Updated Date: March 5, 2026, 12:00 AM

Privacy Policy

1. Introduction and Scope

This Privacy Policy describes how the operators of A1C Insight and AskSally Terminal (collectively referred to as "we", "us", or "our") collect, use, disclose, and protect your personal information when you access and use our mobile and web applications, A1C Insight and AskSally Terminal (the "Apps"), and the related services, features, and content we provide (collectively, the "Services").


We are registered in Singapore, and our Services are designed for and offered to users worldwide. We recognize the importance of protecting your personal information, particularly health-related data, which is among the most sensitive types of personal information. This Privacy Policy has been developed to ensure compliance with a comprehensive range of international data protection and privacy regulations, including but not limited to:

-       Singapore's Personal Data Protection Act 2012 (PDPA) [1]

-       The European Union's General Data Protection Regulation (GDPR) [2]

-       The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) [3]

-       Washington State's My Health My Data Act (MHMDA) [4]

-       Nevada's Consumer Health Data Privacy Law [4]

-       The Federal Trade Commission Act (FTC Act) [5]

-       The FTC Health Breach Notification Rule [6]

-       Other applicable international, federal, state, and local privacy laws


By creating an account, accessing, or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this policy, you must not access or use our Services. Your use of our Services is also governed by our Terms and Conditions, which are incorporated by reference into this Privacy Policy.


2. CRITICAL MEDICAL DISCLAIMER

2.1. Preventive and Educational Focus

Our Apps are wellness and educational tools designed to provide preventive health insights and educational information to help you manage your metabolic well-being. Our goal is to empower you with data to support proactive lifestyle choices. The Services are intended to provide preventive consultation and are not designed for, and must not be used for, diagnostic or curative purposes. The Apps do not provide medical diagnoses, treatments, or curative consultations. All information should be considered as part of a preventive health strategy and not as a substitute for professional medical care for existing health conditions.

2.2. Not a Medical Device

The Apps are not medical devices and have not been evaluated or approved by the Singapore Health Sciences Authority (HSA), the U.S. Food and Drug Administration (FDA), or any other regulatory authority.


The Apps are not intended to diagnose, treat, cure, or prevent any disease or medical condition. All information, insights, and recommendations provided by the Apps are for informational and educational purposes only and must not be considered a substitute for professional medical advice, diagnosis, or treatment. You should always consult with a qualified healthcare provider regarding any medical questions, concerns, or decisions, including before making any changes to medication, diet, or exercise based on information from the Apps. In the event of a medical emergency, contact your local emergency services immediately.


3. Key Definitions

To ensure clarity and transparency throughout this Privacy Policy, the following terms are defined as they are used herein:

-       Companion App: Refers to our mobile application, A1C Insight, which is required to collect and synchronize health data from third-party wearables and Continuous Glucose Monitors (CGMs) with the AskSally Terminal App.

-       Personal Data: Any information, whether true or not, about an individual who can be identified from that information, or from that information combined with other information to which we have or are likely to have access. This includes identifiers such as name, email address, and IP address.

-       Health Data: A subset of Personal Data that relates to the physical or mental health of an individual, including the provision of health care services, and which reveals information about their health status. Under GDPR, this is classified as a Special Category of Personal Data requiring heightened protection. Under CCPA/CPRA, this is Sensitive Personal Information.

-       Biomarker Data: Health-related data points you voluntarily provide to the Apps, such as blood glucose levels, heart rate, weight, blood pressure, and other metabolic or physiological indicators.

-       Lab Results: Medical laboratory test results that you manually enter or upload to the Apps, including but not limited to HbA1c levels, lipid panels, and other diagnostic test outcomes.

-       Continuous Glucose Monitor (CGM) Data: Data from a CGM device that you authorize us to access via third party health integration platforms (e.g., Apple Health, Google Health Connect), providing continuous or frequent glucose readings.

-       User Content: Any data, text, information, notes, feedback, or other materials you submit, upload, or otherwise provide to the Apps.

-       Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.

-       Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this Privacy Policy, we are the Data Controller of your Personal Data.

-       Data Processor: A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller. Our third-party service providers act as Data Processors.

-       Explicit Consent: A freely given, specific, informed, and unambiguous indication of your wishes by which you, through a clear affirmative action, signify agreement to the Processing of Personal Data relating to you. For Health Data, this consent must be explicit and cannot be implied.

-       Breach of Security: Unauthorized acquisition, access, use, or disclosure of unsecured personal health information that compromises the security or privacy of such information.


4. Information We Collect

4.1. Data Collection via Companion App (for AskSally Terminal Users)

For users of AskSally Terminal, it is important to understand that health data from third-party devices, such as wearables and Continuous Glucose Monitors (CGMs), is collected exclusively through our Companion App, A1C Insight. The data flows as follows:

1.   Your third-party device (e.g., CGM, smartwatch) sends data to a health integration platform (e.g., Apple Health, Google Health Connect).

2.   You authorize our Companion App, A1C Insight, to access this data from the health integration platform.

3.   The Companion App then synchronizes this health data with your AskSally Terminal account.

Your use of the Companion App is subject to its own Terms and Conditions and Privacy Policy, and your access to it is contingent upon maintaining an active subscription to AskSally Terminal.

4.2. Information You Provide Directly to Us

The following list outlines the types of information you actively provide when you use our Services:

-       Account Information

-       Description: Information required to create and maintain your user account.

-       Examples: Full name, email address, password, date of birth, country of residence.

-       Legal Classification: Personal Data

-       Health & Wellness Data

-       Description: Health-related information you voluntarily enter or upload to track your metabolic health. This is the core data used to provide our Services.

-       Examples: Biomarker Data (blood glucose, heart rate, weight, blood pressure), Lab Results (HbA1c, cholesterol levels), medication information, dietary logs, exercise data.

-       Legal Classification: Sensitive Personal Data / Special Category Data / Sensitive Personal Information

-       User Content

-       Description: Any additional information or content you choose to provide.

-       Examples: Notes about your health, feedback about the Apps, communications with our support team, survey responses.

-       Legal Classification: Personal Data (may include Health Data)

-       Payment and Transactional Data

-       Description: Information related to your purchases and subscriptions. We do not collect or store your credit card information.

-       Examples: Subscription history, transaction IDs, payment status.

-       Legal Classification: Personal Data

-       Conversations with Insight

-       Description: Transcripts and summaries of your voice or text conversations with our AI-powered health insights feature.

-       Examples: Voice recordings, text transcripts, AI-generated summaries and insights.

-       Legal Classification: Sensitive Personal Data / Special Category Data

-       Geolocation Data

-       Description: Your device’s location, with your explicit consent.

-       Examples: GPS coordinates, Wi-Fi-based location.

-       Legal Classification: Personal Data (can be Sensitive Personal Information in some jurisdictions)

4.3. Information We Collect Automatically

When you access and use our Services, we automatically collect certain information about your device and usage patterns:

-       Usage Data

-       Description: Information about your interaction with the Apps and Services.

-       Examples: Features accessed, pages viewed, time spent on pages, navigation paths, frequency of use, actions taken within the Apps.

-       Device Information

-       Description: Technical information about the device you use to access our Services.

-       Examples: IP address, device type and model, operating system and version, browser type and version, unique device identifiers.

-       Log Data

-       Description: Information automatically recorded by our servers when you use the Services.

-       Examples: Date and time of access, error logs, crash reports, performance data.

4.4. Information from Other Sources

To provide our Services, we may collect information about you from the following third-party sources, but only with your explicit authorization:

-       Health & Wellness Data from third-party Services

-       Description: Health-related information from third-party health integration platforms (e.g., Apple Health on iOS, Google Health Connect on Android) that you connect to our Apps.

-       Examples: CGM data, heart rate, activity levels, and other health metrics from health integration platforms (e.g., Apple Health, Google Health Connect).

-       Legal Classification: Sensitive Personal Data / Special Category Data

-       Web3 Wallet Information

-       Description: Information from your web3 wallet when you connect it to our Services for authentication.

-       Examples: Your public wallet address. We do not have access to your private keys or funds.

-       Legal Classification: Personal Data


5. How We Use Your Information

We process your Personal Data only for specific, explicit, and legitimate purposes. We will not process your data in a manner that is incompatible with these purposes. The list below outlines our purposes for processing, the categories of data used, and the legal bases we rely upon under applicable data protection laws.

-       Providing Core Services

-       Purpose: To deliver the personalized metabolic health analysis, educational insights, and recommendations that form the core functionality of the Apps. This includes the use of Artificial Intelligence (AI) to analyze your data and generate insights. You acknowledge that AI may produce inaccurate or ‘hallucinated’ results, and you should verify all AI generated advice with professional guidelines.

-       Data Used: Account Information, Health & Wellness Data, User Content

-       Legal Basis (GDPR): Explicit Consent (for Health Data) and Contractual Necessity (to perform the contract with you)

-       Legal Basis (PDPA): Consent

-       Legal Basis (CCPA/CPRA): Contractual Necessity and Consent

-       Service Improvement and Development

-       Purpose: To analyze usage patterns, identify bugs, and develop new features to enhance user experience.

-       Data Used: Usage Data, Device Information, De-identified and Aggregated Health Data

-       Legal Basis (GDPR): Legitimate Interests (improving our Services and user experience)

-       Legal Basis (PDPA): Legitimate Interests

-       Legal Basis (CCPA/CPRA): Business Purpose

-       Communication

-       Purpose: To send you administrative messages, service updates, security alerts, and respond to your inquiries.

-       Data Used: Account Information, User Content

-       Legal Basis (GDPR): Legitimate Interests (maintaining our relationship with you) and Contractual Necessity

-       Legal Basis (PDPA): Legitimate Interests

-       Legal Basis (CCPA/CPRA): Business Purpose

-       Research and Development

-       Purpose: To conduct research to advance scientific understanding of metabolic health, improve algorithms, and contribute to public health knowledge. We use only De-identified and aggregated data for this purpose unless we obtain your separate explicit consent.

-       Data Used: Aggregated and De-identified Data (or identifiable data with separate explicit consent)

-       Legal Basis (GDPR): Legitimate Interests (for De-identified data) or Explicit Consent (for identifiable data)

-       Legal Basis (PDPA): Legitimate Interests (for De-identified data) or Consent (for identifiable data)

-       Legal Basis (CCPA/CPRA): Business Purpose (for De-identified data) or Consent (for identifiable data)

-       Security and Fraud Prevention

-       Purpose: To verify accounts, detect and prevent fraud, abuse, and security incidents, and protect the rights and safety of our users and the public.

-       Data Used: Account Information, Usage Data, Device Information

-       Legal Basis (GDPR): Legitimate Interests (ensuring security) and Legal Obligation

-       Legal Basis (PDPA): Legitimate Interests and Legal Obligation

-       Legal Basis (CCPA/CPRA): Business Purpose and Legal Obligation

-       Legal Compliance

-       Purpose: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests.

-       Data Used: Any relevant Personal Data

-       Legal Basis (GDPR): Legal Obligation

-       Legal Basis (PDPA): Legal Obligation

-       Legal Basis (CCPA/CPRA): Legal Obligation


6. Data Sharing and Disclosure

We understand the sensitive nature of your Health Data and are committed to maintaining your trust. We do not sell your Personal Data to third parties. We may share your information only in the following limited circumstances:

6.1. With Service Providers (Data Processors)

We engage carefully selected third-party service providers to perform functions on our behalf. These service providers may have access to your Personal Data only to the extent necessary to perform their designated functions and are contractually obligated to:

-       Process your data only in accordance with our documented instructions

-       Implement appropriate technical and organizational security measures

-       Not use your data for their own purposes

-       Maintain confidentiality

-       Delete or return your data upon termination of services


Examples of service providers include cloud hosting providers, data analytics services, customer support platforms, and email communication services. For AskSally Terminal, we use Dynamic.xyz to facilitate web3 wallet connections; their privacy policy is available on their website.

6.2. With Your Explicit Consent

We may share your Personal Data with third parties when we have your explicit consent to do so. For example, you may choose to share your health insights with your healthcare provider or a family member.

6.3. For Legal and Security Reasons

We may disclose your Personal Data if we believe in good faith that such disclosure is necessary to:

-       Comply with a legal obligation, such as a court order, subpoena, or government request.

-       Protect and defend our rights, property, or safety, or that of our users or the public.

-       Prevent or investigate possible wrongdoing in connection with the Services.

-       Enforce our Terms and Conditions.

6.4. In Connection with a Business Transfer

In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your Personal Data may be transferred to a successor or affiliate as part of that transaction. We will notify you before your Personal Data is transferred and becomes subject to a different privacy policy.

6.5. In Aggregated or De-identified Form

We may share aggregated statistical data or de-identified information that cannot reasonably be used to identify you. This information may be used for research, statistical analysis, business intelligence, marketing, and other legitimate business purposes. De-identified data is not considered Personal Data under most data protection laws.


7. Web3 Wallet, Blockchain, and Financial Data

7.1. Web3 Wallet Information

AskSally Terminal uses Web3 wallet authentication for account access. When you connect your wallet, we collect your public wallet address to identify your account. We do not collect or have access to your private keys, and you are solely responsible for the security of your wallet.


We use Dynamic.xyz as a third-party service provider to facilitate wallet connections across all supported platforms. Your interaction with Dynamic.xyz is subject to their privacy policy, which we encourage you to review.

7.2. Blockchain Transactions and Data

The AskSally Terminal subscription requires locking a specified amount of our native token, $A1C. You may unsubscribe at any time by initiating the unlocking process; on initiation, your access to premium features is revoked immediately, and you may re-lock your tokens at any time to restore access. The unlocking process is subject to a 14-day on-chain cooldown, enforced by the smart contract, before the tokens become fully transferable in your wallet. Locking and unlocking transactions are recorded on a public blockchain, where they are public and permanent; the recorded information may include your wallet address, the transaction amount, and the timestamp. We do not control the blockchain and are not responsible for the information that is publicly available on it.

7.3. Financial Information

For A1C Insight, subscription payments are processed through third-party App Stores (Apple App Store or Google Play Store). We do not collect or store your credit card information. The respective App Store's privacy policy governs the handling of your payment information.


For AskSally Terminal, you may need to acquire $A1C tokens through third-party platforms like Uniswap. We are not a party to these transactions and are not responsible for the privacy or security of your data on these platforms.


8. International Data Transfers

As a Singapore-registered company offering Services to users worldwide, your Personal Data may be transferred to, stored, and processed in Singapore or other countries where we or our service providers operate. These countries may have data protection laws that differ from those in your country of residence.


When we transfer Personal Data from the European Economic Area (EEA), United Kingdom, Switzerland, or other jurisdictions with comprehensive data protection laws to countries that have not been recognized as providing an adequate level of data protection, we implement appropriate safeguards to ensure your data remains protected. These safeguards include:

-       Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses approved by the European Commission [5] and other relevant authorities. These are standardized contractual terms that ensure the transferred data receives a level of protection consistent with EEA data protection law.

-       Adequacy Decisions: Where applicable, we may rely on adequacy decisions issued by the European Commission or other relevant authorities recognizing certain countries as providing adequate data protection.

-       Your Explicit Consent: In certain circumstances, we may seek your explicit consent for the transfer of your data to a third country.


For more information about the safeguards we use for international data transfers, please contact us using the information provided in the Contact Us section.


9. Your Data Protection Rights

We respect and uphold your rights concerning your Personal Data. Depending on your jurisdiction and the applicable data protection laws, you may have the following rights:

9.1. Universal Rights (Available to All Users)

-       Right to Access

-       Description: You have the right to request and receive a copy of the Personal Data we hold about you.

-       How to Exercise: Contact us using the information in Section 16. We will provide the information within the timeframe required by applicable law (for example, one month under GDPR and 45 days under CCPA/CPRA).

-       Right to Rectification (Correction)

-       Description: You have the right to request that we correct any inaccurate or incomplete Personal Data.

-       How to Exercise: You can update certain information directly in your account settings, or contact us for assistance.

-       Right to Erasure (Deletion)

-       Description: You have the right to request the deletion of your Personal Data, subject to certain legal and contractual obligations.

-       How to Exercise: You may delete your account through the Apps or contact us. We will delete your data in accordance with our retention policies and legal obligations.

-       Right to Withdraw Consent

-       Description: Where we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time.

-       How to Exercise: You can withdraw consent by closing your account or contacting us. Withdrawal will not affect the lawfulness of processing based on consent before withdrawal.

9.2. Additional Rights for EEA, UK, and Swiss Residents (GDPR)

In addition to the universal rights above, if you are located in the EEA, UK, or Switzerland, you have the following additional rights under GDPR:

-       Right to Data Portability: You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another data controller without hindrance.

-       Right to Object: You have the right to object to processing of your Personal Data based on legitimate interests or for direct marketing purposes.

-       Right to Restrict Processing: You have the right to request the restriction of processing of your Personal Data in certain circumstances, such as when you contest the accuracy of the data.

-       Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular the data protection authority of the EU Member State of your habitual residence, place of work, or place of the alleged infringement (or, for UK residents, the Information Commissioner's Office).

9.3. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA and CPRA:

-       Right to Know: You have the right to request information about the categories and specific pieces of Personal Information we have collected, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share Personal Information.

-       Right to Delete: You have the right to request deletion of your Personal Information, subject to certain exceptions.

-       Right to Opt-Out of Sale: You have the right to opt out of the “sale” of your Personal Information. We do not sell your Personal Information.

-       Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA/CPRA rights.

-       Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your Sensitive Personal Information (which includes Health Data) to purposes necessary to provide the Services you requested.

9.4. Rights for Washington State Residents (MHMDA)

If you are a Washington State resident, you have specific rights under the My Health My Data Act regarding your consumer health data, including the right to confirm collection, access third-party recipients, withdraw consent, and request deletion.

9.5. How We Respond to Your Requests

We are committed to facilitating the exercise of your rights. When you submit a request, we will:

-       Verify your identity to protect your Personal Data from unauthorized access

-       Respond within the timeframe required by applicable law (one month under GDPR, extendable by up to two further months for complex or numerous requests; 45 days under CCPA/CPRA, extendable once by a further 45 days where reasonably necessary)

-       Provide the requested information or action free of charge for the first request, though we may charge a reasonable fee for subsequent repetitive or manifestly unfounded requests

-       Inform you if we cannot comply with your request and explain the reasons


10. Data Accuracy, AI, and User Responsibility

This section outlines the limitations of the data and insights provided by our Services and your responsibilities as a user.

10.1. Data Accuracy

While we strive to provide accurate insights, the quality of our Services depends on the accuracy of the data you provide. We are not responsible for inaccuracies arising from:

-       User provided data: You are responsible for the accuracy and completeness of the data you enter into the Apps.

-       Third-party devices: We are not liable for inaccuracies in data from third-party devices and health integration platforms, such as CGM sensors, due to issues like sensor calibration errors, latency, or hardware malfunctions.

-       OCR and Data Extraction: For features that involve Optical Character Recognition (OCR) or other automated data extraction from uploaded documents, you are responsible for verifying that the extracted digital data matches the original source.

10.2. Artificial Intelligence (AI)

Our Services use AI to analyze your data and provide insights. You acknowledge that AI systems may produce inaccurate or “hallucinated” results. You should always verify AI-generated advice with a qualified healthcare professional.

10.3. Assumption of Risk

You assume all risks associated with the use of our Services. We are not liable for any decisions or actions you take based on the information or insights provided by the Apps.


11. Data Security

Protecting your Personal Data, particularly your sensitive Health Data, is of paramount importance to us. We have implemented and maintain appropriate technical, physical, and organizational security measures designed to protect your Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure.

11.1. Security Measures

Our security measures include, but are not limited to:

-       Encryption: We use industry-standard encryption protocols (such as TLS) to protect data in transit between your device and our servers. Data at rest is also encrypted using strong encryption algorithms.

-       Access Controls: Access to Personal Data is restricted to authorized employees, contractors, and service providers who have a legitimate need to access the data to perform their duties. Access is granted on a need-to-know basis and is protected by authentication mechanisms.

-       Security Monitoring: We employ monitoring systems to detect and respond to security incidents, unauthorized access attempts, and anomalous activity.

-       Regular Security Assessments: We conduct regular security audits, vulnerability assessments, and penetration testing to identify and remediate potential security weaknesses.

-       Incident Response Plan: We maintain an incident response plan to ensure prompt and effective response to any data breach or security incident.

-       Vendor Security: We require our service providers to implement appropriate security measures and conduct due diligence to assess their security practices.

11.2. Your Responsibility

While we implement robust security measures, the security of your Personal Data also depends on you. You are responsible for:

-       Maintaining the confidentiality of your account information and not sharing it with others

-       Using a strong, unique password for your account

-       Logging out of your account when you finish using the Apps, especially on shared devices

-       Notifying us immediately if you suspect any unauthorized access to your account

-       Keeping your device's operating system and security software up to date

11.3. Limitations

Despite our best efforts, no method of transmission over the Internet and no method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authorities and, where required, you, in accordance with applicable law and Section 12.


12. Breach Notification

12.1. Our Commitment

We take the security of your information seriously and have implemented measures to prevent breaches. However, in the unlikely event of a breach of security involving your Personal Data, we are committed to transparency and will comply with all applicable breach notification requirements.

12.2. Notification Under GDPR

For users in the EEA, UK, or Switzerland, if a breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR [2]. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

12.3. Notification Under FTC Health Breach Notification Rule

As our Apps are not covered by HIPAA, we are subject to the FTC Health Breach Notification Rule [6]. In the event of a breach of security involving unsecured personally identifiable health information, we will:

-       Notify Affected Individuals: Provide notice to each individual whose information was breached without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The notice will include:

-       A description of what happened

-       The types of information involved

-       Steps we are taking to investigate and mitigate harm

-       What you can do to protect yourself

-       Contact information for questions


-       Notify the FTC: If the breach involves 500 or more individuals, we will notify the Federal Trade Commission at the same time we notify affected individuals.

-       Media Notice: If the breach involves 500 or more residents of a state or jurisdiction, we will provide notice to prominent media outlets serving that state or jurisdiction.

12.4. Notification Under Other Laws

We will also comply with breach notification requirements under PDPA, CCPA/CPRA, MHMDA, and other applicable laws, which may have different thresholds and timeframes.

12.5. What Constitutes a Breach

Under the FTC Health Breach Notification Rule, a "breach of security" means:

-       Unauthorized acquisition of personally identifiable health information

-       Unauthorized access to such information

-       Unauthorized use or disclosure of such information

This includes both external attacks (such as hacking) and internal incidents (such as unauthorized employee access).


13. Data Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, resolve disputes, and enforce our agreements.

13.1. Retention Criteria

The criteria we use to determine retention periods include:

-       Service Provision: We retain your data for as long as your account is active and you continue to use our Services.

-       Legal Obligations: We may be required to retain certain data for specific periods to comply with legal, tax, accounting, or regulatory requirements (typically 3 to 7 years depending on the jurisdiction and type of data).

-       Legitimate Interests: We may retain data for a reasonable period to protect our legal rights, such as in the event of disputes or litigation.

-       User Requests: We will delete data upon your request, subject to legal retention requirements.

13.2. Specific Retention Periods

-       Account Information: Duration of account plus 30 days after account closure (unless longer retention required by law)

-       Health & Wellness Data: Duration of account plus 30 days after account closure (unless longer retention required by law)

-       Usage and Log Data: 12 to 24 months, unless required for security investigations or legal compliance

-       De-identified/Aggregated Data: Indefinitely (as it cannot identify you)

-       Backup Data: Up to 90 days in backup systems before permanent deletion

13.3. Account Closure and Data Deletion

When you close your account or request deletion of your Personal Data:

-       We will delete or anonymize your Personal Data within 30 days of your request, unless we are required or permitted by law to retain it for a longer period.

-       Some information may be retained in our backup systems for up to 90 days before being permanently deleted.

-       De-identified and aggregated data that cannot be used to identify you may be retained indefinitely for research and analytical purposes.

-       We may retain certain information as necessary to comply with legal obligations, resolve disputes, enforce our agreements, or as otherwise permitted by law.

-       For AskSally Terminal users, account closure does not affect transactions recorded on the blockchain. Your public wallet address and transaction history will remain on the blockchain.


14. Children's Privacy

Our Services are not intended for, marketed to, or directed at individuals under the age of 18 years. We do not knowingly collect, use, or disclose Personal Data from children under 18. By using our Services, you represent and warrant that you are at least 18 years of age or have reached the age of legal majority in your jurisdiction.


If we become aware that we have inadvertently collected Personal Data from a child under 18 without proper parental consent, we will take immediate steps to delete such information from our systems. If you believe that we may have collected information from a child under 18, please contact us immediately using the information provided in the “Contact Us” section, and we will investigate and take appropriate action.


15. Cookies and Tracking Technologies

This section explains our position on cookies and similar tracking technologies and clarifies your responsibilities as a user.

15.1. Our Applications Do Not Use Cookies

Our mobile and web applications, A1C Insights and AskSally Terminal (the “Apps”), do not set, use, or store any cookies on your device. We have designed our Services to function without the need for cookies to track your activity or store your preferences directly within our Apps.

15.2. Understanding Cookies

Cookies are small text files that are placed on your device (computer, smartphone, or tablet) by websites you visit or applications you use. They are widely used to make websites and applications work, or work more efficiently, as well as to provide information to the owners of the site or app.

15.3. Potential Sources of Third-Party Cookies

While our Apps do not set cookies, you may encounter cookies from third-party sources when interacting with or using our Services. It is important for you to understand where these cookies may come from:

-       Third-Party Analytics Services: We use third-party analytics services, such as Google Analytics, to help us understand how our Services are used. These services may set cookies on your device to collect anonymous usage data, such as which features are most popular, how much time is spent in the Apps, and to identify performance issues. We do not have access to or control over these cookies.

-       Your Web Browser: When you access our Services through a web browser, the browser itself may set cookies for its own purposes, such as remembering your settings or for security. These cookies are controlled by your browser’s developer (e.g., Google, Apple, Mozilla).

-       Other Installed Applications: Other applications, browser extensions, or security software installed on your device may set cookies or interact with your browser in a way that results in cookies being placed on your device. These are outside of our control.

15.4. Your Responsibility and How to Manage Cookies

You are solely responsible for managing cookies set by third parties. We do not provide any tools to manage these cookies, as we do not control them. You can manage cookies through the settings of your web browser or device.

Most web browsers allow you to:

-       View the cookies that have been set.

-       Delete some or all cookies.

-       Block cookies from all or specific websites.

-       Receive a notification when a cookie is set.


To learn how to manage cookies on your specific browser, please consult the help documentation provided by the browser developer (e.g., Google Chrome, Apple Safari, Mozilla Firefox, Microsoft Edge).

15.5. Our Non-Liability for Third-Party Cookies

We are not responsible for and shall not be held liable for any cookies set by third parties, including our service providers (like Google Analytics), your web browser, or any other application on your device. The use of information collected by these third-party cookies is governed by their own privacy policies. We strongly encourage you to review the privacy policies of these third parties to understand their data collection practices.

15.6. Do Not Track Signals

Some web browsers have a “Do Not Track” (DNT) feature that signals to websites that you do not want to have your online activity tracked. As we do not use cookies or track users directly, these signals do not apply to our Apps. However, you should be aware that third-party services, such as your browser or analytics providers, may have their own policies regarding DNT signals.


16. Changes to This Privacy Policy

We have the discretion to update this Privacy Policy at any time. When we do, we will revise the “Last Updated” date at the top of this page. For material changes, we will notify you by email (sent to the email address specified in your account), by posting a prominent notice within the Apps, or by other means as required by applicable law. We encourage you to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect. You acknowledge and agree that it is your responsibility to review this Privacy Policy periodically and become aware of modifications. Subject to applicable law, your continued use of our Services after we post any modifications to the Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide by and be bound by the modified Privacy Policy.

16.1. Notification of Material Changes

If we make material changes that significantly affect your rights or how we process your Personal Data, we will provide you with prominent notice prior to the changes taking effect. This notice may be provided through:

-       Email notification to the address associated with your account

-       A prominent notice within the Apps

-       A notification when you next access the Services


We will provide such notice at least 30 days before the new policy takes effect, giving you the opportunity to review the changes and decide whether to continue using the Services.

16.2. Your Continued Use

Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the revised policy, you must stop using the Services and may close your account. If you close your account due to a material change in the Privacy Policy, we will delete your Personal Data in accordance with Section 13 (Data Retention).

16.3. Reviewing Changes

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. You can always find the most current version of this policy on our website or within the Apps.


17. Contact Us

We are committed to addressing your questions, concerns, and requests regarding this Privacy Policy and our data practices. If you wish to exercise your data protection rights, have questions about how we process your Personal Data, or wish to file a complaint, please contact us using the following channels:

-       For A1C Insights Users: By Email [email protected]

-       For AskSally Terminal Users: By Email [email protected]

General Privacy Inquiries: When contacting us about privacy matters, please include:

-       Your full name and email address associated with your account

-       A detailed description of your request or concern

-       Any relevant supporting documentation


We will make every effort to respond to your request within the timeframe required by applicable law (typically 30 days, which may be extended by an additional 30 days for complex requests).


18. Supervisory Authority and Dispute Resolution

18.1. For EEA, UK, and Swiss Residents

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the right to lodge a complaint with a data protection supervisory authority if you believe that our processing of your Personal Data violates applicable data protection law. You may lodge a complaint in the Member State of your habitual residence, your place of work, or the place where the alleged infringement occurred.


A list of supervisory authorities in the EEA is available at: https://edpb.europa.eu/about-edpb/board/members_en


For the UK, the supervisory authority is the Information Commissioner's Office (ICO): https://ico.org.uk/

18.2. For California Residents

California residents may contact the California Attorney General's office regarding privacy concerns or complaints:

-       Website: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

-       Phone: (916) 210-6276

18.3. For Washington State Residents

Washington State residents may contact the Washington State Attorney General's office:

-       Website: https://www.atg.wa.gov/file-complaint

-       Phone: (800) 551-4636

18.4. For Singapore Residents

Singapore residents may contact the Personal Data Protection Commission (PDPC):

-       Website: https://www.pdpc.gov.sg/

-       Email: [email protected]

18.5. FTC Complaints

For matters related to the FTC Act or FTC Health Breach Notification Rule, you may file a complaint with the Federal Trade Commission:

-       Website: https://reportfraud.ftc.gov/

-       Phone: 1-877-FTC-HELP (1-877-382-4357)

18.6. Dispute Resolution

For all users, we encourage you to contact us first so that we can attempt to resolve any concerns directly. If we are unable to resolve your concern, you may have the right to pursue dispute resolution through arbitration or the courts as set forth in our Terms and Conditions.


19. Compliance Summary

This Privacy Policy is designed to comply with the following major data protection frameworks and regulations:

-       Singapore PDPA: Consent, purpose limitation, notification, access and correction, protection, retention limitation, transfer limitation, accountability

-       EU GDPR: Lawfulness of processing, special category data protections, data subject rights, data protection by design and by default, international transfers with safeguards, breach notification within 72 hours

-       California CCPA/CPRA: Consumer rights (know, delete, opt-out), sensitive personal information protections, non-discrimination, privacy policy disclosures, right to limit use of sensitive personal information

-       Washington MHMDA: Consumer health data consent requirements, authorization for sale, geofencing prohibition (not applicable to our apps), consumer rights (confirm, access, withdraw, delete)

-       Nevada Health Data Law: Consent, privacy notice, restricted access, authorization for sale/sharing, security measures, geofencing restriction (not applicable to our apps)

-       FTC Act: Reasonable privacy and security practices, truthful representations, protection against unfair or deceptive practices

-       FTC Health Breach Notification Rule: Notification to affected individuals within 60 days, notification to FTC (if 500+ affected), media notification (if 500+ in a state), breach definition includes unauthorized acquisition, access, use, or disclosure

19.1. Why HIPAA Does Not Apply

Important Notice: Our Apps are NOT covered by HIPAA because:

  1. We are not a health plan, healthcare provider, or healthcare clearinghouse (i.e., not a HIPAA "covered entity")

  2. We do not receive health information directly from HIPAA covered entities

  3. We do not provide services to HIPAA covered entities that would make us a "business associate"

  4. Our Apps are offered directly to consumers who voluntarily enter their own health information

  5. The Apps are wellness tools, not medical devices


As stated by the U.S. Department of Health and Human Services (HHS): “The HIPAA Rules do not apply to health information maintained by anyone who isn’t a covered entity or business associate. For example, the HIPAA Rules likely wouldn’t apply to consumer health information maintained in an app that isn’t offered by a HIPAA covered entity or its business associate, even if the health information originated from a covered entity or business associate.” [7]


Our Apps are offered directly to consumers who voluntarily enter their own health information, and we do not receive health information from or provide services to HIPAA covered entities.

19.2. Applicable Laws Provide Comprehensive Protection

While HIPAA does not apply, the combination of PDPA, GDPR, CCPA/CPRA, MHMDA, Nevada Health Data Law, FTC Act, and FTC Health Breach Notification Rule provides comprehensive protection for your personal and health information that is equal to or exceeds HIPAA protections in many respects.


20. Acknowledgment and Consent

By creating an account and using our Services, you acknowledge that:


  1. You have read and understood this Privacy Policy

  2. You consent to the collection, use, and disclosure of your Personal Data as described in this Privacy Policy

  3. For users providing Health Data, you provide explicit consent for the processing of your Health Data for the purposes described in this Privacy Policy

  4. You understand that you can withdraw your consent at any time by closing your account or contacting us

  5. You understand that HIPAA does not apply to our Apps, but that your information is protected by other comprehensive privacy laws

  6. You are at least 18 years of age or have reached the age of legal majority in your jurisdiction

  7. You have the authority to provide the Personal Data you submit to the Apps


21. References

[1] Personal Data Protection Commission Singapore. (2023). Advisory Guidelines for the Healthcare Sector. Retrieved from https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/advisory-guidelines-for-the-healthcare-sector-sep-2023.pdf

[2] European Parliament and Council of the European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). Retrieved from https://gdpr-info.eu/

[3] State of California Department of Justice. California Consumer Privacy Act (CCPA). Retrieved from https://oag.ca.gov/privacy/ccpa

[4] Securiti. (2023). Healthcare Privacy Laws & Regulations Around the World. Retrieved from https://securiti.ai/healthcare-privacy-laws/

[5] Federal Trade Commission. Federal Trade Commission Act. Retrieved from https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act

[6] Federal Trade Commission. (2024). Health Breach Notification Rule. Retrieved from https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule

[7] U.S. Department of Health and Human Services. (2022). HIPAA & Health Apps. Retrieved from https://www.hhs.gov/hipaa/for-professionals/special-topics/health-apps/index.html