Our privacy promise. Your health is some of the most personal information that exists, and we treat it that way. We collect only what we need to give you care and insight. We do not sell your personal information. We do not use your identifiable health data to train generalized AI models. We protect your data with strong encryption, we share it only with the people and partners delivering your care, and we give you real control to access, export, or delete it. This policy explains, in plain language, exactly what we collect, why, and the rights you have.
1. Scope of This Policy
This Privacy Policy describes how Pymander Technologies Inc. ("Pymander," "we," "us") collects, uses, shares, and protects information when you use the Pymander Health websites, apps, and services (the "Service"). Some health information you share is created or held in connection with licensed healthcare Providers and may also be protected health information under the Health Insurance Portability and Accountability Act ("HIPAA"); where that applies, the Provider's Notice of Privacy Practices and our agreements with Providers also govern how that information is handled.
2. Information We Collect
We collect the following categories of information:
- Account and identity information you provide, such as your name, email address, date of birth, and the credentials you use to sign in.
- Health information you choose to share or generate through the Service, such as your health history, intake responses, goals, symptoms, lab results ordered or uploaded through the platform, prescriptions, and the content of your consultations and coaching conversations.
- Wearable and connected-account data you choose to link, as described below.
- Payment information, processed by our PCI-compliant payment processors. We do not store full payment-card numbers.
- Usage and device information collected automatically, such as log files, device identifiers, app interactions, and approximate location derived from your IP address, used to operate, secure, and improve the Service.
- Communications you send us, such as support requests and survey responses.
3. How We Use Your Information
We use your information to provide and personalize the Service, including to deliver longevity and wellness features, generate insights through our coaching tools, coordinate consultations with licensed Providers, fulfill prescriptions and lab orders, process payments, communicate with you, maintain safety and security, prevent fraud and abuse, and comply with legal obligations. We use information only for purposes compatible with why it was collected, and we minimize what we use wherever we can.
4. Artificial Intelligence and Your Data
Our AI features generate insights and suggestions for you using the information relevant to your request. We want to be clear about how this works:
- Your data is used to construct your own coaching responses and insights at the time you ask for them. It is not a source for advertising.
- We do not use your identifiable health information to train generalized, foundation, or third-party AI models. Where we work to improve our own features, we use data that has been aggregated and de-identified so it can no longer reasonably be linked to you, or we rely on your separate, explicit consent.
- Human review of AI interactions is limited to what is necessary for safety, quality, security, legal compliance, or where you have asked for help, and is subject to confidentiality controls.
- AI output is educational and is not a medical diagnosis or treatment. Clinical decisions are made by licensed Providers, as described in our Terms of Service.
5. Wearable Device Data
Pymander integrates with wearable devices including Apple Watch, Whoop, Oura Ring, and Garmin. Wearable data, such as heart-rate variability, sleep stages, recovery scores, activity metrics, and blood-oxygen levels, is synced only with your explicit consent. This data is used exclusively to support your care, power personalized health insights, and inform Provider consultations. You may disconnect any wearable integration at any time from your account settings, which stops future syncing.
6. Google User Data
When you choose to connect your Google Calendar to Pymander Health, we request access to two scopes:
- https://www.googleapis.com/auth/calendar.readonly: read-only access to events on your primary calendar. We use this to give your coach context about your day so it can recommend bedtime adjustments before early meetings, modify workout intensity around travel, schedule recovery practices on light-meeting days, and avoid recommending early-morning workouts before flights.
- https://www.googleapis.com/auth/calendar.events: write access used only when you explicitly ask the coach to put something on your calendar (for example, "schedule a 30-minute walk at 4pm" or "put a sauna session on Thursday morning"). The coach never creates, modifies, or deletes events on its own. It does not modify or delete events created by other apps or by you.
Pymander Health's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, we commit that data accessed through Google's APIs is:
- used only to provide and improve features visible to the user inside Pymander Health (the coach's context-aware recommendations and explicit user-requested calendar writes);
- never used for advertising or sold to advertisers;
- never shared with third parties except as necessary to provide or improve user-facing features (e.g. our infrastructure providers, under contractual confidentiality), or as required by law;
- never accessed by humans except where necessary for security, to comply with applicable law, when we have explicit user consent to do so, or where the data has been aggregated and anonymized so it can no longer be linked to an individual;
- never used to develop, improve, or train generalized AI / machine learning models. (Calendar data is read at request time to construct your individual coaching response, not used to retrain coach models.)
Tokens issued by Google are stored encrypted in our database and used solely to call Google's APIs on your behalf. You can revoke access at any time from Settings → Connections in the Pymander Health iOS app, or from myaccount.google.com/permissions. Revoking access immediately stops all calendar reads and writes by Pymander; existing event references in your past coaching conversations remain in your message history but no new calendar data is fetched.
7. How We Share Information
We share your information only as needed to run the Service and care for you, and never to sell it. Specifically, we may share:
- With licensed Providers involved in your care, so they can review your information and make clinical decisions.
- With healthcare partners who fulfill your care, including CLIA-certified laboratories for diagnostic testing and licensed pharmacies for prescriptions. They receive only the minimum information necessary.
- With service providers who process data on our behalf, such as secure hosting, payment processing, and communications, under contracts that require them to protect your data and use it only for us.
- For legal and safety reasons, when required by law, valid legal process, or to protect the rights, safety, and security of you, others, or Pymander.
8. We Do Not Sell Your Data
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We do not give advertisers or data brokers access to your health data. We do not use your protected health information to serve you ads.
9. Data Security
We use strong, industry-standard safeguards to protect your information, including encryption in transit (TLS 1.3) and at rest (AES-256), access controls that limit data to authorized personnel and your designated care team, audit logging, and regular security testing. Our handling of protected health information is designed to align with HIPAA requirements, and we enter into business-associate agreements with partners where required. No system is perfectly secure, but we work continuously to protect your data and will notify you and the appropriate authorities of a breach affecting your information as required by law.
10. Data Retention
We keep your information for as long as your account is active and as needed to provide the Service. We may retain certain information longer where required to meet legal, medical-record, tax, or regulatory obligations, to resolve disputes, or to enforce our agreements. When information is no longer needed, we delete it or de-identify it. Medical records held by Providers are retained according to the Provider's legal obligations.
11. Your Privacy Rights and Choices
You are in control of your information. Depending on where you live, you have the right to:
- Access the personal information we hold about you, and learn how we use and share it.
- Correct inaccurate information.
- Delete your personal information, subject to legal retention requirements.
- Export a portable copy of your health data in a common, machine-readable format.
- Withdraw consent or disconnect integrations at any time, and opt out of non-essential communications.
- Be free from discrimination for exercising any of these rights.
To exercise any right, use your account settings or contact us at hello@pymander.app. We will verify your request and respond within the timeframe required by law (generally within 30 to 45 days). You may use an authorized agent where the law allows, and you may appeal a decision by replying to our response.
12. State Privacy Rights
Residents of California and other states with comprehensive privacy laws have the specific rights described above, including the rights to know, access, correct, delete, and to opt out of any "sale" or "sharing" of personal information. Because we do not sell or share your personal information for advertising, there is no sale to opt out of, but you may still exercise your other rights as described in Section 11. California residents may also be entitled to information about our data practices under the "Shine the Light" law.
13. Cookies and Analytics
We use a limited set of cookies and similar technologies to keep you signed in, remember your preferences, secure the Service, and understand how it is used so we can improve it. We do not use third-party advertising trackers on health pages. You can control cookies through your browser settings, and where required we will ask for your consent.
14. Children's Privacy
The Service is intended for adults 18 and older. We do not knowingly collect personal information from children under 18. If you believe a child has provided us information, contact us and we will delete it.
15. International Users
The Service is operated in the United States and intended for U.S. residents. If you access it from outside the United States, you understand that your information will be processed in the United States, where data-protection laws may differ from those in your location.
16. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or the law. If we make material changes, we will notify you by email or through a prominent notice in the Service before they take effect, and we will update the "Last updated" date above. Your continued use of the Service after changes take effect means you accept the updated policy.
17. Contact Us
If you have questions about this Privacy Policy or how we handle your data, or to exercise your rights, contact us at hello@pymander.app or write to Pymander Technologies Inc., United States.