Legal Effective date: 10 May 2026 · Version 1.0

Privacy Policy

We built PreKare with privacy as a core principle, not an afterthought. This policy explains what data we collect, why we collect it, and how you stay in control.

1. Overview

PreKare ("we", "our", "us") is an AI-powered preventive care application operated by Teramag Holding FZC (UAE Free Zone company) through its wholly owned subsidiary PreKare Lda (Portugal). Our registered address is Teramag Holding FZC, Sharjah Publishing City Free Zone, Sharjah, UAE.

This Privacy Policy applies to all users of the PreKare mobile application (iOS and Android) and the website prekare.ai. By using our services, you acknowledge you have read and understood this policy.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) (Regulation 2016/679), the Portuguese Lei n.º 58/2019, and applicable UAE data protection law.

2. Data Controller

The data controller for EU/EEA users is:

  • PreKare Lda — Portuguese operating subsidiary
  • Legal representative: Amina Khan
  • Contact: privacy@prekare.ai

For users outside the EU/EEA, the controller is Teramag Holding FZC, Sharjah, UAE.

3. Data We Collect

3.1 Account data

When you register, we collect your email address and a hashed password. You may optionally provide your first name, age range, gender, skin type, and ethnicity for personalisation purposes.

3.2 Health data (sensitive — requires explicit consent)

With your explicit consent, PreKare reads data from Apple HealthKit or Google Fit. This includes:

  • Step count and active energy
  • Sleep duration and quality
  • Heart rate variability (HRV)
  • Resting heart rate

Health data is processed on-device. We transmit only anonymised, aggregated health signals (e.g. "sleep quality: low") to our recommendation engine — never raw biometric values.

3.3 Location data

We request approximate location (city-level precision) to determine your climate zone, UV index, and weather conditions. We do not store GPS coordinates. Location is processed in real time and discarded after generating a recommendation.

3.4 Calendar data

With your consent, we read event titles and dates from your device calendar to identify upcoming travel, stressful periods, and time-zone changes. We do not read event descriptions, attendees, or video call links.

3.5 Device and usage data

We collect standard analytics data: app version, OS version, screen resolution, session duration, and crash reports. This data is pseudonymised and cannot be linked to your identity without additional information.

3.6 Purchase and transaction data

When you purchase a subscription through the App Store or Google Play, the transaction is processed entirely by Apple or Google. We receive only a subscription status confirmation — never your payment card details.

4. How We Use Your Data

  • Personalised recommendations — combining your health signals, location, weather, and calendar context to suggest relevant Amazon products via our LLM-powered recommendation engine.
  • Service delivery — running the chatbot, sending proactive care alerts, and managing your subscription.
  • Product improvement — analysing anonymised usage patterns to improve recommendation quality and app performance.
  • Legal compliance — maintaining records as required by applicable law.
  • Security — detecting and preventing fraud, abuse, and security incidents.

We do not use your data for advertising profiling, sell your data to third parties, or use your health data to train machine learning models without your explicit consent.

5. Legal Basis for Processing (GDPR)

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the PreKare service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — improving service quality, security monitoring, and fraud prevention.
  • Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)) — all health data, location, and calendar access. You may withdraw consent at any time without affecting lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)) — where required by Portuguese, EU, or UAE law.

6. Data Sharing & Sub-processors

We share data only with the following categories of third parties, under strict data processing agreements:

  • Supabase Inc. (EU region servers) — database and authentication infrastructure.
  • OpenAI / Anthropic — LLM inference for generating recommendations. Data sent is anonymised and does not include health data or PII beyond the recommendation context.
  • Amazon Web Services — product catalogue API queries. Only product search terms are sent (e.g. "travel skincare SPF").
  • RevenueCat — subscription management. Receives only your anonymised user ID and subscription status.
  • Sentry — crash reporting. Crash data is anonymised before transmission.

We do not share your personal data with advertisers, data brokers, insurers, or employers.

7. Data Retention

  • Account data — retained while your account is active, plus 30 days after deletion request.
  • Health signals — not stored on our servers. Processed ephemerally per session.
  • Chat history — retained for 12 months for service continuity. You may delete it at any time from the app.
  • Analytics data — retained in anonymised form for 24 months.
  • Legal and financial records — retained for 7 years as required by Portuguese and UAE commercial law.

8. Your Rights

Under GDPR and applicable law, you have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — delete your account and all associated data. Available in-app under Settings → Account → Delete my data.
  • Restriction — restrict processing while a dispute is resolved.
  • Portability — receive your data in a machine-readable format (JSON).
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — revoke any integration (Health, Location, Calendar) at any time via app permissions or Settings → Privacy.
  • Lodge a complaint — with the Portuguese data protection authority (CNPD) or your local supervisory authority.

To exercise any right, email privacy@prekare.ai. We will respond within 30 days.

9. Children's Privacy

PreKare is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, contact us immediately at privacy@prekare.ai and we will delete it promptly.

10. International Data Transfers

Our primary servers are located in the EU (Supabase EU region). Where data is transferred outside the EU/EEA (e.g. to our UAE parent entity or US-based processors), we rely on:

  • EU Standard Contractual Clauses (SCCs) with all sub-processors.
  • Adequacy decisions where available.
  • Supplementary technical measures (end-to-end encryption).

11. Security Measures

  • All data in transit encrypted with TLS 1.3.
  • Database encrypted at rest (AES-256).
  • Health data never stored on external servers.
  • Access to production systems restricted to authorised personnel with MFA.
  • Regular third-party security audits.
  • Bug bounty programme — report vulnerabilities to security@prekare.ai.

Despite our measures, no system is 100% secure. We will notify you and the relevant supervisory authority within 72 hours of any breach affecting your personal data, as required by GDPR Art. 33–34.

12. Changes to This Policy

We may update this policy from time to time. For material changes, we will notify you via in-app notification and email at least 14 days before the change takes effect. Continued use of PreKare after the effective date constitutes acceptance of the updated policy.

Previous versions of this policy are available upon request.

13. Contact Us

  • Privacy queries: privacy@prekare.ai
  • Security reports: security@prekare.ai
  • Mailing address: PreKare Lda, c/o IPN Incubadora, Rua Pedro Nunes, 3030-199 Coimbra, Portugal
  • CNPD (Portuguese DPA): www.cnpd.pt

© 2026 PreKare · Teramag Holding FZC · All rights reserved

PreKare is not a medical device and does not provide medical advice.