Privacy Policy

Effective Date: April 18, 2025.

Introduction to Our Privacy Policy

Welcome to AI DiagMe! Smart Medical Care Ltd (“we”, “us”, “our”) is deeply committed to protecting the privacy and security of your personal data. This Privacy Policy is designed to clearly explain how we handle your information. AI DiagMe is a trade name of Smart Medical Care Ltd.

This document details how we collect, use, and protect your personal data when you use our website, aidiagme.com (the “Site”), and our AI-powered lab result explanation services (the “Services”). Furthermore, it informs you about your data protection rights. We encourage you to read this entire privacy policy carefully. By using our Services, you acknowledge that you have reviewed this policy. For the processing of your health data specifically, we obtain your explicit consent separately.

1. Data Controller and Privacy Contact

Our Role as Data Controller

The data controller responsible for your personal data is:

  • Company: Smart Medical Care Ltd
  • Registered Office: 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom
  • Registration Number: 15309552
  • Contact Email: contact@aidiagme.com

Your Point of Contact for Privacy

For any questions regarding this privacy policy or your personal data, you can reach our Privacy Contact at the email address given above, contact@aidiagme.com.

Smart Medical Care Ltd operates in coordination with Smart Medical Care SAS (French SAS, RCS Nice 932 924 194), which manages operations within the European Economic Area. For users residing in the EEA, Smart Medical Care SAS may act as a point of contact for data protection inquiries.

2. The Personal Data We Collect

To provide and improve our Services, we collect several categories of personal data. This section of our privacy policy outlines what we collect.

  • Identification and Contact Data: This includes your name and email address. We use your name to help pseudonymize (de-identify) your lab report before AI processing and use your email to send you the generated AI report.
  • Health and Contextual Data: This category covers the lab analysis report file (e.g., blood, urine) that you upload. It also includes contextual information you provide, such as age, sex, and medical history, which helps us generate a more relevant explanation.
  • Transaction Data: We collect information related to your purchase, which our payment provider Stripe processes directly. While we do not store your full credit card details, we do keep a history of your transactions with us.
  • Technical and Interaction Data: Through tools like Google Analytics, we collect information about how you interact with our Site, subject to your cookie consent. This may include your IP address (anonymized where possible), browser type, and pages visited.
  • Cookie Data: We collect information via cookies as detailed in our Cookie Policy and based on your consent choices.
  • Communication Data: This includes any information you provide when you contact our customer support.

3. How We Use Your Data: Purposes and Legal Bases

Our privacy policy is built on processing your data for specific purposes under appropriate legal bases (such as the UK and EU GDPR).

  • To Provide the AI Service: We use your Health Data and Report to generate your AI explanation, based on your Explicit Consent.
  • To Pseudonymize Your Report: Your name helps us remove direct identifiers from the report before AI analysis. This process constitutes pseudonymization (not full anonymization), as contextual data you provide (age, sex, medical history) is retained to ensure the relevance of the AI explanation. This is a necessary step for the performance of our contract.
  • To Deliver Your Report: We use your email address to send the results, which is essential for the performance of our contract.
  • To Manage Payments and Accounts: Your transaction and contact data are used to manage payments and your customer relationship, based on the performance of our contract.
  • To Improve Site and Service Security: We analyze usage data to improve our platform. This processing is based on your Consent for analytics cookies and our Legitimate Interest in securing our services.
  • To Improve Our AI Models: We may use pseudonymized health data to improve our services, based on our Legitimate Interest. You have the right to opt out of this use.
  • To Fulfill Your Requests: When you contact support, we use your data to respond, based on our Legitimate Interest in providing excellent service.
  • To Comply with Legal Obligations: We may process any personal data as necessary to comply with the law.

4. Sharing Your Personal Data

We do not sell your personal data. This privacy policy confirms we only share your data with trusted third parties under strict conditions.

  • Service Providers (Processors): We share data with essential partners including Google Cloud for secure hosting. Regardless of your country of residence, all health data is hosted exclusively in France on Google Cloud servers certified for French Health Data Hosting (HDS) — the highest medical-data hosting standard in France.
  • Transactional Email Providers: We use external service providers (e.g., SendGrid, Mailgun) to deliver your AI-generated report via email. They temporarily process your email address and the report content strictly for technical routing and delivery purposes.
  • AI Infrastructure Providers: We use specialized routing services, such as OpenRouter, to securely interface with third-party AI models. Importantly, only rigorously de-identified data is sent to these providers to generate your report.
  • Legal and Business Obligations: We may disclose data if required by law or during a business transfer (like a merger), ensuring the new entity upholds our privacy policy commitments.

We require all partners to respect the security of your data and treat it lawfully, signing strict Data Processing Agreements (DPAs) to ensure the strict confidentiality of your information.

5. International Data Transfers and This Privacy Policy

As a UK-based company operating internationally, we process data across multiple jurisdictions. This section explains how we protect your data depending on where you reside.

If You Reside In The European Economic Area (EEA)

Your health data (lab reports, contextual information, and AI-generated reports) is hosted exclusively in France on Google Cloud servers certified for French Health Data Hosting (HDS). This certification meets the strictest European regulatory standards for sensitive health data. Your health data is not transferred outside of France for storage purposes.

However, in order to generate your AI report, pseudonymized data (your lab results with direct identifiers such as your name removed, but retaining contextual data such as age, sex, and medical history) is transmitted to our AI infrastructure provider, OpenRouter Inc., located in the United States. This transfer is governed by Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical safeguards including the pseudonymization process itself, which significantly reduces the risk associated with this transfer.

Analytics data (Google Analytics) is transferred to the United States under the EU-US Data Privacy Framework (DPF). Google LLC is certified under the DPF. Payment data is processed by Stripe Inc. in the United States, also certified under the DPF.

Smart Medical Care Ltd operates in coordination with Smart Medical Care SAS, a French company (RCS Nice 932 924 194), which manages operations within the EEA. For further information about how your data is handled within the EEA, you may contact us at contact@aidiagme.com.

If You Reside In The United Kingdom

Your health data is hosted in France on Google Cloud servers certified for French Health Data Hosting (HDS). Transfers between the United Kingdom and France are covered by the European Commission’s adequacy decision regarding the United Kingdom. Transfers to the United States (OpenRouter, Google, Stripe) are governed by the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge) and, where applicable, by the UK International Data Transfer Agreement (UK IDTA).

If You Reside In The United States Or Elsewhere

Your health data is hosted in France on Google Cloud servers certified for French Health Data Hosting (HDS) — the highest health-data hosting standard available. There is no legal requirement under U.S. law to keep your medical data within the United States; we have chosen French HDS hosting because it offers the strongest security and regulatory framework for sensitive health data. The pseudonymized data transmitted to OpenRouter for AI processing remains within the United States.

If you reside in a jurisdiction with specific data protection laws (such as US state privacy laws), please refer to our Terms & Conditions for information about your specific rights.

Important Note On Pseudonymization Before Transfer

Regardless of your location, all lab reports are pseudonymized before being sent to our AI infrastructure provider. This means that your name and surname are automatically removed from the document. However, contextual data (age, sex, medical history) is retained to ensure the relevance of the AI explanation. This process constitutes pseudonymization within the meaning of Article 4(5) of the GDPR, not irreversible anonymization. We apply this safeguard as an additional layer of protection for all users worldwide.

6. Our Commitment to Data Security

We implement robust technical and organizational security measures to protect your personal data. These include:

Unified Health Data Hosting in France (HDS). Regardless of your country of residence, all health data is hosted exclusively in France on Google Cloud servers certified for French Health Data Hosting (HDS) — the highest health-data hosting standard in France. Google Cloud also holds comprehensive security certifications including ISO 27001 and SOC 2 Type II.

Pseudonymization Before AI Processing. Before any lab report is transmitted to our AI infrastructure provider for analysis, our system automatically detects and removes direct identifiers (name, surname) from the document. Contextual data (age, sex, medical history) is retained to ensure the relevance of the AI-generated explanation. This process reduces the risk of re-identification by external providers, while maintaining the quality of the service.

Encryption In Transit And At Rest. All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security). All stored data is encrypted at rest using AES-256 encryption on Google Cloud infrastructure.

Strict Internal Access Controls. Access to personal data and health data is restricted to authorized personnel only, following the principle of least privilege. Multi-factor authentication (MFA) is mandatory for all access to production environments. Access rights are reviewed quarterly.

Continuous Monitoring. We use Google Cloud monitoring tools to detect anomalies and potential security threats. Security incidents are managed according to our Incident Response Plan, with defined escalation procedures and notification timelines.

Regulatory Confirmation. The AI DiagMe service has been confirmed as a non-medical device by the French National Agency for the Safety of Medicines and Health Products (ANSM) (reference GIO 23593272, file 2500297). This classification has been obtained following a thorough review of our service by the ANSM’s Innovation Desk.

7. Data Retention Policy

We retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, including for satisfying any legal, accounting, or reporting requirements. The retention period for your main personal data depends on the status of your account. Important note regarding user accounts: Currently, our service operates without formal account creation. Your historical data (contextual information and generated AI reports) is associated with your email address and retained for a maximum of 3 years after your last use, in anticipation of the deployment of our secure patient portal.

Once this portal is officially launched, the following provisions will fully apply and the retention period for your main personal data will depend on the status of your account:

  • For Active Accounts: Your account data, contact and contextual information, and your generated AI reports are retained as long as your account is active. This allows you to use our Services and access your history through the patient portal.
  • For Deactivated Accounts: Upon deactivation, we retain your data (account, contact, context, AI reports) for a maximum period of 3 years. This allows you to reactivate your account during this time. At the end of this period, without reactivation, this data will be permanently deleted.
  • Original Report: In line with the principle of data minimization, we will retain this file for a maximum of 90 days to resolve any potential delivery issues, after which it will be securely deleted.
  • Transaction Data: Retained for the period required by our legal and accounting obligations (typically 6 years in the United Kingdom).
  • De-identified Data for AI Improvement: Data from which direct identifiers have been removed may be used for research and improvement of our AI models, based on our Legitimate Interest. As contextual data (age, sex, medical history) is retained, this data remains subject to GDPR protections as pseudonymized data. You have the right to opt out of this use by contacting us.

A request to permanently delete your account will trigger the erasure of all data listed above, except where we have an overriding legal obligation to retain it (such as transaction data) or for data that has already been irreversibly de-identified.

8. Your Data Protection Rights Under This Policy

Depending on your location, you have rights regarding your personal data.

  • Right of Access, Rectification, and Erasure: You can request a copy of your data, correct it, or ask for its deletion.
  • Right to Restrict or Object: You can object to processing based on our legitimate interests (like using de-identified data for AI improvement).
  • Right to Withdraw Consent: You can withdraw consent for processing health data at any time.

Managing Your Account: Deactivation and Deletion

You have the right to erase your personal data. With the launch of our patient portal, you will have two distinct options to manage your account and data directly from your personal dashboard:

  • Deactivate Your Account: This option allows you to take a break from our Services. Your account and personal data (including your profile, AI reports, etc.) will no longer be actively accessible but will be securely stored for a period of 3 years. This allows you to reactivate your account and access your history at any time during this period. If your account is not reactivated within 3 years, it and all associated personal data will be permanently deleted, except for data subject to a legal retention obligation.
  • Permanently Delete Your Account: This option corresponds to exercising your Right of Erasure. It will trigger the irreversible and prompt deletion of your account and all associated personal data (profile, uploaded documents, AI reports), subject to our legal retention obligations (notably for transaction data). Once you perform this action, your data cannot be recovered.

How to Exercise Your Rights

Pending the official launch of the patient portal, you can exercise your right to erasure and request the permanent deletion of your data (linked to your email) at any time by contacting us directly at contact@aidiagme.com. As soon as the portal becomes available, the options to deactivate and permanently delete your account will be directly accessible from your online settings.

9. Children’s Privacy Policy

Our Services are not intended for individuals under 18. Consequently, we do not knowingly collect personal data from minors.

10. Cookies and Tracking Technologies

Our Cookie Policy provides detailed information on our use of cookies. Please consult it to learn how to manage your preferences.

11. Changes to This Privacy Policy

We may update this privacy policy periodically. The “Effective Date” at the top will always indicate the latest version. We encourage you to review this page regularly.

12. How to Lodge a Complaint

If you have concerns about our data handling, please contact us first. You also have the right to lodge a complaint with a supervisory authority, such as the Information Commissioner’s Office (ICO) in the UK.

If you reside in the European Economic Area, you may also lodge a complaint with the data protection authority in your country of residence. In France, this is the Commission Nationale de l’Informatique et des Libertés (CNIL) — www.cnil.fr.

13. Additional Company Resources

  • Publications: Discover our articles and insights.
  • Get started: Learn how our AI-powered tool works.
  • FAQ: Find answers to common questions about data security and tool usage.
  • French website: For French speakers, please visit aidiagme.fr