Privacy Policy

Last updated: February 22, 2026. This policy explains how Rheva.ai handles your personal data.

1. Who We Are

Rheva.ai ("Rheva", "we", "us", "our") operates a medtech social commerce platform that connects patients with verified healthcare providers through AI-powered telemedicine, digital health records, and integrated pharmacy services. We are the data controller for the personal data processed through our platform.

2. Data We Collect

Account Data

When you register, we collect your name, email address, phone number, date of birth, and profile information.

Health Data

With your explicit consent, we process health-related information including symptoms shared with our AI assistant, consultation records, prescriptions, lab results, and health timeline data. This is classified as special category data under GDPR Article 9.

Usage Data

We automatically collect device information, IP addresses, browser type, pages visited, and interaction patterns to improve our services. This data is anonymized where possible.

Payment Data

Transaction records, wallet balances, and payment method details are processed through PCI-DSS compliant payment processors. We do not store full card numbers on our servers.

3. Legal Basis for Processing (GDPR Article 6)

  • Consent (Art. 6(1)(a)): For health data processing, AI assistant interactions, and marketing communications.
  • Contract (Art. 6(1)(b)): To provide our telemedicine, pharmacy, and payment services to you.
  • Legitimate Interest (Art. 6(1)(f)): For platform security, fraud prevention, and service improvement.
  • Legal Obligation (Art. 6(1)(c)): To comply with healthcare regulations, tax laws, and legal requirements.

4. How We Use Your Data

  • Providing AI-powered health guidance and connecting you with appropriate doctors
  • Facilitating video consultations, chat, and voice calls between patients and doctors
  • Managing digital health records and prescription histories
  • Processing payments and maintaining transaction records
  • Sending appointment reminders, follow-up notifications, and health alerts
  • Improving our AI models and platform features (using anonymized data only)
  • Ensuring platform security and preventing fraudulent activity

5. Data Sharing

We share your data only with:

  • Your chosen healthcare providers: Doctors and specialists you consult with on the platform
  • Pharmacy partners: When you place prescription orders, only necessary information is shared
  • Payment processors: PCI-DSS compliant providers for secure transactions
  • Cloud infrastructure: Encrypted data stored on HIPAA-compliant servers
  • Law enforcement: Only when legally required and with appropriate legal process

We never sell your personal data or health information to third parties.

6. Your Rights Under GDPR

If you are in the European Economic Area (EEA), you have the right to:

  • Access: Request a copy of all personal data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restrict processing: Limit how we use your data
  • Data portability: Receive your data in a machine-readable format
  • Object: Object to processing based on legitimate interests or for direct marketing
  • Withdraw consent: Revoke consent at any time without affecting prior lawful processing

To exercise any of these rights, contact us at privacy@rheva.ai. We will respond within 30 days.

7. Data Retention

We retain your account data for as long as your account is active. Health records are retained for the minimum period required by applicable healthcare regulations (typically 7-10 years). You may request earlier deletion of non-regulated data at any time. Payment records are retained for 7 years in accordance with financial regulations.

8. Data Security

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Health data is stored on HIPAA-aligned infrastructure with strict access controls. We conduct regular penetration testing and security audits. Access to personal data is limited to authorized personnel on a need-to-know basis.

9. International Transfers

If your data is transferred outside the EEA, we ensure protection through Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where applicable.

10. Children

Rheva is not intended for individuals under 16 years of age. We do not knowingly collect data from children. If you believe we have collected data from a minor, please contact us immediately at privacy@rheva.ai.

11. Changes to This Policy

We may update this policy periodically. We will notify you of significant changes via email and a prominent notice on our platform at least 30 days before changes take effect.

12. Contact Our Data Protection Officer

For any privacy-related questions or concerns, contact our Data Protection Officer at dpo@rheva.ai or write to us at Rheva.ai, Data Protection Office, [Registered Address].

You also have the right to lodge a complaint with your local supervisory authority if you believe your data is being processed unlawfully.