99 Peaks - Privacy Policy

Effective date: Dec 3rd, 2023

Last updated: June 10th, 2026

This Privacy Policy describes how 99 Peaks Pte. Ltd., its affiliates, and subsidiaries (collectively, “99 Peaks,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information. This Privacy Policy also tells you about your rights and choices with respect to your personal information, and how you can reach us to get answers to your questions.

1. Information We Collect

We collect information about you in a variety of ways depending on how you interact with us and our websites, mobile applications, and services, including:

The following table sets out the types of information we collect and our primary purpose for doing so.

ContextTypes of DataPrimary Purpose
Account RegistrationName, contact information, account activity and preferences.We have a legitimate interest in providing account-related functionalities to our users, including easy access and saving preferences.
Client InformationName and contact information of clients and their employees.We have a legitimate interest in contacting our clients and communicating with them concerning normal business administration.
Cookies and First-Party TrackingCookies and similar tracking data generated when you use our website or App.We have a legitimate interest in making our website and App operate efficiently.
Cookies and Third-Party TrackingAnalytics and behavioural data collected by third-party technologies embedded in our website or App.Where required by law, we base the use of third-party cookies upon consent.
Demographic InformationAge, location, and similar personal characteristics.We have a legitimate interest in understanding our users and providing tailored services.
Email InterconnectivityOpen rates, link clicks, and interaction data from emails we send.We have a legitimate interest in understanding how you interact with our communications.
Feedback / SupportName, email address, and any content you send when contacting us for support or providing feedback.We have a legitimate interest in receiving and acting upon your feedback or issues.
Health and Wellness DataHealth data you directly input or consent to share, including vital signs, biomarker results, medical reports, lab results, physical and physiological data, and other health information you provide.We use your information to perform our contract to provide you with the Services. We also have a legitimate interest in personalising your experience based on the information you provide.
Mailing ListEmail address or postal address when you sign up for communications.We share information about our products and services with individuals who consent to receive such information.
Mobile DevicesUnique device identifiers and interaction data from your mobile device.We have a legitimate interest in identifying unique visitors and understanding how users interact with us on mobile devices.
Order Placement (Marketplace — not currently active)Name, billing address, shipping address, email address, phone number, and payment card information when you place an order via the Marketplace.We use your information to perform our contract to provide you with Marketplace products or services. The Marketplace feature is not currently active.
Partner PromotionInformation provided as part of a co-branded promotion with a third-party partner.We have a legitimate interest in fulfilling our promotions.
SurveysResponses and opinions you provide when participating in surveys.We have a legitimate interest in understanding your opinions and collecting information relevant to our organisation.
User ContentContent you post in any community or feedback features, including comments, reviews, and associated metadata.We use this information to understand our users, improve our Services, and foster a safe environment.
Website and App InteractionsLinks clicked, form inputs, device type, browser type, and behavioural data from your use of our website and App.We have a legitimate interest in understanding how you interact with our website and App to improve them and to detect and prevent fraud.
Web LogsBrowser type, operating system, IP address, domain name, click activity, referring website, and date/time stamps.We have a legitimate interest in monitoring our networks and understanding which of our services are most used.
2. How We Use Information

In addition to the purposes and uses described above, we use information in the following ways:

Although the sections above describe our primary purpose in collecting your information, in many situations we have more than one purpose. As a result, our collection and processing of your information is based in different contexts upon your consent, our need to perform a contract, our obligations under law, and/or our legitimate interest in conducting our business.

To the extent we maintain and use personal information in a deidentified form, we will not attempt to reidentify the information, except for the purpose of determining whether our deidentification processes satisfy our legal obligations.

3. How We Share Information

In addition to the specific situations discussed elsewhere in this Privacy Policy, we may disclose personal information in the following situations:

4. Your Choices

Some jurisdictions give you a right to make the following choices regarding your personal information:

Please note that not all of the rights described above are absolute, and they do not apply in all circumstances. In some cases, we may limit or deny your request because the law permits or requires us to do so, or if we are unable to adequately verify your identity. We will not discriminate against individuals who exercise their privacy rights under applicable law.

5. Submitting Requests

You may exercise the rights described above by contacting us as indicated in the “Contact Information” section below. If you disagree with our denial of a request, you may appeal our decision by contacting us with the subject line “Appeal.”

As required by law, we will require you to prove your identity. We may verify your identity by phone call or email. Depending on your request, we will ask for information such as your name and the last time you interacted with us. We may also ask you to provide a signed declaration confirming your identity.

In some circumstances, you may designate an authorised agent to submit requests to exercise certain privacy rights on your behalf. If you are an authorised agent submitting a request on behalf of an individual, you must attach a copy of a signed and notarised document indicating that you are able to act on that person’s behalf.

6. How We Protect and Retain Information

We store user data securely on encrypted servers hosted by Amazon Web Services (AWS) in the United States, using SSL/TLS encryption protocols to protect data during transmission and at rest. Note, however, that no method of transmission over the internet, or method of electronic storage, is fully secure. While we use reasonable efforts to protect your personal information from unauthorised access, use, or disclosure, we cannot guarantee the security of your personal information. In the event that we are required by law to inform you of a breach to your personal information, we may notify you electronically, in writing, or by telephone, if permitted to do so by law.

You are responsible for maintaining the confidentiality of your account password, and for any access to or use of your account by someone else who has obtained your password. You should notify us immediately of any unauthorised use of your password or account.

We retain your personal information for only as long as necessary to fulfil the purposes outlined in this Privacy Policy, including for the purposes of satisfying any legal, accounting, or reporting requirements, unless a longer retention period is required or permitted by law. For example, we typically retain your user-inputted data for twelve (12) months after account deletion unless legally required to retain it longer.

7. Transmission of Information to Other Countries

As a company that operates internationally, we may transmit your personal information to countries other than your country of residence, including to the United States where our servers are hosted. Privacy laws in those countries may differ from the laws in your country.

Where we transfer personal information internationally, we take steps to ensure that appropriate safeguards are in place to protect your information, consistent with the applicable legal requirements of your jurisdiction. These safeguards may include standard contractual clauses, contractual protections with our service providers, or other legally recognised transfer mechanisms. Where required by local law, we obtain your consent to such transfers.

By using the Services, you acknowledge that your personal information may be transferred to, stored, and processed in a country other than your country of residence. If you would like more information about the safeguards we apply to international data transfers, please contact us using the details below.

8. Health and Medical Data

The Services enable you to input and store sensitive health data, including biomarker results, medical reports, physical measurements, and other health information (“Health Data”). We treat Health Data with additional care and apply heightened security measures to its storage and processing.

Health Data is used solely to provide and improve the Services as described in this Privacy Policy. We do not sell Health Data to third parties. We do not use Health Data for advertising purposes.

Where you upload medical reports or clinical results, you are solely responsible for the accuracy of that data. The Services do not independently verify such data, and nothing in the Services constitutes medical advice.

In jurisdictions where Health Data constitutes sensitive personal data or sensitive personal information under applicable law, we process such data only on the basis of your explicit consent given at account registration and continued use of the Services, or as otherwise permitted by applicable law.

9. Third-Party Applications and Websites

For your convenience, we may provide links to websites and other third-party content or services that we do not own or operate. The websites and third-party content to which we link may have separate privacy notices or policies. We have no control over the privacy practices of websites or services that we do not own, and we encourage you to review the privacy policies of any third-party website or application.

10. Children

Our App and Services are not intended for children under the age of 18 and we do not knowingly collect personal information from children under the age of 18. If you are under 18, you must not provide your personal information to us.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. To the extent that our policy changes in a material way, the policy that was in place at the time that you submitted personal information to us will generally govern that information unless we receive your consent to the new privacy policy. If we make a material change to this Privacy Policy, we will attempt to notify you through email, in-app notification, and/or a website pop-up.

12. Contact Information

If you have any questions, comments, or complaints concerning our privacy practices, please contact us at:

Appendices — Jurisdiction-Specific Privacy Rights

Appendix A — Australia (Privacy Act 1988)

This Appendix applies to users whose primary residence is in Australia, and supplements the main Privacy Policy. In the event of any conflict specific to Australian law, this Appendix prevails.

A1. Australian Privacy Principles (APPs)

We handle personal information in accordance with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth). Health information is sensitive information under the Privacy Act and is afforded additional protections. We collect health information only with your consent and only for the purposes described in this Privacy Policy.

A2. Cross-Border Disclosure

We may disclose your personal information to overseas recipients, including our service providers in the United States. Before doing so, we take reasonable steps to ensure that overseas recipients do not breach the APPs in relation to your personal information, in accordance with APP 8.

A3. Your Rights under the Privacy Act

Under the Privacy Act, you have the right to:

To exercise these rights, contact us at support@99peaks.life.

A4. Health Disclaimers

The Services are not a medical device and are not provided by a registered health practitioner. The Services do not provide medical advice. For clinical matters, consult a registered health practitioner regulated under the Health Practitioner Regulation National Law.

Appendix B — United States

This Appendix applies to users whose primary residence is in the United States of America, and supplements the main Privacy Policy.

B1. No HIPAA Relationship

Unless expressly agreed in a separate Business Associate Agreement (BAA), 99 Peaks is not a HIPAA covered entity or business associate in connection with your consumer use of the Services. The Services are not intended for transmitting Protected Health Information in a HIPAA-regulated context.

B2. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

To exercise these rights, contact us at support@99peaks.life. California residents may also reach the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs by mail at 1625 North Market Blvd., Sacramento, CA 95834, or by telephone at (916) 445-1254 or (800) 952-5210.

B3. Other State Privacy Rights

Some US states provide additional privacy rights regarding access, correction, deletion, and portability of personal data. Those rights are preserved where mandatory under applicable state law.

Appendix C — Singapore (Personal Data Protection Act 2012)

This Appendix applies to users whose primary residence is in Singapore, and supplements the main Privacy Policy. In the event of any conflict specific to Singapore law, this Appendix prevails.

C1. Legal Basis for Processing

We collect and process your personal data, including Health Data and medical reports, under the Singapore Personal Data Protection Act 2012 (“PDPA”) on the following bases:

C2. Data Protection Officer

We have appointed a Data Protection Officer (“DPO”) as required under the PDPA. You may contact our DPO at support@99peaks.life with the subject line “Data Protection Officer.”

C3. Overseas Data Transfer

Your personal data is stored on AWS servers in the United States. We ensure that this transfer is subject to contractual protections at least equivalent to the PDPA standard, in compliance with the Transfer Limitation Obligation under section 26 of the PDPA and applicable PDPC guidelines.

C4. Data Breach Notification

In the event of a notifiable data breach under the PDPA, we will notify the Personal Data Protection Commission (PDPC) and affected users within three (3) business days of assessing that the breach is notifiable, as required under the PDPA Amendment Act 2020.

C5. Your Rights under the PDPA

Under the PDPA, you have the right to:

To exercise these rights, contact us at support@99peaks.life.

C6. Health Sciences Authority

The Services are not regulated as a medical device under the Health Products Act (Cap. 122D) or HSA guidelines. Content in the Services does not constitute medical advice. Consult a licensed healthcare professional for any health concerns.

Appendix D — Malaysia (Personal Data Protection Act 2010)

This Appendix applies to users whose primary residence is in Malaysia, and supplements the main Privacy Policy. In the event of any conflict specific to Malaysian law, this Appendix prevails.

D1. Legal Basis for Processing

We collect and process your personal data, including Health Data, under the Malaysian Personal Data Protection Act 2010 (“PDPA Malaysia”). Health Data constitutes sensitive personal data under PDPA Malaysia. By accepting these terms and using the Services, you give your explicit consent to our processing of your Health Data and medical reports for the purposes described in this Privacy Policy.

D2. Cross-Border Data Transfer

Your personal data is stored on servers in the United States. By using the Services, you expressly consent to this transfer. We ensure that appropriate contractual safeguards are in place with our service providers to protect your personal data to a standard consistent with PDPA Malaysia requirements.

D3. Your Rights under PDPA Malaysia

Under PDPA Malaysia, you have the right to:

To exercise these rights, contact us at support@99peaks.life.

D4. Consumer Protection

Malaysian users retain all non-waivable rights available under Malaysian consumer protection and data protection laws, including the Consumer Protection Act 1999, notwithstanding any other provision of this Privacy Policy.

D5. Health Content

The Services are not regulated as a medical device or controlled health product under Malaysian law. Nothing in the Services constitutes medical advice. Consult a registered medical practitioner for any health concerns.

Appendix E — Philippines (Data Privacy Act 2012, Republic Act No. 10173)

This Appendix applies to users whose primary residence is in the Philippines, and supplements the main Privacy Policy. In the event of any conflict specific to Philippine law, this Appendix prevails.

E1. Legal Basis for Processing

We collect and process your personal data, including Health Data and medical reports, in compliance with the Philippine Data Privacy Act 2012 (“DPA”) and its Implementing Rules and Regulations, as administered by the National Privacy Commission (“NPC”). Health Data constitutes sensitive personal information under the DPA. We process such data on the basis of your explicit consent given at account registration and continued use of the Services.

E2. Privacy Officer

We have designated a Privacy Officer responsible for ensuring our compliance with the DPA. You may contact our Privacy Officer at support@99peaks.life with the subject line “Privacy Officer — Philippines.”

E3. Cross-Border Data Transfer

Your personal data, including Health Data, is stored on servers in the United States. We ensure that such transfers comply with Section 21 of the DPA and applicable NPC issuances by implementing contractual safeguards with our data processors. By using the Services, you consent to this transfer.

E4. Data Breach Notification

In the event of a personal data breach that may result in serious harm to you, we will notify the NPC and affected users within seventy-two (72) hours of discovery, in accordance with NPC Circular No. 16-03.

E5. Privacy Impact Assessment

In accordance with NPC Advisory No. 2017-03, we have conducted a Privacy Impact Assessment covering the processing of sensitive personal information (Health Data and medical reports) within the Services.

E6. Your Rights under the DPA

Under the DPA, you have the right to:

To exercise any of these rights, contact us at support@99peaks.life.

E7. Health Content

The Services are not registered as a medical device with the Philippine Food and Drug Administration (FDA). Nothing in the Services constitutes medical advice, diagnosis, or treatment. Consult a licensed physician or healthcare professional for any health concerns.

99Peaks Logo

Your wellness and longevity
journey - gamified

Join our newsletter

© 2026 99 Peaks. All rights reserved.

FacebookLinkedInInstagram