Privacy Policy

Last updated: October 4, 2025

🔒

Our Privacy Commitment

Toowit is built on a privacy-first principle. We do not store personally identifiable information (PII) or your original medical documents. Your health data remains yours, and we use industry-leading encryption to protect it.

1. Introduction

Toowit ("we," "our," or "us") operates health.toowit.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use the Service.

2. Information We Collect

2.1 Personal Information

When you create an account, we collect:

  • Email address: Used for authentication via Google OAuth
  • Name: Provided by Google OAuth (used only for display purposes)

We do NOT collect: Date of birth, address, phone number, social security number, or other personally identifiable information beyond email and name.

2.2 Health Data

When you upload a medical test report, we extract and store:

  • Biomarker values: Numeric readings (e.g., cholesterol: 180 mg/dL)
  • Biomarker types: Names of tests (e.g., LDL cholesterol, HbA1c)
  • Test date: When the test was performed
  • Units: Measurement units (e.g., mg/dL, ng/mL)

We do NOT store:

  • Your name or date of birth from medical reports
  • Doctor's name or clinic information
  • Original medical documents (PDFs/images are deleted immediately after processing)
  • Medical diagnoses or treatment recommendations

2.3 Usage Data

We collect standard analytics data to improve the Service: IP address (anonymized), browser type, pages visited, time spent, and device information. We use privacy-respecting analytics tools.

3. How We Use Your Information

We use collected information for the following purposes:

  • Provide the Service: Extract biomarker data, visualize trends, generate AI insights
  • Account management: Authentication, account recovery, communications
  • Improve the Service: Analyze usage patterns, fix bugs, develop new features
  • Security: Detect fraud, abuse, and security threats
  • Legal compliance: Respond to legal requests, enforce our Terms of Service

We do NOT: Sell your data, share it with advertisers, or use it for marketing purposes without your explicit consent.

4. How We Share Your Information

4.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information or health data to third parties for marketing or advertising purposes.

4.2 Third-Party Service Providers

We use the following trusted third-party services to operate Toowit:

  • Supabase: Database hosting and authentication. Data is encrypted at rest and in transit. See their Privacy Policy.
  • Google OAuth: Authentication only. We do not access your Gmail or other Google services. See Google's Privacy Policy.
  • AI/LLM Provider (Google Gemini): Used to extract biomarker data from uploaded reports. We send only the text content of your report (no PII). Original documents are deleted immediately after processing. We do not train AI models on your data.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect rights, property, or safety.

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access control: Row-level security ensures you can only access your own data
  • Document deletion: Uploaded PDFs/images are immediately deleted after processing
  • Regular security audits: We continuously monitor for vulnerabilities

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

6. Your Rights & Choices

You have the following rights regarding your data:

  • Access: View all your biomarker data in the dashboard
  • Correction: Edit or delete individual biomarker readings
  • Deletion: Request complete account deletion. All your data will be permanently deleted within 30 days. Email us at privacy@toowit.com.
  • Export: Download a copy of your data in JSON or CSV format (feature coming soon)
  • Opt-out of analytics: Contact us to disable usage tracking

GDPR & CCPA Rights

If you are in the EU or California, you have additional rights under GDPR and CCPA, including the right to data portability and the right to restrict processing. Contact us at privacy@toowit.com to exercise these rights.

7. Cookies & Tracking

We use minimal cookies for:

  • Authentication: Keep you logged in (essential, cannot be disabled)
  • Analytics: Understand how users interact with the Service (can be disabled)

We do NOT use third-party advertising cookies or tracking pixels.

8. Children's Privacy

Toowit is not intended for use by individuals under 18 years of age. We do not knowingly collect information from children. If we learn we have collected data from a child without parental consent, we will delete it promptly.

9. International Users

Your data may be transferred to and processed in the United States or other countries where our service providers operate. By using Toowit, you consent to this transfer. We ensure appropriate safeguards are in place for international data transfers.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance.

11. Contact Us

If you have questions about this Privacy Policy or our data practices: