Privacy Policy

Last updated: 5 May 2025 · GDPR compliant · Supervisory Authority: Data Protection Commission Ireland

Summary: Phibbo collects health information you share to provide AI responses and, with your consent, to personalise future consultations. Your health data is stored encrypted and never sold. You can delete all your data at any time from your Profile page. Questions? vijayharre10@gmail.com

1. Data Controller

Phibbo ("we", "us", "our") is the data controller responsible for your personal data. Contact: vijayharre10@gmail.com. We are subject to the supervision of the Data Protection Commission (DPC) of Ireland (dataprotection.ie).

2. What Data We Collect

Account Data

Name and email address collected when you sign in via Google OAuth. Used to create and manage your account.

Health Profile Data (Special Category — Explicit Consent Required)

Age, biological sex, height, weight, smoking status, diet, current medications, known conditions, and allergies. Collected only if you choose to fill in your profile. This is "special category" health data under Article 9 GDPR and processed only with your explicit consent.

Consultation Data (Special Category)

The symptoms, concerns, images, and conversations you share during consultations. Stored encrypted in our database. Includes AI-generated responses, triage assessments, and source citations.

Phibbo Memory (Special Category — Opt-in Only)

With your consent, Phibbo extracts stable health facts from conversations (e.g. recurring conditions, preferences) to personalise future consultations. You can view and delete this at any time in Settings.

Usage Data

Daily message counts for usage limit enforcement. No detailed analytics or behavioural tracking.

Payment Data

Subscription payments are processed by Stripe. We store your Stripe customer ID but not full card details. Stripe's privacy policy applies to payment processing.

3. Legal Basis for Processing

We process your data on the following legal bases under the GDPR:

  • Explicit Consent (Art. 6(1)(a), Art. 9(2)(a)): For health profile data, consultation data, and AI memory. You can withdraw consent at any time.
  • Contract Performance (Art. 6(1)(b)): For account data and usage data needed to provide the Service.
  • Legitimate Interests (Art. 6(1)(f)): For security, fraud prevention, and service improvement — balanced against your privacy rights.
  • Legal Obligation (Art. 6(1)(c)): Where required by applicable law.

4. How We Use Your Data

  • Providing AI-generated health information responses tailored to your profile
  • Storing consultation history for your personal review
  • Personalising future consultations via AI memory (consent required)
  • Processing subscription payments
  • Enforcing usage limits
  • Detecting and preventing misuse and safety events
  • Sending transactional emails (account, billing) — no marketing without separate consent

5. Third-Party Services and Data Sharing

We do not sell, rent, or trade your personal data. We share data only with the following processors:

  • Google Firebase (Firestore, Auth): Secure cloud database and authentication. Data stored in EU region. Health data encrypted at rest using AES-256 before storage.
  • Google Gemini API: AI language model. Your messages are sent to Google's API to generate responses. Google's data processing terms apply. Conversation data may be processed outside the EEA under appropriate safeguards.
  • Stripe: Payment processing. Subject to Stripe's own privacy policy and PCI-DSS compliance.

We may disclose data where required by law, court order, or to protect the rights, safety, or property of Phibbo or others.

6. Data Retention

  • Account data: Retained while your account is active. Deleted 30 days after account deletion request.
  • Consultation data: Retained until you delete it (via History page) or request account deletion.
  • Health profile: Retained until you clear it (via Profile page) or delete your account.
  • Phibbo memory: Retained until you clear it (via Settings → Phibbo Memory) or delete your account.
  • Usage logs: Retained for 90 days for abuse prevention.
  • Safety events: May be retained longer for safety record-keeping purposes.

7. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

Right of Access (Art. 15)

Request a copy of all data we hold about you.

Right to Rectification (Art. 16)

Correct inaccurate data via your Profile page.

Right to Erasure (Art. 17)

Delete all your health data via Profile → "Forget saved data".

Right to Restriction (Art. 18)

Request we limit processing of your data.

Right to Data Portability (Art. 20)

Receive your data in a structured format.

Right to Object (Art. 21)

Object to processing based on legitimate interests.

Right to Withdraw Consent

Withdraw health data consent at any time — toggle in Profile.

Right to Lodge a Complaint

File a complaint with the DPC at dataprotection.ie.

To exercise any right, email vijayharre10@gmail.com. We will respond within 30 days.

8. Security

We take security seriously. Health data is encrypted at rest using AES-256-GCM before being stored in Firestore. All data is transmitted over TLS. Authentication uses Google OAuth. We conduct regular security reviews and follow OWASP security best practices. Despite these measures, no system is 100% secure. In the event of a data breach affecting your rights, we will notify you and the DPC within 72 hours as required by GDPR Art. 33–34.

9. Cookies

Phibbo uses only essential functional cookies and browser local storage required for authentication (Firebase Auth tokens) and theme preference. We do not use advertising, tracking, or third-party analytics cookies. No cookie consent banner is required for strictly necessary cookies under the ePrivacy Directive.

10. International Transfers

Some of our processors (Google Gemini API, Stripe) may process data outside the EEA. Where data is transferred, we ensure appropriate safeguards are in place under GDPR Chapter V — including Standard Contractual Clauses (SCCs) where applicable.

11. Contact and Complaints

Data protection queries: vijayharre10@gmail.com.
You have the right to lodge a complaint with the Data Protection Commission (Ireland): dataprotection.ie · Tel: +353 (0)76 110 4800.

⚕️ Phibbo is not a doctor. Always consult a qualified healthcare professional.