Privacy Policy
This document is written in English. The English version is the authoritative version and prevails in the event of any conflict.
OncoChat Privacy Policy
Effective date: March 31, 2026 • Version: v2.0
Product: OncoChat, a product of Sifnos Inc.
Company: Sifnos Inc., a Wyoming corporation
Address: 30 N Gould St, Ste R, Sheridan, WY 82801 USA
Contact: privacy@sifnos.ai
Introduction
This Privacy Policy explains how OncoChat collects, uses, shares, and protects your personal information when you use our oncology support platform, including our websites, mobile apps, APIs, and SMS/WhatsApp or similar messaging channels (the "Service"). This Policy applies worldwide and incorporates U.S. (HIPAA, CCPA/CPRA), EU/UK/Swiss (GDPR, UK GDPR, FADP), and other international requirements.
By using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
We may collect the following categories of information:
- Account Information: name, email, phone, login credentials.
- Health Data: text you provide, images, lab summaries, wearable/device data (e.g., Apple Health, Google Fit, Oura, WHOOP).
- Communications: SMS, email, or chat content with us.
- Device & Usage Data: IP address, device identifiers, browser type, app version, operating system, time zone, cookies.
- Payment Data: if you purchase subscriptions, billing info (processed by third-party providers).
- Support & Feedback: messages, survey responses, error reports.
2. How We Use Information
We use your information to:
- Provide and operate the Service.
- Secure, troubleshoot, and maintain the Service.
- Analyze usage and improve features.
- Train, evaluate, and tune AI/ML models (using de-identified data where required).
- Develop new products and services.
- Communicate with you (service messages, support, reminders).
- Comply with legal/regulatory obligations.
We do not use PHI or sensitive health data for targeted advertising.
3. Our Legal Bases for Processing (GDPR/UK GDPR/Swiss FADP)
Depending on your location, we rely on:
- Contract necessity – to provide the Service.
- Consent – for processing special category data (e.g., health) and for optional model training in the EU/UK.
- Legitimate interests – to secure/improve our systems, prevent fraud, and support our business.
- Legal obligations – to comply with applicable law.
You may withdraw consent at any time without affecting lawful processing prior to withdrawal.
4. HIPAA
When we act as a business associate to a covered entity, we will enter into a Business Associate Agreement (BAA) and safeguard Protected Health Information (PHI) as required by HIPAA. When we provide the Service directly to consumers, HIPAA may not apply, but we still apply comparable safeguards.
5. CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights:
- Know what personal information we collect, use, disclose, and share.
- Request deletion of your personal information.
- Request correction of inaccurate information.
- Opt out of "Sale" or "Sharing" of personal information. We do not sell personal information for money. We honor "Do Not Sell or Share" requests, including browser-based Global Privacy Control (GPC).
- Limit the use of Sensitive Personal Information.
To exercise rights, submit a privacy request. We will not discriminate against you for exercising your rights.
6. International Transfers
We may transfer and process information in the United States and other countries. For cross-border transfers from the EU/EEA/UK/Switzerland, we rely on Standard Contractual Clauses (SCCs), UK Addendum/IDTA, and Swiss Addendum, along with supplementary measures.
7. How We Share Information
We may share information with:
- Service Providers & Subprocessors: cloud providers, analytics, SMS/email vendors, payment processors. A current list is available at oncochat.com/legal/subprocessors.
- Research or Development Partners: in de-identified or aggregated form only.
- Legal/Compliance: when required by law, subpoena, or government request.
- Business Transfers: in the event of a merger, acquisition, or sale.
We do not allow vendors to use your health data for their own marketing.
8. Retention
We retain personal information as long as necessary to provide the Service, comply with obligations, and resolve disputes. When your account is closed, we delete or de-identify your personal information subject to law and backup/archival limits. De-identified data may be retained indefinitely.
9. Your Rights
Depending on your location, you may have rights to:
- Access, correct, or delete your personal information.
- Restrict or object to processing.
- Receive your data in portable form.
- Withdraw consent (where consent is the basis).
- Appeal a decision (where required by U.S. state laws).
Submit requests via our contact form. We may verify your identity before responding. EU/UK users may contact their supervisory authority; California users may designate an authorized agent.
10. Children's Privacy
The Service is intended for adults 18 and over. We do not knowingly collect personal information from children under 13 (or under 16 in the EU/UK) without appropriate parental consent. If you believe a child has provided information, contact us.
11. Security
We implement safeguards including encryption in transit and at rest, access controls, monitoring, and audits. No system is perfectly secure. You use the Service at your own risk.
12. SMS/Email Communications
By providing your contact details, you consent to receive automated service messages (e.g., codes, reminders). Message & data rates may apply. Frequency varies. Text STOP to opt out, HELP for help. We comply with TCPA, CAN-SPAM, CASL, and PECR as applicable.
13. Automated Decision-Making
Our AI features may generate predictions or suggestions. These are assistive only and not determinative. We do not use AI to make binding legal or medical decisions without human involvement.
14. Changes to this Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email, in-app, or SMS, with an updated effective date. Continued use of the Service after the effective date constitutes acceptance. Where required by law, we will request renewed consent.
15. Governing Language
This Privacy Policy is drafted in English. If this Privacy Policy is translated into any other language, the English-language version shall control in the event of any conflict or inconsistency. Any translated version is provided for convenience only.
16. Contact Us
If you have questions, contact us via our contact form.
Mail: Privacy Officer, Sifnos Inc., 30 N Gould St, Ste R, Sheridan, WY 82801 USA