Privacy Policy


  1. General information

    MX Labs OÜ (hereinafter: “MX Labs”, "us", "our" or "we") protects the privacy rights of our users ("users" or "you").

    This Privacy Policy (hereinafter: "Policy") lays out the general rules for our processing of users’ data that you provide or that we collect in connection with your use of any of our products or services, e.g. our website, web services, a newsletter or the software called Heart Monitor (we shall refer to all of these as “Services”). We shall refer to all the data and other information you provide to us or we collect as “Data”, unless the particular provision points to a particular category or type of data.

    If any of such Data allow us to know your identity, they shall be treated as personal data in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

    Any processing of the Data by MX Labs is governed by this Privacy Policy, unless separate terms and conditions, the content of consents or information clauses for a particular Service provide other rules. Not all of the Data processing rules described herein shall apply to your Data, as there may be differences in processing in respect of some of our Services (e.g. not all Services include processing data concerning health or social network features).

    Please do not install or use the Services if you have any doubts about our Policy or do not agree to this Privacy Policy. 

  2. Who is processing your personal data?

    MX Labs OÜ is the exclusive data controller. Our contact details:
    1. Estonia: Lõõtsa tn 5, 11415 Tallinn; 

    2. Poland: ul. Gwiaździsta 66, 54-413 Wrocław, Poland;

    E-mail: office@mxlabs.ai
    To maintain the highest level of privacy we are supported by a professional Data Protection Officer: dpo@stsk.pl

  3. Why are we processing your Data?

    Your Data shall be processed only for the following purposes:


    1. development and provision of the functionalities of the Services which are based on the analysis of data concerning health and of facial images with facial skin texture and other physiological signs measured in real time with a smartphone, tablet or any other device equipped with a camera,

    2. non-biomedical research for the development of our technology Shen.AI, which is used for the above analysis,

    3. performance of a contract if you use our Services under its terms and conditions, or taking any steps in response to your requests, comments or questions prior to entering into the contract or within pre-sales or customer service;

    4. provision, maintenance and improvement of the Services, giving you access to them, and understanding your preferences in order to enhance your experience or the benefits of using the Services, including statistical analysis of users’ preferences and behavior;

    5. communication with you about promotions, rewards, upcoming events, and other news about products and services offered by us and our selected partners or other direct marketing.

  4. What Data are we processing and how do we collect it?

    If you want to use the Heart Monitor software or other Services which are based on the analysis of data concerning health and of facial skin texture and other physiological signs measured in real time with a smartphone, tablet or any other device equipped with a camera (using the technology Shen.AI), you need to register an account. When you do so, you provide us with, and we process, your basic contact details: nick or name and email address, and additionally: age, gender, height, weight and, if you want, other information related to your health, e.g. total cholesterol or HDL.

    The Heart Monitor software and other Services which are based on the analysis of data as above additionally need your facial images acquired through a supported device camera for the purpose of analyzing your facial blood flow, vital signs and other facial features. Such Data is used to provide you with status measurements such as heart rate, blood pressure, pulse rate variability (PRV) and other vital signs. Those measurements are also analyzed together with the Data you provided to us during the account registration process. Please be informed that your facial images as above are processed only within your device and only during the software data analysis to obtain the measurement results, and they are not stored any longer or anywhere else.

    If you want to apply for participation in non-medical research aimed at the development of MX Labs’ technology Shen.AI (research procedure for the development of artificial intelligence (AI) algorithms), we need your separate application and separate consent to participate in the research. Shen.AI analyzes facial skin texture and vital physiological signs in real-time. The technology applies remote photoplethysmography (rPPG) – a contactless optical measurement technique of recording skin blood pulsations at different vascular depths. The rPPG signal represents beat-to-beat pulsatile fluctuations in the intensity of light reflected from the skin. While these fluctuations remain invisible to the human eye, they can be detected by a simple camera. The captured signals are then analyzed computationally to estimate various cardiovascular parameters. An advanced image stabilization algorithm guarantees the best performance and reliable facial texture extraction. Our non-biomedical research aims to develop an AI model that is able to measure in real-time some vital parameters, including systolic and diastolic blood pressure based on the short video recording of the person’s face.

    In order to carry out the above research, MX Labs shall need, apart from the information about gender, age, height and weight, additional data: the values of blood pressure and optionally pulse rate measured with a traditional blood pressure meter in three separate measurements, and a 2-minute-long video of your face (facial image). The video recording, in the form of a video file, will be sent via web browser to servers in the EU controlled by MX Labs. We shall process these data anonymously, i.e. we do not combine or store them with any other personal data regarding your identity, e.g. name or email address, even if you provided them to us when using the Heart Monitor software or registering an account in our other Services. The detailed procedure of the research and instructions for obtaining the above-mentioned data shall be presented to you upon application to participate in the research.

    Please be reminded that all the above-mentioned data concerning health, as special categories of personal data, and your facial images, as biometric data (however not used for the purpose of uniquely identifying a natural person), shall always be processed under your explicit consent.

    Apart from the above-mentioned data, we in no instance process any other special categories of personal data, such as information on your race, religion, political opinions or philosophical beliefs, sexual preferences or orientation or any information of similar categories. We do not require you to provide us with such information and we do not collect it automatically.

    To subscribe to a newsletter, or to request information or help from our support, pre-sales or customer service, you provide us with, and we process, only your nick or name, email address and other contact details if you provide them.

    In the remaining scope, Data shall be processed only as standard data collected from users of software or online services in accordance with the functions and technical specification of that software or those services known to you, especially automatically from you, your device and other services you are using. Such Data can include: hardware and hardware component type; data and analytics about your use of our Services; your device type and the operating system that you use; broad geographic location (e.g. country or city-level location) based on your IP address; qualitative and quantitative metrics of our Services' performance on your device. The above-mentioned data collected automatically are necessary for us to operate the Services. If you do not wish even such data to be collected, you should not install or use our Services. If you already did, please refer to Information about your rights in Section 8 below. Additionally, we can establish separate rules for collecting data as above, including the use of cookies or similar technologies, especially in a cookie policy for individual Services.

    Typically, this data itself shall not be personal data, but it may be considered personal if it identifies you together with other information. In this case, we shall apply to it all the rules and legal bases for processing personal data set out in this Policy.

    We may also receive some of your data from Social Network Services you participate in, especially when you connect to our Services using your account registered in one of such Social Network Services (e.g. Facebook). Such data includes: your username, email, avatar, age and gender. We may receive some of your data from other third parties, in particular when you decide to connect the Services with other applications.

    The data collected automatically, necessary to operate the Services or from Social Network Services shall not be combined by us and processed together with the biometric data or data concerning health from the non-medical research described above.

    When we collect some of the data, you can provide us with your age, but we cannot confirm that age from other sources. Please remember that use of the Service is prohibited for users who are under 18 (eighteen) years old, and if we learn that we have inadvertently gathered Data from a younger user, we will take reasonable measures to promptly erase such personal information from our records.

  5. Legal basis for personal data processing

    MX Labs shall process all your personal data that are data concerning health only for the purposes identified in Section 3 points a) and b) and only under your explicit consent (Article 9 point (a) of paragraph 2 GDPR).

    MX Labs shall process all your facial images that can be treated as biometric data only for the purposes identified in Section 3 points a) and b), and MX Labs shall not use them for the purpose of uniquely identifying you as a natural person (as mentioned in Article 9 of paragraph 1 GDPR). We process them only as pure data about facial skin texture and other physiological signs for the purpose of analyzing their relation/correlation with other vital parameters, e.g. heart rate, blood pressure or PRV. We shall process the data as above only under your consent (Article 6 point (a) of paragraph 1 GDPR).

    MX Labs shall process the Data for the purpose identified in Section 3 point c) as being necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Article 6 point (b) of paragraph 1 GDPR).

    MX Labs shall process the other Data for the purposes identified in Section 3 points d) and e) as being necessary for the purposes of the legitimate interests pursued by us (Article 6 point (f) of paragraph 1 GDPR). Our legitimate interests include the need to continually raise the quality, functionality and safety of our Services, to increase availability and the number of people who visit our website, participate in our non-biomedical research or use our Services, and to develop a novel computer-vision and AI-powered technology, Shen.AI, for data acquisition, analysis, and interpretation of vital signs.

  6. Who may access your Data?

    Within our organization, your Data shall be disclosed only to our personnel who need to know such Data for carrying out their work, and shall be subject to strict rules. We may disclose your Data to our affiliates (companies controlled by MX Labs) and their personnel. We do not have other recipients of your personal data.

    MX Labs shall not transfer any personal data to a third country (outside EU) or international organization.

    We may use third parties to collect and process personal data on our behalf and in accordance with our instructions. If such third parties collect data outside the EU, the personal data shall be immediately transferred to MX Labs and shall be processed by MX Labs only within the territory of the EU. The third party as above shall not have access to the data, and the data shall not be transferred or given back to it outside the EU in any way.

  7. How long do we store your personal data?

    We shall store your personal data in respect of the particular Services only within the Services period, unless the special terms and conditions for those Services set forth otherwise.

    If any personal data shall be processed within our non-biomedical research for development of our technology Shen.AI, the period for which the personal data shall be stored, shall be determined by the research and development period defined in the research procedure.

    If nothing else results from the Policy as above, from the particular terms of Services, information clauses or the research procedure in relation to the specific Data, the personal data shall not be stored for more than 3 years from the date of collection, subject to the provisions below.

    No Data shall be processed if you have withdrawn your consent for particular processing or expressed any objection to such processing. In such an event, the period for which the personal data shall be stored ends at once and the data shall be erased or anonymized.

    Some of the data may be processed longer if such processing is necessary for the establishment, exercise or defense of legal claims or after anonymization. 

  8. Information about your rights

    Users whose personal data are processed by MX Labs have the following rights:

    1. to request access to their data,

    2. to request that their data are corrected,

    3. to request that their data are erased,

    4. to request that their data are transferred,

    5. to request that the processing of their data is limited,

    6. to not be subject to automated decision-making, including profiling,

    7. to file an objection to the processing of their data,

    8. to withdraw consent at any time (without affecting the legality of the processing performed on the basis of consent before its withdrawal),

    9. to file a complaint with respect to data processing with the appropriate supervisory body.


    Should you have any queries, comments or requests regarding your rights as above, please contact the data controller at data@mxlabs.ai or our Data Protection Officer at dpo@stsk.pl.

    In order to speed up the procedure of examining the request, you may clarify your demand, e.g. by indicating what you wish to delete or change, or that you do not want to receive news or other commercial information. In the absence of an unequivocal statement as to the scope of personal data to be erased, MX Labs may contact you in order to confirm details of your request. We shall respond to the aforementioned request immediately, at the latest within a month, and should that prove impossible, we shall give the reasons therefor.

    Please note, however, that erasure of all your data may be technically impossible if such data is connected with your accounts in other services, in particular Social Network Services and mobile platform operators.

    Also keep in mind that use of some Services requires your Data to be processed as described herein. If you do not accept processing of your Data, you should cease using the Services. If you object to processing of your Data, request the Data to be erased or request that we stop processing your Data, as a result you may not be (depending on the type of Data and the type of Services) able to use the Services. If you file an objection to the processing of data or withdraw your consent to processing of certain Data, you may not be able to use the full functionality of the Services or even may not be able to use the Services at all.

    If you consider your rights to be violated or your personal data processing rules infringed, you are entitled to file a complaint with the relevant supervisory authority. You may lodge a complaint with any other personal data protection authority in an EU member state.