aen

Privacy Policy

Effective Date: May 9, 2026·Last Updated: May 9, 2026

1. Introduction

This Privacy Policy describes how 5M Ventures LLC (“we,” “us,” “our”) collects, uses, and protects your information when you use Aeon (“Service”). Aeon is designed with privacy as a core architectural principle. We process your health data only during your active session and delete it when your session ends.

1.1 HIPAA Disclaimer

Aeon is not a covered entity or business associate as defined under the Health Insurance Portability and Accountability Act (HIPAA). Aeon does not provide healthcare services, process insurance claims, or maintain medical records. The information you provide is processed solely for the purpose of generating a personalized longevity assessment and is not subject to HIPAA protections. If you have questions about how your health information is protected, review Sections 4 and 6 of this policy.

1.2 Beta Status

Aeon is currently in private beta. Features, data handling practices, and this Privacy Policy may be updated as the Service develops. Material changes will be indicated by an updated effective date and, where feasible, a notice on the landing page.

2. Information We Collect

2.1 Information You Provide Directly

  • (a)Email address. Required to deliver your results PDF. Collected at session start.
  • (b)Basic intake information. Age, biological sex, and health goal selections. Used during your session to generate personalized recommendations.
  • (c)Uploaded health data files. Blood work results, supplement labels, DEXA scan reports, or similar documents. These files are parsed by our system during your session to extract biomarker values and supplement information.
  • (d)Google account information (optional). If you use Google Sign-In to verify your email, Google shares your email address and email verification status with us. We do not receive your Google password, contacts, or other Google account data.

2.2 Information Generated During Your Session

  • (a)Parsed biomarker values. Extracted from your uploaded files by AI-powered document parsing.
  • (b)Generated recommendations. Personalized longevity recommendations produced by our recommendation engine.
  • (c)Biological age estimate. Calculated using the PhenoAge model based on your parsed biomarker data.
  • (d)Results PDF. A compiled document containing your dashboard, recommendations, and evidence citations.

2.3 Information Collected Automatically

  • (a)Session metadata. Session start time, session duration, and session completion status. Used for operational monitoring and abuse prevention.
  • (b)Basic device information. Browser type, operating system, and screen resolution. Used solely for rendering your dashboard correctly. We do not use this data for tracking or profiling.
  • (c)IP address. Collected automatically by our hosting infrastructure. Not linked to your health data. Retained in server logs per our hosting provider’s standard retention period.

2.4 Information We Do NOT Collect

We do not collect: names, physical addresses, phone numbers, payment information, social security numbers, insurance information, or any government-issued identification. We do not create user accounts or maintain user profiles.

3. How We Use Your Information

We use your information for the following purposes:

  • (a)To provide the Service. Parsing your uploaded files, generating your dashboard and recommendations, calculating your biological age estimate, and compiling your results PDF.
  • (b)To deliver your results. Sending the results PDF to the email address you provide.
  • (c)To maintain and improve the Service. Monitoring for errors, abuse, and system performance. We do not use your health data for model training, analytics, or any purpose beyond generating your session results.
  • (d)To comply with legal obligations. Responding to lawful requests from law enforcement or regulatory authorities, if applicable.

4. Data Retention and Deletion

Your lab values and health analysis are cleared when your session ends. We cannot recover them. Certain non-health data (email, reminder preferences) may persist as described below.

4.1 Health Data — Cleared at Session End

All uploaded files, parsed biomarker values, generated recommendations, biological age calculations, and dashboard content are cleared from our servers when your session ends. Session end is triggered when you confirm session completion or after 2 hours of inactivity. We do not retain your lab values or health analysis results after session termination.

4.2 Email Address — Retained

We retain your email address and the date of your session for the following purposes: delivery confirmation, operational recordkeeping, and abuse prevention. Your email address is not linked to any health data after your session ends.

You may request deletion of your email address from our records at any time by contacting us at privacy@getaeon.ai. We will process deletion requests within 30 days.

4.3 Retest Reminders — Opt-In Only

If you opt in to a retest reminder, we store your email address and your chosen reminder date. No health data (biological age, biomarker values, or recommendations) is stored with the reminder. Reminder records auto-expire after the reminder date plus a 7-day grace period. You may request early deletion by emailing privacy@getaeon.ai.

4.4 Results — Delivered via Email

Your assessment report and share card are delivered to your email address via our email provider (Resend). These attachments contain health-related information including biomarker values, biological age estimates, and personalized recommendations.

Email is delivered via standard internet email protocols (SMTP), which are not end-to-end encrypted. Your results may pass through third-party mail servers in transit. By providing your email address, you acknowledge and consent to receiving health-related assessment results through this unencrypted channel.

Once delivered, your results exist in your inbox and are subject to your email provider’s security and retention policies. You are responsible for the security of your email account. We do not retain a server-side copy of the report or share card after delivery. Our email provider may retain delivery metadata (recipient address, send timestamp, delivery status) per their standard retention schedule. If you lose your results, we cannot regenerate them because the underlying health data no longer exists.

4.5 AI Processing

Your biomarker values and demographic context are sent to our AI provider (Anthropic) for analysis during your session. Anthropic does not use API inputs for model training. Anthropic’s data retention policies govern any temporary processing logs on their infrastructure. No health data is retained on our servers after the API response is received and your session ends.

4.6 Waitlist and Feedback Data

If you join the beta waitlist, we store your email address and signup date. Waitlist records auto-expire after 180 days. If you submit feedback through the session-end screen, we store your feedback text and a timestamp. Feedback records auto-expire after 90 days. Neither waitlist nor feedback records are linked to your health data.

4.7 Server Logs

Standard server logs (IP addresses, request timestamps, error logs) are retained per our hosting provider’s default retention period, typically 30–90 days. These logs do not contain your health data.

5. Third-Party Processors

We use the following categories of third-party service providers to operate Aeon. These providers process data on our behalf and are contractually obligated to use it only for the purposes we specify.

CategoryPurposeData Shared
AI/LLM ProviderDocument parsing and recommendation generationUploaded file contents and intake data (during session only)
Email Service ProviderDelivering your results PDFEmail address and PDF attachment
Hosting/InfrastructureRunning the ServiceAll data transiting through the platform
Session State ProviderTemporary session storage and rate limitingSession tokens, email address, waitlist and feedback data
Authentication ProviderOptional email verification via Google Sign-InEmail address and verification status

We do not sell, rent, or trade your personal information or health data to any third party. We do not share your data with advertisers, data brokers, or marketing platforms.

5.1 AI/LLM Provider Data Handling

Your uploaded health data is sent to our AI provider’s API for document parsing and recommendation generation. This data is transmitted via encrypted connection (TLS 1.2+). We use API configurations that do not retain input data for model training. Your data is processed and discarded by the AI provider in accordance with their API data processing terms.

6. Data Security

We implement the following security measures:

  • (a)Encryption in transit. All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • (b)Encryption at rest. During your active session, any temporarily stored data is encrypted at rest using AES-256 or equivalent.
  • (c)No persistent storage of health data. Your lab values and health analysis exist only in temporary session storage and are cleared when the session ends. Retest reminders (opt-in only) store your email and reminder date with no health data attached.
  • (d)Access controls. Administrative access to our infrastructure is limited to authorized personnel and protected by multi-factor authentication.
  • (e)No user accounts. The absence of user accounts eliminates entire categories of risk: credential theft, account takeover, and stored profile breaches.

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data during transmission or processing.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • (a)Right to access. You may request confirmation of what personal information we hold about you. Because we delete health data at session end, the only personal information we retain is your email address and session date.
  • (b)Right to deletion. You may request deletion of your email address from our records. Contact us at privacy@getaeon.ai. We will process requests within 30 days.
  • (c)Right to restrict processing. Because processing occurs only during your active session and data is deleted afterward, the practical scope of this right is limited to your email address.
  • (d)Right to data portability. Your results PDF, delivered to your email, constitutes a portable copy of your processed data. We do not retain data in a format that supports additional portability requests after session end.
  • (e)Right to withdraw consent. You may close your browser at any time to end your session. Closing the session triggers data deletion. You may also request deletion of your retained email address at any time.

7.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, the right to delete it, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at privacy@getaeon.ai.

7.2 European Economic Area, UK, and Swiss Residents (GDPR/UK GDPR)

Our legal basis for processing your health data during your session is your explicit consent, which you provide when you accept these terms and initiate your session. Health data constitutes “special category data” under GDPR Article 9. Our processing is lawful under Article 9(2)(a) (explicit consent).

Our legal basis for retaining your email address is our legitimate interest in operational recordkeeping and abuse prevention (Article 6(1)(f)).

You have the right to lodge a complaint with your local data protection authority.

7.3 Data Protection Contact

For privacy inquiries, contact: privacy@getaeon.ai

8. Children’s Privacy

Aeon is not intended for individuals under 18 years of age. We do not knowingly collect information from children. If we learn that we have collected information from a child under 18, we will delete that information promptly.

9. Cookies and Tracking

Aeon uses only essential cookies required for session management (maintaining your active session state). We do not use:

  • (a) Analytics cookies or tracking pixels.
  • (b) Advertising cookies or retargeting technologies.
  • (c) Social media tracking scripts.
  • (d) Cross-site tracking of any kind.

We do not use Google Analytics, Facebook Pixel, or similar tracking tools.

10. International Data Transfers

Your data is processed on servers located in the United States. If you are accessing Aeon from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

For EEA/UK users: transfers are conducted pursuant to Standard Contractual Clauses or other appropriate safeguards as required by applicable law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised policy on our website with an updated effective date. Because we do not maintain user accounts, we cannot provide individual notice of changes. Material changes will be indicated by a prominent notice on our landing page for a reasonable period following the update.

12. Contact Us

For questions, concerns, or requests related to this Privacy Policy, contact us at:

privacy@getaeon.ai
5M Ventures LLC
Wake County, North Carolina

© 2026 5M Ventures LLC. All rights reserved.