Privacy Policy

Symplicured Pte. Ltd.

Singapore PDPA GDPR HIPAA-Ready SOC 2 Aligned Last updated: 9 Feb 2026

Symplicured Pte. Ltd. ("Symplicured", "we", "us", "our") is committed to protecting and respecting your privacy and personal data. This Privacy Policy ("Policy") explains how we collect, process, store, transfer, and protect personal data and health information when you access or use our website, platform, and related services ("Service").

By accessing or using the Service, you acknowledge that you have read and understood this Policy.

1. Data Controller / Data Processor Role

Depending on context, Symplicured may act as:

(a) Data Controller — when processing personal data for consumer use cases, analytics, product improvement, or compliance purposes.
(b) Data Processor — when handling data on behalf of enterprise customers (e.g., clinics, healthcare providers) under Business Agreements and Data Processing Agreements (DPAs).

2. Personal Data We Collect

We may collect personal data you voluntarily provide, data generated by the Service, and data automatically collected. Categories include:

2.1 User Input Data

Symptom descriptions
Answers to health questions
Health history or lifestyle information
Free-text search queries
Uploaded text, audio, images

2.2 Health Information (Special Category Data)

Medical symptoms
Potential conditions
Lifestyle factors
Medical history
Medications (if entered)
Clinical context (if provided)

Under GDPR, this may constitute Special Category Data (Art. 9).

2.3 Audio & Voice Data

Speech-to-text transcription
Symptom entry
Conversational interfaces

2.4 Image Data

We may accept health-related images (e.g., rashes, injuries) for informational purposes.

2.5 Device & Technical Data

Collected automatically, including:

IP address
Timestamps
Device type
Operating system
Browser type
Usage logs
Crash logs
Network identifiers

2.6 Analytics & Telemetry

We may collect analytics related to:

Session duration
Symptom search funnel
Question completion
Feature usage
Interaction metrics
Error events

Providers may include Amplitude or equivalent.

2.7 Cookies & Similar Technologies

We may use:

Cookies
Local storage
Session tokens
Authentication tokens
Analytics trackers

Cookie usage is described in Section 11.

3. Sources of Data

We collect data from:

Users directly
Device interactions
Enterprise partners (if applicable)
Authorized users (clinics, payers, caregivers)
Analytics providers
Cloud infrastructure

4. Purpose of Processing

Data may be processed for:

(a) Providing the Service
(b) AI-based symptom analysis & informational outputs
(c) Platform safety + product improvement
(d) Analytics, metrics, and telemetry
(e) Debugging, crash reporting, auditing
(f) Compliance with regulation
(g) Clinical sandbox or evaluation pathways
(h) Enterprise healthcare partnerships
(i) Research & development (subject to Section 15)
(j) Fraud prevention & security

5. Legal Bases of Processing (GDPR)

5.1 Article 6 Legal Bases

6(1)(a) Consent
6(1)(b) Contract performance
6(1)(c) Legal obligations
6(1)(f) Legitimate interests

5.2 Article 9 Special Category Data

For Health Information:

9(2)(a) Explicit consent
9(2)(h) Health or care evaluation (enterprise)
9(2)(j) Research & innovation (with safeguards)

6. HIPAA-Readiness (U.S. Context)

Symplicured is not currently a HIPAA Covered Entity or Business Associate, but may enter future arrangements with insurers, clinics, and telemedicine providers.

If we process Protected Health Information (PHI) in the future, we may:

Execute Business Associate Agreements (BAAs)
Adopt required safeguards
Follow HIPAA breach notification procedures

HIPAA is not currently binding unless contractually triggered.

7. PDPA (Singapore) Compliance

Under Singapore's PDPA, we:

Obtain valid consent for data collection
Provide access/correction rights
Restrict data disclosure without consent
Apply reasonable protection measures

8. SOC 2 & Security Controls

We implement controls aligned with SOC 2 principles, including:

Access control
Logging
Data minimization
Encryption in transit & at rest
Role-based access
Audit & monitoring
Deletion workflows
Least-privilege access
Intrusion monitoring
Periodic risk reviews
Security testing

No system is perfectly secure; users transmit data at their own risk.

9. Subprocessors & Third-Party Providers

We rely on subprocessors to provide essential functionality such as hosting, database, analytics, and AI inference. These include:

Infrastructure & Compute: Amazon Web Services (AWS)
Database & Authentication: Supabase
AI Model Providers: OpenAI, Anthropic, Google Gemini
Calendar & Scheduling: Google Calendar API (for appointment synchronisation when enabled by the clinic)
Cloud Hosting & Deployment: Vercel
Analytics & Telemetry: Amplitude or equivalent

When a clinic connects Google Calendar, we access calendar events (event titles, times, descriptions, and attendee emails) using OAuth 2.0 tokens granted by the authorised user. These tokens are encrypted at rest using AES-256-GCM. We do not access calendars beyond the scopes explicitly authorised, and access can be revoked at any time from the Integrations settings page or from your Google Account permissions.

Additional processors may be listed in updated public documentation. We ensure subprocessors operate under contractual Standard Operating Clauses, DPAs, or equivalent mechanisms.

10. International Data Transfers

Data may be stored or processed in locations outside your jurisdiction, including:

Singapore
United States
European Union / EEA
Other cloud regions

Transfers may rely on:

GDPR Standard Contractual Clauses (SCCs)
PDPA Transfer Limitation Guidelines
SOC 2 vendor certifications
HIPAA BAA (future)
Technical & contractual safeguards

11. Cookies & Tracking

We may use cookies for:

Authentication
Session continuity
Analytics
Performance metrics

Users may disable cookies but certain functionality may degrade.

12. Children & Minors

The Service is intended for individuals 16+. We do not knowingly collect personal data from individuals under 16.

13. Retention & Deletion

Data retention depends on:

(a) Purpose of processing
(b) Contractual or regulatory obligations
(c) Enterprise sandbox agreements (e.g., MOH LEAP)

Users may request deletion under Section 20.

14. Security Measures

We implement reasonable organizational and technical measures including:

Encryption at rest / in transit
Audit logging
Least-privilege access
Intrusion monitoring
Data minimization
Periodic risk reviews
Access controls
Security testing

No system is perfectly secure; users transmit data at their own risk.

15. Product Improvement & Research Use

We may use anonymized or pseudonymized data for:

(a) Product quality and safety
(b) Algorithm refinement
(c) Model performance audits
(d) Healthcare research
(e) Statistical analysis

16. Disclosure to Third Parties

We may disclose data:

(a) To subprocessors (Section 9)
(b) To enterprise healthcare partners (with consent)
(c) To regulators under sandbox programs
(d) To legal authorities if required
(e) During mergers/acquisitions (with notice)

We do not sell personal data. We do not disclose health data for advertising.

17. No Data Brokering / No Ad-Selling

Symplicured does not:

Sell personal data
Sell health data
Sell analytics data
Permit targeted health advertising

18. User Rights (PDPA + GDPR)

Depending on jurisdiction, Users may exercise:

Access
Correction
Erasure ("Right to be Forgotten")
Restriction
Portability
Objection
Withdrawal of consent

Requests handled under Section 20.

19. Breach Notification

In case of a data breach involving personal or health data, we will:

(a) Assess incident severity
(b) Notify affected parties where required
(c) Notify regulators if required under applicable law (e.g., GDPR, HIPAA, PDPA).

20. Data Access / Modification / Deletion Requests

Users may submit privacy requests including:

Access
Correction
Export
Deletion
Withdrawal of consent

Contact details in Section 25. We may verify identity before fulfilling requests.

21. Third-Party Links

The Service may contain external links. We are not responsible for third-party privacy practices.

22. Changes to This Policy

We may update this Policy periodically. Continued use constitutes acceptance of updates.

23. Governing Law

This Policy is governed by Singapore law.

24. Dispute Resolution

Disputes relating to data privacy shall be resolved via SIAC Arbitration in Singapore.

25. Contact & Data Protection Officer (DPO)

For privacy inquiries or requests:

Email: akshay@symplicured.com
DPO: Akshay Ishwar, Co-Founder & CEO