Privacy Policy

Health AI Technology Sdn. Bhd. ("we", "us" or "our") operates a website and app providing AI-driven healthcare tools (research, clinic solutions, and iridology-based self-diagnosis) to Malaysian users. We respect your privacy and comply with Malaysia's Personal Data Protection Act 2010 (PDPA) and app-store requirements. Our policy clearly explains what personal data we collect, how we use and protect it, and your rights. As mandated by Google Play policy, our privacy policy (publicly accessible via a non-geofenced URL) discloses all categories of personal and sensitive user data we access, and includes developer contact information and our data retention/deletion practices. This Privacy Policy covers data collected by our website and mobile app in Malaysia (our services are currently limited to Malaysia).

Information We Collect

We collect personal information that you provide when creating an account or using our services, and technical data automatically. This includes:

Account Information

Your name, email address, password, and any profile details you enter when you register or update your account. We use this to authenticate and manage your account.

Health and Sensitive Data

If you use our iridology self-diagnosis tool or health-tracking features, you may upload images of your iris or enter personal health details (e.g. medical history, symptoms). Biometric data such as an iris scan is considered sensitive personal data under Malaysian law. Processing this data requires your explicit consent. We collect only the health or iris data that you actively provide for the diagnosis tool, and never infer additional health data without your permission.

Device and Usage Data

We automatically collect technical details such as your device type, IP address, browser/device identifiers, and app usage logs (e.g. pages visited, features used). This data is used for analytics and to improve our service performance and security. It is not used to identify you personally.

Cookies and Tracking

We use cookies or similar technologies for essential purposes (keeping you logged in, remembering preferences) and for analytics. These help us understand usage patterns to enhance our service. Third-party analytics (e.g. Google Analytics) may collect anonymous usage data; we do not merge this with your personal account. We do not engage in hidden tracking or sell your browsing history or data to advertisers.

Currently, we do not collect any payment or credit card information because no purchases are processed. In the future, if we integrate a payment gateway (for the herb/supplement marketplace), we will explicitly request payment details at checkout. Such financial information (card numbers, billing info) will be collected with your consent and handled securely (see Security section). At all times, we do not sell your personal data or share it for marketing without your consent.

How We Use Your Information

We use your data strictly to provide and improve our services:

• Service Delivery: To operate the website/app, manage your account, and fulfill the requested services (e.g. generate iridology analysis).
• Personalization: To personalize your experience, such as greeting you by name, remembering your settings, or providing relevant health tips.
• Communications: To send you necessary communications (account notifications, service updates, or responses to your inquiries). If you opt in, we may also send occasional newsletters or health-related tips; you can unsubscribe anytime.
• Analytics and Improvement: To analyze trends and usage so we can improve the app. We use aggregated data to understand how people use features and where we can enhance functionality. This includes performance logs and crash reports to fix bugs.
• Legal and Compliance: To comply with legal obligations (e.g. retain records for statutory retention, respond to lawful requests by authorities) and to protect our rights (e.g. fraud prevention, enforcing our Terms of Service).

We rely on your consent for processing your personal and sensitive data for these purposes. You may withdraw consent at any time by contacting us (see Contact section). If you do, we will stop using your data in the manner consent was given (subject to legal obligations). For example, we use your health data only for the diagnostic feature you opted into; we will not repurpose it for anything else without asking you again.

Data Sharing and Disclosure

We do not sell or rent your personal data to third parties. We only share information in limited circumstances:

• Service Providers: We may share data with trusted third-party service providers who perform functions on our behalf (e.g. web hosting, email delivery, analytics, payment processors when implemented). Each provider must keep data secure and only use it to provide the contracted service.
• Legal Requirements: If required by law or by a court order, we may disclose specific user data to government authorities or courts. For example, we will comply with PDPA Commissioner's directions or respond to lawful requests (such as tax or audit requirements).
• Business Transfers: If our company merges or is acquired, your data may be transferred to the successor entity (subject to this policy). We would notify you if this occurs.
• Aggregate/De-Identified Data: We may share anonymous, aggregated data for research or marketing analysis, but it will never identify you personally.

Any sharing of sensitive personal data (health or biometric) beyond the above will only occur with explicit consent. For example, if we introduce new features involving health data sharing (like connecting with a healthcare provider), we will ask for your consent and update this policy. Except as above, we do not disclose your information to any other third parties, and certainly never for undisclosed or unrelated uses.

Security and Data Retention

We take data security seriously. We have implemented appropriate technical and organizational measures to protect your data from unauthorized access, loss or misuse. This includes industry-standard encryption (SSL/TLS) for data in transit, secure storage on our servers, and regular security reviews. Our team has access to personal data only on a need-to-know basis and we follow strict internal policies (staff training, password controls, etc.) to protect your information.

Under Malaysian law, we retain your personal data only as long as necessary for the purposes described. Specifically, data will be deleted or anonymized once it is no longer needed to provide the service or comply with legal obligations. For example, if you delete your account or request deletion, we will remove your data from active databases. We may keep minimal records (e.g. log of deletion request) if required by law (e.g. company account records retention rules). Any data retention for bookkeeping or tax purposes will follow the statutory periods (typically 7 years for accounting records). Otherwise, we periodically purge or anonymize old data.

We also adhere to PDPA's retention principle: "personal data shall not be kept longer than is necessary…and shall be destroyed or permanently deleted if it is no longer required for the purpose". If a data breach occurs, we will follow the PDPA breach-notification guidelines (notify the Commissioner and affected users if there is likely significant harm).

Cookies and Tracking

Our website/app may use cookies or similar technologies to enhance functionality. These are small data files placed on your device to remember preferences (e.g. language settings, login state). We use analytic cookies to measure site traffic and feature usage. You can control cookies in your browser settings or device, and opt out of analytics via provided links (e.g. Google Analytics opt-out). Disabling cookies may affect certain features. We do not use cookies to collect new personal data beyond what is stated above, nor do we share cookie data with ad networks.

Your Rights and Choices

You have control over your personal data. Under PDPA and applicable guidelines, you may:

• Access and Update: You can view or update your account information at any time by logging in. You may request a copy of the personal data we hold on you, and correct any inaccuracies.
• Consent Withdrawal: You may withdraw consent for processing of your personal data (e.g. stop our marketing emails) by contacting us or unsubscribing from emails. Withdrawal will not affect data processed prior to withdrawal or where we have other lawful reasons to keep it.
• Data Portability: You have the right to request that we transfer your personal data to another service provider (where technically feasible). Upon request, we will provide your data in a machine-readable format if possible. (This right is subject to technical feasibility and does not apply to aggregated/derived data.)
• Object or Limit Processing: You can object to or limit certain processing (e.g. analytics) by notifying us. We will stop the contested processing unless we have a compelling legal ground to continue.
• Account Deletion: If you have an account with us, you can request deletion of your account and associated data. As required by Google Play policy, we provide an easy way to delete your app account both within the app and on our website. When we delete your account at your request, we will also delete your personal and sensitive data linked to that account. Note that we may retain non-identifying log data or certain information if required for legal compliance (e.g. to prevent fraud, keep tax records); such retention will be explained at the time of request. Otherwise, your data will be fully erased from our systems.
• DPO Contact: By law, we have appointed a Data Protection Officer (DPO) to oversee PDPA compliance. You may contact our DPO at any time for requests or complaints.

We will respond to access, correction or deletion requests within a reasonable timeframe (typically 30 days) and inform you if we need more time or have legal reasons to refuse a request. If you are not satisfied, you may contact Malaysia's Personal Data Protection Commissioner for further assistance.

Changes to This Policy

We may update this Privacy Policy from time to time (e.g. when new features are added or when laws change). Any change will be effective when posted on our website, with the revised "Last Updated" date. We encourage you to review this policy periodically. We will notify you of major changes (e.g. via email or app notification) and obtain consent again if required. Our privacy policy is publicly accessible at our official website (no PDF or login required), in accordance with app store requirements.

Sources: This policy is informed by Malaysia's Personal Data Protection Act 2010 and official guidelines, as well as Google and Apple app store privacy requirements. We take these standards seriously to protect your data and comply with the law.