Privacy Policy & Consumer Health Data Privacy Policy
Last updated: July 8, 2026
Health9.ai (“Health9”, “we”, “us”) provides AI-powered health consultations over live voice and video. Because you talk to us about your health, we hold ourselves to a simple standard: we collect the minimum, we keep almost nothing, and we never sell or share your health data for advertising. This policy explains exactly what happens to your information, and also serves as our Consumer Health Data Privacy Policy for the purposes of the Washington My Health My Data Act and similar US state laws.
1. What we collect — and what we deliberately don't
Health9.ai does not require an account. When you use the service we process:
- Your voice, during a consultation. Your microphone audio is streamed in real time to our AI provider to power the conversation, and a text transcript of the call is assembled in your browser so your consultation summary can be created.
- Consultation content. Whatever you choose to tell the AI doctor — your symptoms, history and questions. This is consumer health data and we treat all of it as sensitive.
- Your device language. Your browser's language setting (e.g. en-GB) is used once, to greet you in your language. It is not used to profile you.
- Your email address — only if you type it in. Used once, to send you your consultation PDF. We do not add you to mailing lists.
- Basic usage analytics. We use Google Analytics to understand page visits and feature usage (e.g. “a consultation was started”). Analytics events never include your voice, transcript, symptoms or email.
- Standard server logs. Our infrastructure provider (Cloudflare) processes IP addresses and request metadata to serve and secure the site.
We do not collect your name, government identifiers, payment details, precise location, or contacts. We do not use advertising trackers or pixels, and we do not implement geofences.
2. What we store
We do not store your consultation on our servers. Your conversation exists in your browser during the call, and disappears when you close or refresh the page. The PDF summary is generated on your device. If you download it, the only copy is yours. If you ask us to email it, the PDF passes through our email provider to reach your inbox and is not retained by us afterwards.
3. Who processes your data on our behalf
We use a small number of service providers (processors), each bound by their own data protection commitments:
- OpenAI (US) — powers the real-time voice conversation, speech transcription and the structuring of your consultation summary. API data is not used to train OpenAI's models.
- Simli (US) — renders the doctor's video avatar. It receives the AI doctor's audio (not your microphone) to animate the avatar's face.
- Cloudflare (US/global) — hosts the website and API, and delivers consultation-summary emails from [email protected].
- Google Analytics (US) — anonymous usage statistics only.
We never sell your personal data, and we never share consumer health data with third parties for marketing or advertising. We do not and will not use your health data for targeted advertising.
4. Consent
Starting a consultation is an affirmative act: when you press “Start Consultation” and allow microphone access, you consent to the real-time processing of your voice and the health information you choose to share, as described in this policy. This is the explicit consent we rely on under UK GDPR Article 9(2)(a) for special category (health) data, and the consent required by US state consumer health data laws. You can withdraw consent at any time by ending the call — processing stops immediately.
5. Your rights
Depending on where you live (including the UK/EU under GDPR, and US states such as Washington, California, Colorado, Connecticut and Virginia), you may have rights to access, correct, delete, or receive a copy of personal data we hold about you, to withdraw consent, and to complain to a regulator (in the UK, the ICO at ico.org.uk).
Because we don't store your consultations or maintain accounts, in most cases we hold no personal data about you at all after your call ends. To exercise any right, or to ask what we hold, email [email protected]. We respond within 30 days. If we refuse a request under the Washington My Health My Data Act, you may appeal by replying to our decision; if the appeal is denied you may contact the Washington Attorney General.
6. Security
All traffic is encrypted in transit (TLS/HTTPS; consultations use encrypted WebRTC). Our API keys are stored as encrypted secrets, email sending is restricted to our verified domain with SPF/DKIM/DMARC authentication, and we minimize data by design — the strongest protection for data is not storing it.
7. Breach notification
If a security incident affects unsecured health data, we will notify affected users and the relevant authorities (including the US FTC under the Health Breach Notification Rule and the UK ICO, as applicable) without unreasonable delay and within the legally required timeframes.
8. International transfers
Our processors operate primarily in the United States. Where UK/EU data is transferred internationally, it is protected by appropriate safeguards such as the processors' standard contractual clauses and data protection frameworks.
9. Children
Health9.ai is not intended for anyone under 18. We do not knowingly collect data from children. If you believe a child has used the service, contact us and we will assist.
10. Changes
We will post any changes to this policy on this page with an updated date. Material changes will be highlighted on the homepage.
Contact
Health9.ai — [email protected] or [email protected]
Dr. Nova is an AI assistant, not a licensed physician. See our Terms of Service for important limitations. © 2026 Health9.ai