Privacy policy

Effective Date

28 Feb 2026

Last Updated

28 Feb 2026

Company

YHAP, Inc.

Contact

hi@yhap.ai · 251 Little Falls Drive, Wilmington, New Castle County, Delaware 19808

1. Scope

This Privacy Policy explains how YHAP collects, uses, shares, and protects personal data when you use our Services.


2. Data We Collect

2.1 Data You Provide

·       Account data: name, email, password hash, profile details.

·       Health-related uploads (Blood Upload): blood test values you enter or upload, including files (PDF/images) and associated metadata (upload time).

·       Support communications: messages, attachments, feedback, surveys.

·       Payment data (if applicable): billing details handled by payment providers (we may receive limited tokens/receipts).

2.2 Data Collected Automatically

·       Device and usage data: device identifiers, IP address, app events, pages/screens viewed, timestamps, crash logs, language, approximate location derived from IP.

·       Cookies/SDK data (web/app): analytics and advertising identifiers, cookie IDs, mobile ad IDs (e.g., IDFA/GAID), referral parameters.

2.3 Data We Generate or Infer

·       Derived insights: scores, trends, categories, recommendations, and other algorithmic outputs based on your inputs.

·       Advertising segments: interest categories or cohorts used for targeted ads (where permitted).


3. Sensitive Data / Health Data

Blood test values and related health information may be treated as sensitive data under certain laws (e.g., GDPR special category data; “consumer health data” under some U.S. laws).

We process such data only to provide the Service you request and/or based on your explicit consent where required. You can withdraw consent at any time (see Section 10).


4. Purposes of Processing

We use personal data to:

·       Provide the Services (account, blood uploads, insights, recommendations).

·       Personalize your experience (settings, content, feature improvements).

·       Run analytics and improve reliability, security, and performance (debugging, fraud prevention).

·       Provide customer support and communications (service messages, updates).

·       Provide targeted advertising and marketing (show ads, measure ad performance, attribution).

·       Comply with legal obligations (tax, accounting, responding to lawful requests).


5. Legal Bases (EEA/UK/Switzerland)

Where GDPR applies, we rely on:

·       Contract performance (Art. 6(1)(b)) - providing the app and requested features.

·       Consent (Art. 6(1)(a)) - especially for certain marketing and for special category health data (Art. 9(2)(a)) where required.

·       Legitimate interests (Art. 6(1)(f)) - security, preventing abuse, basic analytics, improving Services (balanced against your rights).

·       Legal obligation (Art. 6(1)(c)) - compliance duties.


6. Targeted Ads, Analytics, and Tracking

We use analytics and advertising partners to show targeted ads, measure performance (conversion, attribution), and improve campaigns and user acquisition.

6.1 What We Share for Ads

Depending on your device and settings, we may share:

·       device identifiers (cookie IDs, mobile ad IDs),

·       IP address and approximate location,

·       event data (e.g., sign-up, feature usage),

·       attribution parameters.

We do not intentionally share your blood values with ad partners for ad targeting.

6.2 Your Choices

You can manage ad preferences using:

·       In-app settings

·       Device settings: limit ad tracking / reset ad ID.

·       Cookie banner or consent tool (web): TBA

·       Opt-out preference signals where required (e.g., Global Privacy Control) on the web.


7. How We Share Data

We share personal data with:

·       Service providers (processors): hosting, databases, analytics, customer support tools, security vendors, email delivery, payments.

·       Advertising partners: for targeted ads and measurement (see Section 6).

·       Legal and safety: if required to comply with law, protect rights, investigate fraud/security incidents.

·       Corporate events: merger, acquisition, financing, or asset sale (with appropriate safeguards).

We do not sell your blood values as standalone data. Under some laws, sharing identifiers for cross-context behavioral advertising may be considered a “sale” or “share”; see Section 11 for opt-outs.


8. International Data Transfers

We may process data in the United States and other countries. Where required (e.g., GDPR), we use appropriate safeguards such as Standard Contractual Clauses and additional measures where appropriate.


9. Data Retention

We keep personal data only as long as needed for providing the Services, legitimate business purposes (security, fraud prevention), and legal obligations.

Typical retention rules:

·       Account data: while your account is active.

·       Blood uploads: until you delete them or delete your account, unless we must retain limited records for legal/security reasons.

·       Logs/security data: limited periods (e.g., weeks/months) unless needed for investigations.


10. Your Rights and How to Exercise Them

10.1 EEA/UK/Switzerland Rights

You may have the right to access, correct, or delete your data; to object to processing or request restriction; to data portability; to withdraw consent at any time; and to lodge a complaint with a supervisory authority.

10.2 How to Submit Requests

Email: [privacy@yhap.ai]. We may verify your identity before fulfilling requests.


11. U.S. Privacy Rights (State Laws)

Depending on your state, you may have rights to access, delete, correct, opt out of targeted advertising, opt out of “sale”/“sharing” of personal data (as defined by law), and appeal certain decisions.

California: You may have the right to opt out of “sale” or “sharing” for cross-context behavioral advertising and to limit certain uses of sensitive information.

Opt-out method: Settings App


12. Washington “My Health My Data” (Consumer Health Data)

If you are a Washington resident, certain health-related data may be treated as “consumer health data.” We provide descriptions of categories collected (Section 2), purposes (Section 4), sharing categories (Section 7), and a way to exercise rights (Section 10).

Where required, we will obtain affirmative consent for collection/sharing beyond what is necessary to provide the requested service.


13. Automated Decision-Making / Profiling

We use algorithms to generate insights and recommendations. These outputs are intended for informational/wellness use and are not intended to produce legal or similarly significant effects about you.

You can contact us if you believe an output is incorrect or want clarification: hi@yhap.ai.


14. Security

We implement administrative, technical, and organizational measures designed to protect data. No security system is perfect; we cannot guarantee absolute security.


15. Children’s Privacy

The Services are not directed to children. We do not knowingly collect personal data from minors. If you believe a minor has provided data, contact us.


16. Changes to This Policy

We may update this Privacy Policy. We will post the updated version and adjust the “Last Updated” date. We may notify you of material changes in-app or by email.


17. Contact

Questions or requests: hi@yhap.ai