Privacy Policy

Last Updated: April 18, 2025

  1. Introduction

Welcome to AI DiagMe! Smart Medical Care Ltd (“we”, “us”, “our”) is committed to protecting the privacy and security of the personal data of its users (“you”, “your”). AI DiagMe is a trade name of Smart Medical Care Ltd.

This Privacy Policy explains how we collect, use, share, store, and protect your personal data when you use our website aidiagme.com (the “Site”) and our services for explaining lab results using artificial intelligence (the “Services”). It also informs you about your data protection rights and possible remedies. We encourage you to read this policy carefully. By using our Services, you acknowledge that you have reviewed this policy. The processing of your health data is based on your explicit consent obtained separately.

  2. Data Controller

The data controller for your personal data is:

Smart Medical Care Ltd

English Company

  • Registered Office: 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom
  • Registration Number: 15309552
  • Contact Email: contact@aidiagme.com

  3. Privacy Contact

For any questions regarding this policy or your personal data, you can contact our Privacy Contact:

  4. Personal Data We Collect

We collect different categories of personal data to provide and improve our Services:

  • Identification and Contact Data: Name, email address. We use your name primarily to facilitate the anonymization process of your analysis report before AI processing. We use your email address to send you the generated AI report.
  • Health and Contextual Data (Protected Health Information – PHI / Special Categories of Data):
    • The file of your lab analysis report (blood, urine, stool) that you upload (in PDF format).
    • Contextual information you provide via our online form to help us generate a more relevant explanation: age, sex, height, weight, personal and family medical history, allergies, lifestyle, etc. This information may be considered PHI under US law (HIPAA).
  • Transaction Data: Information related to your purchase of the Service, processed directly by our payment provider Stripe (we do not store your full credit card information). Your transaction history with us.
  • Technical Usage and Interaction Data: Information about how you interact with our Site and Services, collected via analytics tools like Microsoft Clarity and Google Analytics (subject to your consent via our cookie banner). This may include your IP address (anonymized where possible), browser type, pages visited, time spent, clicks, user journey.
  • Data from Cookies and Similar Technologies: Information collected via cookies when you browse our Site, in accordance with our Cookie Policy and your consent choices. This includes data for audience analysis and potentially for analyzing the performance of advertising campaigns (Google Ads).
  • Communication Data: Any information you provide when you contact our customer support or give us feedback.

  5. How We Use Your Personal Data (Purposes and Legal Bases)

We process your personal data for specific purposes and only when we have an appropriate legal basis under applicable data protection laws (including GDPR where applicable due to our UK base, and US laws like HIPAA for PHI). Here’s how we use your data and the legal bases we rely on:

  • To Provide the AI DiagMe Service: We use your Identification Data, Health and Contextual Data (PHI), and the PDF Report you upload to analyze your report and generate the requested AI explanation. The primary legal basis for processing PHI is your Explicit Consent (required under both GDPR Art. 9(2)(a) and necessary for HIPAA compliance), which we collect via a mandatory checkbox before your report processing begins. For non-PHI data involved, the basis is the necessity for the performance of a contract (GDPR Art. 6(1)(b)).
  • To Facilitate Anonymization of the PDF Report: We use your Name and the PDF Report to enable the removal of direct identifiers from the document before AI analysis. This processing is necessary for the performance of the contract (GDPR Art. 6(1)(b)) and falls within the scope of processing based on your explicit consent for the health data (GDPR Art. 9(2)(a)).
  • To Send the Generated AI Report: We use your Email Address and the generated Report to deliver the result of our Service. The legal basis is the necessity for the performance of a contract (GDPR Art. 6(1)(b)).
  • To Manage Your User Account (if applicable) and Customer Relationship: We use your Identification, Contact, and Transaction Data to manage your account and our business relationship. The legal basis is the necessity for the performance of a contract (GDPR Art. 6(1)(b)).
  • To Process Payments: We use your Identification, Contact, and Transaction Data to enable secure payment processing via our provider Stripe. The legal basis is the necessity for the performance of a contract (GDPR Art. 6(1)(b)).
  • To Analyze Site and Service Usage for Improvement and Security: We use Usage Data and data from Cookies (Analytics like Microsoft Clarity, Google Analytics). The legal basis for using non-essential cookies is your Consent (GDPR Art. 6(1)(a)), collected via the cookie banner. For aspects related to service security, the legal basis is our Legitimate Interest (GDPR Art. 6(1)(f)).
  • To Improve our AI Models (Potential, with de-identified data): We may use De-identified Health Data (derived from your reports after removing identifiers according to HIPAA standards) to improve the quality and relevance of our services. The legal basis under GDPR for processing this de-identified data is our Legitimate Interest (GDPR Art. 6(1)(f)), subject to your right to opt out. This processing only occurs after data has been appropriately de-identified.
  • To Analyze Marketing Campaign Effectiveness: We use data from Cookies (Advertising/Marketing like those from Google Ads). The legal basis is your Consent (GDPR Art. 6(1)(a)), collected via the cookie banner.
  • To Respond to Your Requests: We use your Identification, Contact, and Communication Data when you contact customer support or ask questions. The legal basis is the necessity for the performance of a contract (GDPR Art. 6(1)(b)) or our Legitimate Interest (GDPR Art. 6(1)(f)) in responding to your inquiries.
  • To Send Marketing Communications (Newsletters, offers – if implemented): If we implement this type of communication, we will use your Email Address only based on your specific Opt-in Consent (GDPR Art. 6(1)(a)). This consent will be requested separately and will never be presumed from your use of the main Service.
  • To Comply with Legal and Regulatory Obligations: We may process any relevant personal data if necessary to comply with a legal obligation (GDPR Art. 6(1)(c)).

Anonymization/De-identification and AI Improvement: Our internal tool removes your name from your PDF report before any AI analysis. We may use this health data, once appropriately de-identified according to HIPAA standards (making re-identification very difficult), to train and improve our AI models to make our explanations more accurate and useful. This is based on our legitimate interest (under GDPR). You have the right to opt out of this use of your de-identified data for improving our models by sending an email to contact@aidiagme.com, as mentioned in our Terms of Service.

  6. Sharing Your Personal Data

We do not sell your personal data. We may share your personal data with third parties only in the following cases and with appropriate safeguards:

  • Service Providers (Processors/Business Associates):
    • Hosting: Microsoft Azure (servers located in the US for US users, operated by Microsoft) for secure hosting of our systems and your data, under agreements compliant with HIPAA where applicable.
    • Payment Processing: Stripe, Inc. to process your payments securely. Stripe may collect your payment data directly.
    • Audience and Interaction Analysis: Google (for Google Analytics, Google Ads) and Microsoft (for Microsoft Clarity), subject to your cookie consent.
    • AI Infrastructure Providers (for de-identified data only): We use a combination of internally developed AI models and third-party services. Only data from your reports that has been de-identified by us first is sent to these third-party providers to generate the explanation. They act as processors/business associates for this specific task on de-identified data.
  • Legal Obligations: If required by law, we may disclose your data to competent authorities (courts, regulators, law enforcement).
  • Business Transfers: In the event of a merger, acquisition, or sale of all or part of our assets, your data could be transferred to the acquiring entity, provided it adheres to similar confidentiality commitments.

We require all our processors/business associates to respect the security of your personal data and treat it in accordance with the law (including signing Business Associate Agreements (BAAs) under HIPAA where necessary). They are only authorized to process your data for specified purposes and according to our instructions.

  7. International Data Transfers

As a UK-based company, our primary operations are subject to UK/EU data protection laws (GDPR). Some of our service providers (Stripe, Google, Microsoft, etc.) are based or operate outside the UK, primarily in the United States. Your data, particularly when using the service from the US, will be processed on servers located in the US.

When we transfer personal data originating from the UK/EEA outside these regions (e.g., to US-based providers), we ensure an adequate level of protection is guaranteed through measures like:

  • Adequacy decisions (e.g., the UK Extension to the EU-US Data Privacy Framework for certified companies).
  • Appropriate safeguards like Standard Contractual Clauses (SCCs) approved by the relevant authorities, accompanied by transfer impact assessments if necessary.

Please note that data sent to third-party AI providers is de-identified by us prior to transfer. Transfers of US user data to our UK headquarters for operational purposes are conducted under appropriate safeguards.

  8. Data Security

We have implemented appropriate technical and organizational security measures to prevent accidental loss, unauthorized use or access, alteration, or disclosure of your personal data. These include:

  • Hosting on secure servers (Microsoft Azure in the US for US users), compliant with standards like those required by HIPAA.
  • De-identification of reports before AI processing.
  • Encryption of data in transit and at rest where appropriate.
  • Strict access controls to limit access to personal data to only those individuals who need it for their duties.
  • Procedures for handling suspected data breaches.

  9. Data Retention Period

We retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements.

  • Account, Contact, and Contextual Data: Kept as long as your account is active, then for a maximum period (e.g., 3 years) after your last interaction, unless you request deletion sooner.
  • Original PDF Analysis Report: In line with data minimization, we recommend deleting this file shortly after successful generation and delivery of the AI report. We will retain it for a maximum of 90 days to resolve potential delivery issues, after which it will be securely deleted.
  • Generated AI Report (De-identified): This report, which no longer contains direct identifiers, is kept to allow you access (e.g., via the future patient portal) and for internal analysis purposes. We will retain it for a period (e.g., 3-5 years) after the last account activity, unless earlier deletion of your account is requested.
  • De-identified Data for AI Improvement: Data that has been irreversibly de-identified (no longer allowing re-identification) is not considered personal data under HIPAA or GDPR and may be kept longer, potentially indefinitely, for research and model improvement purposes.
  • Transaction Data: Retained for the period required by legal and accounting obligations (e.g., typically 6 years in the UK after the end of the relevant tax year).

  10. Your Data Protection Rights

Depending on applicable laws (like GDPR for UK/EU interactions, and potentially US state laws like CCPA/CPRA), you may have the following rights regarding your personal data:

  • Right of Access: Request a copy of the data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure (‘Right to be Forgotten’): Request deletion of your data, under certain conditions. (Note: HIPAA may require retention of certain health records for specific periods).
  • Right to Restrict Processing: Request restriction of processing of your data, under certain conditions.
  • Right to Object: Object to processing based on our legitimate interest (including the use of de-identified data for AI improvement via opt-out). Object to direct marketing.
  • Right to Data Portability: Request to receive the data you provided in a structured, commonly used, machine-readable format, and transmit it to another controller, under certain conditions.
  • Right to Withdraw Consent: If processing is based on consent (especially for health data/PHI and marketing), you can withdraw it at any time, without affecting the lawfulness of prior processing.

How to Exercise Your Rights: Currently, you can exercise your rights by contacting our Privacy Contact by email at contact@aidiagme.com. We plan to implement a user portal that will also allow you to manage some of your data and requests directly. We may ask you to verify your identity before responding to your request.

  11. Children / Minors

Our Services are not intended for individuals under 18 years of age. We implement age verification (confirmation of being at least 18) before payment. We do not knowingly collect personal data from individuals under 18.

  12. Cookies

We use cookies and similar technologies on our Site. For more information on the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

  13. Changes to this Privacy Policy

We may update this policy from time to time. The last updated date will be indicated at the top of this page. We encourage you to check this page regularly to stay informed about how we protect your data.

  14. Right to Lodge a Complaint

If you have concerns about how we process your personal data, we encourage you to contact our Privacy Contact first. You also have the right to lodge a complaint with the competent supervisory authority:

  • In the United Kingdom, the authority is the Information Commissioner’s Office (ICO) (www.ico.org.uk).
  • In the United States, depending on the nature of the complaint, you may contact the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (for HIPAA/PHI issues) or the Federal Trade Commission (FTC) (for general privacy or consumer protection issues), or your state Attorney General.