Introduction
AWARE Clinic (“AWARE Clinic,” “we,” “us,” or “our”) is the data controller responsible for the personal information processed through our web application, mobile application, and any related services, features, and functionality (collectively, the “Service”).
This Privacy Policy explains the categories of information we collect, the purposes for which we use that information, the parties with whom we share it, how long we retain it, the rights you have over your data, and the technical and organisational measures we employ to protect it. This Policy should be read together with our Terms and Conditions.
We are committed to processing your data lawfully, fairly, and transparently. Where this Policy refers to “Personal Data,” it has the meaning given in the applicable data-protection law of your jurisdiction, including the EU General Data Protection Regulation (GDPR), the Egyptian Personal Data Protection Law No. 151 of 2020, the UK GDPR, and other applicable legislation.
Scope of this Policy
This Policy applies to all Personal Data and Health Data we collect when you create an account, use the Service, communicate with us, or interact with our website. It applies regardless of how you access the Service (web browser, mobile application, API, or other means) and regardless of your geographic location.
This Policy does not apply to third-party websites, applications, or services linked from the Service, even if they display the AWARE Clinic name or logo. We encourage you to review the privacy policies of any third-party service you interact with.
Data Controller
- Data Controller: AWARE Clinic
- Registered Jurisdiction: Arab Republic of Egypt
- Data Protection Contact: Available through the contact channels published on the Service.
For Users in the European Union, the appointed EU representative (where required under GDPR Article 27) can be reached through the same channels. We will update this section if a formal EU representative is appointed.
Information we Collect
4.1 Information you provide directly
- Account information: name, email address, password (stored as a cryptographic hash, never in plaintext), date of birth, gender, and profile details.
- Health Data: medical history, current symptoms, conditions, diagnoses, medications, allergies, lab results, MRQ questionnaire responses, treatment plans, lifestyle and dietary information, biometric data, and any other health-related information you provide or that is generated through your use of the Service. Health Data is classified as sensitive personal data / special category data under GDPR Article 9 and is subject to heightened protections as described in this Policy.
- Communications: messages exchanged with Healthcare Providers, support inquiries, feedback, and any other communications sent through or in connection with the Service.
- Payment information: payment card details are collected and processed directly by our payment processor, Stripe. AWARE Clinic does not store, process, or have access to your full card number, CVV, or PIN. We receive only a tokenised reference, transaction amounts, dates, and the last four digits of your card for record-keeping.
- Identity verification (Healthcare Providers): professional licence numbers, certifying authority details, proof of credentials, and jurisdictional practice information submitted during registration and periodic re-verification.
4.2 Information collected automatically
- Device and usage data: IP address, browser type and version, operating system, device identifiers, screen resolution, language preference, time zone, referring URL, pages visited, features used, clickstream data, session duration, and interaction patterns.
- Cookies and similar technologies: we use cookies, local-storage tokens, and similar technologies as described in section 12.
- Log data: server access logs, error logs, authentication events, and security-related events. These logs are retained in identifiable form for up to ninety (90) days and are then anonymised or deleted.
4.3 Information from third parties
- Google OAuth: if you sign in using Google, we receive your name, email address, and profile picture from Google via OAuth 2.0. We do not receive or store your Google password.
- Google Workspace integration: if you connect Google Calendar, Gmail, or Google Drive, we access only the specific scopes you authorise. We adhere to the Google API Services User Data Policy, including the Limited Use requirements (see section 9).
- Laboratory and diagnostic providers: where you or your Healthcare Provider authorise integration with third-party laboratory services, we may receive lab results and diagnostic data on your behalf.
How we Use your Information
We use your information for the following purposes:
- Service delivery: creating and managing your Account, facilitating appointments, enabling communication with Healthcare Providers, processing payments, and delivering the core features of the Service.
- Healthcare support: maintaining your digital health record, tracking symptoms, generating health-trend analytics, and supporting your Healthcare Provider in delivering clinical care.
- AI Features: generating algorithmic analyses, symptom-trend reports, nutritional insights, and wellness recommendations. All AI-generated outputs are informational only and do not constitute medical advice (see section 6).
- Communications: sending transactional emails (appointment confirmations, password resets, security alerts), service notifications, and, with your consent, marketing communications.
- Security and fraud prevention: detecting, investigating, and preventing unauthorised access, fraud, abuse, and security incidents.
- Legal compliance: complying with applicable laws, regulations, court orders, and regulatory requirements, including medical-records retention, tax reporting, and mandatory breach notifications.
- Service improvement: analysing anonymised and aggregated usage data to improve the Service, develop new features, fix bugs, and optimise performance. We do not use identifiable Health Data for analytics without your explicit consent.
- Dispute resolution: establishing, exercising, or defending legal claims.
AI Features and Automated Processing
The Service incorporates AI Features that analyse your Health Data to generate insights, trend reports, symptom correlations, nutritional recommendations, and other computationally derived outputs. It is important that you understand the following:
- All AI-generated outputs are provided for informational and educational purposes only. They do not constitute medical advice, diagnosis, or treatment.
- AI Features may produce inaccurate, incomplete, or misleading results. You must not rely on AI outputs as a substitute for the independent clinical judgement of a qualified Healthcare Provider.
- We do not use AI Features to make automated decisions that produce legal or similarly significant effects on you without human oversight. Where AI assists clinical workflows, the final clinical decision is always made by your Healthcare Provider.
- You may request human review of any AI-generated analysis or recommendation by contacting your Healthcare Provider or our support team.
- You have the right to object to automated processing of your data, including profiling, in accordance with your rights under applicable data-protection law (see section 10).
AWARE Clinic does not sell, license, or share your Health Data with third parties for the purpose of training external AI models or algorithms.
Legal Basis for Processing
Where the GDPR or equivalent legislation applies, we process your data on the following lawful bases:
| Processing activity | Lawful basis (GDPR) | Justification |
|---|---|---|
| Account creation & management | Performance of contract (Art. 6(1)(b)) | Necessary to provide the Service |
| Health Data processing | Explicit consent (Art. 9(2)(a)); health-care provision (Art. 9(2)(h)) | Special-category data requiring explicit consent |
| Payment processing | Performance of contract (Art. 6(1)(b)) | Necessary to process payments |
| Service communications | Performance of contract (Art. 6(1)(b)) | Essential service notifications |
| Security & fraud prevention | Legitimate interests (Art. 6(1)(f)) | Protecting Users and platform integrity |
| Analytics (anonymised) | Legitimate interests (Art. 6(1)(f)) | Service improvement; balanced against privacy |
| Marketing communications | Consent (Art. 6(1)(a)) | Opt-in only; withdrawable at any time |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Tax, medical-records, regulatory requirements |
| AI Features / analytics | Explicit consent (Art. 9(2)(a)); legitimate interests (Art. 6(1)(f)) | Informational outputs only; not automated decision-making |
Where we rely on legitimate interests, we have conducted a Legitimate Interest Assessment (LIA) to ensure that our interests do not override your fundamental rights and freedoms. You may request a copy of the relevant LIA through the contact channels published on the Service.
8.1 With your Healthcare Provider
Your clinical information (health records, symptom logs, lab results, treatment plans, and related communications) is shared with the Healthcare Provider(s) you are assigned to or have selected on the platform. This sharing is necessary to provide you with clinical care and is authorised by your explicit consent at the time of registration or appointment booking.
8.2 With authorised AWARE Clinic personnel
A limited number of authorised AWARE Clinic staff may access your Account information and, where necessary, Health Data for the purposes of providing technical support, ensuring platform safety, investigating complaints, and complying with legal obligations. All staff are bound by confidentiality obligations and receive regular data-protection training.
8.3 With third-party service providers (sub-processors)
We share data with third-party service providers who process data on our behalf, solely for the purposes described in this Policy. All sub-processors are bound by Data Processing Agreements (DPAs) requiring them to implement appropriate technical and organisational safeguards.
| Provider | Purpose | Data location | Transfer safeguard |
|---|---|---|---|
| Stripe | Payment processing | United States / EU | SCCs + DPA |
| Google Cloud / Workspace | Authentication, Calendar, Email, Drive | EU (primary), global | SCCs + DPA + Adequacy |
| Cloudflare | CDN, WAF, DDoS protection | Global edge network | SCCs + DPA |
| Railway / hosting | Application hosting | Germany, EU | DPA + GDPR compliance |
| Transactional email provider | Email delivery | EU / US | SCCs + DPA |
A complete, up-to-date list of sub-processors is available on request through the contact channels published on the Service. We will notify you of any material changes to our sub-processor list at least thirty (30) days before the change takes effect.
8.4 For legal reasons
We may disclose your data where required by law, court order, regulatory request, or governmental investigation. We may also disclose data where we reasonably believe disclosure is necessary to protect the rights, property, or safety of AWARE Clinic, its Users, or the public, or to detect and prevent fraud or security incidents.
8.5 Business transfers
If AWARE Clinic is involved in a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction, subject to the acquirer agreeing to honour the commitments made in this Privacy Policy and maintaining equivalent data-protection standards.
8.6 What we do not do
We do not sell your Personal Data or Health Data. We do not share your data with third parties for their own advertising, marketing, or commercial purposes. We do not use your data for behavioural advertising or ad targeting.
Use of Google API Services
AWARE Clinic uses Google API Services for authentication (OAuth 2.0) and optional integrations (Google Calendar, Gmail, Google Drive). Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
When you sign in using your Google account, we use Google OAuth 2.0 to authenticate you. The information received from Google is limited to your name, email address, and profile picture, and is used solely to identify and authenticate your account.
If you authorise additional Google integrations:
- Google Calendar: used solely to manage appointment scheduling. We access only calendar events related to AWARE Clinic appointments.
- Google Drive: used solely for document storage related to your health records on the platform.
- Gmail: used solely for sending transactional and service-related communications.
We do not use Google API data for advertising, do not transfer it to third parties for advertising purposes, and do not use it for purposes unrelated to the Service. You may revoke access to your Google account at any time through your Google Account permissions settings.
Your Rights and Choices
Subject to applicable data-protection law, you have the following rights regarding your Personal Data:
10.1 Additional rights by jurisdiction
- California residents (CCPA/CPRA): you have the right to know what Personal Data we collect, the purposes of collection, the categories of third parties with whom we share it, and the right to request deletion. You have the right to opt out of the sale of Personal Data (we do not sell your data). You have the right to non-discrimination for exercising your privacy rights.
- UK residents: you have equivalent rights under the UK GDPR. You may lodge a complaint with the Information Commissioner’s Office (ICO).
- Egyptian residents: you have rights under the Egyptian Personal Data Protection Law No. 151 of 2020, including the right to access, correct, and delete your data, and the right to withdraw consent.
10.2 How to exercise your rights
To exercise any of your rights, contact us through the contact channels published on the Service. We will respond within thirty (30) days, or such shorter period as required by applicable law. We may request identity verification before processing your request, and if we cannot verify your identity we may decline the request in order to protect your data. We do not charge a fee for processing rights requests, except where requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or decline to act.
International Data Transfers
Your Personal Data and Health Data are primarily stored in data centres located in Germany, within the European Union. However, some data-processing activities may involve transfers to countries outside the European Economic Area (EEA), for example where a sub-processor operates servers or support teams in the United States or other jurisdictions.
Where Personal Data is transferred outside the EEA, we ensure an adequate level of protection through one or more of the following safeguards:
- European Commission adequacy decisions recognising the destination country as providing an adequate level of data protection (GDPR Article 45).
- Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Article 46(2)(c)), incorporated into our agreements with all relevant sub-processors.
- Supplementary technical and organisational measures assessed on a case-by-case basis in accordance with the Schrems II framework, including encryption in transit and at rest, pseudonymisation, access controls, and contractual restrictions on government access.
- Binding Corporate Rules where applicable.
- Your explicit consent where required and where no other safeguard is available (GDPR Article 49(1)(a)).
You may request a copy of the Standard Contractual Clauses or other transfer safeguards through the contact channels published on the Service.
12.1 What we use
- Strictly necessary cookies: required for the Service to function (authentication tokens, session identifiers, CSRF protection, security cookies). These cannot be disabled.
- Functional cookies: remember your preferences (language, theme, display settings) to enhance your experience. These can be disabled but may reduce functionality.
- Analytics cookies: collect anonymised, aggregated usage data to help us understand how the Service is used and to improve it. We do not use analytics cookies to track individual users across websites.
- We do not use advertising, tracking, or behavioural-profiling cookies.
12.2 Managing cookies
You can manage cookie preferences through your browser settings. Where required by applicable law, we will display a cookie-consent banner allowing you to accept or reject non-essential cookies before they are placed. Disabling cookies may limit certain features of the Service.
12.3 Do Not Track
The Service does not currently respond to “Do Not Track” (DNT) browser signals, as there is no universally accepted standard for DNT. We do not engage in cross-site tracking.
Data Retention
We retain your data only for as long as necessary to fulfil the purposes described in this Policy, to comply with legal obligations, and to resolve disputes. The specific retention periods are as follows:
| Data category | Retention period | Legal basis |
|---|---|---|
| Account information | Duration of Account + 12 months post-closure | Contractual necessity; legitimate interests |
| Health Data / medical records | Minimum 10 years after last clinical encounter (or longer per applicable law) | Legal obligation; vital interests; explicit consent |
| Communications (clinical) | Same as Health Data retention | Legal obligation; contractual necessity |
| Communications (non-clinical) | Duration of Account + 12 months | Legitimate interests |
| Payment & billing records | 5–7 years per applicable tax/accounting law | Legal obligation |
| Technical logs (identifiable) | 90 days, then anonymised | Legitimate interests; security |
| Technical logs (anonymised) | Up to 12 months | Legitimate interests; analytics |
| Cookie & consent records | Duration of consent + 12 months | Legal obligation (ePrivacy) |
| Marketing preferences | Duration of Account | Consent |
When the applicable retention period expires, data is securely deleted using industry-standard methods (cryptographic erasure for encrypted data, secure overwrite for unencrypted data) or irreversibly anonymised within ninety (90) days. Anonymised data that can no longer identify you may be retained indefinitely for research and analytics.
Data Hosting and Information Security
14.1 Data hosting
All Personal Data and Health Data are stored in data centres located in Germany, within the European Union. Our hosting infrastructure providers maintain ISO 27001, SOC 2 Type II, and equivalent certifications. The data centres feature physical security controls including biometric access, 24/7 on-site security, CCTV surveillance, and environmental controls (fire suppression, climate control, redundant power).
14.2 Technical security measures
- Encryption at rest using AES-256 for all Personal Data and Health Data.
- Encryption in transit using TLS 1.2 or higher for all data transmissions.
- Cryptographic hashing (bcrypt) for passwords; we never store passwords in plaintext.
- Multi-factor authentication (MFA) enforced for all Healthcare Provider accounts and administrative access.
- Role-based access controls (RBAC) with least-privilege principles; access to Health Data is restricted to authorised personnel on a need-to-know basis.
- Web application firewall (WAF) and DDoS mitigation via Cloudflare.
- Automated vulnerability scanning and regular penetration testing conducted at least annually by independent third parties.
- Intrusion-detection systems (IDS) with real-time alerting and automated response.
- Database access auditing and logging for all queries accessing Health Data.
- Secure software development lifecycle (SSDLC) practices, including code review, static analysis, and dependency vulnerability scanning.
14.3 Organisational security measures
- All employees and contractors with access to Personal Data are bound by confidentiality agreements and receive data-protection training upon hire and annually thereafter.
- Background checks are conducted for personnel with access to Health Data.
- Incident-response plan documented, tested, and updated at least annually.
- Business-continuity and disaster-recovery plans with regular testing.
- Access reviews conducted quarterly; access to production systems revoked upon role change or departure within 24 hours.
No system can guarantee absolute security. While we implement industry-standard measures, we cannot warrant that unauthorised access, disclosure, or breach will never occur. If you believe that your Account has been compromised, please notify us immediately through the contact channels published on the Service.
Data Breach Notification
In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach (GDPR Article 33).
- Notify affected Users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34).
- Document the breach, its effects, and remedial actions in an internal breach register (GDPR Article 33(5)).
- Cooperate with supervisory authorities and law enforcement during any investigation.
- Take all reasonable steps to contain the breach, mitigate its effects, and prevent recurrence.
Breach notifications to you will include a description of the nature of the breach, the categories and approximate number of records affected, the likely consequences, the measures taken or proposed to address the breach, and contact information for our data-protection point of contact.
We also comply with the breach-notification requirements of the Egyptian Personal Data Protection Law No. 151 of 2020, UK GDPR, CCPA/CPRA, and any other applicable legislation.
Data Portability and Account Closure
16.1 Data export
You have the right to receive your Personal Data and Health Data in a structured, commonly used, and machine-readable format (JSON or CSV). To request a data export, contact us through the contact channels published on the Service. We will fulfil your request within thirty (30) days and make the export available for secure download.
16.2 Account closure
You may close your Account at any time through the in-app settings or by contacting us through the contact channels published on the Service. Upon Account closure:
- You will be offered the opportunity to export your data before closure is finalised.
- Active data processing will cease within forty-eight (48) hours.
- Data subject to legal-retention obligations (medical records, tax records) will be archived securely with access restrictions for the required retention period, then permanently deleted.
- Data not subject to legal retention will be permanently deleted within ninety (90) days.
- Anonymised or aggregated data that can no longer identify you may be retained for research and analytics.
Children’s Privacy
The Service is not intended for, and shall not be used by, anyone under the age of eighteen (18). We do not knowingly collect Personal Data from children under eighteen. If we discover that a child under eighteen has provided Personal Data, we will immediately suspend the relevant Account and delete all associated data. If you believe that a child has provided us with Personal Data, please contact us through the contact channels published on the Service.
Applicable Data Protection Laws
AWARE Clinic is committed to compliance with all applicable data-protection laws in the jurisdictions where it operates or serves Users. Our data-protection framework considers the following legislation:
- The General Data Protection Regulation (EU) 2016/679 (GDPR) as the primary framework governing data processed and stored in our German data centres.
- The Egyptian Personal Data Protection Law No. 151 of 2020 and its implementing regulations, applicable to AWARE Clinic’s operations as an entity registered in Egypt.
- The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, applicable to Users in the United Kingdom.
- The U.S. Health Insurance Portability and Accountability Act (HIPAA) to the extent applicable to Users in the United States.
- The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), applicable to California residents.
- Brazil’s Lei Geral de Proteção de Dados (LGPD) to the extent applicable.
- Any other applicable national, federal, state, or regional data-protection legislation in the User’s jurisdiction of residence.
Where there is a conflict between the requirements of multiple applicable data-protection laws, AWARE Clinic will apply the highest standard of protection reasonably achievable.
Data Protection Officer
AWARE Clinic has designated a Data Protection point of contact responsible for overseeing compliance with this Policy and applicable data-protection laws. The Data Protection contact can be reached through the contact channels published on the Service. Official contact details will be made available here.
The Data Protection contact is responsible for monitoring compliance, advising on data-protection impact assessments, cooperating with supervisory authorities, and serving as the point of contact for data-subject rights requests.
Data Protection Impact Assessments
AWARE Clinic conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals, in accordance with GDPR Article 35. This includes processing of Health Data at scale, implementation of new AI Features, and any significant changes to data-processing activities. DPIA records are maintained internally and are available for review by supervisory authorities upon request.
Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will notify you by email to the address associated with your Account and by posting a prominent in-app notification at least thirty (30) days before the changes take effect. The “Effective Date” at the top of this Policy will be updated accordingly.
Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the updated Policy. If you do not agree to the changes, you must stop using the Service and may request Account closure and data export in accordance with section 16.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or the way we handle your Personal Data, you may reach the AWARE Clinic team through the contact channels published on the Service. Official privacy, support, and security contact details will be made available here.
- Data Controller: AWARE Clinic
- Jurisdiction: Arab Republic of Egypt
- Data hosting: Germany, European Union
© 2026 AWARE Clinic. All rights reserved.