
Compliance and Health Data Workshop - Regulatory Guidance for a Fertility Matchmaking Platform

 


 1. GENERAL INFORMATION

Title of tender: Compliance and Health Data Workshop - Regulatory Guidance for a Fertility Matchmaking Platform

Company name: Y factor ApS

Address: Suomisvej 4, Frederiksberg C

CVR nr.: 44690934

Date: 12th March 2026

Deadline for tender: 4 weeks after submission

Contact for questions: Sofie, Karine and Deyan

Phone and e-mail: sofie@yfactor.app, karine@yfactor.app, deyan@yfactor.app

2. PRESENTATION OF COMPANY

Y factor is a two-sided fertility matchmaking platform that connects private sperm donors with recipients (referred to as Future Parents). The platform is delivered as a mobile application, available on iOS and Android.

Y factor currently operates across the United Kingdom, Germany, Spain and Italy, with an active expansion into the United States (mainly California for now). The platform is growing and serves a sensitive user base that requires the highest standards of privacy, data protection, and regulatory compliance.

The company is an early-stage, bootstrapped startup with a team of 8 people. Y factor is part of the Beyond Beta accelerator programme.

Website: Y factor

3. DESCRIPTION OF THE TASK UNDER MARKET EVALUATION

Y factor seeks a structured, interactive workshop (half-day or equivalent in multiple shorter sessions) delivered by a specialised legal and/or compliance consultancy. The purpose of the workshop is to equip the Y factor team with practical knowledge and understanding of the regulatory landscape for operating a fertility matchmaking platform that handles sensitive health-related data across multiple jurisdictions.

This is a knowledge transfer engagement, not a formal legal opinion. The goal is for the Y factor team to walk away with a clear understanding of what is and is not permissible, what the regulatory requirements are, and how to build compliant features and processes going forward. We want to develop internal competence on the path toward health tech compliance, not just receive a document.

Specifically, we require expert guidance on the following areas:

A. Medical Document Storage & Processing

• Can Y factor lawfully collect, store, and process medical documents such as STI/STD test results uploaded by users for the purpose of verification by other users or the platform? How does that work in the US, for instance, where there is no GDPR?

• Can Y factor lawfully collect and store DNA or genetic test results/references provided by donors?

• What are the data classification requirements for such documents under GDPR (Article 9 special categories of personal data) and equivalent regulations in the UK and US/California (CMIA/AB 254, CCPA/CPRA, California Health & Safety Code)?

• What technical and organisational safeguards are required if storage is permissible (encryption at rest, access controls, retention periods, purpose limitation)?

• Are there differences between storing the actual document vs. storing only a verified status flag (e.g., “STI test verified on [date]” without retaining the underlying document)?

B. User Consent & Legal Basis

• What is the appropriate legal basis for processing health data in this context (explicit consent, substantial public interest, or other)?

• What consent mechanisms and user flows are required for both the user uploading a medical document and the user requesting to view a verification result?

• How should consent be managed across jurisdictions when a donor in Denmark shares verification status with a recipient in Spain, the US or the UK?

• CMIA-specific: Under California’s AB 254, Y factor is likely classified as a “reproductive or sexual health digital service” and deemed a “provider of health care” for CMIA purposes. What does the required CMIA authorisation flow look like? Must it be separate from the Terms of Service? What format and content does Cal. Civ. Code § 56.11 require?

• When the platform shows Donor A’s reproductive health profile data to Recipient B, does that constitute a “disclosure” under CMIA requiring specific written authorisation from Donor A?

C. Jurisdictional Compliance

• GDPR (EU/EEA): Obligations for processing special-category health data, including Data Protection Impact Assessment (DPIA) requirements.

• UK GDPR: Post-Brexit divergences relevant to health data processing for a Danish-registered entity.

• Spain (LOPDGDD): Any Spain-specific requirements beyond base GDPR.

• US/California (CCPA/CPRA): Classification of health data, consumer rights, and compliance requirements for a European company expanding into California. Any HIPAA applicability considerations, CMIA/AB 254.

• Italian / German regulations: Any sector-specific health data regulations applicable to a tech platform (not a healthcare provider).

D. Platform Liability & Safety

• What is Y factor’s liability exposure if a user uploads fraudulent or outdated medical documentation?

• What disclaimers, terms of service provisions, and user agreements are recommended to limit platform liability?

• Are there mandatory reporting obligations if the platform becomes aware of health-related risks to users (e.g., falsified STI results)?

• What are the recommended safety and moderation policies for a platform facilitating private sperm donation?

E. Data Architecture Recommendations

• Recommended data flow: Should documents be stored server-side (AWS S3 encrypted) or only verified client-side and never persisted?

• Retention policies: How long can/should medical documents or verification results be retained?

• Cross-border data transfers: Implications of EU users’ health data being accessible to or processed for US-based users, especially with separate AWS infrastructure planned for EU and US.

• Data subject rights: How to handle access, rectification, and deletion requests for health data.

4. TASK OBJECTIVES AND SUCCESS CRITERIA

The objective is to receive actionable, written legal and compliance guidance that enables Y factor to make informed decisions on its medical document handling features. Success will be measured by:

1. A clear legal opinion (per jurisdiction) on whether and how Y factor may store and process medical documents such as STI/STD results and DNA test references.

2. A written compliance framework or checklist covering GDPR, UK GDPR, LOPDGDD, and CCPA/CPRA requirements applicable to Y factor’s use case.

3. Specific, implementable recommendations for consent flows, data retention, and technical safeguards.

4. A risk assessment identifying key liability exposures and recommended mitigation strategies (disclaimers, ToS provisions, insurance considerations).

5. All deliverables provided in written form (report or memo format) suitable for use by the company’s development team and future legal reference.

5. BUDGET AND SPECIFICATION OF AN OFFER

We expect a written offer to include at least:

• Date of submission of offer

• A brief presentation of the bidder, stating the CVR number and contact details. If relevant, with references and history (especially experience with health tech, fertility services, GDPR, or cross-border data compliance)

• Bidder’s proposal for solving the task, including proposed methodology and timeline

• Specification of the price for solving the task (total fixed fee or hourly rate with estimated hours)

• Discount, if relevant

• Timeframe and end date for delivery of the written advisory

• Conditions for the offer, if any

Indicative budget: Approximately 28000 DKK exclusive of VAT (incl. preparation, delivery, and a brief written summary of key findings).

6. BACKGROUND FOR THE TENDER

Beyond Beta is subject to a number of requirements for good, healthy financial management, including documentation that the agreed price for external purchases is an expression of the market price. This tender is part of these requirements.

We emphasise that the bidder must only make an offer on the requested task. Services of executing or implementing nature cannot be approved. The winning bid is chosen based on an assessment of the best correlation between price and quality.


Tender

Tender no.: 002289

Budget ex. VAT: 28.000,00

Offer deadline: 08-05-2026 23.51

Advertiser

Danish Life Science Cluster
Lersø Parkallé 101
2100 København Ø
 
31778078
info@danishlifesciencecluster.dk

Contact person

Julie Justi Andreasen

Project Manager
Danish Life Science Cluster

26207656