1) Who we are and scope
This policy explains how we handle personal data when you use this application and related APIs (the “Service”). It is written to meet the transparency requirements of the UK/EU GDPR without making assurances we cannot verify.
2) Personal data we process
- Account and authentication data: your phone number (and email if you provide it). Authentication is handled by Supabase, which sets cookies to maintain your session.
- Usage and quota data: we track daily usage counts and last-used dates in our database to enforce free-tier limits and subscription access.
- Content you submit: medical notes you provide for processing and the resulting outputs are sent to the OpenAI API to generate responses. We do not store your submitted content or generated outputs on our servers beyond what is necessary to process your request.
- Payment data: handled by Stripe. We do not store your full payment card details on our servers.
- Security/anti‑abuse data: we use rate limiting and CAPTCHA. For this we may process an identifier derived from your phone number or IP address and CAPTCHA tokens (Cloudflare Turnstile) to prevent abuse.
- Feedback and support: if you submit feedback, we store the message and any name/email you choose to provide.
- Referral data: if you arrive with a referral parameter, we store a referral UUID in localStorage and associate referral relationships in our database when you sign up.
3) Purposes and lawful bases
- Provide the Service (contract): authenticate you, process your inputs, and deliver outputs.
- Billing (contract): manage subscriptions and payments via Stripe.
- Security and abuse prevention (legitimate interests): rate limiting, CAPTCHA, fraud/abuse prevention.
- Service operation (legitimate interests): track usage/quota to operate free and paid tiers.
- Legal (legal obligation): comply with applicable law where required.
4) Third‑party processing
We use service providers as part of delivering the Service. We do not sell personal data. Providers we use include:
- Supabase (authentication and database; stores user accounts, session cookies, usage records, and referral data).
- Stripe (payments and subscriptions; handles billing information and payment processing).
- OpenAI API (content processing; we send your submitted medical notes to OpenAI’s API to generate summaries and plans; we do not store this content ourselves).
- Cloudflare Turnstile (CAPTCHA; processes tokens and may set cookies to verify requests).
These providers may process data in countries outside your jurisdiction. For specific details about each provider’s practices and safeguards, please refer to their respective privacy documentation.
5) International transfers
Data may be processed in regions where our providers operate. We do not make representations beyond what we can verify about each provider’s transfer mechanisms.
6) Retention
- Account, usage, and referral records are retained while your account is active. Account deletion will remove your user record and related account data we control and will cancel any active Stripe subscription.
- Rate‑limit entries are temporary and are cleaned up automatically after their reset time.
- Submitted content and generated outputs are not stored by us after processing. Feedback is retained as needed to operate the Service.
7) Your rights
Subject to applicable law, you may have rights to access, rectify, erase, restrict, or object to processing of your personal data, and to data portability. You can also withdraw consent where processing is based on consent. To exercise these rights, contact us via the in‑app feedback form or support channel.
8) Cookies and similar technologies
- Authentication cookies: Supabase sets session cookies (e.g., access/refresh tokens) required to keep you signed in.
- Payment and security cookies: Stripe and Cloudflare Turnstile may set cookies to facilitate payments and prevent abuse.
- Local storage: we store a referral UUID in your browser’s localStorage when you visit with a referral link.
9) Security
We implement reasonable technical and organizational measures appropriate to the Service. However, no method of transmission or storage is completely secure.
11) Changes
We may update this policy to reflect changes to the Service or legal requirements.