heymedy

Privacy Policy

Last updated: March 10, 2026

1. Introduction

heymedy ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, name, date of birth, sex, and blood type, provided when you create an account.
  • Health Information: Medical conditions, medications, allergies, surgeries, family health history, lab results, and symptoms you share through the app.
  • Emergency Contacts: Names and phone numbers of emergency contacts you add.
  • Conversation Data: Messages you send to our AI health assistant.
  • Feedback: Any feedback or suggestions you submit through the app.
  • Uploaded Documents: Files and images you share through the chat, such as lab reports or medical documents. These are stored securely and processed by AI to help answer your questions.

2.2 Information Collected Automatically

  • Device Information: Device identifier, operating system version, and app version.
  • Usage Data: Features accessed, interaction patterns, and error logs to improve the Service.
  • Audit Logs: When you access health-data features, we log the timestamp, your user identifier, the endpoint accessed, response status, and your IP address for security monitoring and regulatory compliance. These logs are retained for up to 90 days.

2.3 Information We Do NOT Collect

  • We do not collect precise geolocation data.
  • We do not access your device contacts, photos, or files unless you explicitly share them.
  • We do not receive health data directly from healthcare providers, hospitals, insurers, or electronic health record (EHR) systems. All health data in the App is provided directly by you.

3. How We Use Your Information

We use the information we collect to:

  • Provide personalized health assistance through our AI companion.
  • Maintain and display your health records within the app.
  • Generate health insights based on your data.
  • Highlight symptoms that may warrant prompt professional care and provide general safety guidance.
  • Send notifications and reminders you have configured.
  • Improve and optimize the Service.
  • Communicate with you about your account or the Service.

We process your information based on the following legal bases: your consent (which you may withdraw at any time), performance of our contract with you (the Terms of Service), and our legitimate interests in improving and securing the Service.

4. How We Share Your Information

We do not sell, rent, or trade your personal information or health data to third parties. We do not share your personal information for cross-context behavioral advertising.

We may share your information only in the following circumstances:

  • AI Processing: Your conversations are processed by third-party AI providers (Anthropic) to generate responses. These providers are contractually bound to protect your data and not use it for training or other purposes.
  • Service Providers: We use trusted service providers for hosting, email delivery, and infrastructure who process data on our behalf under strict confidentiality agreements.
  • Legal Requirements: We may disclose information if required by law, court order, or governmental request.
  • Safety: We may share information if we believe it is necessary to protect the safety of any person or prevent illegal activity.

4.1 Complete List of Third-Party Service Providers

We believe in full transparency. The following is a complete list of third-party services that may process your data:

  • Anthropic (Claude): AI conversation processing and response generation. Data processed in the United States.
  • OpenAI: Text embedding generation for semantic search only. Data processed in the United States.
  • Resend: Transactional email delivery (OTP codes, account notifications). Only your email address is shared.
  • Railway: Managed application hosting and database infrastructure. Contact: privacy@railway.app.
  • Apple: Authentication via Apple Sign In (if you choose this method). Apple shares only your name and email (or a relay address) with us.
  • RevenueCat: Subscription and purchase management. RevenueCat processes an anonymous app user identifier and purchase transaction data to manage your subscription status. No health data is shared with RevenueCat.

5. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption of data in transit (TLS/SSL) and at rest.
  • Secure authentication with JWT tokens (short-lived, 15-minute access tokens) and optional Apple Sign In.
  • Refresh token rotation — each refresh token can only be used once.
  • Rate limiting on authentication endpoints to prevent brute-force attacks.
  • Regular security audits and updates.
  • Access controls limiting who can view your data.

While we strive to use commercially acceptable means to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain different categories of data for different periods:

  • Account information: Retained for the lifetime of your account.
  • Health profile data (conditions, medications, allergies, etc.): Retained for the lifetime of your account or until you delete individual records.
  • Conversation history: Active messages retained indefinitely; older messages are archived through summarization but remain accessible via data export.
  • AI-generated insights: Retained until acknowledged/dismissed by you, or until account deletion.
  • Authentication tokens: Access tokens expire after 15 minutes; refresh tokens expire after 90 days.
  • OTP codes: Expire after 10 minutes and are deleted after use.
  • Cached profile data: Expires automatically after 1 hour in Redis.
  • Usage and error logs: Retained for up to 90 days for debugging and improvement purposes.

Upon account deletion, we permanently delete account data from active application systems within 30 days, including health records, conversations, archived messages, embeddings, insights, feedback, and profile caches. Limited security logs and encrypted backups may persist during retention cycles and are then automatically purged no later than 6 months after the authenticated deletion request.

7. Your Rights

Regardless of where you live, we provide all users with the following rights:

  • Access: Request a copy of all personal and health data we hold about you in our application database via the in-app data export feature. Transient operational logs (such as audit logs retained for security monitoring) are not included in automated exports but may be provided upon specific request to privacy@heymedy.com.
  • Correction: Update or correct your personal information through the app settings.
  • Deletion: Request complete deletion of your account and all associated data. We will process deletion requests within 30 days.
  • Portability: Export your data in a standard, machine-readable JSON format.
  • Withdraw consent: You may withdraw consent to future health-data collection and AI processing through the in-app withdrawal control or by contacting us.
  • Appeal: If we decline to act on a privacy request, you may appeal that refusal.

To exercise any of these rights, you may use the in-app features or contact us at privacy@heymedy.com. We will respond to all requests within 30 days.

If we deny a privacy request, you may appeal by emailing privacy@heymedy.com with the subject line "Privacy Appeal." We will review the appeal and respond within 45 days. Washington residents may also use the Washington Attorney General complaint mechanism here: https://www.atg.wa.gov/file-complaint.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information.

8.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers: Name, email address, device identifier.
  • Personal information under Cal. Civ. Code 1798.80(e): Name, date of birth.
  • Protected classification characteristics: Sex, age.
  • Internet or other electronic network activity: App usage data, interaction history.
  • Sensitive personal information: Health data (medical conditions, medications, allergies, symptoms, lab results), precise account credentials.

8.2 Your California Rights

  • Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information to what is necessary to provide the Service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

8.3 Do Not Sell or Share

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Because we do not engage in these practices, there is no need to opt out. We have not sold or shared personal information in the preceding 12 months.

To submit a CCPA request, contact us at privacy@heymedy.com. We will verify your identity before processing any request and respond within 45 days.

9. Data Breach Notification

In the event of a data breach that affects your personal information or health data, we will:

  • Notify affected users as soon as practicable and without unreasonable delay. Where Washington's data breach law applies, notice will be made no later than 30 days after discovery.
  • Notify the Federal Trade Commission (FTC) within the timelines required by the FTC Health Breach Notification Rule, including within 10 business days if the breach affects 500 or more individuals.
  • Notify prominent media outlets if the breach affects 500 or more residents of a single state or jurisdiction and federal law requires that notice.
  • Provide a description of the breach, the types of information involved, steps we are taking, and steps you can take to protect yourself.
  • Comply with all applicable state breach notification laws, including Washington State (RCW 19.255.010) and California (Cal. Civ. Code 1798.82).

10. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will take steps to delete that information promptly.

11. International Data Transfers

Your information may be transferred to and processed in the United States, where our servers and third-party service providers are located. By using the Service, you consent to the transfer of your information to the United States. We ensure that all transfers are protected by appropriate safeguards, including encryption and contractual data protection obligations with our service providers.

11.1 Users Outside the United States

heymedy is operated from the United States and is primarily intended for users in the United States. If you are accessing the Service from the European Economic Area (EEA), United Kingdom, or another jurisdiction with data protection laws, please be aware that your data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.

Regardless of your location, we provide all users with the rights described in Section 7 (access, correction, deletion, portability, consent withdrawal, and appeal). If you believe our processing of your data infringes applicable law, you have the right to lodge a complaint with your local data protection authority.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page, updating the "Last updated" date, and sending a notification through the App. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy, please contact us at:

privacy@heymedy.com