Effective Date: February 27, 2025
Last Updated: February 27, 2025
ATHEAL'S GUIDING PRIVACY PRINCIPLES
Atheal was built for our families, ourselves, and you. Your privacy is one of our top priorities. We empower you to take control of your health, and that includes having control of certain aspects of your Personal Information. Please read the Privacy Policy in full to understand all of our Personal Information practices as we set out our guiding privacy principles immediately below.
- Your identity is not for sale for money. We do not disclose your Personal Information to third parties in exchange for money.
- We limit the information we collect and retain. We collect Personal Information to provide you with our products and Services. We retain your information for the period of time necessary to fulfill the purposes for which we collected it, including delivering requested products and Services, protecting the interests of our members, and for the period of time required by law.
- We limit the manners in which we share your test results with third parties. In order to deliver our product and services to you, it may be necessary for us to provide certain information to our Lab and Provider Partners. We will do so when such recipients agree to limitations regarding the use of your personal information.
We encourage you to review the rest of this Privacy Policy to learn more about Atheal's transparent privacy practices.
PRIVACY POLICY
This Privacy Policy governs how Atheal ("Atheal", "Company", "we", "our", "us") collects, stores, and uses your Personal Information (as defined below), as well as other data and information arising out of and/or relating to you and/or your use of our Services – which include without limitation your use of the website Atheal.com (the "Site") and any other technologies, features, websites, mobile applications, content, and other services we offer (collectively, the "Services"). We may also provide you with "just-in-time" disclosures, supplemental terms and/or clarifications, further options, and additional information pertaining to our collection, storage, and usage of Personal Information, and other data and information.
Atheal may also collect, store, and use Personal Information regarding you that is linked or reasonably linkable to you and that identifies your past, present, or future health status or mental health status, as may be applicable ("Consumer Health Data"). This Privacy Policy provides information about how we collect Consumer Health Data, how we use it, what sources it is derived from, to whom we disclose it and how we otherwise process it.
This Privacy Policy does not apply to third-party websites, applications, products, services, or other properties, even if they may link to our Site or our Site may link to them. We recommend you review the privacy practices of those third parties before connecting with and/or accessing third-party offerings, and before sharing any Personal Information with those third parties.
To keep things simple, we use the same capitalized terms as those set forth in our Terms of Service, unless otherwise indicated herein. In the event of a conflict between our Privacy Policy and our Terms of Service, the latter will control.
Contents
It is important that you read and understand the entire Privacy Policy before using our Services. For ease of review, below is a table of contents that links to each section. Please note that the complete provisions and not the headings shall govern.
- Personal Information We May Collect, Use, and Disclose
- Sources of Personal Information
- Disclosure of Personal Information
- Aggregated, Deidentified, or Anonymized Information
- Cookies and Tracking Technologies
- Data Security
- Data Retention
- International Transfers of Your Personal Information
- Children's Privacy
- Your Privacy Rights
- Saudi Arabia Privacy Notice
- Changes to This Privacy Policy
- Contact Us
1. Personal Information We May Collect, Use, and Disclose
"Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identifiable individual. Personal Information includes "personal data" as that term is defined in applicable privacy laws. Personal Information does not include "Publicly Available Information"; lawfully obtained, truthful information that is a matter of public concern; information that has been de-identified; or aggregate consumer information.
"Self-Reported Health Information" refers to Personal Information that relates to your physical or mental health and that you provide directly to us when you complete electronic forms designed for you to self-report your physical or mental health status, upload medical records, or link a wearable or Internet of Things device to our Services.
We may disclose non-Personal Information, such as aggregated user statistics, to third parties.
| Category of Personal Information | Processing Purposes | Categories of Third-Party Recipients |
|---|---|---|
| Identifiers: Name, Address, Email, Phone, Date of birth, Account username, Social media info, IP address, Device identifiers | Communicate with you, Provide customer service, Identity verification, Provide Services, Develop products, Analytics, Marketing, Business administration, Legal compliance, Security | Third-party advertising platforms (only through cookies, which you can reject). We do not provide Lab Results or Self-Reported Health Information to these recipients. |
| Commercial information: Interests and preferences | Same as Identifiers | Same as Identifiers |
| Financial information: Bank account, credit/debit card numbers | Provide Services, Business administration | N/A |
| Internet activity: Browser version, pages visited, cookies, mobile OS | Same as Identifiers | Same as Identifiers |
| Geolocation Data: GPS data, IP-based location | Same as Identifiers | N/A |
| Professional information: Employer name, employment history, licenses | Facilitate features, Analytics, Marketing, Business administration | Applicable employer if accessing as employment benefit. We do not provide Lab Results or Self-Reported Health Information. |
| Audio/Visual information: Photos, videos, audio recordings | Same as Identifiers | N/A |
| Protected classifications: Age, gender, marital status, veteran status, race, disability | Same as Identifiers | N/A |
| Sensitive Personal Information: Genetic data, mental or physical health condition, consumer health data | Same as Identifiers | N/A |
| Inferences about you: Derived from above categories | Any of the above purposes | N/A |
2. Sources of Personal Information
We may collect Personal Information about you from the following categories of sources:
- Directly from you through self-reported information
- Through cookies and other tracking technologies
- Through linked wearable devices connected to our Services
- From third party healthcare service providers and laboratory service providers (our "Lab and Provider Partners"), with your permission
- From other third parties, including service providers, business partners, affiliates, analytics providers, and advertisers
- From third parties that you choose (such as lab providers)
- From government agencies or public records
- From social media and other content platforms
3. Disclosure of Personal Information
| We May Share | We Won't Share (Without Your Affirmative, Express Consent) |
|---|---|
|
|
We may disclose Personal Information to:
- Our affiliates for providing Services and internal administration
- Our service providers for payment processing, analytics, hosting, marketing, customer support
- Our payment processing platforms
- Our Lab and Provider Partners with your permission
- Third party platform advertisers (excluding Lab Results and Self-Reported Health Information)
- Third parties related to compliance and harm prevention when required by law
- Third parties related to corporate transformation (mergers, acquisitions, etc.)
- At your request, other persons or entities relevant to your care
- Third parties designated by you
- Other users and the public when you choose to make information available
We do not disclose your Personal Information to third parties in exchange for money.
4. Aggregated, Deidentified, or Anonymized Information
We may create aggregated, de-identified, or anonymized information from Personal Information by removing certain data components (such as your name, email address, or linkable tracking ID) that makes the data identifiable, or through aggregation, obfuscation or other means. For example, we may de-identify any information and data provided and/or generated in connection with your use of our Services (including without limitation your Lab Results and other Personal Information), in compliance with applicable law.
5. Cookies and Tracking Technologies
We use cookies and similar tracking technologies and analytics services to track activity on the Site and Services.
a. Cookies
Cookies are files with a small amount of data, which may include a unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies we may use include web beacons to track information and analyze the Services.
Examples of Cookies we use:
- Strictly Necessary: Cookies required to allow you to use our website, prevent fraud, and improve security
- Performance: Cookies to assess website performance and improve content
- Functionality: Cookies for enhanced functionality and tracking preferences
- Advertising: Cookies to deliver relevant content and ads based on your interests
b. Analytics
We may use Google Analytics or other service providers for analytics services. These analytics services may use Cookies and other tracking technologies to help us analyze how users use the Services.
c. Third-Party Ad Networks
Certain companies may participate in advertising networks and may display an Advertising Option Icon for Interest-based Ads that links to an opt-out tool which allows you to exercise certain choices regarding targeting.
6. Data Security
The security of your data is important to us, but remember that no method of transmission over the Internet or method of electronic storage is completely secure. Atheal uses certain safeguards designed to protect the security and integrity of your Personal Information.
In accordance with ISO 27001:2022 standards, we implement comprehensive information security management systems including:
- Risk assessment and management processes
- Security policies and procedures
- Physical and environmental security measures
- Access controls and authentication mechanisms
- Network and communications security
- System acquisition, development, and maintenance security
- Incident management procedures
- Business continuity management
- Compliance with legal and regulatory requirements
Additionally, we implement technical and organizational measures required by HIPAA to protect personal health information, including:
- Encryption of data at rest and in transit
- Regular security assessments and audits
- Staff training on data protection practices
- Data breach notification procedures
- Data Protection Impact Assessments where required
- Appointment of data protection officers where required
7. Data Retention
We will retain your Personal Information for as long as is necessary to provide you with Services, to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies. Our determination of precise retention periods will be based on:
- The length of time we have an ongoing relationship with you
- Whether there is a legal obligation to which we are subject
- Whether retention is advisable in light of our legal position
8. International Transfers of Your Personal Information
Your information, including Personal Information, may be transferred to – and maintained on – information systems located outside of your country where the data protection laws may differ from those of your jurisdiction. If you are located outside of Saudi Arabia and choose to provide information to us, please note that we transfer the data, including Personal Information, to Saudi Arabia and process it there.
We ensure that international transfers of data comply with applicable laws including:
- Ensuring compliance with Saudi data protection laws for data processed within Saudi Arabia
- Implementing data transfer agreements with appropriate protections where required
- Ensuring that recipients of data have adequate data protection measures in place
9. Children's Privacy
Atheal's Services are not intended for children under the age of eighteen (18) years and we do not knowingly collect Personal Information from such persons. If you become aware that a child has provided us with Personal Information, please contact us at privacy@atheal.com, with the subject line "Minor Access". If we become aware that we have collected Personal Information from children without verification of parental consent, we take steps to remove that information from our information systems.
10. Your Privacy Rights
You may have certain rights and choices regarding our collection, use, and disclosure of your Personal Information based on applicable laws.
a. Opting out of promotional electronic communications
If you no longer wish to receive promotional email communications from us, you may opt out via the unsubscribe link included in such emails. We will comply with your request as soon as reasonably practicable.
b. Deleting your content or closing your account
You may be able to delete certain content through your account. If you wish to request to close your account, please contact us.
c. Additional rights available under Saudi law
Depending on applicable laws, you may have rights to:
- Access your personal data
- Rectify inaccurate data
- Delete your data
- Restrict or object to processing of your data
- Data portability
- Withdraw consent
- Lodge a complaint with a supervisory authority
d. Mobile location data
You can disable our access to your device's precise geolocation in your mobile device settings.
e. Exercising your privacy rights
To exercise your rights, please send your request(s) using one of the following methods:
- Emailing us at privacy@atheal.com
- Visiting the contact page at our Site at https://www.atheal.com/contact
- Calling us at +966 53 674 7161
11. Saudi Arabia Privacy Notice
This Saudi Arabia Privacy Notice applies to any Saudi Arabia residents about whom we collect Personal Information. The provisions contained within this section are intended to provide notices in compliance with the Saudi Data Protection Law (SDPL) and other relevant Saudi laws and regulations.
a. Rights under Saudi Data Protection Law
Under the SDPL, Saudi residents have the following rights:
- Right to be informed - You have the right to be informed about the collection and use of your personal data
- Right of access - You have the right to request a copy of your personal data
- Right to rectification - You have the right to have inaccurate personal data corrected
- Right to erasure - You have the right to have your personal data erased in certain circumstances
- Right to restrict processing - You have the right to request the restriction or suppression of your personal data
- Right to data portability - You have the right to obtain and reuse your personal data
- Right to object - You have the right to object to the processing of your personal data in certain circumstances
- Rights related to automated decision making - You have rights related to automated decision making including profiling
b. Data Controller
Atheal is the data controller of your personal data. For inquiries about our data protection practices, please contact our Data Protection Officer at dpo@atheal.com.
c. Data Localization
In accordance with Saudi data protection laws, we store your personal data primarily within the Kingdom of Saudi Arabia. Any transfer of data outside of Saudi Arabia is conducted in compliance with the requirements of the SDPL and with appropriate safeguards in place.
d. Data Breach Notification
In the event of a data breach that might compromise your personal data, we will notify you in accordance with the requirements of the SDPL without undue delay.
12. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page or other appropriate means. Any modifications to this Privacy Policy will be effective upon our posting the modified version. We recommend reviewing this Privacy Policy periodically for any changes.
13. Contact Us
Please contact privacy@atheal.com if you have any questions about this Privacy Policy. We are open to feedback around our privacy policies and practices. Because email communications are not always secure, please do not include any sensitive information in your email to us.