Privacy Policy — Symplicured

Symplicured Pte. Ltd.

Jurisdiction: Singapore | PDPA | GDPR | HIPAA-Ready | SOC 2 Aligned | Last updated: 11th January 2026

Symplicured Pte. Ltd. ("Symplicured", "we", "us", "our") is committed to protecting and respecting your privacy and personal data. This Privacy Policy ("Policy") explains how we collect, process, store, transfer, and protect personal data and health information when you access or use our website, platform, and related services ("Service").

By accessing or using the Service, you acknowledge that you have read and understood this Policy.

1. Data Controller / Data Processor Role

Depending on context, Symplicured may act as:

  • (a) Data Controller — when processing personal data for consumer use cases, analytics, product improvement, or compliance purposes.
  • (b) Data Processor — when handling data on behalf of enterprise customers (e.g., clinics, healthcare providers) under Business Agreements and Data Processing Agreements (DPAs).

2. Personal Data We Collect

We may collect personal data you voluntarily provide, data generated by the Service, and data automatically collected. Categories include:

2.1 User Input Data

  • Symptom descriptions
  • Answers to health questions
  • Health history or lifestyle information
  • Free-text search queries
  • Uploaded text, audio, images

2.2 Health Information (Special Category Data)

  • Medical symptoms
  • Potential conditions
  • Lifestyle factors
  • Medical history
  • Medications (if entered)
  • Clinical context (if provided)

Under GDPR, this may constitute Special Category Data (Art. 9).

2.3 Audio & Voice Data

  • Speech-to-text transcription
  • Symptom entry
  • Conversational interfaces

2.4 Image Data

We may accept health-related images (e.g., rashes, injuries) for informational purposes.

2.5 Device & Technical Data

Collected automatically, including:

  • IP address
  • Timestamps
  • Device type
  • Operating system
  • Browser type
  • Usage logs
  • Crash logs
  • Network identifiers

2.6 Analytics & Telemetry

We may collect analytics related to:

  • Session duration
  • Symptom search funnel
  • Question completion
  • Feature usage
  • Interaction metrics
  • Error events

Providers may include Amplitude or equivalent.

2.7 Cookies & Similar Technologies

We may use:

  • Cookies
  • Local storage
  • Session tokens
  • Authentication tokens
  • Analytics trackers

Cookie usage is described in Section 11.

3. Sources of Data

We collect data from:

  • Users directly
  • Device interactions
  • Enterprise partners (if applicable)
  • Authorized users (clinics, payers, caregivers)
  • Analytics providers
  • Cloud infrastructure

4. Purpose of Processing

Data may be processed for:

  • (a) Providing the Service
  • (b) AI-based symptom analysis & informational outputs
  • (c) Platform safety + product improvement
  • (d) Analytics, metrics, and telemetry
  • (e) Debugging, crash reporting, auditing
  • (f) Compliance with regulation
  • (g) Clinical sandbox or evaluation pathways
  • (h) Enterprise healthcare partnerships
  • (i) Research & development (subject to Section 15)
  • (j) Fraud prevention & security

6. HIPAA-Readiness (U.S. Context)

Symplicured is not currently a HIPAA Covered Entity or Business Associate, but may enter future arrangements with insurers, clinics, and telemedicine providers.

If we process Protected Health Information (PHI) in the future, we may:

  • Execute Business Associate Agreements (BAAs)
  • Adopt required safeguards
  • Follow HIPAA breach notification procedures

HIPAA is not currently binding unless contractually triggered.

7. PDPA (Singapore) Compliance

Under Singapore's PDPA, we:

  • Obtain valid consent for data collection
  • Provide access/correction rights
  • Restrict data disclosure without consent
  • Apply reasonable protection measures

8. SOC 2 & Security Controls

We implement controls aligned with SOC 2 principles, including:

  • Access control
  • Logging
  • Data minimization
  • Encryption in transit & at rest
  • Role-based access
  • Audit & monitoring
  • Deletion workflows
  • Least-privilege access
  • Intrusion monitoring
  • Periodic risk reviews
  • Security testing

No system is perfectly secure; users transmit data at their own risk.

9. Subprocessors & Third-Party Providers

We rely on subprocessors to provide essential functionality such as hosting, database, analytics, and AI inference. These include:

  • Infrastructure & Compute: Amazon Web Services (AWS)
  • Database & Authentication: Supabase
  • AI Model Providers: OpenAI, Anthropic, Google Gemini
  • Analytics & Telemetry: Amplitude or equivalent

Additional processors may be listed in updated public documentation. We ensure subprocessors operate under contractual Standard Operating Clauses, DPAs, or equivalent mechanisms.

10. International Data Transfers

Data may be stored or processed in locations outside your jurisdiction, including:

  • Singapore
  • United States
  • European Union / EEA
  • Other cloud regions

Transfers may rely on:

  • GDPR Standard Contractual Clauses (SCCs)
  • PDPA Transfer Limitation Guidelines
  • SOC 2 vendor certifications
  • HIPAA BAA (future)
  • Technical & contractual safeguards

11. Cookies & Tracking

We may use cookies for:

  • Authentication
  • Session continuity
  • Analytics
  • Performance metrics

Users may disable cookies, but certain functionality may degrade.

12. Children & Minors

The Service is intended for individuals 16+. We do not knowingly collect personal data from individuals under 16.

13. Retention & Deletion

Data retention depends on:

  • (a) Purpose of processing
  • (b) Contractual or regulatory obligations
  • (c) Enterprise sandbox agreements (e.g., MOH LEAP)

Users may request deletion under Section 20.

14. Security Measures

We implement reasonable organizational and technical measures including:

  • Encryption at rest / in transit
  • Audit logging
  • Least-privilege access
  • Intrusion monitoring
  • Data minimization
  • Periodic risk reviews
  • Access controls
  • Security testing

No system is perfectly secure; users transmit data at their own risk.

15. Product Improvement & Research Use

We may use anonymized or pseudonymized data for:

  • (a) Product quality and safety
  • (b) Algorithm refinement
  • (c) Model performance audits
  • (d) Healthcare research
  • (e) Statistical analysis

16. Disclosure to Third Parties

We may disclose data:

  • (a) To subprocessors (Section 9)
  • (b) To enterprise healthcare partners (with consent)
  • (c) To regulators under sandbox programs
  • (d) To legal authorities if required
  • (e) During mergers/acquisitions (with notice)

We do not sell personal data. We do not disclose health data for advertising.

17. No Data Brokering / No Ad-Selling

Symplicured does not:

  • Sell personal data
  • Sell health data
  • Sell analytics data
  • Permit targeted health advertising

18. User Rights (PDPA + GDPR)

Depending on jurisdiction, Users may exercise:

  • Access
  • Correction
  • Erasure ("Right to be Forgotten")
  • Restriction
  • Portability
  • Objection
  • Withdrawal of consent

Requests are handled under Section 20.

19. Breach Notification

In case of a data breach involving personal or health data, we will:

  • (a) Assess incident severity
  • (b) Notify affected parties where required
  • (c) Notify regulators if required under applicable law (e.g., GDPR, HIPAA, PDPA).

20. Data Access / Modification / Deletion Requests

Users may submit privacy requests including:

  • Access
  • Correction
  • Export
  • Deletion
  • Withdrawal of consent

Contact details are in Section 25. We may verify identity before fulfilling requests.

22. Changes to This Policy

We may update this Policy periodically. Continued use constitutes acceptance of updates.

23. Governing Law

This Policy is governed by Singapore law.

24. Dispute Resolution

Disputes relating to data privacy shall be resolved via SIAC Arbitration in Singapore.

25. Contact & Data Protection Officer (DPO)

For privacy inquiries or requests: