MedAnswer AI

Privacy Policy

Effective date: June 16, 2026

MedAnswer AI ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights in relation to it. By using our Service, you agree to the practices described in this policy.

1. Information We Collect

1.1 Information You Provide

  • Account information: When you register, we collect your full name, email address, and hashed password.
  • Conversation content: Messages you send to the AI and the AI-generated responses are stored to provide persistent chat history.
  • Organisational data: Folder names, conversation titles, tags, and pinning preferences you create to organise your chats.
  • Payment information: If you subscribe to a paid plan, we collect your PayPal subscription ID, payment status, and transaction metadata. We do not store full credit card numbers or bank details — all payment processing is handled by PayPal.

1.2 Information Collected Automatically

  • Session data: We use PHP sessions to maintain your logged-in state and track usage limits.
  • Usage data: We track the number of AI interactions you perform to enforce plan limits.
  • Guest identifiers: If you use the Service without registering, a temporary guest identity is created (using a randomised internal email address) to maintain your session. This data may be migrated to your account if you later register.
  • Log data: Standard web server logs may capture your IP address, browser type, pages visited, and timestamps for security and diagnostic purposes.

1.3 Information from Third Parties

  • PayPal: We receive subscription and payment confirmation data from PayPal when you subscribe to a paid plan.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the MedAnswer AI Service
  • Authenticate you and manage your account
  • Deliver AI-generated responses to your medical queries
  • Store and display your conversation history
  • Process payments and manage your subscription
  • Enforce usage limits based on your plan tier
  • Rotate and personalise AI quick-prompt suggestions based on your recent topics
  • Detect, prevent, and respond to fraud, abuse, or security incidents
  • Comply with legal obligations
  • Communicate with you about your account or the Service

We do not sell your personal data to third parties. We do not use your conversation content to train AI models.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

  • Contract: Processing necessary to provide the Service you have requested (account management, delivering AI responses, managing subscriptions).
  • Legitimate interests: Security monitoring, fraud prevention, and platform diagnostics.
  • Legal obligation: Where required to comply with applicable law.
  • Consent: Where we ask for your consent (e.g., cookies), you may withdraw it at any time.

4. Data Sharing and Disclosure

We may share your information with:

  • AI Service Provider: Your message content is sent to our AI provider to generate responses. The provider's use of this data is governed by their terms of service and privacy policy.
  • PayPal: Payment and subscription information is shared with PayPal to process transactions. PayPal's use of data is governed by PayPal's Privacy Policy.
  • Google Fonts: Font files are loaded from Google's CDN. Your IP address may be logged by Google. See Google's Privacy Policy for details.
  • Law enforcement: We may disclose your information where required by law, court order, or governmental authority.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

We do not share your data with advertisers or data brokers.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data is retained until you delete your account.
  • Conversation history is retained until you delete individual conversations or your account.
  • Guest session data may be purged periodically according to our data retention schedule.
  • Payment records are retained as required for legal, tax, and accounting obligations (typically 7 years).
  • Server logs are retained for a limited period for security purposes.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords are hashed using bcrypt and are never stored in plain text
  • Database queries use parameterised statements to prevent SQL injection
  • All output is HTML-escaped to prevent cross-site scripting
  • Access to the admin panel is restricted to authorised administrators
  • Payment data is processed by PCI-compliant third parties (PayPal)

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct inaccurate or incomplete data.
  • Deletion: Request that we delete your personal data ("right to be forgotten").
  • Portability: Request your data in a portable format.
  • Restriction: Request that we restrict the processing of your data.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw any consent you have previously given.

To exercise these rights, contact us through the platform's support channels. We will respond within the timeframe required by applicable law (generally 30 days).

8. Children's Privacy

Our Service is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly.

9. International Transfers

Your data may be processed in countries other than your own, including by Google (United States) and PayPal (United States). We take reasonable steps to ensure that such transfers comply with applicable data protection laws.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by revising the effective date at the top of this page. Continued use of the Service after changes are posted constitutes acceptance of the updated policy.

11. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us through the platform's support channels.


© 2026 MedAnswer AI.