Privacy Policy

Last Updated: March 26, 2026

1. Introduction

HF Health AI ("we," "us," or "our") operates the HF Health AI platform at hfhealth.care (the "Service"). This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and your rights regarding that information. By using the Service, you agree to the practices described in this policy.

Important notice: HF Health AI is an educational health information platform. We are not a covered entity under HIPAA, and the information you share with our AI specialists does not constitute a protected health record (PHR) under HIPAA. However, we treat all health-related data with the same level of care and security as if it were protected health information.

2. Information We Collect

We collect the following categories of information:

2a. Account Information

When you create an account via Manus OAuth, we receive your name and email address from the authentication provider. We store this information to identify your account and deliver the Service.

2b. Date of Birth (Age Verification)

We collect your date of birth the first time you log in. This information is used exclusively to verify that you meet the minimum age requirement (13 years old) to use the Service, and to apply appropriate access controls for users aged 13–17. Your date of birth is stored securely in our database and is never shared with third parties, used for marketing, or used for any purpose other than age verification. Users under 13 are blocked from accessing the Service in compliance with the Children's Online Privacy Protection Act (COPPA).

2c. Health-Related Conversation Data

When you chat with our AI specialists or use the Symptom Checker, we store the content of those conversations and symptom check results in our database. This data is used to provide the Service, maintain your conversation history, and improve the quality and safety of our AI responses. This data is associated with your account and is not sold or shared with third parties for advertising purposes.

2d. Payment Information

Subscription payments and one-time credit pack purchases are processed by PayPal. We do not store your full credit card number, bank account details, or PayPal credentials on our servers. We store only your PayPal subscription ID, plan tier, billing status, and transaction records necessary to manage your account. PayPal's privacy policy governs the handling of your payment credentials.

2e. Usage and Analytics Data

We collect anonymized usage data including page views, feature interactions, and session duration to understand how users engage with the Service and to improve it. This data does not identify you personally.

2f. Error and Diagnostic Data

We use Sentry to capture application errors and performance data. Error reports may include technical information about your browser, device, and the action that triggered the error. This data is used solely for debugging and improving the Service.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Verify your age and apply appropriate access controls
  • Process subscription and credit pack payments via PayPal
  • Maintain your conversation history and symptom check records
  • Send transactional emails (welcome, payment receipts, usage limit notifications) via Resend
  • Detect and prevent fraudulent, abusive, or harmful activity
  • Enforce our Terms of Service and crisis safety protocols
  • Improve the accuracy, safety, and quality of our AI models and platform
  • Comply with applicable laws and regulations

4. Children's Privacy (COPPA)

The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. When a user submits a date of birth indicating they are under 13, their account is immediately blocked from accessing the Service and no health-related data is collected from that session. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will delete that information promptly.

Users aged 13–17 ("teens") may use the Service with the acknowledgment that they are doing so with parental or guardian awareness. We display a parental consent notice to all verified teen users on sensitive features. Parents or guardians who wish to review, update, or delete their teen's account data may contact us at the email address above.

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following limited circumstances:

  • Service providers: We share data with trusted third-party providers who help us operate the Service, including PayPal (payments), Resend (transactional email), Sentry (error monitoring), and our cloud infrastructure provider. These providers are contractually obligated to protect your data and may not use it for their own purposes.
  • Legal requirements: We may disclose your information if required to do so by law, court order, or government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of HF Health AI, our users, or the public.
  • Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.

6. Data Retention

We retain your account information and conversation history for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (e.g., payment records may be retained for up to 7 years as required by tax law).

Your date of birth is retained for the lifetime of your account solely for age verification purposes and is deleted when your account is deleted.

7. Data Security

We implement industry-standard security measures to protect your personal information, including:

  • Encryption of data in transit using TLS/HTTPS
  • Encrypted database storage for sensitive fields
  • Secure cloud infrastructure with access controls and audit logging
  • Session-based authentication with signed, HttpOnly cookies
  • Real-time error monitoring and anomaly detection via Sentry

No method of transmission over the Internet is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct inaccurate or incomplete information.
  • Deletion: Request that we delete your personal information (subject to legal retention requirements).
  • Portability: Request a machine-readable export of your data.
  • Opt-out of emails: Unsubscribe from non-transactional emails at any time using the unsubscribe link in any email we send.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

9. Cookies and Tracking

We use a single session cookie to maintain your authenticated session. This cookie is HttpOnly and Secure, and it is deleted when you log out or your session expires. We do not use third-party advertising cookies or tracking pixels. Our analytics are anonymized and do not use cookies that track you across other websites.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where required by law, notify you by email or via a prominent notice on the Service. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

HF Health AI

Email: [email protected]

Website: hfhealth.care