Privacy Policy

This Privacy Policy describes how Kimya Labs LLC ("Kimya Labs," "we," "us," or "our") collects, uses, and shares information about you through the Ruya Health product family, which includes:

• ruyahealth.com — our public marketing site
• app.ruyahealth.com — our consumer health-education chat application
• platform.ruyahealth.com — our enterprise platform for health plans and self-insured employers (when accessed for marketing, demos, or account self-service before a contract is signed)

If you don't agree with this Policy, please don't use the services.

Important: What we are NOT

Before going further, here are honest disclaimers about the current state of our services. We update this section as our compliance posture changes.

• We are not a covered entity under HIPAA. The consumer service at app.ruyahealth.com is not designed to receive protected health information (PHI). Do not paste medical records, lab results, insurance documents, or claims data into the chat.
• We are not currently SOC 2 Type II, HITRUST, ISO 27001, or HIPAA-certified. We follow reasonable security practices described in our Data Protection page, and we are building toward formal certification, but we have NOT completed any third-party security audit as of this Policy's effective date.
• We are not a medical provider. AI responses are general educational information, not medical advice. Always consult a qualified clinician.
• We are not finished. This is an early-stage product. Features, policies, and security controls evolve. Material changes will be communicated as described in Section 14.

1. Information we collect

1.1 Information you provide

When you create a consumer account at app.ruyahealth.com:

• Identifiers: email address, first name, last name
• Authentication data: a scrypt one-way hash of your password (we never see the plaintext password)
• Optional health profile data: free-text fields for chronic conditions, current medications, and an age range bucket (for example, "40–49"). These fields are entirely user-controlled. The signup form instructs you not to enter personally identifying information; we rely on you to follow that instruction.

When you chat with the AI assistant:

• The text of your messages
• The text of the AI's responses
• Conversation titles auto-generated from your first message
• Timestamps and metadata about your activity

When you sign in with Google OAuth:

• The email address, name, profile image URL, and Google account ID that Google shares with us. We do NOT request access to your Gmail content, Google Calendar, Google Contacts, Google Drive, or any other Google service data. Our requested scopes are limited to email, profile, and openid.

When you contact us through the marketing site or via support email:

• Your email address, any name you provide, and the contents of your message

1.2 Information collected automatically

• Session cookies issued by our authentication system. These are HttpOnly, Secure, and SameSite=Lax.
• IP address and user-agent string captured at authentication events
• Server logs of request paths, response codes, and error contexts. Server logs do NOT include the body of API requests or the content of AI conversations.

We do not use third-party advertising trackers, behavioral analytics, or session-replay tools. The marketing site uses minimal first-party analytics aggregated from server logs.

1.3 What we do NOT collect

For clarity, we do not collect or request:

• Social Security numbers, government-issued identification numbers, or driver's license numbers
• Health insurance policy numbers, group numbers, or claims data
• Lab results, prescriptions, or any record received from a healthcare provider on your behalf
• Payment card information (the consumer service is currently free; we do not process payments)
• Biometric data, geolocation beyond country-level IP geolocation, contacts, or device microphone/camera data

If you accidentally include any of the above in a chat or support email, contact support@ruyahealth.com and we will delete it from our systems within a reasonable period.

2. How we use information

We use the information we collect to:

1. Operate the services: authenticate you, maintain your session, process your messages through our AI provider, return responses, manage your profile and conversations
2. Personalize AI responses: include the health context you voluntarily provided (conditions, medications, age range) in the system prompt sent to the AI so responses are relevant to you
3. Send transactional emails: account verification, password reset, security notifications
4. Maintain and improve the services: diagnose errors, monitor performance, fix bugs, deploy security updates
5. Detect and prevent abuse: rate-limit authentication endpoints, identify suspicious patterns, block automated scrapers
6. Comply with legal obligations: respond to lawful legal process, enforce our Terms of Service, protect rights and safety

We do NOT use your information to:

• Train any machine-learning model (ours or any third party's). Your chats are not used to improve the AI.
• Sell, rent, or trade your information to data brokers, advertisers, or marketing partners
• Build advertising profiles or run targeted advertising campaigns
• Make automated decisions that produce legal or similarly significant effects on you

3. How we share information

We share information only with the categories of recipients listed below. Each is bound by a contract that limits their use of your information to providing services to us.

3.1 Service providers (sub-processors)

Our current sub-processor list is also available at ruyahealth.com/data-protection. We will update that page when sub-processors change.

3.2 Enterprise customers

If you access platform.ruyahealth.com on behalf of an enterprise customer (a health plan or employer with a signed contract with Kimya Labs), additional sharing may occur within that customer's organization as agreed in the relevant Business Associate Agreement (BAA) or Master Services Agreement (MSA). That sharing is governed by your relationship with the enterprise, not by this Privacy Policy.

3.3 Legal process

We may disclose information when we believe in good faith that disclosure is required to:

• Comply with a subpoena, court order, or other legal process
• Enforce our Terms of Service
• Protect the rights, property, or safety of Kimya Labs, our users, or the public
• Investigate fraud, security incidents, or violations of our policies

We will challenge requests that are overly broad or that seek information about individual users without proper legal process.

3.4 Business transfers

If Kimya Labs is involved in a merger, acquisition, financing, or sale of assets, information may be transferred to the new entity. We will notify users of any such transfer and any material change to this Policy that results.

3.5 What we don't do

We do NOT share your information with:

• Advertisers, data brokers, or marketing partners
• Insurance companies, employers, or your healthcare providers (we have no business relationship that would require this for the consumer service)
• Third parties for cross-context behavioral advertising
• Anyone for purposes other than those listed above

4. Data retention

We retain information for the following periods. See the Data Protection page for the canonical retention schedule.

• Active accounts: while your account exists
• Account data after deletion: removed from the active database immediately; encrypted backups expire within 35 days
• Conversations and messages: while the parent account exists, or until you delete them individually
• Server logs: 30 days
• Authentication logs (IP, user-agent at sign-in): 90 days
• Email transaction records (delivered, bounced, complained): retained by our email provider per their policies, typically up to 90 days

You may request deletion at any time using the in-app Profile → Delete my account flow, or by emailing support@ruyahealth.com.

5. Your rights and choices

5.1 All users

You may:

• Access: request a copy of the information we hold about you
• Correct: update inaccurate information; most account fields are directly editable in the app
• Delete: permanently delete your account and all associated data (Profile → Danger Zone → Delete my account, or email us)
• Export: request your data in a portable format
• Object: object to certain processing
• Disconnect Google: unlink your Google sign-in from the Profile → Linked Accounts section

To exercise any right, email support@ruyahealth.com from the email address on your account. We will respond within 30 days.

We do NOT discriminate against users who exercise their rights.

5.2 California residents (CCPA / CPRA)

You have the right to know what categories of personal information we collect, how we use them, and whether we sell or share them. We do NOT sell personal information and do NOT share personal information for cross-context behavioral advertising. We have not sold or shared personal information for behavioral advertising in the preceding 12 months.

To submit a verifiable consumer request, email support@ruyahealth.com. You may designate an authorized agent to make a request on your behalf.

5.3 EU, UK, and EEA residents (GDPR / UK GDPR)

The legal bases on which we rely are:

• Performance of a contract (Article 6(1)(b)) — to provide the service you signed up for
• Legitimate interests (Article 6(1)(f)) — to operate, secure, and improve the service
• Consent (Article 6(1)(a)) — when you provide optional health profile data or connect a Google account

You have the right to lodge a complaint with your local data protection authority. We currently do not have an appointed EU representative; for inquiries from EU/EEA residents, email support@ruyahealth.com.

6. Children's privacy

The consumer services are intended for users 18 years of age or older. We do not knowingly collect information from anyone under 18. If you believe a minor has provided us with information, contact support@ruyahealth.com and we will delete the account and associated data.

This is a higher age threshold than COPPA's 13-year-old floor; the elevated threshold reflects the health-adjacent nature of the service and the corresponding need for informed consent.

7. Security

We use reasonable administrative, technical, and physical safeguards to protect your information. Detailed practices are documented at ruyahealth.com/data-protection. In summary:

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption at rest, with key management via AWS KMS
• One-way scrypt hashing for stored passwords
• Authentication session cookies marked HttpOnly, Secure, and SameSite=Lax
• Server-side session revocation on sign-out
• Rate limiting on authentication endpoints
• Routine dependency updates and security review

We do NOT yet have a third-party SOC 2, HITRUST, ISO 27001, or HIPAA certification. No system is perfectly secure; we make no guarantees that the safeguards above will prevent all unauthorized access.

If we experience a security incident that compromises your information, we will notify you and applicable regulators as required by law, including the Federal Trade Commission's Health Breach Notification Rule (16 C.F.R. Part 318) and Massachusetts data breach notification law (M.G.L. c. 93H).

To report a suspected vulnerability, email security@ruyahealth.com (we welcome responsible disclosure).

8. International data transfers

Kimya Labs is based in Massachusetts, United States. We store and process data primarily in the AWS us-east-1 region (Northern Virginia, USA). If you access the services from outside the United States, your information will be transferred to and processed in the United States.

US data protection laws may differ from those of your country. By using the services, you consent to this transfer and processing.

For users in the European Economic Area, United Kingdom, or Switzerland: we rely on appropriate safeguards (including Standard Contractual Clauses where applicable with our sub-processors) to provide protection equivalent to that required by your home jurisdiction.

9. Third-party services and AI-generated content

The services may contain links to or integrate with third-party websites and services. We are not responsible for those parties' privacy practices.

AI-generated responses in the chat may reference or paraphrase third-party sources, medical literature, or guidelines. Such references do not constitute endorsement, partnership, or affiliation with the referenced parties.

10. Do Not Track signals

Our services do not currently respond to Do Not Track ("DNT") browser signals. We will update this section if our practice changes.

11. Cookies

The services use only first-party cookies necessary for authentication (session cookies) and user preferences. We do not use third-party advertising or tracking cookies. The marketing site may set minimal cookies required for security and load balancing through Cloudflare; those cookies do not contain personally identifying information.

12. Cross-product data flows

Information collected through any of our three subdomains (ruyahealth.com, app.ruyahealth.com, platform.ruyahealth.com) may be shared internally within Kimya Labs to provide and improve the related service, subject to the limitations described elsewhere in this Policy.

For example, if you sign up for platform.ruyahealth.com using the same email as your existing app.ruyahealth.com account, the two accounts remain separate by default and require explicit linking on your part.

13. Retention and deletion of derivative data

If we have used your information to create aggregated, de-identified, or anonymized statistics (for example, "the average length of a chat conversation is N messages"), those statistics are not personal data and may be retained indefinitely. We will not attempt to re-identify de-identified data.

14. Changes to this Policy

We may update this Policy from time to time. When we do, we will update the "Last updated" date at the top.

For material changes (changes that meaningfully expand the categories of information collected, the purposes for which it is used, or the third parties with whom it is shared), we will provide at least 14 days' advance notice via email to the address on your account and an in-app banner. Continued use of the services after the effective date of a material change constitutes acceptance of the updated Policy.

We will keep prior versions of this Policy available on request to support@ruyahealth.com.

15. Contact us

For questions about this Policy, to exercise your rights, or to report a concern:

We aim to respond to privacy inquiries within 30 days.