THOLI HEALTH

Privacy Policy

Effective Date: June 11, 2026 | Last Updated: June 11, 2026

Jurisdictions covered: Canada (PIPEDA & Ontario PHIPA) | United States (FTC Health Breach Notification Rule, CCPA/CPRA)

Your health story is yours. At Tholi Health, we built this app to help you translate the language of your body into the language your doctor needs to hear. That mission only works if you trust us completely with your most sensitive information. This Privacy Policy tells you exactly what we collect, why we collect it, who can see it, and how you can control it.

1. Who We Are

Tholi Health Inc. ("Tholi Health," "we," "us," or "our") operates the Tholi Health mobile and web application (the "App") and related services (collectively, the "Services"). Our Services are designed to help women and people with hormonal and chronic health conditions prepare for specialist appointments by translating symptom language into clinically meaningful summaries.

Our principal place of business is in Ontario, Canada. We serve users in Canada and the United States. Our services are not currently available to users outside of these regions.

2. Scope of This Policy

This Privacy Policy applies to all personal information and personal health information collected through the Services, including our App, website, and any related communications. It applies whether you are a registered user, a visitor to our website, or a prospective user on our waitlist.

This Policy does not apply to third-party websites or applications that may be linked from our Services. Those third parties have their own privacy practices, and we encourage you to review them. Unless explicitly stated, we do not accept liability for your activities on third-party websites or applications.

3. Information We Collect

3.1 Health and Symptom Information (Sensitive)

This is the core information you provide to help Tholi Health do its job. It includes:

  • Symptoms, health concerns, and bodily experiences you describe or log in the App
  • Hormonal cycle data, menstrual health information, or reproductive health details you choose to share
  • Chronic condition diagnoses, medical history, or specialist referral information you voluntarily enter
  • Appointment notes, clinical summaries, and AI-generated translations of your symptoms
  • Free-text entries, voice memos, or uploaded documents you provide to the App

Why this matters: Under Canadian law, this information constitutes Personal Health Information (PHI) under Ontario's Personal Health Information Protection Act (PHIPA). Under US law, it may constitute identifiable health information regulated by the FTC Health Breach Notification Rule. We treat all health data with the highest level of protection regardless of jurisdiction.

3.2 Account Information

  • Name, email address, and password
  • Additional profile details including year of birth, province/state, and health condition categories
  • Subscription and billing information (processed by our third-party payment processor; we do not store full card numbers)
  • Communication preferences and opt-in/opt-out settings

3.3 Usage and Interaction Data

  • Features you access, pages you view, and actions you take within the App
  • Session duration, timestamps, and in-app navigation patterns
  • Error logs and crash reports
  • Feedback, survey responses, and support communications you send us

3.4 Device and Technical Information

  • Device type, operating system, and browser type
  • IP address (used to infer approximate location for jurisdiction compliance; not stored permanently)
  • Cookies and similar tracking technologies (see Section 11)

4. How We Use Your Information

We use your information only for the purposes described below. We do not sell your personal information or personal health information to any third party.

Core Service Delivery

  • To process your symptoms and generate clinically meaningful appointment summaries
  • To convert your language into clinical terminology for your personal use. We do NOT train our models on your personal health information
  • To maintain your longitudinal health record and surface patterns over time
  • To deliver appointment preparation tools, pre-visit checklists, and in-appointment scribe features

Account and Subscription Management

  • To create, maintain, and secure your account
  • To process your subscription payments
  • To communicate with you about your account, service updates, and policy changes

Service Improvement and Research

  • To improve the accuracy and clinical relevance of our AI features, using aggregated and de-identified data only
  • To conduct internal analytics and product research using pseudonymized data
  • To develop new features based on usage patterns

We will never: use your health information for advertising profiling; sell your data to insurers, pharmaceutical companies, or data brokers; or share your identifiable health data with your employer or family members without your explicit consent.

5. Legal Basis for Processing

5.1 Canadian Users: PIPEDA and Ontario PHIPA

For users in Canada, our collection, use, and disclosure of personal information is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for personal health information of Ontario residents, by the Personal Health Information Protection Act (PHIPA).

Our processing is based on the following grounds:

  • Consent: We obtain your express consent before collecting sensitive health information. You may withdraw consent at any time (see Section 10).
  • Contractual Necessity: We process account and billing data to fulfill the subscription agreement with you.
  • Legitimate Interests: We process de-identified usage data to improve our Services, balanced against your privacy rights.
  • Legal Obligation: We process certain data as required by Canadian law.

We adhere to PIPEDA's 10 Fair Information Principles: Accountability, Identifying Purposes, Consent, Limiting Collection, Limiting Use/Disclosure/Retention, Accuracy, Safeguards, Openness, Individual Access, and Challenging Compliance.

PHIPA Note: Under Ontario's PHIPA, Tholi Health acts as an agent of the individual when collecting and using personal health information at the individual's direction to support their own health care. Your health information is collected with your knowledge and consent, for purposes you determine, to facilitate your relationship with your healthcare providers.

5.2 US Users: HIPAA Status and FTC Obligations

Tholi Health is not a HIPAA "covered entity" as defined under 45 C.F.R. § 160.103. We are not a healthcare provider, health plan, or healthcare clearinghouse. We do not transmit health information in connection with healthcare transactions as defined under HIPAA.

However, Tholi Health is subject to the Federal Trade Commission's Health Breach Notification Rule (16 C.F.R. Part 318), as updated in 2024, which applies to vendors of personal health records and related service providers that handle identifiable health information outside of HIPAA. In the event of a breach of unsecured personal health information, we will notify affected US users and the FTC as required by that Rule.

We voluntarily align our security and access control practices with the standards of the HIPAA Security Rule as a best practice. This includes administrative, physical, and technical safeguards for electronic protected health information.

For California residents, your rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are described in Section 10.2 below.

6. AI-Powered Features and Automated Processing

Tholi Health uses artificial intelligence to translate the natural language you use to describe your symptoms into clinically meaningful terminology.

  • Your symptom descriptions are processed by large language model (LLM) technology to generate clinical summaries. This processing occurs on secure infrastructure and is subject to the same data handling standards as all other health data.
  • We do not use your identifiable health data to train third-party AI models.
  • AI-generated translations are tools to support your communication with healthcare providers. They are not medical diagnoses, treatment recommendations, or substitutes for professional medical advice.
  • You can review, edit, or delete any AI-generated content before sharing it with your provider.
  • Automated processing does not produce legally binding decisions about you or your healthcare.

AI Transparency: The clinical language generated by our AI is designed to help you communicate more effectively at appointments. Always review AI-generated summaries with your healthcare provider. Tholi Health does not provide medical advice.

7. How We Share Your Information

We share your information only in the limited circumstances described below. We never share your identifiable health information for advertising, marketing, or commercial profiling.

Service Providers (Sub-processors)

We engage trusted third-party vendors to help us operate the Services. These include cloud hosting providers, payment processors, analytics platforms, and AI infrastructure providers. All sub-processors are contractually required to process your data only on our documented instructions, maintain equivalent security standards, never use your data for their own purposes, and delete or return your data upon termination.

At Your Direction

When you choose to share an appointment summary or health report with a healthcare provider, specialist, or other third party, you authorize us to facilitate that disclosure. We are not responsible for how third parties handle information you choose to share with them.

Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a materially different privacy policy and give you the opportunity to delete your account and data.

Legal Requirements

We may disclose information when required by applicable law, court order, or government request, or when we believe disclosure is necessary to protect the rights, property, or safety of Tholi Health, our users, or the public. We will notify you of such disclosures where legally permitted.

De-identified and Aggregated Data

We may use and share de-identified or aggregated data (which cannot reasonably identify you) for research, product improvement, and industry reporting. This data is not personal information under PIPEDA or personal health information under PHIPA.

8. Data Security

We implement administrative, technical, and physical safeguards designed to protect your health information. Our security measures include:

  • Encryption of health data at rest (AES-256) and in transit (TLS 1.2+)
  • Role-based access controls limiting employee access on a strict need-to-know basis
  • Multi-factor authentication for all systems that process health data
  • Regular security assessments, penetration testing, and vulnerability management
  • Audit logging of all access to personal health information
  • Incident response procedures aligned with PIPEDA and FTC Health Breach Notification Rule requirements

Breach Notification: In the event of a data breach involving your personal health information, we will notify affected Canadian users as required under PIPEDA's mandatory breach reporting provisions, and affected US users as required under the FTC Health Breach Notification Rule, without undue delay and within the timeframes required by applicable law.

9. Data Retention

We retain your personal information and personal health information for as long as your account is active or as needed to provide you with the Services. If you delete your account, we will delete or anonymize your personal information within a reasonable period, except where we are required to retain it by law or for legitimate business purposes such as fraud prevention or legal compliance.

10. Your Privacy Rights

10.1 Rights of Canadian Users (PIPEDA and PHIPA)

  • Right of Access: You have the right to request access to the personal information and personal health information we hold about you, and to receive a copy in a structured, accessible format.
  • Right to Correction: You have the right to request correction of inaccurate or incomplete information.
  • Right to Withdraw Consent: You may withdraw your consent to our collection, use, or disclosure of your health information at any time, subject to legal or contractual restrictions.
  • Right to Deletion: You may request deletion of your account and associated personal health information, subject to our retention obligations.
  • Right to Lodge a Complaint: You have the right to complain to the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca, or to the Information and Privacy Commissioner of Ontario (IPC) at www.ipc.on.ca.

To exercise any of these rights, please contact our Privacy Officer at the address in Section 15. We will respond within 30 days as required under PIPEDA.

10.2 Rights of US Users

California (CCPA/CPRA): You have the right to know what personal information we collect and how it is used, to request deletion, to opt out of the sale or sharing of your personal information (we do not sell or share your data), to correct inaccurate information, to limit use of sensitive personal information, and to non-discrimination for exercising your rights.

Other US States: Residents of Virginia, Colorado, Connecticut, Texas, Washington, and other states with comprehensive privacy laws have similar access, correction, deletion, and opt-out rights. We will honor these rights for all US users regardless of state.

Washington My Health My Data Act: For Washington State residents, we provide additional protections for consumer health data as required under that Act, including restrictions on sharing health data and requirements for consumer consent.

10.3 In-App Controls

You can directly manage your data through the App at any time: export your health data, delete individual logs or summaries, update your profile information, manage notification preferences, or delete your entire account.

11. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to operate the site, understand how visitors use it, and improve your experience. We do not use tracking technologies to build advertising profiles or share data with ad networks.

  • Essential Cookies: Required for the website and App to function. Cannot be disabled.
  • Analytics Cookies: Help us understand how visitors navigate the site. We use privacy-respecting analytics tools and do not enable cross-site tracking.
  • Preference Cookies: Remember your settings and preferences.

12. Children's Privacy

The Services are not directed to individuals under the age of 16 (or under 19 in provinces where that is the age of majority). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from someone under the applicable age of majority without appropriate parental consent, we will take steps to delete that information promptly.

13. Cross-Border Data Transfers

For Canadian users: When your personal information is processed in or transferred to the United States or another jurisdiction, it may be subject to the laws of that jurisdiction. We take steps to ensure that any such transfers comply with PIPEDA's transfer-for-processing requirements and that our service providers maintain adequate protection.

For US users: Your data may be stored on servers in Canada and/or the United States. Processing in Canada is subject to Canadian privacy law, which provides strong privacy protections comparable to those in the US.

14. Changes to This Privacy Policy

When we make material changes, we will post an updated version on our website with a revised "Last Updated" date, notify you by email at the address associated with your account, and obtain your renewed consent where required by applicable law for changes affecting your health information.

15. Contact Us

Tholi Health Inc., Privacy Officer

Email: info@tholihealth.com

Mailing Address: Toronto, Ontario, Canada

We aim to respond to all privacy inquiries within 30 days.

Canadian complaint escalation:

  • Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca | 1-800-282-1376
  • Information and Privacy Commissioner of Ontario (IPC): www.ipc.on.ca | 1-800-387-0073

US complaint escalation: Federal Trade Commission at www.ftc.gov or your applicable state attorney general's office.

© 2026 Tholi Health Inc. All rights reserved. This document does not constitute legal advice. Tholi Health recommends consulting qualified legal counsel for jurisdiction-specific compliance guidance.