Privacy Policy
1. Introduction
Welcome to Ask Your Surgeon. We are committed to protecting your privacy and personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our service.
Ask Your Surgeon is an educational chatbot designed to provide evidence-based urology information to patients after diagnosis. We are not a diagnostic tool or a replacement for professional medical advice.
2. Information We Collect
2.1 Personal Information
- Name and email address (provided during registration)
- Medical condition information (voluntarily provided in your profile)
- Reading level and language preferences
- Authentication data (Google OAuth tokens)
2.2 Usage Information
- Questions you ask the chatbot
- Chatbot responses and conversation history
- Session timestamps and duration
- Browser type and IP address
3. How We Use Your Information
We use your information to:
- Provide personalized medical information relevant to your condition
- Improve the accuracy and relevance of chatbot responses
- Enable clinicians to view conversations with their linked patients (with your consent)
- Monitor service quality and usage patterns
- Comply with legal and regulatory requirements
4. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All data is encrypted in transit (HTTPS/TLS) and at rest
- Access Control: Row Level Security (RLS) policies ensure you can only access your own data
- Authentication: Secure OAuth 2.0 authentication via Google
- Database Security: Hosted on Supabase with enterprise-grade security
- Limited Access: Only authorized personnel can access backend systems
5. Data Sharing
We do not sell or share your personal data with third parties, except:
- Your Clinician: If you link your account to a clinician, they can view your conversation history
- Service Providers: We use Supabase for database hosting and OpenAI for chatbot responses (anonymized)
- Legal Requirements: We may disclose data if required by law or to protect user safety
6. Your Rights
You have the right to:
- Access: View all personal data we hold about you
- Correction: Update or correct your profile information
- Deletion: Request deletion of your account and all associated data
- Data Portability: Export your conversation history
- Withdraw Consent: Unlink from your clinician at any time
To exercise these rights, contact your clinician or email support (contact details to be added).
7. Data Retention
- Active Accounts: Data retained while your account is active
- Inactive Accounts: Deleted after 2 years of inactivity (or as per local regulations)
- Deleted Accounts: All data permanently deleted within 30 days of account deletion
- Audit Logs: Retained for regulatory compliance (minimum 7 years)
8. Cookies and Tracking
We use essential cookies for:
- Session management (keeping you logged in)
- Security (CSRF protection)
- User preferences (text size, language, audio settings)
We do not use advertising or analytics cookies.
9. Third-Party Services
- Google OAuth: Used for secure authentication (Google Privacy Policy applies)
- Supabase: Database and authentication provider (Supabase Privacy Policy applies)
- OpenAI: Powers the chatbot responses (queries are anonymized; no personal data is sent)
10. Children's Privacy
Our service is designed for adults (18+), or for children using the service under parental/guardian supervision. We do not knowingly collect data from children under 13 without parental consent.
11. International Data Transfers
Your data is stored on Supabase servers. Please ensure the Supabase region you select complies with your local data protection regulations (e.g., GDPR for EU users).
12. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this privacy policy or how we handle your data, please contact:
Email: [Your contact email to be added]
Address: [Your organization address to be added]
14. Regulatory Compliance
- GDPR: If you are in the EU/UK, you have additional rights under GDPR
- UK Data Protection Act 2018: We comply with UK data protection laws
- NHS Data Security Standards: We follow NHS guidelines for patient data protection
This service provides educational information only and does not constitute medical advice, diagnosis, or treatment. Always consult your healthcare provider for medical decisions. In emergencies, call 999 (UK) or your local emergency number.