Concierge Medicine for All 🥰
Last Updated: August 14, 2025
Almry ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy ("Policy") describes how we collect, use, disclose, and protect your Personal Information when you use our application and services ("Services"). This Policy does not describe how we handle Protected Health Information (PHI), which is covered by our Notice of HIPAA Privacy Practices.
IMPORTANT NOTICE: When you use our AI Health Assistant features, your health information will be shared with third-party AI service providers as described in Section 3.
1. Information We Collect
We collect information to provide and improve our Services.
Information You Provide:
Account Information: When you register using Google or Apple OAuth, we collect your name and email address.
Profile Information: You may voluntarily provide your date of birth, phone number, and primary care state to enhance your experience.
Information From Your Use of the Services:
Health Information:
In Local Storage Mode, all health records you retrieve from providers are encrypted with SQLCipher and stored exclusively on your device. We do not have access to this information unless you choose to use cloud-based AI features.
In Hosted Storage Mode, you may consent to store your health records on our secure servers to enable certain features.
When using AI Health Assistant features, your health information is sent to third-party AI providers for processing.
Usage and Device Data: We collect comprehensive information about your use of our Services, including:
Device information: device type, model, operating system and version, app version, unique device identifiers
Network information: IP address, IP geolocation (country, region), network type
Session information: session IDs, timestamps, page views, feature interactions
Browser information: user agent, browser type and version, referrer URLs
Performance data: app crashes, errors, response times, load times
Security and Authentication Data:
Login history: timestamps, methods, success/failure, OAuth providers used
Security monitoring: risk scores, suspicious activity indicators, new device/location flags
Authentication factors: biometric authentication status (not the biometric data itself)
Mobile App Permissions: Our mobile app may request access to:
Camera: for scanning QR codes and documents
NFC: for reading health cards and medical devices
Biometric sensors: for secure app authentication (fingerprint/face data stays on device)
Background services: for syncing health records and notifications
Internet: for connecting to our services and healthcare providers
Financial Information: When you subscribe to the Premium tier or order a lab test, we and our third-party payment processors collect payment information.
2. How We Use Your Information
To Provide and Secure the Services: We use your information to create your account, generate your unique server-side patient ID, manage your subscription and token balance, and secure your account.
To Provide AI Features:
For Free tier users, local AI models (Gemma) process data on your device without sending information to third parties.
For Premium tier users, we transmit your health information, including your medical records and queries, to third-party AI service providers to generate responses. This may include your complete medical history, test results, medications, conditions, and other health information.
To Facilitate Lab Testing: If you are in Hosted Storage Mode and order a test, we use your information to process the order and payment with our lab partners.
To Generate Health Cards: We may create SMART Health Cards (verifiable QR codes) from your health records for sharing with authorized parties.
Security and Account Protection:
Monitor for unauthorized access and suspicious activities
Implement risk scoring and fraud prevention
Maintain audit logs for HIPAA compliance
Detect and prevent abuse of our Services
Product Improvement and Research: We may use anonymized and aggregated information for:
Developing and improving our AI models and algorithms
Conducting healthcare research and publishing insights (without identifying individuals)
Creating benchmarks and performance metrics
Training proprietary health analysis models
Developing new features and services
Business Operations: We process information for legitimate business purposes including:
Quality assurance and service optimization
Business intelligence and internal reporting
Compliance with legal obligations and regulatory requirements
Merger, acquisition, or business transfer preparations
To Communicate With You: We use your contact information to send you administrative messages, security alerts, and updates about the Services.
To Comply with Law: We may use your information to comply with applicable laws and regulations.
3. How We Share Your Information
We do not sell your Personal Information. However, we do share your information in the following circumstances:
With AI Service Providers (Premium Tier Only): When you use our AI Health Assistant features with Premium subscription, we share your health information with third-party AI providers including but not limited to:
Google (for Gemini AI models) - Servers may be located globally
OpenAI (for GPT models) - Servers primarily in the United States
Anthropic (for Claude models) - Servers primarily in the United States
X.AI (for Grok models) - Server locations vary
Other AI providers that we may integrate in the future
Important Considerations for AI Processing:
These AI providers are not Business Associates under HIPAA and are not bound by HIPAA regulations
Your data may be processed on servers outside the United States
AI providers may temporarily store your data for processing (typically 30 days or less)
While AI providers generally don't train on individual user data, we cannot guarantee how they handle your information
You can avoid this sharing by using only local AI models (Free tier)
With Service Providers: We share information with third-party vendors who help us operate our Services. These providers are contractually obligated to protect your information and include:
Infrastructure Providers: Amazon Web Services (AWS) for cloud storage and computing, including S3 for health card storage
Database and Caching: PostgreSQL for data storage and Redis for caching (database and cache software, not separate vendors)
Payment Processors: Apple App Store, Google Play Store, and third-party payment gateways
Analytics and Monitoring: Service monitoring and performance optimization tools
Security Services: Authentication providers, security monitoring, and fraud prevention services
With Lab Partners: When you order a test, we share necessary information with our lab partners to fulfill your order.
For Legal Reasons: We may disclose your information to law enforcement or in response to a legal process if we believe in good faith that it is required by law.
In Business Transactions: If we are involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction.
4. Data Security
We implement robust security measures to protect your information.
On-Device: All health records and credentials in Local Storage Mode are encrypted using AES-256 with SQLCipher.
In-Transit: All data transmitted between the App and our servers is encrypted using TLS 1.3. Data sent to AI providers is also encrypted in transit.
On-Server: All data stored on our servers in Hosted Storage Mode is encrypted at rest.
AI Provider Security: We select AI providers that implement industry-standard security measures, though we cannot control their security practices.
Your Responsibility: You are responsible for securing your device and account credentials.
5. Your Rights and Choices
You have control over your information.
Account Information: You can review and update your profile information in the App's settings.
Data Deletion: You can delete your account at any time. This will remove your account information from our servers. Data in Local Storage Mode will be deleted when you delete the app or your profile within the app. We cannot guarantee deletion of data already sent to third-party AI providers.
Storage Mode: You choose your storage mode and can switch from Local to Hosted Mode only with explicit consent.
Granular Consent Options: You may control how your data is used through:
Essential Processing: Required for service delivery (cannot be disabled)
Enhanced AI Features: Advanced analysis with third-party AI (opt-in)
Research Participation: Contributing to anonymized healthcare research (opt-in)
Partner Integrations: Sharing with specific partners (per-partner consent)
Product Analytics: Service improvement analytics (opt-out available)
Marketing Communications: Promotional content and updates (opt-in)
Automated Decision-Making: You have the right to request human review of significant automated decisions affecting you, including risk scores and AI-generated health insights.
Data Portability: You can export your health records in standard formats (FHIR, PDF) at any time.
Opt-Out: You may opt out of cloud-based AI features at any time by canceling your Premium subscription or switching to local AI models.
6. Data Retention
Detailed Retention Schedule:
Active Account Data: Retained while the account is active plus 7 years (a period that exceeds HIPAA's six-year minimum for documentation retention)
Health Records: Retained according to your storage preferences and applicable law
Login and Security Data: 2 years for security monitoring and compliance
Usage Analytics: Raw event data is aggregated and anonymized after 90 days; the aggregated data is retained indefinitely
Audit Logs: Minimum 6 years for HIPAA compliance
Health Cards: Until expiration date or revocation, typically 24-168 hours
Financial Records: 7 years for tax and regulatory compliance
AI Provider Retention: Third-party AI providers may retain your data temporarily for processing. Typical retention periods are:
Google: Up to 30 days
OpenAI: Up to 30 days
Anthropic: Up to 30 days
Other providers: Varies by provider
We may retain data longer if required by law, for legal claims, or with your consent for research purposes.
7. International Data Transfers
Your information may be transferred to and processed in countries other than the United States when:
You use cloud-based AI features (AI providers' global infrastructure)
We use cloud infrastructure providers (AWS and other services with global data centers)
You access our Services while traveling internationally
These countries may have different data protection laws than your country of residence. We implement appropriate safeguards for international transfers including:
Standard contractual clauses where required
Ensuring providers maintain adequate security measures
Limiting transfers to what is necessary for service delivery
By using our Services, you consent to such transfers.
8. Children's Privacy
Individuals under 18 may not create an account. A parent or legal guardian may manage a profile for a minor. If we learn we have collected Personal Information from a child under 13 without parental consent, we will take steps to delete that information.
9. Third-Party Services and Links
Our Services may contain links to third-party websites or integrate with third-party services (such as AI providers). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
10. Changes to this Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Policy in the App and updating the "Last Updated" date. Material changes to how we handle AI processing will require your renewed consent.
11. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to:
Know what personal information we collect, use, and disclose
Request deletion of your personal information
Opt-out of the sale of your personal information (we do not sell personal information)
Non-discrimination for exercising your privacy rights
12. Automated Processing and AI Decision Support
Our Services use automated systems for:
Security threat detection and account protection
Health risk assessment and alerts (clinical decision support)
Personalized health insights and recommendations
Quality assurance and error detection
Usage pattern analysis for service improvement
You have the right to request human review of significant automated decisions.
13. Biometric Information
For enhanced security, our mobile app may collect:
Fingerprint or face authentication results from your device's biometric system (the biometric templates themselves are stored by the device's operating system only and are never collected by us or transmitted)
Voice patterns for future voice-enabled features (with separate consent)
Activity and health metrics from connected devices (with authorization)
14. Innovation and Beta Features
We may offer experimental features that involve:
Novel AI models and algorithms
Experimental health monitoring techniques
Predictive health analytics
Integration with emerging technologies
Participation is voluntary and may involve additional data processing as disclosed at enrollment.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, including questions about how your data is shared with AI providers, please contact our Privacy Officer at help@almry.com.