Privacy Policy

Last updated: 2026-06-16

What this means for you

Some of the information Healogy.ai handles is sensitive — your date, time, and place of birth (used to generate astrology and “cosmic DNA” content), the contents of your AI readings, and, if you choose to connect them, health metrics from wearables and a private “care record” you can share with a practitioner. We treat all of this as special-category / sensitive personal data, we ask for your explicit consent before collecting it, we encrypt the most sensitive parts, and you can export or delete it at any time. We never sell it.

1. Who we are

Healogy.ai (the “Platform”) is operated by Pairox Pty Ltd (ACN 154 477 728), a company incorporated in New South Wales, Australia (“Pairox,” “we,” “us,” or “our”). Pairox is the data controller / data fiduciary for the personal data described in this policy. Our Privacy Officer is Rishu Kalra (Founder & Privacy Officer), reachable at privacy@healogy.ai.

This policy explains what personal data we collect, why, the legal bases we rely on, who we share it with, how long we keep it, and the rights you have. It applies to our website, mobile apps, and related services. It incorporates and is incorporated by our Terms of Service, our Cookie Notice, and our Medical Disclaimer.

2. Categories of personal data we collect

We collect the following categories of personal data. Sensitive / special-category categories are marked, and the legal basis for those is your explicit consent (see Section 4).

Category	What we actually store	Storage & protection
Account & contact	Name, email, hashed password, phone number, profile image, language, timezone, and account roles.	Email and phone are stored in cleartext for delivery; your password is hashed; two-factor secrets and backup codes are stored separately and are never included in a data export.
Birth / astrology data (sensitive)	Date of birth, time of birth, place of birth (free-text location and geocoded latitude/longitude to seven decimal places), whether a birth time was provided, and timezone.	Stored on your user record; used as input to the astrology and AI-reading pipeline. Erased on account deletion.
Health-screening / intake (sensitive)	Your confirmation that you are 18+, your acknowledgement of the Medical Disclaimer, a health-content-consent timestamp, and any intake notes you record in your care record.	Acknowledgements are timestamped; intake notes live in the encrypted care record (below).
AI-reading inputs & outputs (may be sensitive)	The free-text question you submit, the reading cards returned, the cultural context selected, the prompt variant, and token counts.	Stored per-user, linked to your account, to render your reading history. Erased on account deletion.
Wearable health metrics (sensitive; only if you connect a device)	Steps, sleep duration, resting heart rate, heart-rate variability (HRV), active energy, heart rate, and workout records, with timestamps and source.	The detailed raw provider payload is encrypted at rest(AES-256-GCM); only coarse scalar values are kept in cleartext for trend charts. OAuth tokens for cloud sources are themselves encrypted at rest and are never logged. Every practitioner read of your data is audit-logged.
Care record (sensitive; consent-gated)	Longitudinal wellness entries — notes, session summaries, goals, intake — that you can keep private or share with a specific practitioner.	Encrypted at rest (AES-256-GCM); default visibility is private (you only); sharing requires an explicit, revocable consent grant per practitioner; every read is audit-logged.
Payment & tax data	Stripe customer / subscription / payment-method identifiers (tokens), wallet balance, transaction records, and — for practitioners — a hashed tax ID (only the last four digits in cleartext).	We never see or store your full card number— Stripe handles all card data (see Section 5).
Communications & device data	Messages between you and practitioners, push-notification device tokens, and the phone number and channel preferences used for SMS/WhatsApp reminders.	Used to deliver the service and the reminders you opt into.
Usage & analytics	Product-analytics events and standard request/serving data (e.g. IP address, device and request metadata).	Analytics fire onlyif you have consented to the “analytics” cookie category. See our Cookie Notice.

3. How and why we use your data (purposes)

To provide the Service. Create and manage your account, generate AI readings and astrology content from your birth data, facilitate bookings and live video sessions with practitioners, and operate messaging.
To process payments. Take payments, manage subscriptions and wallet balances, pay practitioners, and handle refunds and disputes.
To send you communications you ask for. Transactional email, and SMS or WhatsApp reminders where you opt in.
To keep the Platform safe. Detect and prevent fraud, abuse, and security incidents.
To meet legal obligations. Tax, financial-record-keeping, and consumer-protection requirements.
To improve the Platform — using analytics only where you have consented. We do not use your readings, messages, care-record content, session recordings, or wearable data to train AI models (see Section 4).

4. Legal bases for processing

Where the EU/UK GDPR applies, we rely on the following legal bases:

Explicit consent (Article 9(2)(a)) for all health and special-category data — your birth/astrology data, AI-reading inputs, wearable health metrics, care-record entries, and health-screening data. You can withdraw this consent at any time (Section 7).
Performance of a contract (Article 6(1)(b))— to provide the account, bookings, and payments you have signed up for.
Consent (Article 6(1)(a))— for analytics/marketing cookies and optional communications.
Legitimate interests (Article 6(1)(f))— for fraud prevention and platform security, balanced against your rights.
Legal obligation (Article 6(1)(c))— for tax and financial record-keeping.

For users in Australia, we handle personal and sensitive information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (sensitive information is collected only with consent, per APP 3). For users in India, we process personal data on the basis of consent under the Digital Personal Data Protection Act, 2023 (DPDP Act). For users in California, we honor CCPA/CPRA rights; we do not sell your personal data.

No AI training on your personal data. We do not use your readings, messages, care-record content, session recordings, or wearable data to train, fine-tune, or develop AI/ML models without your separate, specific, written consent. We may use aggregated, anonymized data that does not identify you for service improvement.

5. Service providers (sub-processors)

To run Healogy.ai we share the minimum necessary data with the service providers below. Each is bound by a data-processing agreement and may only use the data to provide its service to us. We never see or store your full card number — card data is entered directly with Stripe.

Provider	Role	What it receives
Stripe (incl. Stripe Connect)	Payments, payouts, subscriptions	Card and payment details (entered directly with Stripe — we never receive your full card number), billing amounts, customer/subscription identifiers, and, for practitioners, payout and tax-reporting data. Stripe is PCI-DSS Level 1 certified.
Anthropic (Claude)	AI readings, AI copilot/concierge	The text of your reading query and the context needed to generate a response. Used to produce the AI output only.
Resend	Transactional email	Your email address and message content (receipts, reminders, data-export links, account notices).
Twilio	SMS & WhatsApp reminders (only if you opt in)	Your phone number and the reminder message.
PostHog	Product analytics (only with your analytics-cookie consent)	De-identified usage events about how you use the app.
Vercel	Web/app hosting & delivery	Standard request/serving data (e.g. IP address, request metadata) needed to serve the site.
Cloudflare R2 / S3-compatible storage	Media + data-export storage	Uploaded media and your generated data-export archive (stored behind a time-limited link).
Daily.co / LiveKit (live-video provider)	Live practitioner video sessions	Real-time audio/video and connection data for your session room.
Oura, Apple Health, Google Fit (only if you connect them)	Wearable data sources	We receive health metrics from these services under the access you grant; we do not send your data to them.

6. How we protect and limit use of sensitive data

Encryption at rest. Care-record entries and the rich wearable payloads are encrypted with AES-256-GCM. Wearable OAuth tokens are encrypted at rest and are never written to logs.
Consent-gated sharing. Your care record is private by default. A practitioner can only see an entry if you grant a specific, revocable consent.
Audit logging. Every practitioner-side read of your care record or wearable data is recorded so you can see who accessed what, and when.
Purpose limitation.Practitioners may use information you share only to deliver your sessions — never for marketing, for other clients, or to train AI models.

7. How long we keep your data (retention)

We keep personal data only as long as needed for the purpose you provided it, then delete or anonymize it — except where the law requires us to keep specific records for a fixed period. The detailed windows are set out in our Terms of Service §10; in summary:

Tax and financial records— 5 years (Australian tax law).
Billing and transaction records— 3 years (chargeback/dispute window).
Fraud, abuse, and security logs— 12 months.
Grievance and dispute correspondence— 3 years.
Session recordings(only when both parties consent at the time) — 30 days, then automatically and irreversibly deleted.
Account/profile data, AI-reading history, birth/astrology data, care-record entries, and wearable samples — kept while your account is active; deleted or anonymized on account deletion, subject only to the legal-hold carve-outs above.

8. Your data protection rights

Depending on where you live, you have some or all of the following rights over your personal data. We honor these for users in the EU/EEA and UK (GDPR / UK GDPR), India (DPDP Act, 2023), Australia (Privacy Act 1988 / Australian Privacy Principles), and California (CCPA/CPRA), and we extend them to all users as a matter of policy.

Access. You can ask for a copy of the personal data we hold about you.
Portability. You have the right to receive the personal data you provided to us in a structured, commonly-used, machine-readable format (we provide JSON), and to reuse it elsewhere. Where you ask and it is technically feasible, we will help you move it to another service. This applies to data you provided that we process on the basis of consent or contract.
Correction. You can ask us to correct inaccurate or incomplete data, including from within your account settings.
Erasure (“right to be forgotten”). You can delete your account and ask us to erase your personal data. A 30-day grace period applies, during which you can cancel by signing in; after that, your data is permanently erased except for the limited records the law requires us to keep (Section 7).
Restriction & objection. You can ask us to restrict, or object to, certain processing.
Withdraw consent.Where we rely on your consent (including for health, wearable, and astrology/birth data), you can withdraw it at any time — for example, by disconnecting a wearable, revoking a care-record share, or deleting the data. Withdrawal does not affect processing that already happened.
Do Not Sell or Share (California).We do not sell your personal data. You can exercise the “Do Not Sell or Share My Personal Information” control from the cookie preference centre in our footer.
Complain. You can complain to us (privacy@healogy.ai, attn. Privacy Officer) or to your local data protection authority — for example, the Office of the Australian Information Commissioner (OAIC), your EU/EEA supervisory authority, the UK ICO, or the Data Protection Board of India.

How to exercise your rights. Signed-in users: Settings → Privacy. Anyone: email privacy@healogy.ai or use the controls on our Your privacy rights page. We respond to verified requests within 30 days. We may ask you to confirm your identity before acting on a sensitive request.

9. Getting a copy of your data (right of access and data portability)

You can ask us for a copy of the personal data we hold about you at any time. If you have an account, go to Settings → Privacy → Request my data; if you don’t, contact us at privacy@healogy.ai.

Format. We provide your data in a machine-readable format: a ZIP archive containing a structured JSON file (export.json) with your data, plus a plain-language PDF summary (summary.pdf). The JSON format means you can read, search, or import your data into another service.

What’s included.Your export contains your profile (with security secrets such as passwords removed), your AI assistant/agent sessions, transaction and billing records, generated reading/cosmic-DNA cards, dream-journal entries, saved favorites, and — decrypted for your own access — your care-record entries and wearable health samples. Because some categories can be very large, generous per-category limits apply; if your export reaches a limit, the included summary tells you so and how to request the remainder.

Timeframe. We respond to verified requests within 30 days (consistent with GDPR Articles 15 and 20, the DPDP Act, and equivalent laws), and may extend this where the law permits for complex requests, telling you why. Your download link is available for 7 days, after which you can request a fresh one.

Sensitive data. Your care record and wearable readings are health data. We decrypt them in your export only for you; the export is delivered over a secure, time-limited link.

10. International data transfers

Some of the service providers listed in Section 5 process data outside your country, including outside the EEA/UK. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (2021/914) or equivalent mechanisms.

11. Children

Healogy.ai is for adults. You must be 18 or older to use the Platform. We do not knowingly collect personal data from anyone under 18; if we learn that we have, we delete it.

12. Changes to this policy

We may update this policy from time to time. We will post the updated version here with a new “Last updated” date and, for material changes, notify you by email or in-app notice.

13. Contact

Privacy and data matters: privacy@healogy.ai (Rishu Kalra, Founder & Privacy Officer). General support: hello@healogy.ai. You can also use our contact page or the Your privacy rights self-service controls.