heymedy

Legal

Privacy Policy

Last updated: March 29, 2026

1. Introduction

heymedy ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, name, date of birth, sex, blood type when you create an account.
  • Health Information: Medical conditions, medications, allergies, surgeries, family health history, lab results, and symptoms you share through the app.
  • Emergency Contacts: Names and phone numbers of emergency contacts you add.
  • Conversation Data: Messages you send to our AI health assistant.
  • Feedback: Any feedback or suggestions you submit through the app.
  • Uploaded Files and Media: Files, images, and voice recordings you share through the chat, such as lab reports, medical documents, or voice messages. These are stored securely and may be processed to support the features you use.

2.2 Information Collected Automatically

  • Device Information: Device identifier, operating system version, and app version.
  • Usage and Diagnostic Data: Features accessed, interaction patterns, crash diagnostics, and error logs used to operate, secure, and improve the Service.
  • Notification Data: Push notification token and platform information if you enable reminders or notifications.
  • Audit Logs: When you access health-data features, we log the timestamp, your user identifier, the endpoint accessed, response status, and your IP address for security monitoring and regulatory compliance. These logs are retained in accordance with our retention schedule.

2.3 Information We Do NOT Collect

  • We do not collect precise geolocation data.
  • We do not access your device contacts, photos, or files unless you explicitly share them.
  • We do not receive health data directly from healthcare providers, hospitals, insurers, or electronic health record (EHR) systems. All health data in the App is provided directly by you.

3. How We Use Your Information

We use the information we collect to:

  • Provide AI-assisted organization and review of the health information you choose to add.
  • Maintain and display your health records within the app.
  • Generate summaries and reminders based on your logged data.
  • Display general safety guidance and emergency prompts when urgent keywords are detected.
  • Send notifications and reminders you have configured.
  • Improve and optimize the Service.
  • Communicate with you about your account or the Service.

We process your information based on the following legal bases: your consent (which you may withdraw at any time), performance of our contract with you (the Terms of Service), and our legitimate interests in improving and securing the Service.

4. How We Share Your Information

We do not sell, rent, or trade your personal information or health data to third parties. We do not share your personal information or health data for cross-context behavioral advertising.

We may share your information only in the following circumstances:

  • AI Processing: Your conversations are processed by third-party AI providers (Anthropic) to generate responses. These providers are contractually bound to protect your data and not use it for training or other purposes.
  • Service Providers: We use trusted service providers for hosting, email delivery, and infrastructure who process data on our behalf under strict confidentiality agreements.
  • Legal Requirements: We may disclose information if required by law, court order, or governmental request.
  • Safety: We may share information if we believe it is necessary to protect the safety of any person or prevent illegal activity.

4.1 Complete List of Third-Party Service Providers

We believe in full transparency. The following is a complete list of third-party services that may process your data:

  • Anthropic (Claude): AI conversation processing and response generation. Data processed in the United States.
  • OpenAI: Text embedding generation for semantic search. Data processed in the United States. OpenAI may retain API inputs for abuse monitoring for up to 30 days unless a separate zero-retention arrangement applies.
  • Resend: Transactional email delivery (OTP codes, account notifications). Only your email address is shared.
  • Railway: Managed application hosting and database infrastructure. Contact: privacy@railway.app.
  • Apple: Authentication via Apple Sign In (if you choose this method), iOS notification delivery, and iOS speech-recognition services when you use voice input on Apple devices.
  • Expo: Push token registration and notification delivery relay for enabled notifications.
  • Sentry: Crash and error monitoring to help us detect and fix stability issues.
  • Platform Notification and Speech Providers: Mobile platform services, such as Apple APNs and the speech-recognition provider available on your device, may process device tokens, microphone audio, transcripts, and related metadata when you use notifications or voice features.
  • RevenueCat: Subscription and purchase management. RevenueCat processes an anonymous app user identifier and purchase transaction data to manage your subscription status. No health data is shared with RevenueCat.

5. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption of data in transit (TLS/SSL) and at rest.
  • Secure authentication with JWT tokens (short-lived, 15-minute access tokens) and optional Apple Sign In.
  • Refresh token rotation — each refresh token can only be used once.
  • Rate limiting on authentication endpoints to prevent brute-force attacks.
  • Regular security audits and updates.
  • Access controls limiting who can view your data.

While we strive to use commercially acceptable means to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain different categories of data for different periods:

  • Account information: Retained for the lifetime of your account.
  • Health profile data (conditions, medications, allergies, etc.): Retained for the lifetime of your account or until you delete individual records.
  • Conversation history: Active messages retained indefinitely; older messages are archived through summarization but remain accessible via data export.
  • AI-generated insights: Retained until acknowledged/dismissed by you, or until account deletion.
  • Authentication tokens: Access tokens expire after 15 minutes; refresh tokens expire after 90 days.
  • OTP codes: Expire after 10 minutes and are deleted after use.
  • Cached profile data: Expires automatically after 1 hour in Redis.
  • Usage and error logs: Retained in accordance with our retention schedule for debugging and improvement purposes.

Upon account deletion, we permanently delete account data from active application systems within 30 days, including health records, conversations, archived messages, embeddings, insights, feedback, and profile caches. Limited security logs and encrypted backups may persist during retention cycles and are then automatically purged in accordance with our backup retention schedule.

7. Your Rights

Regardless of where you live, we provide all users with the following rights:

  • Access: Request a copy of all personal and health data we hold about you in our application database via the in-app data export feature. Transient operational logs (such as audit logs retained for security monitoring) are not included in automated exports but may be provided upon specific request to privacy@heymedy.com.
  • Correction: Update or correct your personal information through the app settings.
  • Deletion: Request complete deletion of your account and all associated data. We will process deletion requests within 30 days.
  • Portability: Export your data in a standard, machine-readable JSON format.
  • Withdraw consent: You may withdraw consent to future health-data collection and AI processing through the in-app withdrawal control or by contacting us.
  • Appeal: If we decline to act on a privacy request, you may appeal that refusal.

To exercise any of these rights, you may use the in-app features or contact us at privacy@heymedy.com. We will respond to all requests within 30 days.

If we deny a privacy request, you may appeal by emailing privacy@heymedy.com with the subject line "Privacy Appeal." We will review the appeal and respond within 45 days. Washington residents may also use the Washington Attorney General complaint mechanism here: https://www.atg.wa.gov/file-complaint.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information.

8.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers: Name, email address, device identifier.
  • Personal information under Cal. Civ. Code 1798.80(e): Name, date of birth.
  • Protected classification characteristics: Sex, age.
  • Internet or other electronic network activity: App usage data, interaction history.
  • Sensitive personal information: Health data (medical conditions, medications, allergies, symptoms, lab results), precise account credentials.

8.2 Your California Rights

  • Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information to what is necessary to provide the Service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

8.3 Do Not Sell or Share

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Because we do not engage in these practices, there is no need to opt out. We have not sold or shared personal information in the preceding 12 months.

To submit a CCPA request, contact us at privacy@heymedy.com. We will verify your identity before processing any request and respond within 45 days.

9. Data Breach Notification

In the event of a data breach that affects your personal information or health data, we will:

  • Notify affected users as soon as practicable and without unreasonable delay. Where Washington's data breach law applies, notice will be made no later than 30 days after discovery.
  • Notify the Federal Trade Commission (FTC) within the timelines required by the FTC Health Breach Notification Rule, including within 10 business days if the breach affects 500 or more individuals.
  • Notify prominent media outlets if the breach affects 500 or more residents of a single state or jurisdiction and federal law requires that notice.
  • Provide a description of the breach, the types of information involved, steps we are taking, and steps you can take to protect yourself.
  • Comply with all applicable state breach notification laws, including Washington State (RCW 19.255.010) and California (Cal. Civ. Code 1798.82).

10. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will take steps to delete that information promptly.

11. International Data Transfers

Your information may be transferred to and processed in the United States, where our servers and third-party service providers are located. By using the Service, you consent to the transfer of your information to the United States. We ensure that all transfers are protected by appropriate safeguards, including encryption and contractual data protection obligations with our service providers.

11.1 Users Outside the United States

heymedy is operated from the United States and is primarily intended for users in the United States. If you are accessing the Service from the European Economic Area (EEA), United Kingdom, or another jurisdiction with data protection laws, please be aware that your data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.

Regardless of your location, we provide all users with the rights described in Section 7 (access, correction, deletion, portability, consent withdrawal, and appeal). If you believe our processing of your data infringes applicable law, you have the right to lodge a complaint with your local data protection authority.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page, updating the "Last updated" date, and sending a notification through the App. If a material change affects how we collect, use, or share health data already collected from you, we will obtain any additional consent required before applying that change.

13. Contact Us

If you have questions about this Privacy Policy, please contact us at:

privacy@heymedy.com