data privacy regulations.

No medical services: Sapiens is a wellness/lifestyle service and does not provide diagnosis, clinical interpretation, treatment, or prescribing. Our services are designed to avoid constituting the practice of medicine or regulated medical acts under applicable law. All outputs are informational and coaching-oriented and include “no medical advice” disclaimers. While Sapiens employs former medical doctors, they are not practicing physicians and work as health coaches at Sapiens. If symptoms indicate potential medical relevance, our escalation rules trigger a recommendation for physician follow-up, and coaching of the client is paused unless the client gives explicit consent to continue.

  • No Medical Diagnosis or Treatment: We do not provide medical diagnoses, prescriptions, or any therapeutic interventions. All feedback and recommendations relate to lifestyle (stress management, habits, etc.), and participants are clearly informed that this is not a substitute for medical care. We include disclaimers that no component of the program is a medical act and advise participants to consult a healthcare professional if any health concerns arise (e.g. if results indicate unusually high stress hormone levels). By avoiding any claim to cure or treat diseases, we ensure the service remains outside the scope of regulated medical practice.
  • Non-Invasive Sample Collection: The biological sample collection methods (saliva and hair) are non-invasive and low-risk. These can be done by the participants themselves or by non-medical personnel after brief training. Unlike blood draws or other clinical procedures, cutting a small hair sample and providing a saliva sample do not require a medical license or special clinical setting. This helps ensure we are not inadvertently performing any regulated medical procedures. Participants self-collect saliva, and hair collection (if assisted by staff) is done with simple scissors – a procedure that does not legally require a healthcare professional.
  • Non-Medical Devices and Tools: The tools we use (e.g. the Firstbeat heart-rate/ECG monitor) are wellness devices intended for fitness/stress monitoring, not medical devices for diagnosing cardiac conditions. According to regulatory definitions, a product is a medical device only if intended for medical purposes such as diagnosing or treating disease. Our use of Firstbeat is strictly for tracking stress and lifestyle metrics, which are outside the scope of medical device regulation. Generally, neither the saliva/hair sampling nor the Firstbeat heart-rate monitor requires any local approval when Sapiens operates in countries outside the EU/EEA, since they are not marketed or used as medical diagnostics.
  • Local Regulatory Compliance: To be safe, we will engage local expertise or legal counsel to double-check that no aspect of the project (such as handling of human samples, offering health-related feedback, or using the ECG device) triggers any local health regulations. If there were any borderline cases (e.g. if authorities consider cortisol testing a “health service”), we would take necessary steps such as partnering with a local licensed professional or obtaining an exception. However, because the project is framed as a voluntary wellness intervention and not healthcare delivery, it should not fall under local healthcare laws for medical practice. In sum, we emphasize that the intended scope is educational and preventive (stress awareness), with no treatment or clinical diagnosis, thereby avoiding the need for medical licensure or clinical trial approvals.
  • No medical doctors: While Sapiens employs former medical doctors, these people are not working as medical doctors/physicians at Sapiens but are collaborating with Sapiens as health coaches. Therefore, there is never any physician-patient relationship formed, no emergency services are offered and there is no clinical record keeping.
  • Clear rules for abnormal findings: While the Sapiens markers and measurements are designed so that no clinical diagnosis can be made from them, there are clear rules for abnormal findings within these wellness and lifestyle markers. For example, if cortisol levels are abnormally high or low, the client is recommended to see a physician for a medical test. The low or high cortisol levels themselves do not constitute a diagnosis of anything.
  • Not intended to be a medical act: The Sapiens Service is never intended to be a medical act. If under a local law any part of the service should ever be deemed a medical act, this component is removed in the local region and/or shifted to a licensed local professional (e.g., a venous blood test is not provided by Sapiens but can be done with a local licensed professional).
  • Sample characteristics and minimisation: Biosamples are limited to non-invasive saliva and hair samples for hormone-related wellness markers. Sapiens does not perform genetic, drug or any medical testing beyond the indicated wellness markers.
  • Retention and destruction of samples: Laboratory sample retention and destruction follow documented laboratory SOPs. After analysis and any defined short-term re-test window (typically <14 days), remaining sample material is destroyed securely (bio-waste disposal) and is not stored long-term for unrelated purposes unless explicitly agreed and consented (e.g., research).

Liability approach: Sapiens maintains clear separation between wellness coaching and medical care to avoid clinical liability associated with medical diagnosis/treatment. Operational risks are managed through protocols and documentation: chain of custody, secure data handling, restricted access, encryption, incident response processes, and formal contractual allocation of responsibilities. Where the Customer performs on-site activities (e.g., hair collection), responsibility and liability for those activities is allocated contractually, including obligations to follow Sapiens protocols, confidentiality requirements, incident reporting, and cooperation in case of complaints or investigations. Sapiens remains responsible for its own processing activities, report generation, coaching delivery, and the security of its systems and data flows. In case of incidents, Sapiens maintains documented response processes and cooperates with relevant stakeholders as required by applicable law.

Data/Sample Collection Workflows: We have three possible modes of collecting biological samples, and each has implications for data flow and custody:

  1. Participant Self-Collection: Participants may collect their own samples at home. We would ship collection kits to them containing instructions, a saliva tube (for cortisol), and materials to cut a small 3 cm hair strand from the back of the head. Each kit will have a unique ID code (a 6-letter pseudonymous code) that the participant will use to label their samples instead of their name. The participant would then either mail the samples back using a pre-addressed secure shipment package or drop them off at a designated postal point. This method keeps the process personal and confidential, since the sample is labelled only by code and the participant's identity is linked to that code only in Sapiens' records.
  2. Sapiens Staff Collection (On-site): Alternatively, Sapiens staff can travel to the country of the Customer or users to collect samples from participants (e.g. during a scheduled session). In this scenario, our staff will obtain saliva samples (participants spit into tubes themselves) and cut hair samples on-site. In this case, Sapiens staff will immediately label each sample with the participant’s anonymized ID code, log it, and secure it. The samples remain in Sapiens’ custody and are hand-carried or couriered back to Germany for analysis. We will still have participants fill out their consent and an ID coding sheet so that no personal identifiers travel with the samples.
  3. Collection by Customer or related Staff: A possible option is to have trained local staff (e.g. from the partnering Customer) collect the hair samples. This option is only selected if requested explicitly by the Customer. For example, a research assistant could cut and gather hair strands from participants. In this case, the procedure remains non-medical as no invasive action is taken. Customer staff would follow Sapiens-provided protocols: using the pre-assigned codes, labelling and sealing samples, and maintaining a log. They would then either hand over the samples to Sapiens personnel or arrange secure shipment to the German laboratory according to the standards described in this document. This approach requires a clear agreement that local staff maintain confidentiality and follow proper handling. If used, we will ensure local collectors sign confidentiality agreements and are briefed on privacy and handling procedures.

Shipment of biosamples: Saliva, hair and other biosamples are shipped as DHL Express or DHL Packages (not envelopes) using the triple packaging required by IATA regulations for liquids and are marked as “Exempt Human Specimen”. Shipments use accurate customs declarations and include any required export/import documentation. Because steroid hormones in saliva and hair are stable over the delivery period, shipments are not temperature sensitive. Samples are labelled only with the encrypted anonymous ID and do not carry the subject's name or location. The triple packaging consists of a leakproof primary receptacle, leakproof secondary packaging and rigid outer packaging, with absorbent/cushioning material between the layers, an "Exempt Human Specimen" label, shipper information (the shipper is given as "Sapiens Health & Performance GmbH" in order to protect the identity of the user) and a customs invoice as needed. The biosamples shipped (saliva or hair in most cases) are classified as "Exempt Human Specimen" for the following reasons:

  • The sample is being shipped for purposes other than diagnosing an infectious disease
  • The specimen has a low probability of containing infectious agents
  • The user is not a patient; there is no medical history, symptoms or other relevant circumstance indicating that the specimen may contain an infectious substance, so the risk is low

Chain of custody: Each sample is pre-labelled with an encrypted anonymous ID for traceability. Saliva is collected by participants; hair can be collected by participants, Sapiens staff, or - if agreed - client staff following Sapiens instructions. Each handover step (collection, sealing, shipment handover, receipt, lab intake) is documented. Sapiens maintains this chain-of-custody log in an Excel-based tracking table stored on secured Microsoft Azure/Microsoft 365 infrastructure (EU). Any deviation (e.g., damaged package, missing label, mismatch, delay) is recorded in an incident log and handled under Sapiens’ incident response workflow.
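The pseudonymous-code and handover-logging workflow described above (self-collection codes, per-step custody records, deviations routed to an incident log) can be modelled as a small data structure. The following is an added illustration, not Sapiens' own tooling (the page states that the real log is an Excel table on Microsoft 365); it assumes the five step names from the chain-of-custody paragraph, random 6-letter codes for participant IDs, and constructed sample participants and timestamps.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

ALPHABET = string.ascii_uppercase
CODE_LEN = 6
# Handover steps in the order listed in the chain-of-custody paragraph (assumed names)
CUSTODY_STEPS = ("collection", "sealing", "shipment_handover", "receipt", "lab_intake")


def issue_code(issued: set[str]) -> str:
    """Issue a fresh random 6-letter participant code.

    The code is random rather than derived from identity, so the label on the tube
    carries no information about the participant; the only link to a person is the
    identity map, which stays in Sapiens' records and never travels with the sample.
    """
    while True:
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        if code not in issued:
            issued.add(code)
            return code


@dataclass
class CustodyEvent:
    code: str
    step: str
    actor: str
    when: str  # ISO-8601 timestamp string


@dataclass
class CustodyLog:
    """One event per handover; any deviation is written to a separate incident list."""
    events: dict[str, list[CustodyEvent]] = field(default_factory=dict)
    incidents: list[str] = field(default_factory=list)

    def record(self, code: str, step: str, actor: str, when: str,
               label_seen: Optional[str] = None) -> bool:
        """Append a handover event; on a deviation, log an incident and return False."""
        # Label on the package must match the pre-assigned code (catches mislabelling)
        if label_seen is not None and label_seen != code:
            self.incidents.append(
                f"{code}: label mismatch at {step} (seen {label_seen!r}) by {actor}")
            return False
        if step not in CUSTODY_STEPS:
            self.incidents.append(f"{code}: unknown step {step!r} by {actor}")
            return False
        done = self.events.setdefault(code, [])
        # Steps must arrive in sequence; a skipped handover is a custody gap
        expected = CUSTODY_STEPS[len(done)] if len(done) < len(CUSTODY_STEPS) else None
        if step != expected:
            self.incidents.append(
                f"{code}: out-of-sequence step {step!r} (expected {expected!r}) by {actor}")
            return False
        done.append(CustodyEvent(code, step, actor, when))
        return True

    def complete(self, code: str) -> bool:
        """True when every handover step has been recorded for this code."""
        return [e.step for e in self.events.get(code, [])] == list(CUSTODY_STEPS)


def demo() -> CustodyLog:
    """Constructed walkthrough: one clean chain and one with two deviations."""
    issued: set[str] = set()
    # code -> participant; held only by Sapiens, never shipped (constructed sample data)
    identity_map = {issue_code(issued): name for name in ("participant A", "participant B")}
    a, b = sorted(identity_map)
    log = CustodyLog()
    # Participant A: every step recorded in order, label matches the code each time
    actors = ("participant", "participant", "sapiens_staff", "lab", "lab")
    for i, (step, actor) in enumerate(zip(CUSTODY_STEPS, actors)):
        log.record(a, step, actor, f"2025-11-2{i}T09:00:00Z", label_seen=a)
    # Participant B: unreadable label at handover, then receipt logged without a handover
    log.record(b, "collection", "participant", "2025-11-20T09:00:00Z", label_seen=b)
    log.record(b, "sealing", "participant", "2025-11-20T09:05:00Z", label_seen=b)
    log.record(b, "shipment_handover", "sapiens_staff", "2025-11-21T08:00:00Z",
               label_seen="unreadable")
    log.record(b, "receipt", "lab", "2025-11-22T10:00:00Z", label_seen=b)
    return log


if __name__ == "__main__":
    log = demo()
    for code in log.events:
        print(code, "complete" if log.complete(code) else "incomplete")
    for incident in log.incidents:
        print("INCIDENT:", incident)
```

The two checks that matter operationally are the label/code comparison at every handover and the sequence check: together they make the "missing label, mismatch" and "skipped handover" deviations named above show up as incidents rather than as a quietly incomplete row in a spreadsheet.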