Last updated: 10/2/2025
1. Introduction
Welcome to Medi-Chat Assistant ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our medical chat assistant application. Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the application.
2. Information We Collect
2.1 Personal Information
We may collect personal information that you provide to us, including:
- Name and email address (when you register or use Google OAuth)
- Phone number (optional)
- Profile information from Google (when using Google OAuth)
2.2 Medical Data Collection
We collect and process sensitive medical information including:
- Symptoms and health concerns discussed during conversations
- Medical questions and responses
- Treatment inquiries and preferences
- Health history shared during conversations
- Dental conditions and concerns
- Medication questions and discussions
- Emergency situations and urgent concerns
- General health inquiries
2.3 Automatically Collected Information
We may automatically collect certain information about your device and usage, including:
- IP address and device information
- Browser type and version
- Usage patterns and preferences
- Cookies and similar tracking technologies
- Session data and conversation history
- Response times and interaction metrics
- Error logs and debugging information
2.4 Third-Party AI Processing
Your medical conversations are processed by third-party AI services:
- Anthropic Claude API (US-based) - Primary AI service for generating responses
- OpenAI GPT API (US-based) - Alternative AI service for response generation
- Local LLMs (Sri Lanka-based) - Our own local language models for response generation
These services receive your medical data to generate responses and may store it temporarily.
3. How We Use Your Information
3.1 Medical Data Processing
We process medical data to:
- Generate AI responses to your health questions
- Improve our AI service quality and accuracy
- Maintain conversation history for context
- Provide personalized responses based on your concerns
- Train and improve our AI models (with anonymized data)
- Ensure appropriate medical disclaimers and safety measures
3.2 General Data Usage
We use the information we collect to:
- Provide and maintain our medical chat assistant service
- Process your medical inquiries and provide relevant responses
- Authenticate your identity and manage your account
- Improve our services and develop new features
- Communicate with you about updates and important information
- Ensure the security and integrity of our platform
- Analyze usage patterns to improve user experience
- Generate analytics and performance metrics
4. Google OAuth Integration
When you choose to sign in with Google, we collect and process information from your Google account, including:
- Your Google email address
- Your name and profile information
- Gmail access (if you grant permission) for enhanced features
- Google profile picture and basic profile data
This information is used solely for authentication and service provision. We do not access your Gmail content without your explicit permission, and we do not share this information with third parties except as described in this Privacy Policy.
5. Information Sharing and Disclosure
5.1 Third-Party Data Sharing
We share your data with:
- AI Service Providers: Anthropic (Claude API) and OpenAI (GPT API) receive your medical conversations to generate responses
- Google: For authentication services and profile information
- Cloud Hosting Providers: For data storage and processing (PostgreSQL database hosted on Google Cloud or AWS)
- Local LLMs: Our own local language models for response generation
- Legal Authorities: When required by law or to protect our rights
5.2 General Sharing Policy
We do not sell, trade, or otherwise transfer your personal information to third parties except in the following circumstances:
- With your explicit consent
- To comply with legal obligations
- To protect our rights and prevent fraud
- With trusted service providers who assist in operating our platform
- In case of business transfers or mergers
6. Data Security
6.1 Data Security Measures
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption in Transit: All data transmission uses TLS/SSL encryption
- Encryption at Rest: Sensitive data stored with AES-256 encryption
- Access Controls: Multi-factor authentication and role-based access
- Regular Security Audits: Periodic security assessments and penetration testing
- Data Backup and Recovery: Secure backup procedures and disaster recovery plans
- Network Security: Firewalls, intrusion detection, and monitoring systems
6.2 Security Limitations
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
7. Data Retention
7.1 Data Retention Periods
We retain your personal information for different periods based on data type:
- Medical Conversations: 1 month maximum (to support customized responses)
- User Accounts: 1 year for legal compliance (after account deletion)
- Analytics Data: Indefinitely (for research purposes)
- Feedback Data: Indefinitely (for continuous AI improvement)
- Session Data: 1 year (for analysis and debugging)
7.2 Data Deletion
We will delete your personal information when:
- You request deletion of your account
- The retention period expires
- We are legally required to delete the data
- The data is no longer necessary for the purposes outlined in this Privacy Policy
8. Your Rights
8.1 General Rights
You have the right to:
- Access and update your personal information
- Request deletion of your personal information
- Opt out of certain communications
- Revoke Google OAuth permissions
- Request a copy of your data
8.2 Additional Rights (GDPR/CCPA)
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Restrict Processing: Limit how we process your data
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for data processing
- Right to Lodge Complaints: File complaints with supervisory authorities
8.3 How to Exercise Your Rights
To exercise your rights, please contact us at support@staarrc.com with:
- Your request type (access, deletion, correction, etc.)
- Verification of your identity
- Specific data involved (if applicable)
- Your preferred response method
We will respond within 30 days of receiving your request. For complex requests, we may extend this period by up to 60 days and will notify you of the extension.
8.4 Data Portability Procedures
You can request a copy of your data in a structured, machine-readable format. We will provide this within 30 days of your request, including:
- Your personal information
- Medical conversation history (if requested)
- Account settings and preferences
- Analytics data (if requested)
9. Medical Disclaimer
9.1 Enhanced Medical Disclaimer
IMPORTANT:
Our medical chat assistant is for informational purposes only and does not constitute medical advice, diagnosis, or treatment. This AI assistant is not a medical device and does not provide medical advice. All responses are for informational purposes only. We are not liable for any medical decisions made based on AI responses. Always consult with qualified healthcare professionals for medical concerns. In case of medical emergencies, contact emergency services immediately.
9.2 Professional Liability Limitations
- We do not provide medical diagnoses or treatment recommendations
- We do not replace professional medical consultation
- We are not responsible for medical decisions made based on AI responses
- Users assume full responsibility for their health decisions
10. Changes to This Privacy Policy
10.1 Policy Updates
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last updated" date
- Sending email notifications for material changes
- Providing in-app notifications for significant updates
10.2 Data Breach Notification
We will notify you within 72 hours of any data breach affecting your personal information, in accordance with applicable laws.
10.3 Data Breach Response Procedures
In case of a data breach, we will:
- Immediate Assessment: Assess the scope and impact of the breach
- User Notification: Notify affected users within 72 hours via email
- Authority Reporting: Report to relevant authorities as required by law
- Corrective Measures: Implement immediate corrective measures
- User Guidance: Provide guidance to affected users on protective steps
- Documentation: Document all breach response activities
- Prevention: Review and strengthen security measures to prevent future breaches
11. Regulatory Compliance
11.1 Compliance Status
- HIPAA: Not applicable (we operate only in Sri Lanka, not in HIPAA-regulated jurisdictions)
- GDPR: Not applicable (we operate only in Sri Lanka, not in GDPR-regulated jurisdictions)
- Medical Device Regulations: Not applicable (we do not claim to provide medical devices)
- Sri Lankan Regulations: We comply with applicable Sri Lankan data protection and healthcare regulations
11.2 Data Processing Legal Basis
We process your personal data based on:
- Consent: For medical data processing and AI service provision
- Legitimate Interest: For service improvement and analytics
- Contract Performance: For providing the requested services
- Legal Obligation: For compliance with applicable laws
11.3 International Data Transfers
When we transfer your data to US-based AI services (Anthropic, OpenAI), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses: EU-approved data transfer mechanisms
- Adequate Protection Measures: Technical and organizational safeguards
- Regular Security Assessments: Ongoing evaluation of third-party security
- Data Minimization: Only necessary data is transferred
- Purpose Limitation: Data is used only for specified purposes
- Retention Limits: Data is retained only as long as necessary
12. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us at:
Email: support@staarrc.com
Address: Staarrc Technologies
Website: https://contact.staarrc.com
Data Protection Officer: Not applicable (we do not have a DPO as it is not required in Sri Lanka)
12.1 Complaint Procedures
If you have concerns about how we handle your personal data, you have the right to file a complaint with the Data Protection Authority of Sri Lanka.
Data Protection Authority Contact:
- Website: https://dpa.gov.lk
- Process: Follow the complaint procedures outlined on the DPA website
Internal Complaint Process:
You can also contact us directly at support@staarrc.com with your concerns. We will:
- Acknowledge your complaint within 14 business days
- Investigate your concerns within 14 business days
- Provide a detailed response within 3 months
- Implement corrective measures if needed
No Retaliation: We will not retaliate against you for filing a privacy complaint or exercising your privacy rights.
13. Cookies and Tracking Technologies
13.1 Types of Cookies We Use
We use the following types of cookies and tracking technologies:
- Essential Cookies: Required for basic functionality and security
  - Session management
  - Authentication
  - Security features
  - Load balancing
- Analytics Cookies: Help us understand usage patterns and improve our service
  - User interaction tracking
  - Performance monitoring
  - Error logging
  - Usage statistics
- Preference Cookies: Remember your settings and preferences
  - Language preferences
  - Display settings
  - Accessibility options
  - User interface customizations
13.2 Cookie Management
You can manage your cookie preferences through:
- Browser Settings: Most browsers allow you to control cookies through their settings
- Cookie Consent Tool: Our website provides a cookie consent management tool
- Opt-out Options: You can opt out of non-essential cookies while maintaining basic functionality
13.3 Third-Party Tracking
We may use third-party analytics services that place their own cookies. These services help us:
- Analyze website traffic and usage patterns
- Monitor performance and identify issues
- Improve user experience and service quality
14. Children's Privacy
14.1 Age Restrictions
Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.
14.2 Parental Consent
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@staarrc.com. We will take steps to remove such information from our systems.
14.3 Age Verification
We do not currently implement age verification mechanisms. Users are responsible for ensuring they meet the age requirements for using our service.
14.4 Special Protections
If we discover that we have collected information from a child under 13, we will:
- Immediately delete the information
- Notify the parent or guardian
- Implement additional safeguards to prevent future collection
15. Data Processing Records
15.1 Processing Activities Documentation
We maintain comprehensive records of all data processing activities, including:
- Purposes of Processing: Why we process your data
- Categories of Data: What types of data we process
- Data Subjects: Who the data relates to
- Recipients of Data: Who we share data with
- Retention Periods: How long we keep data
- Security Measures: How we protect data
- Legal Basis: Why we are allowed to process data
15.2 Record Keeping
These records are:
- Updated regularly to reflect current practices
- Reviewed annually for accuracy and completeness
- Made available to relevant authorities upon request
- Used to ensure compliance with applicable laws
15.3 Data Protection Impact Assessments
For high-risk processing activities, we conduct Data Protection Impact Assessments (DPIAs) to:
- Identify and minimize privacy risks
- Ensure compliance with data protection principles
- Document our risk mitigation measures
- Review and update our processing practices
Additional Information
Data Processing Location
- Primary Processing: Sri Lanka
- Database Hosting: Google Cloud or AWS regions (flexible)
- AI Services: Anthropic (US), OpenAI (US), Local LLMs (Sri Lanka)
Security History
- Data Breaches: No history of data breaches
- Security Incidents: No reported security incidents
Insurance Coverage
- Professional Liability Insurance: Not currently in place
- General Business Insurance: [Please specify if you have any business insurance]
Service Scope
- Operating Jurisdiction: Sri Lanka only
- Target Users: Sri Lankan residents
- Service Type: AI-powered dental information assistant (not a medical device)