Patients with chronic illness have already been dismissed, misdiagnosed, and let down by systems that weren't built for them. The last thing you need is a platform that treats your most sensitive health information as a data asset. Here's exactly how we protect it — and why we built it this way.
When you walk into a doctor's office, you expect your chart to be private. You don't expect it to be sold to advertisers, shared with your employer, or used to train a marketing algorithm. That expectation exists because of HIPAA — the Health Insurance Portability and Accountability Act — which legally requires healthcare providers to protect your health information.
ChatDys is not a healthcare provider, so HIPAA does not technically apply to us. But we think that's the wrong standard to aim for. We voluntarily implement HIPAA-aligned security controls because our users are sharing information about their bodies, their diagnoses, their medications, and their fears — and that deserves the highest level of protection we can provide.
We also comply with the EU's General Data Protection Regulation (GDPR), which is widely considered the gold standard for health data privacy globally. If you're in the EU or UK, you have legally enforceable rights over your data — and we honor those rights for every user, regardless of where they live.
Six concrete protections, not vague promises.
All health data is encrypted at rest in our database using AES-256. Every connection between your browser and our servers uses TLS 1.3 — the same standard used by major banks.
We voluntarily apply HIPAA security standards — role-based access controls, audit logging, minimum necessary access, and a formal incident response plan — even though we are not legally required to.
EU and UK residents have full GDPR rights: access, correction, export, restriction, and deletion. We process special-category health data only with your explicit consent under Article 9 GDPR.
Every access to health data is logged. Only you can see your data in the normal course of operations. Staff access requires elevated permissions and is recorded in a tamper-evident audit trail.
We do not sell, rent, or broker your personal health data. Period. Our business model is subscriptions, not advertising or data monetization.
You can export all your data — labs, chat history, health tracker logs, genetic variants — at any time. You can also delete your account and all associated data permanently.
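As an added illustration of the first protection above (encryption at rest with AES-256), here is a field-level encryption routine in Go using the standard library's AES-256-GCM. This is example code written for this page, not ChatDys's own implementation, and it does not describe how ChatDys's database is actually built. The key, user ids, column names and lab value are constructed for the demonstration; binding the record owner and column into the associated data, and sourcing the key from a KMS, are design assumptions shown here because they are what makes "encrypted in the database" meaningful in practice: a row copied under another user's id, or altered on disk, does not decrypt at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedField is what lands in the database column: the GCM nonce plus
// ciphertext with its 16-byte authentication tag. The plaintext never does.
type EncryptedField struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, tag appended by Seal
}

// aad is the associated data GCM authenticates but does not encrypt. Binding
// the record's owner and column name into it means a ciphertext copied to a
// different user's row, or into a different column, fails to decrypt.
// (Assumed design, not ChatDys's schema.)
func aad(userID, field string) []byte {
	return []byte("health-record/v1|" + userID + "|" + field)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // 32 bytes = AES-256
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one health-data value for one user and one column.
func EncryptField(key []byte, userID, field, plaintext string) (EncryptedField, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return EncryptedField{}, err
	}
	// A fresh random 96-bit nonce per record; a nonce must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EncryptedField{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), aad(userID, field))
	return EncryptedField{Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptField opens a sealed value. Any change to the nonce, ciphertext,
// tag, key, owner or column makes Open fail, and no plaintext is released.
func DecryptField(key []byte, userID, field string, ef EncryptedField) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, ef.Nonce, ef.Ciphertext, aad(userID, field))
	if err != nil {
		return "", errors.New("authentication failed: wrong key, wrong owner/column, or modified row")
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key. In a real deployment the key comes from a KMS/HSM
	// and is never stored next to the data it protects.
	key := []byte("0123456789abcdef0123456789abcdef")
	sealed, err := EncryptField(key, "user-42", "labs", `{"ferritin":"12 ng/mL"}`)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored bytes: %x%x\n", sealed.Nonce, sealed.Ciphertext)

	if v, err := DecryptField(key, "user-42", "labs", sealed); err == nil {
		fmt.Println("owner reads back:", v)
	}
	// The same row read under another user's id yields no plaintext, only an error.
	if _, err := DecryptField(key, "user-43", "labs", sealed); err != nil {
		fmt.Println("swapped owner:", err)
	}
}
```

The important property for a patient is the failure mode: GCM refuses to return partial or garbled plaintext, so a database backup that is copied, edited, or re-pointed at a different account produces an error rather than someone else's labs.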
No surprises. Here's every category of data ChatDys stores and exactly how it's handled.
| Data type | Where it's stored | Shared with third parties? | You can delete it? |
|---|---|---|---|
| Chat history | Encrypted database | Never | Yes |
| Lab results | Encrypted database | Never | Yes |
| Symptoms & vitals | Encrypted database | Never | Yes |
| Genetic variants | Encrypted database | Never | Yes |
| Uploaded documents | Encrypted cloud storage (S3) | Never | Yes |
| Health Roadmap | Encrypted database | Never | Yes |
| Account info (name, email) | Encrypted database | Only for login | Yes |
| Usage analytics | Anonymized — no PII | Aggregated only | Anonymized |
Health Insurance Portability & Accountability Act
HIPAA requires healthcare providers, health plans, and their business associates to protect patient health information. It sets standards for encryption, access controls, breach notification, and patient rights.
ChatDys's approach: We are not a covered entity under HIPAA, but we voluntarily implement all of HIPAA's Technical Safeguards — the same controls your hospital uses — because we believe health data deserves that standard regardless of legal obligation.
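Audit controls are one of HIPAA's Technical Safeguards, and the tamper-evident audit trail listed among the six protections above is the concrete form they usually take. As an added example, not ChatDys's own code and not a description of its real logging system, here is a hash-chained audit log in Go: each entry carries an HMAC-SHA256 over its own fields and the previous entry's HMAC, so editing or deleting an earlier record breaks every link after it. The actor ids, resources, timestamps and key are constructed for the demonstration; the field layout and the genesis value are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditEntry is one record in the hash-chained audit trail. Each entry's MAC
// covers the previous entry's MAC, so the chain only verifies if every
// earlier record is exactly as it was written. (Assumed layout.)
type AuditEntry struct {
	Seq       int
	Timestamp string // RFC 3339, written by the logging service
	Actor     string // who touched the data: the user or a staff account id
	Action    string // "read", "export", "delete", ...
	Resource  string // what was touched, e.g. "labs/user-42"
	PrevMAC   string // MAC of the previous entry; fixed genesis value for Seq 0
	MAC       string // HMAC-SHA256 over the fields above
}

const genesisMAC = "0000000000000000000000000000000000000000000000000000000000000000"

// AuditLog is append-only. The HMAC key is held only by the logging service,
// so someone with write access to the database table cannot forge valid MACs.
type AuditLog struct {
	key     []byte
	Entries []AuditEntry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// entryMAC binds all fields plus the previous MAC into one keyed digest.
// Fields are length-prefixed so "ab"+"c" and "a"+"bc" cannot collide.
func entryMAC(key []byte, e AuditEntry) string {
	mac := hmac.New(sha256.New, key)
	fields := []string{fmt.Sprint(e.Seq), e.Timestamp, e.Actor, e.Action, e.Resource, e.PrevMAC}
	for _, f := range fields {
		fmt.Fprintf(mac, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// Append records one access event and links it to the current chain head.
func (l *AuditLog) Append(actor, action, resource string, ts time.Time) AuditEntry {
	prev := genesisMAC
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].MAC
	}
	e := AuditEntry{
		Seq:       len(l.Entries),
		Timestamp: ts.UTC().Format(time.RFC3339),
		Actor:     actor,
		Action:    action,
		Resource:  resource,
		PrevMAC:   prev,
	}
	e.MAC = entryMAC(l.key, e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain and returns the index of the first entry whose MAC,
// sequence number or back-link is wrong, or -1 when the whole log is intact.
func (l *AuditLog) Verify() int {
	prev := genesisMAC
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevMAC != prev || !hmac.Equal([]byte(e.MAC), []byte(entryMAC(l.key, e))) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

// Head returns the MAC of the newest entry. Recording it periodically
// somewhere the database writer cannot reach is what also exposes silent
// truncation of the tail, which the chain by itself cannot detect.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return genesisMAC
	}
	return l.Entries[len(l.Entries)-1].MAC
}

func main() {
	log := NewAuditLog([]byte("constructed demo key - not a real secret"))
	t0 := time.Date(2026, 5, 1, 9, 0, 0, 0, time.UTC)
	log.Append("user-42", "read", "labs/user-42", t0)
	log.Append("staff-7", "read", "labs/user-42", t0.Add(time.Hour))
	log.Append("user-42", "export", "all/user-42", t0.Add(2*time.Hour))
	fmt.Println("intact, first bad index:", log.Verify()) // -1

	// Someone with raw table access rewrites the staff read to look like the user's own.
	log.Entries[1].Actor = "user-42"
	fmt.Println("after edit, first bad index:", log.Verify()) // 1
}
```

Verify points at the first entry that no longer matches, which is what an incident responder needs: the position in the trail where the record stopped being trustworthy, not just a yes/no.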
General Data Protection Regulation
GDPR is the EU's comprehensive data protection law — widely considered the world's strongest. It gives individuals explicit rights over their personal data and imposes strict obligations on organizations that process it.
Health data is classified as "special category data" under Article 9 GDPR, requiring explicit consent and heightened protections. We process your health data only with your informed consent, and you can withdraw that consent at any time.
The AI is the core of ChatDys. Here's exactly what happens with your health data when you ask a question.
When you enable 'Roadmap context' in the chat, relevant parts of your health profile (conditions, medications, recent labs) are included in the prompt sent to the AI. This is what makes answers specific to you rather than generic.
Any health data sent to the AI provider travels over an encrypted TLS 1.3 connection. It is processed in memory to generate your response and is not written to the provider's persistent storage.
Your personal health data is never used to train AI models — ours or our provider's. This is contractually prohibited in our data processing agreement with the AI provider.
The AI provider does not retain your health data after generating your response. There is no 'memory' of your data on their servers.
Your health data is never sold, rented, or shared with advertisers, data brokers, insurers, employers, or any other third party for commercial purposes.
These aren't buried in a policy document. Here's what you can do and exactly how to do it.
Settings → Account → Export Data. You'll receive a JSON file with your full health history, chat logs, and profile.
Settings → Account → Delete Account. All health data is permanently deleted within 30 days.
Email [email protected] with 'Data Access Request' in the subject. We'll respond within 30 days.
Most data (conditions, medications, labs) can be edited directly in the app. For account data, email [email protected].
Toggle off 'Roadmap context' in the chat at any time. Your health profile will no longer be included in AI prompts.
You have the right to complain to your local data protection authority. In the UK: ICO (ico.org.uk). In the EU: your national DPA.
Real questions from patients who were understandably cautious about sharing health data online.
Our privacy team responds to all inquiries within 2 business days. For urgent data requests, please include "URGENT" in the subject line.
Last reviewed: May 2026 · ChatDys LLC · For informational purposes only — not a substitute for professional medical advice.