Privacy Policy
This Privacy Policy explains what information ChronicGPT Inc. ("ChronicGPT," "we," "us," or "our") collects, how we use it, when we disclose it, and the choices you have when you access or use our website, applications, and related services available at https://www.chronicgpt.com (collectively, the "Services").
Effective Date: June 9, 2026
Privacy Promise — Plain-English Summary
This summary is provided for clarity. The full policy below controls if there is a conflict.
No sale of health data
We do not sell your health information, Apple Health/HealthKit data, CGM data, symptoms, conversations, or medical records.
No health-data advertising
We do not use or disclose health, fitness, or medical data for third-party advertising, targeted advertising, marketing attribution, or data-broker purposes.
User permission first
We ask for permission before collecting sensitive health data, connecting Apple Health/HealthKit, importing CGM or wearable data, or sharing records with care partners.
HealthKit consent in context
Before requesting Apple Health permissions, ChronicGPT explains in the app which Apple Health data categories are requested and why. You choose which categories to share.
AI transparency
ChronicGPT uses AI to support coaching, triage, summaries, and care workflows. AI is not a substitute for emergency care or independent clinician judgment.
Human review where required
Clinical decisions, prescriptions, or care changes that legally or clinically require clinician review will involve licensed clinician review.
Geographic focus
The Services are intended for users in the United States and India only.
Control and deletion
You may access, correct, export, and request deletion of your account data and previously imported Apple Health data, subject to legal retention and safety/audit requirements.
1. Scope and who we are
ChronicGPT Inc. d/b/a ChronicGPT ("ChronicGPT," "we," "us," or "our") provides digital health, wellness, AI coaching, care-navigation, and related services through our iOS app, website, and related communications (the "Services"). This Privacy Policy explains what information we collect, how we use it, when we disclose it, and the choices you have. The Services are intended only for users located in the United States and India. We do not intentionally offer the Services to users in the European Union, United Kingdom, or other jurisdictions unless we separately launch there and update this policy. This policy applies to ChronicGPT direct-to-consumer services and, where applicable, services we provide with clinicians, care teams, employers, health plans, or healthcare organizations. If we provide services on behalf of a HIPAA-covered healthcare provider or health plan, we may act as a business associate and additional HIPAA terms or a Notice of Privacy Practices may apply. If you use ChronicGPT directly for your own health management, HIPAA may not apply to that activity, but we still protect health information using strong safeguards and privacy-by-design practices.
2. Data we collect
We collect only the information reasonably needed to provide, secure, improve, and support the Services. Depending on the features you use, we may collect the following categories:
- Account and contact data: name, email address, phone number, password credentials, authentication identifiers, preferred language, and communication preferences.
- Profile and demographic data: age or date of birth, sex assigned at birth, gender, height, weight, location at country/state level where required for legal or clinical availability, and other profile details you choose to provide.
- Health and wellness data: symptoms, diagnoses you report, medications, allergies, conditions, goals, food intake, nutrition logs, glucose values, CGM data, blood pressure, heart rate, sleep, activity, weight, lab values, health records, photos of meals or labels, and other information you enter or authorize us to receive.
- AI conversation and care data: messages, chat transcripts, voice inputs, images, clinical summaries, generated responses, safety flags, clinician review notes, and support interactions.
- Device and app data: device type, operating system, app version, crash logs, security events, approximate location inferred from IP address, session identifiers, and feature usage events.
- Payment and subscription data: plan, transaction status, billing identifiers, and payment processor metadata. We use payment processors such as Apple, Stripe, Razorpay, banks, card networks, and UPI providers and do not store full card numbers.
- Identity verification data: where required for medical-record access, prescription-related workflows, fraud prevention, or legal compliance, we may collect or receive identity-verification results from vendors you authorize.
- Support and communications data: emails, support tickets, call notes, consent records, notification preferences, and SMS opt-in/opt-out status.
We treat health, biometric-adjacent, medication, symptom, CGM, wearable, HealthKit, and medical-record information as sensitive information even when a specific law does not label it that way.
3. How we collect data
- Directly from you: when you create an account, answer onboarding questions, chat with ChronicGPT, log meals, scan food, upload documents, provide photos, connect devices, or contact support.
- From Apple Health/HealthKit and device permissions: only after you grant permission for specific data types, such as steps, heart rate, sleep, blood glucose, weight, or workouts. Before requesting Apple Health permissions, we provide an in-app explanation of the categories requested and the purpose for the request.
- From connected devices and services: such as Dexcom, Abbott/Libre, Oura, Apple Watch, Fitbit, other wearables, labs, medical-record networks, or provider portals when you authorize the connection.
- Automatically: through essential cookies, app diagnostics, security logs, and privacy-preserving analytics.
- From service providers: such as payment processors, messaging providers, identity-verification vendors, cloud infrastructure providers, and customer-support tools.
You can choose not to provide some information, but certain Services may not work without it. For example, glucose coaching requires glucose data; meal guidance requires meal or nutrition information; and medical-record retrieval requires identity verification and authorization.
4. How we use data
We use information for the following purposes:
- Provide and personalize the Services: create your account, respond to health questions, generate summaries, track goals, estimate nutrition, analyze trends, manage reminders, and provide coaching or care navigation.
- Clinical safety and escalation: detect potential emergencies, unsafe medication-related requests, high-risk symptoms, or other situations where human review or emergency guidance may be appropriate.
- Connected data processing: import, normalize, display, and analyze data from HealthKit, CGMs, wearables, labs, and health records that you authorize.
- Service operations: customer support, payment processing, account administration, fraud prevention, debugging, security monitoring, and compliance.
- Product improvement: improve workflows, user experience, accuracy, reliability, and safety. We prefer aggregated, de-identified, or pseudonymized data whenever practical.
- Research and model evaluation: only with appropriate consent or when data has been de-identified in accordance with applicable law and internal governance.
- Legal compliance: respond to valid legal requests, enforce terms, maintain required records, and comply with privacy, healthcare, tax, consumer-protection, and telecommunications laws.
We do not train public foundation models on your identifiable health information. HealthKit data is not used to train public foundation models, for unrelated product development, or for advertising, targeted advertising, marketing attribution, data-broker disclosure, or other use-based data mining. If we use AI vendors or cloud AI infrastructure, we require contractual and technical protections designed to prevent those vendors from using your identifiable health data to train their general models.
5. AI, automation, and clinical safety
ChronicGPT uses artificial intelligence and rules-based logic to support health coaching, symptom triage, food recognition, nutrition estimation, glucose and wearable-data analysis, summaries, reminders, care navigation, and other Services. AI outputs can be wrong, incomplete, biased, or not appropriate for your situation.
- No emergency service: ChronicGPT is not an emergency medical system. If you may be experiencing a medical emergency, call local emergency services immediately.
- Not a sole basis for care: Do not use AI-generated information as the sole basis for diagnosis, medication changes, or urgent medical decisions.
- Human review: Where the Services include clinician services, prescription-related workflows, or decisions that legally or clinically require clinician judgment, licensed clinicians will review as required before the decision is finalized.
- Right to request review: You may request human review of an AI-generated clinical summary, risk flag, recommendation, or care-navigation decision by contacting support@chronicgpt.com or privacy@chronicgpt.com.
- Safety monitoring: We may log prompts, outputs, safety flags, and reviewer actions to improve safety, audit the service, and investigate incidents.
- Explainability: When practical, we provide the main reasons or data points behind AI-generated health insights, such as recent glucose trends, meal logs, sleep patterns, or wearable signals.
6. Apple HealthKit, CGM, wearables, and device permissions
If you choose to connect Apple Health/HealthKit, CGMs, wearables, or other devices, ChronicGPT will request permission only for the specific categories needed for the feature you use. Connecting Apple Health is optional. Before requesting Apple Health permissions, ChronicGPT will explain in the app which Apple Health data categories are requested and why. You may choose which categories to share, deny access, or revoke access later in Apple Health or iOS Settings.
- HealthKit data: We use HealthKit data only to provide health, wellness, coaching, and user-facing analytics features. We do not use HealthKit data for advertising, targeted advertising, marketing attribution, data-broker disclosure, unrelated product development, or public foundation-model training.
- Granular control: Apple allows you to control each HealthKit data category separately. If you revoke access, future syncing stops. Data already imported into ChronicGPT may remain until deleted under our retention rules or legal, safety, audit, and clinical-retention requirements.
- Deletion of imported HealthKit data: You may request deletion of Apple Health data previously imported into ChronicGPT, subject to legal, safety, audit, dispute, healthcare, and clinical-retention requirements.
- CGM and wearable data: We may collect glucose readings, trend data, sleep, heart rate, activity, weight, or related device data after you authorize the connection. You can disconnect these integrations at any time.
- On-device permissions: Camera, microphone, photo, notification, motion, or location permissions are requested only when needed. For example, camera access may be used to scan a meal, barcode, medication label, or document.
7. How we disclose data
We disclose information only as described below and only to the extent reasonably necessary:
- Service providers and processors: cloud hosting, analytics configured to avoid health-data advertising use, payment processing, customer support, communications, identity verification, security, and debugging.
- Healthcare and care partners: clinicians, care teams, labs, pharmacies, medical-record networks, health information exchanges, or other providers when you request or authorize sharing, or when legally permitted for care and safety.
- User-authorized sharing: people or organizations you choose, such as a caregiver, doctor, coach, family member, or employer program, when you explicitly direct us to share.
- Legal and safety disclosures: to comply with law, valid legal process, regulatory obligations, audits, or to protect you, others, or the public from serious and imminent harm.
- Business transfers: in connection with a merger, financing, acquisition, reorganization, bankruptcy, or sale of assets, subject to confidentiality and this policy or a policy with materially equivalent protections.
- De-identified or aggregated data: information that does not reasonably identify you may be used or disclosed for analytics, research, product development, safety evaluation, or business reporting.
We require vendors that handle personal information to use appropriate safeguards and to process data only for authorized purposes. Where HIPAA applies, we use business associate agreements where required. Where Indian law applies, we use data-processing arrangements appropriate for processors handling personal data on our behalf.
8. Advertising, analytics, cookies, and tracking
We do not sell your personal information or health information. We do not share health, fitness, medical, HealthKit, CGM, wearable, symptom, medication, or conversation data with advertising platforms, data brokers, or third-party ad networks.
- Analytics: We may use privacy-preserving analytics to understand app performance, crashes, feature use, and aggregate behavior. Analytics events should not include PHI, sensitive health details, HealthKit data, CGM values, symptoms, diagnoses, medication names, or chat contents unless explicitly approved through a privacy/security review.
- Cookies and similar technologies: Our website may use essential cookies and limited analytics cookies. You can manage browser cookie settings. We do not use cookies to retarget users based on health information.
- App tracking: We do not track you across apps or websites owned by other companies for advertising without required consent. If we ever introduce tracking as Apple defines it, we will request permission through Apple's App Tracking Transparency framework and update this policy.
- Marketing attribution: If we use campaign measurement, it must be configured to avoid sending health information or sensitive account data to advertising platforms.
9. SMS, email, push notifications, and in-app messages
We may send account, security, support, treatment-related, program, or reminder communications by in-app message, push notification, email, phone, or SMS if you provide the relevant contact information or enable notifications.
- Sensitive channels: SMS, email, and push notifications may not be end-to-end encrypted and may be visible to carriers, email providers, device manufacturers, or people with access to your device.
- Limited content: We avoid sending highly sensitive health details in SMS, email, or push notifications unless you authorize it or it is necessary for safety or service delivery.
- Opt out: You can change notification settings in the app or your device settings. For SMS, you may text STOP where supported. Transactional or legally required messages may still be sent when permitted by law.
- Separate marketing consent: Promotional SMS or email requires separate consent where required by law and is separate from care-related or transactional communications.
10. Data retention and deletion
We retain personal information only for as long as reasonably necessary for the purposes described in this policy, unless a longer period is required or permitted by law, safety, audit, dispute, tax, healthcare, or regulatory obligations.
- Account data: retained while your account is active and for a reasonable period after deletion to complete requests, prevent fraud, satisfy legal obligations, and maintain audit logs.
- Health records and clinical records: if we create or maintain medical records, AI clinical summaries, prescription-related records, or clinician-review records, they may be retained for at least 7 years or longer where required by applicable law.
- Apple Health/HealthKit data: you may request deletion of Apple Health data previously imported into ChronicGPT. We will delete it unless retention is required or permitted for legal, safety, audit, dispute, healthcare, clinical, or regulatory reasons.
- De-identified data: may be retained without a fixed deletion period because it is not reasonably linkable to you.
- Backups: deleted information may persist in encrypted backups for a limited period until overwritten according to our backup lifecycle.
- Dormant accounts: we may deactivate accounts after 24 months of inactivity after reasonable notice, while retaining records as required by law or legitimate business needs.
You may request deletion by emailing privacy@chronicgpt.com. We will process deletion requests within the time required by applicable law and explain any data we must retain.
11. Security safeguards
We use administrative, technical, and physical safeguards designed to protect personal and health information. No system can be guaranteed completely secure, but we design the Services with health-data sensitivity in mind.
- Encryption in transit and at rest for sensitive data.
- Role-based access controls, least-privilege access, and multi-factor authentication for administrative systems.
- Access logging, security monitoring, vulnerability management, and incident response procedures.
- Segregation of production data and controlled access to audit logs.
- Vendor review and contractual obligations for providers that process personal or health data.
- Data minimization and de-identification or pseudonymization where practical.
- Employee and contractor confidentiality obligations and privacy/security training.
12. Your privacy rights in the United States
Depending on your state and the data involved, you may have rights to know, access, correct, delete, obtain a copy of, or limit certain uses of your personal information or consumer health data. You may also have the right to withdraw consent, opt out of certain sharing, appeal a denied request, or designate an authorized agent. We honor applicable US privacy rights, including rights under state consumer privacy and consumer health-data laws where they apply. We do not sell personal information or consumer health data. We do not use sensitive health data for targeted advertising. If HIPAA applies to a particular service, you may also have HIPAA rights such as access, amendment, accounting of disclosures, restrictions, confidential communications, complaint rights, and breach notification rights. HIPAA rights will be described in the applicable Notice of Privacy Practices or service-specific notice. To exercise rights, contact privacy@chronicgpt.com. We may need to verify your identity before responding. We will not discriminate against you for exercising privacy rights.
13. Your privacy rights in India
For users in India, we process digital personal data in accordance with applicable Indian privacy law, including the Digital Personal Data Protection Act, 2023 as and when applicable to our Services. Where consent is the basis for processing, consent should be free, specific, informed, unambiguous, and limited to the stated purpose.
- You may request information about personal data processed by us and the purposes of processing.
- You may request correction, completion, updating, or erasure of personal data, subject to legal exceptions.
- You may withdraw consent, and we will stop processing data based on that consent unless continued processing is required or authorized by law.
- You may submit grievances to our grievance contact listed below.
- Where required, notices and consent flows will be made available in English and supported Indian languages relevant to the Services.
India grievance contact: grievance@chronicgpt.com.
14. Children and age limits
The Services are intended for adults 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we learn that a person under 18 has provided information, we will take reasonable steps to delete it unless retention is required for safety, legal, or compliance reasons.
15. International transfers
ChronicGPT is based in the United States. If you use the Services from India, your information may be processed in the United States, India, or other countries where our service providers operate. We use contractual, technical, and organizational safeguards intended to protect personal information when it is transferred or processed across borders. We will comply with applicable data localization, transfer, or government-notification requirements if they become applicable to our Services.
16. Breach and incident notifications
If we determine that a security incident or breach requires notice under applicable law, we will notify affected users, regulators, credit agencies, media, healthcare partners, or other parties as required. Notices will describe, as legally required and reasonably available, what happened, what information was involved, what we are doing, and steps you can take to protect yourself.
17. Changes to this policy
We may update this policy as our Services, legal obligations, or privacy practices change. We will post the updated policy with a new effective date. For material changes, we will provide additional notice, such as in-app notice, email, website banner, or renewed consent where required.
18. Contact information
ChronicGPT Inc. d/b/a ChronicGPT
5159 Steinbeck Circle
Flower Mound, TX 75022
United States
Email: privacy@chronicgpt.com
Support: support@chronicgpt.com
Phone: (469) 850-9205
India grievance contact: grievance@chronicgpt.com
You may file a privacy complaint with us at privacy@chronicgpt.com. We will not retaliate against you for filing a complaint or exercising privacy rights.