NextDose.AI Inc. · Delaware Corporation · Back to Home

NextDose.AI — Privacy Policy

Effective Date: April 2, 2026

Entity: NextDose.AI Inc., a corporation incorporated in the State of Delaware ("Company," "we," "us," or "our")

Application: NextDose.AI mobile application ("App," "Service," or "Platform"). References to "NextDose," "NextDose.AI," "NextDose AI," or any variation thereof refer to the same entity, platform, and brand. Unless otherwise specified, all rights, protections, and obligations granted to or imposed on behalf of NextDose.AI under this Privacy Policy extend equally to its founders, owners, shareholders, parent company, subsidiaries, affiliates, investors, advisors, officers, directors, employees, contractors, and assigns.

This Privacy Policy describes how NextDose.AI Inc., a Delaware corporation, collects, uses, discloses, retains, and protects your personal information when you use the NextDose.AI mobile application. This Privacy Policy is incorporated into and forms part of our Terms of Service.

By downloading, installing, or using NextDose.AI, you acknowledge that you have read, understood, and consent to the practices described in this Privacy Policy. If you do not agree with any provision of this Privacy Policy, you must not use the App.

1. Definitions and Interpretation

2. Information We Collect

3. How We Collect Your Information

4. Purpose and Legal Basis for Processing

5. Apple HealthKit Data

6. AI-Powered Features and Third-Party Processing

7. Data Sharing and Disclosure

8. Data Retention

9. Data Security

10. Your Rights and Choices

11. Account Deletion

12. Children's Privacy

13. International Data Transfers

14. Third-Party Links and Services

15. Community Features and User-Generated Content

16. Subscription and Payment Data

17. Analytics and Performance Monitoring

18. Cookies and Similar Technologies

19. Do Not Track Signals

20. Push Notifications and Communications

21. Data Processing for Service Improvement

22. De-Identified and Aggregate Data

23. California Privacy Rights (CCPA/CPRA)

24. European Economic Area Rights (GDPR)

25. Other State Privacy Rights

26. Health Data Specific Provisions

27. Changes to This Privacy Policy

28. Governing Law

29. Contact Information

1. DEFINITIONS AND INTERPRETATION

"Account Data" means the information you provide when creating and maintaining your NextDose.AI account, including your name, email address, date of birth, and authentication credentials.

"Apple Health Data" means any health, fitness, or wellness data accessed through Apple's HealthKit framework, subject to Apple's HealthKit usage guidelines and the specific restrictions set forth in Section 5 of this Privacy Policy.

"AI Services" means NextDose.AI's proprietary artificial intelligence models and algorithms, including any third-party processing infrastructure used to support AI-driven features within the App.

"De-Identified Data" means data that has been processed in such a manner that it can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure non-attribution. De-Identified Data is not considered Personal Information under this Privacy Policy.

"Health Protocol Data" means data you voluntarily input into the App regarding your personal health and wellness routines, including but not limited to compound names, dosages, frequency, administration routes, supplement schedules, and related notes.

"Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.

"Usage Data" means data collected automatically when you interact with the App, including feature usage patterns, session duration, navigation paths, and error logs.

"User Content" means all data, text, images, photographs, and other content that you voluntarily submit, upload, or input into the App.

2. INFORMATION WE COLLECT

2.1 Account Information

When you create a NextDose.AI account, we collect:

Name (first and last name)
Email address
Date of birth (used for age verification and, optionally, personalized wellness insights)
Gender (optional; used for personalized health context)
Authentication credentials — if you use Sign in with Apple, we receive only the information Apple provides pursuant to your Apple ID settings; if you use Google Sign-In, we receive your name, email, and profile photo; if you use email/password registration, we store a securely hashed version of your password

2.2 Health Protocol Data

You may choose to input the following categories of health and wellness information:

Compound and supplement names, dosages, frequency, and route of administration
Injection site selections and rotation history
Supplement and vitamin schedules, including timing and dosing
Protocol schedules, reminders, and adherence records
Side effect and symptom notes reported voluntarily by you
Reconstitution and preparation notes

This data is voluntarily provided by you and is used to deliver the core journaling and tracking functionality of the App. You are under no obligation to provide any specific health protocol data, and you may use the App with as much or as little data as you choose.

2.3 Bloodwork and Laboratory Data

If you use the bloodwork features, we may collect:

Uploaded laboratory reports (PDF, image, or manually entered)
Extracted biomarker values from uploaded reports (e.g., hormone levels, metabolic panels, hematology markers)
Historical bloodwork trends derived from your uploaded data over time

2.4 Body Composition and Progress Data

Weight entries and body composition logs
Progress photographs (stored locally on your device by default; uploaded to our servers only if you explicitly enable cloud sync)
Goal weight and body composition targets

2.5 Apple Health Data

With your explicit authorization through Apple's HealthKit permission system, we may read the following data categories from Apple Health:

Weight and body mass measurements
Heart rate and heart rate variability (HRV)
Sleep analysis data
Workout and exercise data
Step count and activity data

The collection, use, and handling of Apple Health Data is subject to the specific and additional restrictions set forth in Section 5 of this Privacy Policy. Apple Health Data receives the highest level of protection under this Privacy Policy and is subject to restrictions that supersede any general data use provisions herein.

2.6 Usage Data

We automatically collect certain information about how you interact with the App:

Feature usage patterns (e.g., which screens are visited, which features are used)
Session duration and frequency
App performance metrics (crash reports, load times, error logs)
Device type and operating system version
App version

Usage Data is collected through TelemetryDeck, a privacy-focused analytics platform that does not collect personal identifiers, IP addresses, or device advertising identifiers. Usage Data is used solely for improving App performance and user experience, and is never linked to your Health Protocol Data, Apple Health Data, or Bloodwork Data.

2.7 Communication Data

Support requests and correspondence with our support team
Feedback and feature requests submitted through the App or via email

2.8 Information We Do NOT Collect

We do not collect:

Unique device identifiers (UDID, IDFA, or IDFV for tracking purposes)
Precise geolocation data
Contact lists or address books
Browsing history outside the App
Financial account numbers (all payment processing is handled by Apple through StoreKit)
Biometric data (fingerprint, face geometry) — biometric authentication is handled entirely on-device by iOS

3. HOW WE COLLECT YOUR INFORMATION

3.1 Information You Provide Directly

The majority of Personal Information we process is provided directly by you through your voluntary use of App features, including account creation, dose logging, bloodwork uploads, and protocol configuration.

3.2 Information Collected Automatically

Usage Data is collected automatically through privacy-focused analytics tools when you use the App. This data is collected in aggregate form and cannot be used to identify you individually.

3.3 Information from Third-Party Services

If you choose to authenticate using Sign in with Apple or Google Sign-In, we receive limited account information from those services in accordance with their respective privacy policies and your account settings.

If you authorize Apple HealthKit integration, we receive health and fitness data from Apple Health in accordance with your HealthKit authorization choices.

4. PURPOSE AND LEGAL BASIS FOR PROCESSING

We process your Personal Information for the following purposes:

4.1 Service Delivery (Contractual Necessity)

Providing the core dose logging, protocol tracking, and journaling functionality
Delivering bloodwork organization and visualization features
Generating personalized schedules, reminders, and adherence tracking
Enabling compound library access and informational content
Processing subscription management and feature access

4.2 AI-Powered Features (Consent)

With your explicit consent, as described in Section 6:

Processing your Health Protocol Data through AI Services to provide intelligent dose parsing, vial scanning, and natural language logging
Generating AI-powered bloodwork analysis and trend identification
Providing AI research assistant responses grounded in published literature
Offering protocol optimization suggestions and informational insights

4.3 Service Improvement (Legitimate Interest)

Analyzing aggregated Usage Data to improve App performance, stability, and user experience
Identifying and fixing software bugs and technical issues
Developing new features based on aggregated usage patterns
Conducting internal analytics to understand feature adoption and retention

4.4 Safety and Compliance (Legal Obligation)

Verifying user age eligibility (18+)
Responding to lawful requests from governmental authorities
Enforcing our Terms of Service
Protecting the rights, safety, and property of our users and the public

4.5 Communications (Legitimate Interest / Consent)

Sending transactional communications (account verification, password reset, subscription confirmations)
Sending dose reminders and protocol notifications (with your permission)
Communicating material changes to our Terms of Service or Privacy Policy

5. APPLE HEALTHKIT DATA — SPECIAL PROTECTIONS

This section applies specifically to any data accessed through Apple's HealthKit framework ("HealthKit Data"). The restrictions in this section are absolute and supersede any other provisions of this Privacy Policy that may be interpreted as broader in scope.

5.1 Purpose Limitation

HealthKit Data is used solely and exclusively for the following purposes:

Displaying your health metrics within the NextDose.AI app interface for your personal reference
Correlating health trends with your protocol data to provide you with personal insights within the App
Populating body composition and weight tracking features

5.2 Absolute Prohibitions on HealthKit Data

In compliance with Apple's HealthKit guidelines and App Store Review Guidelines Section 5.1.3, we absolutely and unconditionally commit to the following:

(a) No Advertising or Marketing. HealthKit Data will never be used for advertising, marketing, or any form of use-based data mining, whether by us or by any third party.

(b) No Sale or Licensing. HealthKit Data will never be sold, licensed, leased, or otherwise commercially transferred to any third party for any purpose whatsoever.

(c) No Disclosure to Third Parties. HealthKit Data will not be disclosed to or shared with any third party for any purpose, except as required by law or with your separate, explicit, informed consent for each specific disclosure.

(d) No iCloud Storage. HealthKit Data is not stored in iCloud. HealthKit Data is stored securely on your device and, if you enable cloud sync, in our encrypted Supabase database infrastructure — never in iCloud or any Apple cloud service.

(e) No AI Processing Without Separate Consent. HealthKit Data is not sent to AI Services as part of the general AI feature consent. If a specific feature requires AI processing of HealthKit Data, you will be presented with a separate, clearly identified consent prompt specific to that data and that purpose.

(f) No Aggregation with Non-HealthKit Data for Third-Party Use. HealthKit Data will not be combined with other data sources for the purpose of creating datasets for third-party use, even in de-identified or aggregate form.

5.3 HealthKit Authorization

When you first enable Apple Health integration, iOS will present its standard HealthKit authorization screen listing each data type we request access to. You may grant or deny access to each data type individually. You may modify these permissions at any time through iOS Settings > Privacy & Security > Health > NextDose.AI.

The App will function fully without HealthKit authorization. No features are gated behind HealthKit access; it is an optional enhancement.

5.4 HealthKit Data Deletion

If you revoke HealthKit permissions, we will cease reading new HealthKit data immediately. Previously synced HealthKit data stored in our systems will be deleted within 30 days, or immediately upon your request.

6. AI-POWERED FEATURES

6.1 NextDose.AI Intelligence

NextDose.AI utilizes proprietary AI models and algorithms, supported by third-party processing infrastructure, to deliver advanced features including intelligent dose parsing, vial label scanning, bloodwork analysis, protocol audit, PCT planning, and the research assistant.

6.2 Explicit AI Consent

Before any of your Health Protocol Data or Bloodwork Data is transmitted to AI Services, you will be presented with a clear, prominent consent prompt within the App. This consent prompt will:

Clearly identify that your data will be processed by NextDose.AI's AI systems
Describe the specific categories of data that will be transmitted
Explain the purpose of the processing
Confirm that data is encrypted in transit using TLS 1.3
Provide a clear mechanism to accept or decline

You may use the App without consenting to AI processing. Core features (manual dose logging, scheduling, reminders, compound library) function without AI. AI-powered features will be unavailable if you decline AI processing consent.

6.3 AI Data Handling

When your data is processed by AI Services:

Data is transmitted via encrypted connections (TLS 1.3)
Data is processed in accordance with strict data processing terms that prohibit the use of customer data for model training
Processing infrastructure does not retain your data after completing the request
AI outputs (responses, analyses, suggestions) are returned to the App and stored in your account
All AI outputs are presented with appropriate disclaimers, confidence indicators, and, where applicable, source citations

6.4 Withdrawal of AI Consent

You may withdraw your consent to AI processing at any time through the App's Settings > Privacy > AI Data Processing. Upon withdrawal:

No further data will be sent to AI Services
AI-powered features will become unavailable
Previously generated AI outputs stored in your account will remain accessible unless you request their deletion
Withdrawal of AI consent does not affect the lawfulness of processing performed prior to withdrawal

6.5 AI Data Scope

The following data categories may be transmitted to AI Services when you use AI-powered features:

Compound names, dosages, and administration details (for dose parsing and protocol analysis)
Bloodwork marker values and historical trends (for bloodwork analysis)
Natural language text input (for the research assistant and voice logging)
Vial photographs (for AI vial scanning, processed on-device via Apple Vision first, with extracted text sent to AI for interpretation)

The following data is never sent to AI Services:

Your name, email address, or other account identifiers
Apple HealthKit Data (unless you provide separate, specific consent per Section 5.2(e))
Payment or subscription information
Device identifiers
Progress photographs

7. DATA SHARING AND DISCLOSURE

7.1 Personal Information and De-Identified Data

NextDose.AI does not sell your Personal Information (as defined under the CCPA/CPRA) to third parties for monetary or other valuable consideration. We do not share your Personal Information for cross-context behavioral advertising.

De-Identified and Aggregated Data. As described in Section 22, the Company may create de-identified, anonymized, and aggregated datasets derived from user data. De-Identified Data cannot be used to identify you personally and is not considered Personal Information under the CCPA, CPRA, or any other applicable data protection legislation. The Company may use, license, sell, or otherwise make available De-Identified and Aggregated Data to third parties — including pharmaceutical companies, research institutions, healthcare organizations, and data analytics firms — for research, clinical development, market intelligence, and other lawful purposes. This use of De-Identified Data is an integral part of the Company's business model and is disclosed to you as part of this Privacy Policy. Your continued use of the App constitutes your acknowledgment of this practice. You may opt out of having your data included in de-identification and aggregation processes through Settings > Privacy > Data Research Participation, as described in Section 22.

7.2 Service Providers

We share Personal Information with the following categories of service providers, solely for the purpose of providing and maintaining the Service:

All service providers are contractually obligated to process your data only as instructed by us, to maintain appropriate security measures, and to not use your data for their own independent purposes.

7.3 Legal Requirements

We may disclose your Personal Information if required to do so by law or in response to valid legal process, including:

Court orders, subpoenas, or warrants
Requests from law enforcement or governmental authorities with appropriate jurisdiction
As necessary to comply with applicable law, regulation, or legal obligation

We will endeavor to notify you of such disclosure to the extent permitted by law.

7.4 Protection of Rights

We may disclose Personal Information where we reasonably believe disclosure is necessary to:

Protect the rights, property, or safety of NextDose.AI Inc., a Delaware corporation,, our users, or the public
Enforce our Terms of Service
Detect, prevent, or address fraud, security, or technical issues

7.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or other corporate transaction involving NextDose.AI Inc., a Delaware corporation,, your Personal Information may be transferred to the acquiring entity or successor. In such event, we will require the acquiring entity to honor this Privacy Policy or provide you with notice and, where required by law, an opportunity to opt out.

7.6 With Your Consent

We may share your Personal Information with third parties when you have provided explicit, informed consent to such sharing. Consent-based sharing will always be presented with a clear description of the data to be shared, the recipient, and the purpose.

8. DATA RETENTION

8.1 Active Account Data

We retain your Personal Information, Health Protocol Data, and Bloodwork Data for as long as your account remains active and as necessary to provide you with the Service.

8.2 Post-Deletion Retention

Following account deletion (see Section 11):

Health Protocol Data and Bloodwork Data: Deleted from active systems within 30 days
Backup systems: Purged within 90 days of account deletion
AI-generated outputs: Deleted with your account data within 30 days
Usage Data: Retained in aggregate, de-identified form (not attributable to you) for up to 36 months for service improvement purposes
Legal hold data: Data subject to a pending legal obligation, investigation, or dispute may be retained until the matter is resolved

8.3 Legal Protection Records Retained After Deletion

Certain data is retained after account deletion for the purpose of legal protection, compliance verification, dispute resolution, and enforcement of our Terms of Service. This retention is necessary to protect the legitimate interests of NextDose.AI Inc. and is authorized under CCPA/CPRA (retention for legal claims), GDPR Article 6(1)(f) (legitimate interest) and Article 17(3)(e) (establishment, exercise, or defense of legal claims), and applicable state law.

The categories of data retained include:

Identity and account records (name, email, account creation and deletion dates, device information used at the time of account creation and legal acceptance)
Legal acceptance records (acceptance timestamps and versions for Terms of Service, Privacy Policy, medical disclaimers, age verification, and AI consent)
Account activity records (login history, account events, and associated metadata)
Usage and engagement metadata (feature interaction patterns, session history, and navigation data demonstrating depth of platform engagement)
Commercial records (subscription history, payment tier, and referral attribution)
AI interaction records (records of AI-generated content delivered to you and associated disclaimers)
Safety and compliance records (records of safety warnings displayed and your responses)

This data is retained for a period of seven (7) years following account deletion, or longer if required to resolve an active legal matter, enforce Terms of Service provisions, or comply with applicable law. After the retention period, this data is permanently deleted. The specific data points, retention mechanisms, and internal processes used to maintain these records are proprietary to the Company.

8.4 De-Identified Data

De-Identified Data, as defined in Section 1 and further described in Section 22, is retained independently of your account. Because De-Identified Data cannot be attributed to you, it is not subject to individual deletion requests. See Section 22 for a full description of our de-identification practices.

9. DATA SECURITY

9.1 Technical Measures

We implement industry-standard technical security measures to protect your Personal Information, including:

Encryption at rest: AES-256 encryption for all stored Personal Information and health data
Encryption in transit: TLS 1.3 for all data transmission between the App, our servers, and third-party service providers
Authentication security: Secure credential storage using iOS Keychain; support for Sign in with Apple and biometric authentication (Face ID / Touch ID, processed entirely on-device)
Database security: Row-level security (RLS) policies in Supabase ensuring users can only access their own data
Access controls: Least-privilege access for all personnel with administrative access to systems containing user data
Secure development practices: Regular code reviews, dependency audits, and security testing

9.2 Organizational Measures

Personnel with access to user data are subject to confidentiality obligations
Access to production systems is logged and monitored
Security incident response procedures are documented and tested

9.3 Limitation

Despite our efforts, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the confidentiality of your account credentials and for all activity that occurs under your account.

9.4 Breach Notification

In the event of a confirmed data breach affecting your Personal Information, we will notify affected users and applicable regulatory authorities as expeditiously as practicable and in compliance with applicable state and federal law. We endeavor to provide notification within a reasonable timeframe following confirmation of the breach and completion of an initial investigation sufficient to determine the scope of the incident. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach. Nothing in this section creates a private right of action for delayed notification beyond what is provided by applicable law.

10. YOUR RIGHTS AND CHOICES

10.1 Access

You have the right to request access to the Personal Information we hold about you. You can access most of your data directly within the App (Settings > Your Data). For a complete data export, contact [email protected].

10.2 Correction

You have the right to request correction of inaccurate Personal Information. You can update most of your information directly within the App (Profile settings). For corrections to data not accessible through the App interface, contact [email protected].

10.3 Deletion

You have the right to request deletion of your Personal Information, subject to certain exceptions described in Section 11. You may initiate account deletion directly within the App (Settings > Account > Delete Account) or by contacting [email protected].

10.4 Data Portability

You have the right to receive a copy of your Personal Information in a structured, commonly used, and machine-readable format. Export formats available include PDF, CSV, and JSON. Data export is available through Settings > Your Data > Export.

10.5 Opt-Out Rights

You may opt out of the following data processing activities:

AI Processing: Settings > Privacy > AI Data Processing
Apple Health Integration: iOS Settings > Privacy & Security > Health > NextDose.AI
Push Notifications: iOS Settings > Notifications > NextDose.AI
Analytics: Settings > Privacy > Analytics (disables TelemetryDeck data collection)

10.6 Non-Discrimination

We will not discriminate against you for exercising your privacy rights. However, certain features that require specific data processing (e.g., AI-powered features requiring AI consent) will be unavailable if you opt out of the underlying data processing.

11. ACCOUNT DELETION

11.1 In-App Deletion

You may delete your account directly within the App by navigating to Settings > Account > Delete Account. Upon confirming deletion:

Your account will be deactivated immediately
Your Personal Information, Health Protocol Data, Bloodwork Data, and AI-generated outputs will be queued for permanent deletion
Deletion from active systems will be completed within 30 days
Deletion from backup systems will be completed within 90 days

11.2 Email Deletion Request

Alternatively, you may request account deletion by emailing [email protected] from the email address associated with your account. We will process the request within 30 days of verification.

11.3 Effects of Deletion

Upon account deletion:

You will lose access to all data stored in the App
Your subscription, if active, will not be automatically cancelled — you must cancel your subscription through Apple's App Store settings prior to or concurrently with account deletion
De-Identified Data that has already been incorporated into aggregate datasets cannot be individually extracted or deleted, as it is no longer attributable to you (see Section 22)
Certain Legal Protection Records (name, email, acceptance records, usage data) are retained as described in Section 8.3 for legal protection and Terms of Service enforcement purposes

12. CHILDREN'S PRIVACY

NextDose.AI is not intended for, marketed to, or designed for use by individuals under the age of eighteen (18). We do not knowingly collect Personal Information from individuals under 18.

If we become aware that we have collected Personal Information from an individual under 18, we will take steps to delete that information promptly. If you believe a minor has provided us with Personal Information, please contact us at [email protected].

Age verification is performed during account creation. Users must confirm they are 18 years of age or older before completing registration.

13. INTERNATIONAL DATA TRANSFERS

13.1 Processing Locations

Your Personal Information may be processed in the United States and other countries where our service providers maintain facilities. Our primary data infrastructure is hosted on Supabase's cloud platform, which utilizes Amazon Web Services (AWS) data centers.

13.2 Transfer Safeguards

For transfers of Personal Information from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
Service provider certifications under applicable data transfer frameworks
Your explicit consent, where applicable

14. THIRD-PARTY LINKS AND SERVICES

14.1 External Links

The App may contain links to third-party websites, services, or resources, including licensed telehealth clinics and healthcare provider directories. These links are provided for your convenience and informational purposes only.

14.2 No Responsibility

We are not responsible for the privacy practices, content, or security of third-party websites or services. We encourage you to review the privacy policies of any third-party service before providing your personal information. Interaction with any third-party service accessed through the App is solely between you and that third party.

15. COMMUNITY FEATURES AND USER-GENERATED CONTENT

15.1 Community Feed

The App includes a community feed feature that aggregates publicly available discussion content from third-party platforms. This content is displayed within the App for informational and community engagement purposes.

15.2 Content Moderation

In compliance with Apple App Store Review Guideline 1.2, the community feed includes:

Automated content filtering for objectionable, harmful, or illegal material
A mechanism for users to report offensive or inappropriate content
The ability for users to block content sources
Published contact information for content concerns ([email protected])

15.3 Community Data

If future versions of the App enable user-submitted community content (ratings, reviews, tips), such content will be subject to moderation and may be visible to other users. Community content will be governed by the community guidelines published within the App. You should not include personal health information in community content.

16. SUBSCRIPTION AND PAYMENT DATA

16.1 Payment Processing

All subscription payments are processed by Apple through the App Store and StoreKit 2. We do not collect, process, or store your credit card numbers, bank account details, or other financial payment instruments.

16.2 Subscription Information

We receive from Apple:

Your subscription status (active, expired, in trial, cancelled)
Subscription tier (plan type)
Transaction identifiers
Original purchase date and expiration date

This information is used solely for feature access management and subscription status verification.

16.3 Restore Purchases

You may restore previously purchased subscriptions at any time through Settings > Subscription > Restore Purchases.

17. ANALYTICS AND PERFORMANCE MONITORING

17.1 Analytics Provider

We use TelemetryDeck for app analytics. TelemetryDeck is a privacy-focused analytics platform designed in compliance with GDPR, CCPA, and Apple's App Tracking Transparency framework.

17.2 What Analytics Collects

Aggregated feature usage events (screen views, feature activations)
App performance metrics (launch time, frame rates, crash counts)
Operating system version and device category (e.g., "iPhone" — not specific model)
App version

17.3 What Analytics Does NOT Collect

Personal identifiers (name, email, user ID)
Health Protocol Data, Bloodwork Data, or Apple Health Data
IP addresses
Device advertising identifiers (IDFA)
Precise location data
Compound names, doses, or any substance-related information

17.4 Opt-Out

You may disable analytics collection entirely through Settings > Privacy > Analytics.

18. COOKIES AND SIMILAR TECHNOLOGIES

The NextDose.AI mobile application does not use cookies, web beacons, pixel tags, or similar tracking technologies. Our companion website (nextdose.ai), if applicable, may use essential cookies for site functionality, which will be governed by a separate cookie policy.

19. DO NOT TRACK SIGNALS

The App does not track users across third-party websites or services and therefore does not respond to Do Not Track (DNT) signals. We do not participate in cross-app tracking or allow third-party advertising networks within the App.

20. PUSH NOTIFICATIONS AND COMMUNICATIONS

20.1 Push Notifications

With your permission, we send push notifications for:

Dose reminders and protocol schedule alerts
Bloodwork upload reminders
Streak and adherence notifications
Material updates to our Terms of Service or Privacy Policy

You may manage notification preferences through iOS Settings > Notifications > NextDose.AI or within the App at Settings > Notifications.

20.2 Transactional Communications

We may send transactional emails (account verification, password reset, subscription confirmations, privacy policy updates) to your registered email address. Transactional communications are necessary for account management and cannot be opted out of while your account is active.

21. DATA PROCESSING FOR SERVICE IMPROVEMENT

21.1 Internal Analytics

We analyze patterns in aggregated, de-identified Usage Data to:

Identify the most-used and least-used App features
Optimize App performance and reduce load times
Prioritize feature development based on aggregate usage patterns
Identify and resolve technical issues affecting multiple users

21.2 Quality Assurance

We may review de-identified examples of AI interactions (with all personal identifiers removed) to:

Assess and improve the accuracy of AI-generated outputs
Identify common user queries and information needs
Develop improved AI prompts and response frameworks
Ensure AI disclaimers and safety features function correctly

22. DE-IDENTIFIED AND AGGREGATE DATA

22.1 De-Identification

We may create de-identified and aggregate data from information collected through the App. De-identified data has been processed so that it cannot reasonably be used to identify any individual. De-Identified Data is not considered Personal Information under applicable data protection law.

22.2 Uses of De-Identified Data

We may use de-identified and aggregate data for any lawful purpose, including but not limited to service improvement, analytics, and product development. We do not attempt to re-identify individuals from de-identified data.

22.3 Apple HealthKit Data Exclusion

Apple HealthKit Data is categorically excluded from all de-identification and aggregation processes. This exclusion is absolute. See Section 5.

22.4 Opt-Out

You may opt out of having your data included in de-identification processes by contacting [email protected] or through Settings > Privacy > Data Research Participation. Opting out does not affect your access to any App features.

23. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

23.1 Applicability

This section applies to California residents and supplements the information contained in this Privacy Policy with disclosures required under the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA).

23.2 Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of Personal Information as defined by the CCPA:

23.3 Right to Know and Access

You have the right to request that we disclose the categories and specific pieces of Personal Information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information.

23.4 Right to Delete

You have the right to request deletion of your Personal Information, subject to certain exceptions under the CCPA (e.g., completing a transaction, detecting security incidents, complying with legal obligations).

23.5 Right to Correct

You have the right to request correction of inaccurate Personal Information.

23.6 Right to Opt-Out of Sale or Sharing

We do not sell or share your Personal Information (as those terms are defined under the CCPA/CPRA) for cross-context behavioral advertising purposes or for monetary consideration. De-Identified and Aggregated Data, as described in Sections 7.1 and 22, is not Personal Information under the CCPA/CPRA and is therefore not subject to the right to opt out of sale. The Company's use, licensing, or sale of De-Identified Data does not constitute a "sale" of Personal Information under applicable law.

23.7 Right to Limit Use of Sensitive Personal Information

You have the right to limit our use of your Sensitive Personal Information to purposes that are necessary to provide the Service. To exercise this right, use the privacy controls in Settings > Privacy or contact [email protected].

23.8 Exercising Your Rights

To exercise any California privacy right, you may:

Use the in-app privacy controls (Settings > Privacy)
Email [email protected]
Use the in-app account deletion feature (Settings > Account > Delete Account)

We will verify your identity before processing your request. We will respond to verifiable consumer requests within 45 days.

23.9 Authorized Agents

You may designate an authorized agent to make requests on your behalf. Authorized agents must provide written authorization signed by you and must verify their own identity.

23.10 Automated Decision-Making and Profiling

NextDose.AI uses AI-powered features to generate informational insights, research summaries, and protocol analysis. These features are informational tools only — they do not make automated decisions that produce legal or similarly significant effects on you. No access to the App, no pricing, no service availability, and no health outcome is determined by automated processing without human involvement. All AI outputs require your independent decision and action before they have any effect. To the extent CPRA grants you the right to opt out of automated decision-making technology, you may do so through Settings > Privacy > AI Data Processing, which disables all AI-powered features.

23.11 "Do Not Sell or Share" Mechanism

We do not sell or share your Personal Information as those terms are defined under the CCPA/CPRA. Because no sale or sharing of Personal Information occurs, a "Do Not Sell or Share" opt-out mechanism is not required for Personal Information. De-Identified and Aggregated Data is not Personal Information and is not subject to this opt-out right. If you wish to opt out of having your data included in de-identification and aggregation processes, you may do so through Settings > Privacy > Data Research Participation. Should our practices regarding Personal Information change, we will provide a conspicuous opt-out mechanism as required by law before any such change takes effect.

23.12 Non-Discrimination

We will not discriminate against you for exercising your CCPA/CPRA rights.

24. EUROPEAN ECONOMIC AREA RIGHTS (GDPR)

24.1 Applicability

This section applies to individuals located in the European Economic Area (EEA), United Kingdom, or Switzerland and supplements this Privacy Policy with information required under the General Data Protection Regulation (GDPR).

24.2 Data Controller

The data controller for the purposes of the GDPR is:

NextDose.AI Inc., a Delaware corporation,

Email: [email protected]

24.3 Legal Bases for Processing

We process your Personal Data under the following legal bases:

Consent (Art. 6(1)(a)): AI data processing, Apple HealthKit integration, push notifications
Contract (Art. 6(1)(b)): Account creation, service delivery, subscription management
Legitimate Interest (Art. 6(1)(f)): Service improvement, security, analytics
Legal Obligation (Art. 6(1)(c)): Tax records, responding to lawful government requests

For processing of Special Categories of Data (health data), we rely on explicit consent (Art. 9(2)(a)) obtained during account setup and through specific consent flows for AI processing and HealthKit integration.

24.4 Your Rights Under GDPR

In addition to the rights described in Section 10, EEA residents have the following rights:

Right to Restriction of Processing: You may request restriction of processing in certain circumstances
Right to Object: You may object to processing based on legitimate interests
Right to Lodge a Complaint: You may file a complaint with your local data protection authority
Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing

24.5 Data Protection Officer

For GDPR inquiries, contact: [email protected]

25. OTHER STATE PRIVACY RIGHTS

If you are a resident of a state with applicable consumer privacy legislation — including but not limited to Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), or any state that enacts comparable privacy legislation after the effective date of this Privacy Policy — you may have additional rights regarding your Personal Information, which may include:

The right to confirm whether we are processing your Personal Information
The right to access your Personal Information
The right to correct inaccuracies in your Personal Information
The right to delete your Personal Information
The right to obtain a portable copy of your Personal Information
The right to opt out of targeted advertising (we do not engage in targeted advertising)
The right to opt out of the sale of Personal Information (we do not sell Personal Information; De-Identified Data is not Personal Information)
The right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (our AI features are informational only and do not produce such effects)

To exercise any of these rights, contact [email protected] or use the in-app privacy controls at Settings > Privacy. We will respond to verified requests within the timeframe required by your state's applicable law. We will not discriminate against you for exercising your privacy rights.

If we are unable to resolve your privacy concern, you may have the right to appeal our decision or file a complaint with your state's attorney general or applicable regulatory authority.

26. HEALTH DATA SPECIFIC PROVISIONS

25.1 Voluntary Provision

All health-related data within NextDose.AI is provided voluntarily by you. The App is a personal health journal — you choose what to record and what to omit. We never require you to disclose specific health information as a condition of using the App.

25.2 Sensitivity Acknowledgment

We recognize that Health Protocol Data and Bloodwork Data constitute sensitive personal information. We apply heightened security, access controls, and processing restrictions to all health-related data categories.

25.3 No Medical Decisions

Health data stored in the App is intended for personal journaling and informational purposes only. It is not intended to, and should not, replace the advice, diagnosis, or treatment recommendations of a licensed healthcare professional. Consult your healthcare provider before making any health decisions.

25.4 HIPAA Disclaimer

NextDose.AI is not a "Covered Entity" or "Business Associate" as defined under the Health Insurance Portability and Accountability Act (HIPAA). The App is a consumer wellness and journaling tool, not a healthcare service. Data you input into NextDose.AI is not protected health information (PHI) under HIPAA. If you choose to share NextDose.AI data with your healthcare provider, you do so at your own discretion.

27. CHANGES TO THIS PRIVACY POLICY

26.1 Notification of Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. Material changes will be communicated to you through:

A prominent in-app notification
An email to the address associated with your account
An updated "Last Updated" date at the top of this Privacy Policy

26.2 Review Period

Material changes will be communicated at least thirty (30) days before taking effect. Your continued use of the App after the effective date of any revised Privacy Policy constitutes your acceptance of the changes.

26.3 Prior Versions

Prior versions of this Privacy Policy are available upon request by contacting [email protected].

28. GOVERNING LAW

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law principles. Disputes arising under this Privacy Policy shall be resolved in accordance with the dispute resolution provisions set forth in our Terms of Service.

29. CONTACT INFORMATION

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

NextDose.AI Inc., a Delaware corporation,