Legal Document

Privacy Policy

Effective Date: April 2, 2026  ·  Last Updated: April 4, 2026

Important: ChatDys is an informational and community platform. It is not a covered entity under HIPAA in its current form, but we treat all health-related data — including genetic and genomic data — with the highest level of care and discretion, applying HIPAA-aligned security standards voluntarily. Please read this policy carefully before using our services.

ChatDys LLC ("ChatDys," "we," "our," or "us") operates the website chatdys.com and related services (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Services. By accessing or using ChatDys, you agree to the practices described in this policy.

1. Information We Collect

Account Information. When you create an account, we collect your name, email address, and authentication credentials. We use Manus OAuth for authentication; we do not store your password directly.

Profile Information. You may optionally provide your diagnosed conditions, symptom history, and other health-related profile details. This information is voluntary and used to personalize your experience.

Health Tracker Data. If you use the Health Tracker feature, we collect symptom logs, vital sign readings, medication records, and other health data you choose to enter. This data is stored in our database and associated with your account.

Wearable Device Data. If you connect a wearable device (e.g., Oura Ring, WHOOP, Garmin, Fitbit, Apple Health), we receive biometric data from that device through our integration partner Terra API. This may include heart rate, heart rate variability, sleep data, activity levels, and other sensor readings.

Genetic & Genomic Data. If you use the Genetics features, we may collect: (a) raw genetic data files you upload (e.g., 23andMe or AncestryDNA export files), (b) specific SNP/variant identifiers (rsIDs) and genotype calls you manually enter, and (c) the results of variant matching against our GWAS research database. See Section 5 for full details on how genetic data is handled.

AI Chat Interactions. We store your chat messages and AI-generated responses to provide conversation history, improve our AI system, and enable features like session sharing. Do not include sensitive personal identifiers (Social Security numbers, financial account numbers) in chat messages.

Community Content. Forum posts, replies, and community map entries you create are stored and may be visible to other users according to the privacy settings you choose.

Community Map Location. If you opt in to the Community Map, we store your city and state (never your precise address). Your approximate city/region may be auto-detected from your IP address when you first add yourself to the map. You can remove yourself from the map at any time. See Section 6 for full details.

Usage Data. We automatically collect information about how you interact with our Services, including pages visited, features used, session duration, IP address, browser type, and device information.

Payment Information. Subscription payments are processed by Stripe. We do not store your full credit card number. We receive and store your Stripe customer ID, subscription status, and billing history.

Communications. If you contact us by email or through the platform, we retain those communications.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Services
  • Personalize AI responses based on your condition profile and health history
  • Match your genetic variants against our GWAS research database to surface relevant research (Pro/Premium only)
  • Send you email alerts when new research is published for genetic variants you have saved (with your consent)
  • Process subscription payments and manage your account
  • Send transactional emails (account confirmations, subscription receipts, waitlist invitations)
  • Send optional service communications (product updates, health tips) — you may opt out at any time
  • Enforce our Terms of Service and Community Guidelines
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations
  • Conduct analytics to understand usage patterns and improve the platform
  • Generate de-identified, aggregated research insights (no individual is identifiable)

We do not use your health data or genetic data for advertising purposes. We do not sell your personal information to third parties.

3. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

Service Providers. We share data with trusted third-party vendors who help us operate the Services, including: Stripe (payment processing), Resend (transactional email), Terra API (wearable device integration), xAI / Grok (AI language model processing), NCBI / PubMed (research database queries), and our cloud infrastructure provider. These vendors are contractually bound to protect your data and may only use it to provide services to us.

Community Features. Information you post in the forum or add to the Community Map is visible to other registered users according to your privacy settings. Forum posts are visible to all registered users. Community Map entries show only your city and state, and optionally your name and conditions if you have opted in to share them.

Genetic Data. Your raw genetic data files and manually entered variants are never shared with other users or third parties except as described in Section 5. Variant rsIDs are used only to query our internal research database and are never transmitted to external parties in a way that identifies you.

Doctor Directory. If you submit a doctor recommendation, that submission may be published in the directory and visible to all users.

Legal Requirements. We may disclose your information if required by law, subpoena, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of ChatDys, our users, or the public.

Business Transfers. If ChatDys LLC is acquired, merged, or its assets are transferred, your information may be transferred as part of that transaction. We will notify you before your information is subject to a different privacy policy.

With Your Consent. We may share your information for any other purpose with your explicit consent.

4. Health & Medical Data (PHI)

ChatDys collects sensitive health information including symptom logs, diagnoses, medications, wearable biometrics, and any documents you upload (such as lab results or physician notes). We treat this data with heightened care.

Not a Medical Provider. ChatDys LLC is not a healthcare provider, health plan, or healthcare clearinghouse. The Services are not a substitute for professional medical advice, diagnosis, or treatment. We are not a HIPAA-covered entity in the traditional sense; however, we voluntarily apply HIPAA-aligned security standards to all health data we process, including:

  • Encryption of health data at rest and in transit (TLS 1.2+)
  • Role-based access controls limiting who can view health data
  • Audit logging of access to sensitive health records
  • Minimum necessary data collection principles
  • Business Associate Agreement (BAA) provisions with relevant service providers

Storage & Security. Health data is stored in an encrypted database. Documents you upload are stored in encrypted cloud storage. We implement access controls, audit logging, and security monitoring on all systems that process health data.

AI Processing. When you use the AI chat, relevant portions of your health profile may be included in the context sent to our AI providers to generate personalized responses. This data is transmitted over encrypted connections and is not used by AI providers to train their models under our agreements with them.

No Sale of Health Data. We will never sell, rent, or license your individually identifiable health information to any third party for any purpose.

Aggregate-Only Treatment Analytics. Our internal analytics track only aggregate, anonymized counts of treatment page views (e.g., "Magnesium was viewed 45 times this month"). We do not store, log, or report which individual user viewed which treatment.

5. Genetic & Genomic Data

⚠️ Genetic data is among the most sensitive categories of personal information. We apply the highest level of protection to any genetic data you share with us.

What We Collect. The Genetics features of ChatDys allow you to: (a) upload a raw DNA data file exported from a direct-to-consumer genetic testing service (e.g., 23andMe, AncestryDNA), (b) manually enter specific SNP identifiers (rsIDs) and your genotype (e.g., AA, AG, GG), and (c) view how your variants compare to published GWAS research for conditions like POTS, MCAS, EDS, and ME/CFS.

How We Use Genetic Data. Your genetic data is used exclusively to:

  • Match your variants against our curated GWAS research database to surface relevant published studies
  • Display your personal variant matches within your account (visible only to you)
  • Send you email alerts (via Resend) when new peer-reviewed research is published for rsIDs you have saved — only if you have an active account and have saved those variants
  • Provide context to the AI assistant when you explicitly ask genetics-related questions in chat

What We Do NOT Do With Genetic Data. We will never:

  • Share your raw genetic data file or individual genotype calls with any third party
  • Use your genetic data for advertising, marketing profiling, or any commercial purpose beyond providing the Services
  • Sell, rent, license, or transfer your genetic data to insurers, employers, law enforcement, or any other party without your explicit consent or a valid legal order
  • Use your genetic data to make inferences about family members or relatives
  • Combine your genetic data with other datasets in a way that could re-identify you if data were ever de-identified

Storage & Security. Uploaded genetic data files are stored in encrypted cloud storage (S3) with access restricted to your account. Manually entered rsID/genotype pairs are stored in our encrypted database. Raw file contents are processed server-side to extract variant data and are not retained in their original form beyond what is necessary for matching.

Data Minimization. We extract only the specific rsIDs present in our GWAS research database from uploaded files. We do not store or analyze the full genome sequence. Variants not relevant to our supported conditions are discarded during processing.

Deletion. You may delete your uploaded genetic profiles and manually entered variants at any time from the Genetics → My Variants page. Upon deletion, all associated variant data is permanently removed from our systems within 30 days.

GINA Protections. The Genetic Information Nondiscrimination Act (GINA) prohibits health insurers and employers from discriminating based on genetic information. ChatDys does not share your genetic data with insurers or employers. However, GINA does not cover life insurance, disability insurance, or long-term care insurance. We recommend you consult a genetic counselor before sharing genetic data with any platform.

Research Use. We may use de-identified, aggregated genetic data (e.g., "35% of users with POTS carry the rs2229634 risk allele") for internal research and platform improvement. No individual is identifiable in such aggregated analyses. We will never publish or share individual-level genetic data in any research context without your explicit written consent.

6. IP Geolocation & Community Map

IP-Based Location Detection. When you choose to add yourself to the Community Map, we use your IP address to automatically suggest your approximate city and country. This is done by querying a third-party IP geolocation service (ip-api.com) with your IP address. The returned city/country is pre-filled in the map entry form for your convenience — you can edit or clear it before saving.

What Is and Is Not Stored. We store only the city and state/country you confirm and save in the map entry form. We do not store your raw IP address in the community map database. Your IP address may appear in server access logs for security purposes (standard web server logging), but these logs are not linked to your community map entry.

No GPS or Browser Location. We never request access to your device's GPS or the browser Geolocation API. All location detection for the Community Map is IP-based and city-level only. Precise coordinates are never collected.

Opt-In and Opt-Out. Adding yourself to the Community Map is entirely voluntary. You can remove your pin at any time from the Community Map page. Removing your pin permanently deletes your location entry from our database.

Name and Condition Sharing. When you add yourself to the map, you can independently choose whether to share your display name and/or your conditions with other users. These are separate opt-in toggles. By default, your name is not shared and your conditions are shared. You can change these settings at any time by clicking "Update My Pin."

Visibility to Other Users. Community Map entries are visible to all users of ChatDys (including non-authenticated visitors). Entries show only: city, state/country, and optionally your name and conditions if you have opted in to share them. No other personal information is displayed on the map.

7. AI Processing & Data

ChatDys uses AI language models to power the chat assistant. When you submit a question, your message and relevant context from your profile may be sent to our AI processing partners (currently xAI/Grok and the Manus Forge API) to generate a response.

AI responses are generated automatically and may contain errors. All AI-generated content is for informational and educational purposes only. You should always verify AI responses with a qualified healthcare provider before making any medical decisions.

We retain your chat history to provide conversation continuity and to allow you to review past sessions. You may delete individual sessions from your profile page. We may use de-identified, aggregated chat data to improve the quality of our AI system.

Genetics in AI Context. When you ask a genetics-related question in chat, the AI may reference rsIDs and variant data from our public GWAS research database. Your personal variant data (uploaded file matches or manually entered variants) is only included in AI context if you are authenticated and have saved variants — and only to provide personalized research context. This data is transmitted over encrypted connections and is not used by AI providers to train their models.

AI Disclosure. For full details on how our AI works, its limitations, source reliability, and specific disclosures for genetics and community content, see our AI Disclosure.

8. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the Services. Specifically:

Essential Cookies. Session cookies are required for authentication and to keep you logged in. These cannot be disabled without breaking core functionality.

Session Storage. We use browser sessionStorage (not cookies) to remember one-time UI preferences within a single browsing session, such as whether you have dismissed the Community Map privacy banner. This data is never transmitted to our servers and is cleared when you close your browser tab.

Analytics. We use a privacy-respecting analytics service to understand aggregate usage patterns. Analytics data is not linked to your personal identity.

You can control cookie behavior through your browser settings. Disabling essential cookies will prevent you from logging in to the Services.

9. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal or compliance purposes (e.g., billing records for tax purposes, which are retained for 7 years).

Genetic Data. Uploaded genetic profiles and manually entered variants are deleted within 30 days of your deletion request or account deletion, whichever comes first.

Community forum posts you have made may remain visible after account deletion in de-identified form (your username replaced with "Deleted User") unless you request full removal of your posts at the time of account deletion.

Wearable biometric data is retained for as long as your account is active and for 90 days after account deletion to allow for data export requests.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

Access. You may request a copy of the personal information we hold about you, including your health data, genetic data, and chat history.

Correction. You may update or correct inaccurate information through your profile settings or by contacting us.

Deletion (Right to Erasure). You may request deletion of your account and all associated personal data, including genetic data. To submit a deletion request, contact us at [email protected]. We will process your request within 30 days.

Data Portability. You may request an export of your health tracker data, chat history, genetic variant data, and profile information in a machine-readable format.

Opt-Out of Genetic Alerts. You may unsubscribe from GWAS research alert emails at any time using the unsubscribe link in any alert email, or by deleting your saved variants from the Genetics → My Variants page.

Opt-Out of Marketing. You may unsubscribe from marketing emails at any time using the unsubscribe link in any email we send, or by contacting us. Transactional emails (account confirmations, subscription receipts) cannot be opted out of while your account is active.

California Residents (CCPA). California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights. To exercise your CCPA rights, contact us at [email protected].

European / UK Residents (GDPR). If you are located in the European Economic Area or United Kingdom, you have rights under the General Data Protection Regulation, including the right to object to processing, the right to restrict processing, and the right to lodge a complaint with your local supervisory authority. Our legal basis for processing your data is: (a) performance of a contract (providing the Services), (b) legitimate interests (security, fraud prevention, service improvement), and (c) your explicit consent for genetic data processing (Article 9 GDPR — special category data).

To exercise any of these rights, contact us at [email protected].

11. Children's Privacy

The Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us immediately at [email protected] and we will delete that information promptly.

Users between the ages of 13 and 18 should use the Services only with the consent and supervision of a parent or guardian. We strongly discourage minors from uploading genetic data files without parental consent and guidance from a genetic counselor.

12. Security

We implement industry-standard security measures to protect your information, including:

  • TLS/HTTPS encryption for all data in transit
  • Encryption at rest for sensitive data, uploaded documents, and genetic data files
  • Role-based access controls limiting employee access to personal data
  • Regular security monitoring and audit logging
  • Secure session management with signed JWT tokens
  • Data minimization: we collect only what is necessary to provide the Services
  • Separate storage and access controls for genetic data vs. general health data

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify you as required by applicable law.

13. Third-Party Services

The Services integrate with the following third-party providers. Each has its own privacy policy governing their data practices:

Provider | Purpose | Data Shared
-------- | ------- | -----------
Stripe | Payment processing | Name, email, billing address, payment method
Resend | Transactional & alert email | Email address, name, variant alert content
Terra API | Wearable device integration | Biometric data from connected devices
xAI / Grok | AI language model | Chat messages, condition context (anonymized)
Manus Forge API | AI language model & infrastructure | Chat messages, condition context
NCBI / PubMed / PMC | Medical & genetic literature search | rsID queries only (no personal data)
ip-api.com | IP geolocation for Community Map | IP address (used transiently, not stored)

We encourage you to review the privacy policies of these third-party providers to understand how they handle your data.

14. International Data Transfers

ChatDys LLC is based in the United States. If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

For users in the European Economic Area or United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for transferring personal data to the United States. Genetic data, as a special category under GDPR Article 9, is transferred only with your explicit consent and under appropriate safeguards.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and by posting a prominent notice on the Services at least 14 days before the changes take effect. Your continued use of the Services after the effective date of the revised policy constitutes your acceptance of the changes.

We encourage you to review this policy periodically. The "Last Updated" date at the top of this page indicates when the policy was most recently revised.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

ChatDys LLC

Privacy Inquiries

United States

[email protected]

For account deletion requests, data export requests, genetic data deletion, or GDPR/CCPA rights requests, please email us at [email protected] with the subject line "Privacy Request" and we will respond within 30 days.