Privacy Policy

Last updated: March 11, 2026


1. Introduction

YouDoo Health Technologies ("YouDoo", "we", "us", or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use the YouDoo platform ("Service").

We process personal data in compliance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection legislation.

2. Data Controller

The data controller responsible for your personal data is:

YouDoo Health Technologies
Email: privacy@youdoo.ai

3. Data We Collect

3.1 Account Data

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored as a bcrypt hash — we never store plaintext passwords)
  • Account type and role
  • Organisation affiliation (if applicable)

3.2 Health and Wellness Data

When you use the Service as a patient, we collect health-related data including:

  • Medical history and conditions (provided during onboarding)
  • Pain diary entries (location, intensity, type, triggers)
  • Therapy session transcripts and AI-generated summaries
  • Exercise completion records and feedback
  • Goals, preferences, and mobility assessments
  • Progress statistics and adherence data

Health data is classified as special category data under Article 9 of the GDPR. We process this data based on your explicit consent provided during account registration and onboarding.

3.3 Voice and Audio Data

If you use voice-based therapy sessions, we process voice audio through our speech-to-text provider (ElevenLabs) to transcribe your conversations. Audio data is processed in real time and is not permanently stored. Only the text transcripts are retained.

3.4 Technical Data

We automatically collect:

  • IP address
  • Browser type and version
  • Device information
  • Session cookies and authentication tokens
  • Usage patterns and feature interaction data

3.5 Organisation and Employee Data

When an organisation registers for the Service, we collect:

  • Organisation name and details
  • Administrator contact information
  • Department and location structures
  • Employee names and email addresses (for programme enrolment)
  • Aggregated, anonymised wellness programme analytics

4. How We Use Your Data

We use your personal data for the following purposes:

Purpose | Legal Basis (GDPR)
Providing and personalising the Service | Performance of contract (Art. 6(1)(b))
Processing health data for therapy features | Explicit consent (Art. 9(2)(a))
AI-powered exercise recommendations | Explicit consent (Art. 9(2)(a))
Clinical safety monitoring (red flag detection) | Vital interests (Art. 9(2)(c))
Expert clinical review and quality assurance | Explicit consent (Art. 9(2)(a))
Aggregated organisation analytics | Legitimate interest (Art. 6(1)(f))
Account management and communication | Performance of contract (Art. 6(1)(b))
Payment processing | Performance of contract (Art. 6(1)(b))
Security and fraud prevention | Legitimate interest (Art. 6(1)(f))

5. AI Processing and Memory

YouDoo uses artificial intelligence (Anthropic Claude) to provide personalised health guidance. This includes:

  • Session analysis: AI processes your therapy session transcripts to generate summaries, recommendations, and progress insights.
  • Memory system: Key facts from your sessions are extracted and stored as vector embeddings to personalise future interactions. You can request deletion of your memory data at any time.
  • Exercise recommendations: AI considers your condition, pain levels, and history to suggest appropriate exercises.
  • Red flag detection: AI monitors session content for clinical safety concerns, which are escalated for expert review.

All AI-generated recommendations are subject to expert clinical review through our panel review system. No fully automated decisions with legal or similarly significant effects are made without human oversight.

6. How Employee Data Is Processed

When an organisation enrols employees in a YouDoo wellness programme:

  • Individual health data is private. Organisations cannot access individual employee therapy sessions, pain logs, exercise records, or AI conversation transcripts.
  • Organisations receive only aggregated analytics — participation rates, programme engagement trends, and anonymised wellness metrics. No data can be traced back to individual employees.
  • Employees maintain full control over their personal health data, including the right to delete it regardless of their employment status.
  • Employee accounts persist independently of organisation membership. If an employee leaves the organisation, their personal data and history remain under their control.

7. Data Sharing and Third Parties

We share personal data only with the following categories of recipients:

Recipient | Purpose | Location
Anthropic | AI processing (Claude) | USA (with Standard Contractual Clauses)
ElevenLabs | Voice processing (STT/TTS) | USA (with Standard Contractual Clauses)
Stripe | Payment processing | USA (with Standard Contractual Clauses)
Resend | Transactional emails | USA (with Standard Contractual Clauses)
Hetzner | Infrastructure hosting | Germany / EU
Google | OAuth authentication (optional) | USA (with Standard Contractual Clauses)

We do not sell your personal data. We do not share individual health data with employers or any other third parties beyond those listed above.

8. Data Retention

  • Account data: Retained for the lifetime of your account plus 30 days after deletion.
  • Health data: Retained for the lifetime of your account. Deleted within 30 days of account deletion or upon request.
  • Session transcripts: Retained for the lifetime of your account for continuity of care.
  • Memory embeddings: Retained until you request deletion or delete your account.
  • Payment data: Retained as required by tax and accounting regulations (typically 10 years under German law).
  • Technical logs: Retained for up to 90 days for security and debugging purposes.

9. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15) — obtain a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to erasure (Art. 17) — request deletion of your data
  • Right to restriction (Art. 18) — limit how we process your data
  • Right to data portability (Art. 20) — receive your data in a machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — withdraw consent for health data processing at any time
  • Right to lodge a complaint with a supervisory authority

To exercise any of these rights, contact us at privacy@youdoo.ai. We will respond within 30 days.

10. Data Security

We implement appropriate technical and organisational measures to protect your data:

  • All data is encrypted in transit (TLS/SSL) and at rest
  • Passwords are hashed using bcrypt with salt
  • Authentication uses secure JWT tokens with HTTP-only cookies
  • Infrastructure is hosted on Hetzner servers in Germany
  • Access controls enforce role-based permissions
  • Regular security reviews and updates

11. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). For these transfers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection of your data.

12. Cookies

YouDoo uses only essential cookies required for authentication and session management. We do not use advertising or tracking cookies. Essential cookies include:

  • Session token: Maintains your authenticated session
  • CSRF token: Protects against cross-site request forgery
  • Callback URL: Manages authentication redirects

13. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such data.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the Service. The "Last updated" date at the top indicates when the policy was last revised.

15. Contact

For any privacy-related questions or to exercise your data rights, contact us at:

You also have the right to lodge a complaint with your local data protection supervisory authority.