Privacy Policy

Effective 29 May 2026 · Last updated 29 May 2026

Health Platform is a private, invitation-only service. We do not sell data, we do not run ads, and we do not share your health information with anyone outside the people you explicitly invite into your family circle.

1. Who we are

Health Platform (“Health Platform”, “we”, “us”) operates the service at www.healthplatform.ai and its sub-domains. We are the data controller for the personal information described in this policy.

Contact: [email protected]

Health Platform is operated from Singapore and complies with the Singapore Personal Data Protection Act 2012 (PDPA) and related guidelines issued by the Personal Data Protection Commission (PDPC).

2. What this policy covers

This policy explains what personal information Health Platform collects, why we collect it, how we store and protect it, who we share it with, and the rights you have over it. It applies to all use of our website, web applications, and API.

3. Information we collect

3.1 Information you give us directly

Account details: your name, email address, and authentication credentials (handled by our identity provider).
Profile information you choose to enter for yourself or for a family member you care for (date of birth, conditions, medications, clinical targets).
Manually-logged events: meals, medications, symptoms, notes, photos, voice memos.

3.2 Medical records and documents you upload

We store and process medical information that you provide to us, including uploads of medical reports, laboratory results, imaging summaries, clinical notes, and similar documents. This information is treated as sensitive personal data and is used solely to populate your or your family member’s record within Health Platform, to generate the dashboards and insights you request, and to share with caregivers you have explicitly authorised. We do not use these documents for any other purpose.

3.3 Information from connected health devices and services

You may, at your option, connect Health Platform to third-party health and wellness services (for example wearable devices, continuous glucose monitors, smart scales, blood pressure monitors, and similar consumer health platforms). When you do, we collect only the data types you authorise, for the time period you authorise, and via the authentication mechanism that the third party provides. We do not pull data from sources you have not explicitly connected. Authentication tokens are encrypted at rest using AES-GCM-256, and you can revoke our access from your account at any time.

3.4 Technical information

When you use our website or apps we automatically receive standard request metadata (IP address, user-agent, timestamps). This is used for security, abuse prevention, and basic operational telemetry. We do not run third-party analytics or advertising trackers.

4. How we use your information

To operate the service: store your records, render your dashboards, run alarms, deliver notifications to people you have invited.
To generate AI-assisted insights and summaries about your or your family member’s data, on your request.
To allow caregivers and clinicians you have explicitly granted access to view the records you have shared with them.
To diagnose technical problems and improve reliability.
To meet our legal and regulatory obligations.

We do not use your health data to train third-party AI models. When AI features are used, prompts are sent to our model provider under a zero-retention data processing agreement.

5. Legal basis and consent

Health Platform processes personal data on the basis of the consent you give when you create an account, upload information, or connect a third-party source. Because much of the information we hold is health-related, we treat it as sensitive and apply heightened protection.

Under the Singapore PDPA we observe the obligations of Consent, Notification, Purpose Limitation, Accuracy, Protection, Retention Limitation, Transfer Limitation, Access and Correction, Openness, and Data Breach Notification. You may withdraw consent at any time by deleting your account or disconnecting a specific source; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Where users are located in jurisdictions with additional data-protection regimes (for example the UK GDPR or EU GDPR), we rely on your explicit consent for processing health data and on performance of our contract with you for operating the service.

6. Sharing

We do not sell, rent, trade, or share your personal information for advertising. We share data only with:

Family members and caregivers you explicitly invite, and only the records you have granted them access to.
Sub-processors that run our infrastructure (hosting and edge compute, authentication, and AI inference). These vendors process data on our instructions under written data-processing agreements and are bound to confidentiality and security obligations equivalent to ours.
Legal authorities if compelled by valid legal process; we will notify you unless legally prohibited.

7. International transfers

Our infrastructure is hosted on a global edge network and data may be processed in any region where our infrastructure provider operates. In accordance with the PDPA’s Transfer Limitation Obligation, we ensure that any overseas recipient of your personal data is bound by enforceable legal obligations to provide a standard of protection comparable to that under the PDPA. Where users are located in jurisdictions requiring additional safeguards (for example Standard Contractual Clauses for transfers out of the UK or EEA), we apply those safeguards.

8. Security

All traffic is encrypted in transit using TLS 1.3.
OAuth tokens and other secrets are encrypted at rest using AES-GCM-256.
Access to production systems is restricted, MFA-protected, and audit-logged.
We follow least-privilege principles and isolate each family’s data in a dedicated database.

No system is perfectly secure. If we discover a data breach that is likely to result in significant harm to affected individuals, or that meets the threshold for notifiable breaches under the PDPA, we will notify the Personal Data Protection Commission and affected individuals within the statutory timeframes (no later than three calendar days for the PDPC).

9. Retention

We retain your data for as long as your account is active. When you delete your account we delete your personal data within 30 days, except where we are required to retain certain records for legal or audit purposes (in which case those records are isolated and access-restricted until their retention period expires).

10. Your rights

Under the Singapore PDPA and applicable data-protection laws you have the right to:

Request access to the personal data we hold about you and information about how it has been used or disclosed in the past year.
Request correction of inaccurate or incomplete data.
Withdraw consent for any specific processing or for any connected source, at any time.
Delete your account and the associated personal data.
Request a copy of your data in a portable, machine-readable format.
Lodge a complaint with the Personal Data Protection Commission (Singapore) at www.pdpc.gov.sg, or with your local data-protection authority.

To exercise any of these rights email [email protected]. We will respond within 30 days, or sooner if required by applicable law.

11. Children

Health Platform is designed to support the care of children by their parents or legal guardians. Children’s accounts are created and administered by a verified parent or guardian. We do not knowingly create direct accounts for children under 13 without parental consent. If you believe a child’s data has been provided to us without proper authorisation, contact us and we will delete it.

12. Third-party services and disconnection

You can disconnect any connected third-party source at any time from your Health Platform settings. Disconnecting stops further data collection from that source. Data already collected remains in your account unless you delete it. You may also revoke our access directly from the relevant third-party service’s account or authorisation settings.

13. Changes to this policy

If we make material changes we will notify you by email and update the “Effective” date at the top of this page. Continued use of the service after a change indicates acceptance of the updated policy.

14. Contact

Health Platform
Email: [email protected]
Website: www.healthplatform.ai
Jurisdiction: Singapore