Privacy Policy

Last updated: December 30, 2025

Introduction

Welcome to iDoctor ("we," "us," or "our"). We are committed to protecting your privacy and ensuring the security of your personal data, especially your health information. This Privacy Policy explains how we collect, use, store, and protect your data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

iDoctor is an AI-powered medical assistant that processes health-related data, which constitutes "special category data" under Article 9 of the GDPR. We take our responsibility to protect this sensitive information extremely seriously.

1. Data Controller

The data controller responsible for your personal data is:

iDoctor

Email: privacy@idoctor.app

Data Protection Officer: dpo@idoctor.app

If you have any questions about this Privacy Policy or our data practices, please contact us using the information above.

2. Data We Collect

We collect and process the following categories of personal data:

2.1 Account Information

  • Email address
  • Name (if provided)
  • Account credentials (securely hashed)
  • Subscription and billing information

2.2 Health Data (Special Category Data)

  • Medical documents you upload (lab results, prescriptions, imaging reports, doctor notes)
  • Health information extracted from your documents
  • Medical questions and conversations with our AI assistant
  • Health metrics and trends derived from your data

2.3 Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Usage logs and analytics
  • Cookies and similar technologies

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

3.1 Explicit Consent (Article 9(2)(a) GDPR)

For the processing of your health data (special category data), we rely on your explicit consent. Before uploading any health documents or using our AI medical assistant, you will be asked to provide clear, informed consent for the processing of your health information. You may withdraw this consent at any time.

3.2 Contract Performance (Article 6(1)(b) GDPR)

We process your account information as necessary to provide you with our services and fulfill our contractual obligations to you.

3.3 Legitimate Interests (Article 6(1)(f) GDPR)

We may process certain technical data based on our legitimate interests in maintaining the security and functionality of our services, provided these interests do not override your fundamental rights.

4. How We Use Your Data

We use your personal data for the following purposes:

  • To provide AI-powered analysis of your medical documents
  • To enable conversations with our medical AI assistant
  • To track your health trends and insights over time
  • To manage your account and provide customer support
  • To process payments and manage subscriptions
  • To send important service notifications
  • To improve and develop our services
  • To ensure the security and integrity of our platform
  • To comply with legal obligations

We do NOT use your health data for advertising purposes or share it with third parties for marketing.

5. Third-Party Services and Data Processors

We use the following third-party services to provide our platform:

5.1 Supabase (Data Storage)

We use Supabase for secure data storage and authentication. Supabase stores your account information and health documents with encryption at rest and in transit. Supabase is GDPR compliant and maintains appropriate data processing agreements.

5.2 OpenAI (AI Processing)

We use OpenAI's API to power our AI medical assistant. When you interact with our AI features, relevant portions of your health data may be processed by OpenAI to generate responses. OpenAI processes this data according to their data processing agreement and does not use your data to train their models when accessed via their API.

5.3 Payment Processors

We use Stripe for payment processing. Stripe handles your payment information directly and is PCI-DSS compliant. We do not store your full credit card details.

All third-party processors are bound by data processing agreements that ensure GDPR compliance and appropriate security measures.

6. Data Retention

We retain your personal data for the following periods:

  • Account Information: Retained while your account is active and for 30 days after account deletion to allow for account recovery.
  • Health Documents and Data: Retained while your account is active. Upon account deletion, health data is permanently deleted within 30 days.
  • Conversation History: Retained for 12 months or until you delete it, whichever comes first.
  • Technical Logs: Retained for up to 90 days for security and troubleshooting purposes.
  • Billing Records: Retained for 7 years as required by applicable tax and accounting laws.

You can request deletion of your data at any time, subject to any legal retention requirements.

7. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

7.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to access that data along with information about how it is processed.

7.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

7.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data ("right to be forgotten") in certain circumstances, including when the data is no longer necessary or you withdraw consent.

7.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.

7.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

7.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

7.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing prior to withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@idoctor.app. We will respond to your request within 30 days. You can also manage certain aspects of your data directly through your account settings.

8. Data Security

We implement robust security measures to protect your personal data:

  • Encryption: All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.
  • Access Controls: Strict access controls and authentication mechanisms limit access to personal data.
  • Infrastructure Security: Our infrastructure is hosted on secure, SOC 2 compliant cloud providers.
  • Regular Audits: We conduct regular security assessments and vulnerability testing.
  • Employee Training: Our team receives regular training on data protection and security practices.
  • Incident Response: We maintain incident response procedures to address any potential data breaches promptly.

In the unlikely event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

9. International Data Transfers

Some of our service providers may process your data outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for countries deemed to provide adequate data protection
  • Binding corporate rules where applicable

You can request information about the specific safeguards used for international transfers by contacting us.

10. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

10.1 Essential Cookies

Required for the platform to function properly, including authentication and security features. These cannot be disabled.

10.2 Functional Cookies

Enable enhanced functionality and personalization, such as remembering your preferences.

10.3 Analytics Cookies

Help us understand how visitors interact with our platform so we can improve our services. These are only used with your consent.

You can manage your cookie preferences through your browser settings or through our cookie consent banner.

11. Children's Privacy

Our services are not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes affecting your health data, we will seek fresh consent where required.

We encourage you to review this Privacy Policy periodically for any changes.

13. Complaints and Supervisory Authority

If you are not satisfied with how we handle your personal data or your privacy rights, you have the right to lodge a complaint with a supervisory authority. You may contact:

  • The supervisory authority in your EU member state of residence
  • The supervisory authority where the alleged infringement occurred

However, we encourage you to contact us first at privacy@idoctor.app so we can try to resolve your concerns directly.

14. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: privacy@idoctor.app

Data Protection Officer: dpo@idoctor.app

We aim to respond to all inquiries within 30 days.

By using iDoctor, you acknowledge that you have read and understood this Privacy Policy.