Last updated: March 15, 2026
We collect information you provide directly, including your name, email address, company affiliation, and health-related data such as biomarker results, wearable device data, and lab reports. We also collect usage data and analytics to improve our platform.
Your data is used to provide personalized biological age assessments, generate your PACE score, power AI coaching recommendations, and improve our services. We do not sell your personal data to third parties.
We implement industry-standard security measures including encryption at rest and in transit, row-level security policies, mandatory multi-factor authentication, and comprehensive audit logging. All health data is stored in compliance with applicable regulations.
We retain your data for as long as your account is active or as needed to provide our services. You may request deletion of your data at any time by contacting our support team.
You have the right to access, correct, or delete your personal data. You may also request a copy of your data in a portable format. For EU/EEA residents, these rights are guaranteed under GDPR.
For privacy-related inquiries, please contact us at hello@pacesovereign.com.
Last updated: March 15, 2026
By accessing or using PaceSovereign, you agree to be bound by these Terms of Service. If you do not agree, you may not use the platform.
PaceSovereign is a biological asset management platform that provides personalized aging metrics, AI-driven coaching, and health data analytics. Our platform is a data intelligence tool and does not constitute medical advice, diagnosis, or treatment.
PaceSovereign is not a healthcare provider. All scores, insights, and recommendations are generated by AI and published research. Always consult your physician before making changes to your health protocol. We are not responsible for health decisions made based on our data.
You are responsible for maintaining the confidentiality of your account credentials and for all activities under your account. You agree to provide accurate data and not to misuse the platform.
All content, algorithms, and designs on PaceSovereign are owned by us or our licensors. You may not copy, modify, or distribute any part of the platform without written permission.
PaceSovereign is provided “as is” without warranties of any kind. We shall not be liable for any indirect, incidental, or consequential damages arising from your use of the platform.
We reserve the right to modify these terms at any time. Continued use of the platform after changes constitutes acceptance of the new terms.
Last updated: March 23, 2026
For the purposes of this Data Processing Agreement (“DPA”), the following definitions apply:
This DPA governs the processing of Personal Data by PaceSovereign on behalf of the Controller for the following purposes: computation of the PACE (Pace of Aging Composite Estimate) score; AI-driven health coaching and nudge generation; longitudinal trend analysis of biological markers; readiness scoring; league-based peer comparison (anonymized); and generation of the Bio-Passport.
The following categories of Personal Data are processed under this DPA:
The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law. Processing activities are limited to those necessary to provide the services described in Section 2.
PaceSovereign implements the following technical and organizational measures to ensure the security of Personal Data:
Encryption at Rest
All Personal Data is encrypted using AES-256-GCM at the database level. Encryption keys are managed through Supabase Vault with automatic rotation.
Encryption in Transit
All data in transit is protected by TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced across all endpoints.
Access Control
Row-level security (RLS) policies enforce that each user may access only their own data. Multi-factor authentication (MFA) is mandatory for all accounts. Zero-knowledge architecture ensures PaceSovereign personnel cannot access decrypted health data.
Audit & Monitoring
An append-only audit log records every data access event, including timestamp, actor, action, and affected resource. Logs are immutable and retained for a minimum of 24 months. SOC 2 Type II certification is pending.
The Controller authorizes the Processor to engage the following sub-processors for the processing of Personal Data. A complete list is maintained in the Sub-processor Register appended to this DPA.
All sub-processors are EU-based with the exception of Anthropic PBC (United States). For transfers to Anthropic, PaceSovereign relies on the European Commission's Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914, supplemented by a Transfer Impact Assessment confirming that Anthropic does not retain Personal Data beyond the duration of each API request. No Personal Data is transferred to jurisdictions lacking an adequacy decision without appropriate safeguards in place.
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Articles 15–22 of the GDPR, including:
All Data Subject requests shall be acknowledged within 72 hours and fulfilled within 30 calendar days of receipt.
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:
Personal Data is retained for the duration of the Controller's active account. Upon account termination or upon written request from the Controller:
The Controller has the right to request an annual audit of the Processor's data processing activities. PaceSovereign shall make available its SOC 2 Type II report (once certified) in lieu of an on-site audit, unless the Controller demonstrates a reasonable need for on-site inspection. The Processor shall cooperate fully with any audit and provide all reasonably requested documentation within 14 business days of the request.
This DPA is effective from the date the Controller creates a PaceSovereign account and remains in force for the duration of the processing activities. Upon termination:
Last updated: March 23, 2026
PaceSovereign is a lifestyle optimization and biological asset management platform. PaceSovereign is not a covered entity or business associate as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 45 C.F.R. Parts 160 and 164. We do not provide medical diagnosis, treatment, or payment processing. We do not transmit health information in connection with transactions for which the U.S. Department of Health and Human Services has adopted standards.
Notwithstanding our non-covered status, PaceSovereign voluntarily implements security practices aligned with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C):
Technical Safeguards
AES-256-GCM encryption at rest, TLS 1.3 in transit, unique user identification via Supabase Auth, automatic session termination, and comprehensive audit controls via append-only logging.
Access Controls
Row-level security (RLS) policies enforce minimum necessary access. Multi-factor authentication (MFA) is mandatory. Administrative access requires separate privileged credentials with additional verification.
Audit Controls
Every data access event is recorded in an immutable, append-only audit log including actor identity, timestamp, action performed, and resource affected. Logs are retained for a minimum of 24 months.
Workforce Training
All personnel with access to production systems receive annual training on data handling procedures, incident response protocols, and applicable privacy regulations.
While PaceSovereign processes health-related data (biomarker readings, wearable metrics, laboratory reports), this data is provided voluntarily by users for personal wellness and longevity insights. It is not collected, maintained, or transmitted in connection with any HIPAA-covered transaction. Users should not upload data subject to HIPAA protections without first consulting their compliance officer.
For Enterprise tier clients whose employees' data may be subject to HIPAA requirements, PaceSovereign is prepared to execute a Business Associate Agreement (BAA) upon request. Enterprise BAAs include additional administrative, physical, and technical safeguards as required by 45 C.F.R. § 164.314. Please contact our compliance team to initiate this process.
For HIPAA-related inquiries, please contact our compliance team at compliance@pacesovereign.com.
Last updated: March 23, 2026
PaceSovereign is designed exclusively for personal biological asset management. Permitted uses include: uploading and analyzing biomarker data to generate PACE scores; receiving AI-driven coaching recommendations; aggregating wearable device data for readiness and trend analysis; participating in anonymized league-based peer comparisons; and generating a Bio-Passport for personal reference.
The following activities are strictly prohibited and constitute grounds for immediate account termination:
Users bear sole responsibility for the accuracy and integrity of data uploaded to PaceSovereign, including laboratory reports, biomarker readings, and wearable device integrations. PaceSovereign is not liable for PACE scores, readiness assessments, coaching recommendations, or any other outputs derived from inaccurate, incomplete, or falsified inputs.
Each PaceSovereign account corresponds to a single natural person. Corporate or organizational accounts for multiple individuals require the Enterprise tier. Users shall not create multiple accounts to circumvent usage limits, league rankings, or enforcement actions. Sharing Bio-Passport grades or PACE scores under false pretenses — including representing another person's scores as one's own — constitutes fraud and is grounds for immediate termination without refund.
The PaceSovereign AI Coach provides data-driven suggestions based on published research and the user's biomarker trends. The AI Coach does not provide medical advice, diagnosis, or treatment recommendations. All coaching outputs include the disclaimer that users must consult a qualified physician before making changes to their health protocol. Users who rely on AI coaching outputs without independent medical consultation do so at their own risk.
PaceSovereign reserves the right, at its sole discretion, to investigate and take appropriate action against any user who violates this Acceptable Use Policy. Actions may include, without limitation: issuance of a written warning; temporary suspension of account access; permanent termination of the account without refund; and referral to law enforcement authorities where the violation involves unlawful conduct. PaceSovereign shall endeavor to provide reasonable notice before enforcement action, except where immediate action is necessary to protect the platform or other users, or to comply with legal obligations.
Last updated: March 23, 2026
The following table lists all third-party sub-processors engaged by PaceSovereign to process Personal Data on behalf of our users, in accordance with our Data Processing Agreement.
| Sub-processor | Purpose | Data Processed | Location | DPA Status |
|---|---|---|---|---|
| Supabase Inc. | Database, Auth, Storage | All user data, biomarkers, scores | EU-West (Ireland) | DPA signed |
| Vercel Inc. | Application hosting, CDN | Application code, session data | EU (Frankfurt) | DPA via ToS |
| Anthropic PBC | AI processing (Coach, PDF parsing, nudges) | Biomarker values, coaching queries (not retained) | US | SCCs + DPA |
| Resend Inc. | Transactional email | Email address, name | EU | DPA via ToS |
Notice of Changes: PaceSovereign will notify users at least 30 days before engaging a new sub-processor. Users may object to the engagement of a new sub-processor within 14 days of receiving notice. If a reasonable objection is raised and cannot be resolved, the user may terminate their account and receive a full data export in accordance with the Data Processing Agreement.
© 2026 PaceSovereign. All rights reserved.