── Legal ──
Privacy Policy
Last updated: June 4, 2026Effective: June 4, 2026
1. Introduction
This Privacy Policy explains how OsteoAI Oy ("we," "us," "the Company") collects, uses, stores, and protects your personal data when you use OsteoAI ("the Service").
We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and applicable Finnish data protection law.
Data Controller:OsteoAI Oy
Address: To be added upon registration
Business ID: To be added upon registration
Contact:
hello@osteoai.app 2. What Data We Collect
2.1 Account Data
- Email address
- Name (if provided)
- Professional status (osteopath, student, etc.)
- Account creation date and last login
2.2 Subscription and Billing Data
- Subscription plan and billing period
- Payment method details (processed by Stripe — we do not store card numbers)
- Transaction history and invoices
2.3 Usage Data
- Mode usage (Clinical Reasoning, Differential Diagnosis, etc.)
- Number of queries per session
- Response feedback (thumbs up/down, feedback tags)
- Session timestamps
2.4 Technical Data
- IP address
- Browser type and version
- Device type
- Error logs
2.5 Clinical Case Inputs
When you use OsteoAI, you may enter clinical case descriptions. These are stored as conversations in your account on United Kingdom Supabase servers and can be deleted at any time from the chat interface or via Settings → Privacy & Data → Delete my account.
⚠️ Important: You must not enter patient-identifiable information. Case inputs are processed in real time by our AI providers and are subject to their data retention policies (see Section 4). Messages sent to AI providers are not stored permanently by those providers and are not used to train AI models.
3. Legal Basis for Processing
| Data Type | Legal Basis |
|---|
| Account data | Contract performance (Article 6(1)(b)) |
| Billing data | Contract performance (Article 6(1)(b)) |
| Usage data | Legitimate interests — service improvement (Article 6(1)(f)) |
| Clinical inputs | Contract performance (Article 6(1)(b)) |
| Marketing emails | Consent (Article 6(1)(a)) |
4. Data Processors and Third Parties
4.1 OpenAI (AI Processing)
Purpose: Generating AI responses
Location: United States (Standard Contractual Clauses + OpenAI DPA)
OpenAI does not use API inputs to train models by default. Inputs may be retained up to 30 days for safety monitoring.
4.2 Anthropic (AI Processing)
Purpose: Generating AI responses for selected clinical modes
Location: United States (Standard Contractual Clauses + Anthropic Commercial Terms)
Anthropic does not use API inputs to train models by default.
4.3 Supabase (Database and Authentication)
Purpose: Account management, authentication, conversation storage
Location: United Kingdom (eu-west-2, London)
Transfers to the United Kingdom are covered by the EU adequacy decision pursuant to Article 45 GDPR (Commission Implementing Decision C(2025) 8771, valid until 27 December 2031).
4.4 Render (Backend Hosting)
Purpose: Running the application backend
Location: EU region (Frankfurt, EU Central)
4.5 Stripe (Payment Processing)
Purpose: Subscription billing and payment processing
Location: EU (Stripe Ireland Ltd.)
4.6 Vercel (Frontend Hosting)
Purpose: Serving the web application
Location: Global CDN (Vercel Edge Network) — primary processing in the United States (Standard Contractual Clauses)
5. Data Retention
We retain different categories of data for different periods. Automated cleanup runs daily to enforce these limits.
| Data Type | Retention Period |
|---|
| Account data | Until account deletion + 30 days |
| Billing records | 7 years (Finnish accounting law) |
| Conversations | Until you delete them or delete your account |
| Usage logs (query_log) | 90 days, then automatically deleted |
| Feedback ratings | 12 months, then automatically deleted |
| Clinical inputs sent to AI providers | Not stored by us — processed in real time |
| Technical logs | 90 days |
You can delete your account and all associated data at any time from Settings → Privacy & Data → Delete my account. Upon account deletion all data is permanently removed within 24 hours.
6. Your Rights Under GDPR
As a data subject in the EU, you have the following rights:
Right of access (Article 15) — Request a copy of all personal data we hold about you.
Right to rectification (Article 16) — Request correction of inaccurate data.
Right to erasure (Article 17) — Delete your account and all data via Settings → Privacy & Data, or contact us. We may retain billing records for legal purposes.
Right to restriction (Article 18) — Request that we limit processing of your data in certain circumstances.
Right to data portability (Article 20) — Request your data in a machine-readable format.
Right to object (Article 21) — Object to processing based on legitimate interests.
Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.
Right to lodge a complaint — Lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi or with the supervisory authority in your country of residence.
To exercise any of these rights, contact us at hello@osteoai.app. We will respond within 30 days.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest for stored data
- Row-level security on all database tables
- JWT-based authentication with session revocation
- Access controls limiting who can access user data
- Regular security reviews
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but we take commercially reasonable measures to protect your data.
8. Patient Data — Special Notice
OsteoAI is not designed to process patient personal data. Our Terms of Service explicitly prohibit entering patient-identifiable information into the Service.
If you are a healthcare practitioner, you are responsible for ensuring that all case descriptions entered are fully anonymised and that you comply with your national healthcare data protection requirements.
We are not a data processor of patient data. If you enter patient data in violation of our Terms of Service, you do so as an independent data controller and bear full responsibility for GDPR compliance in respect of that data.
8a. AI System Disclosure (EU AI Act)
OsteoAI uses artificial intelligence to generate clinical reasoning support. Users are informed that:
- Responses are generated by AI and not by a qualified human clinician
- AI-generated content may contain errors and must not replace clinical judgment
- OsteoAI is built on General Purpose AI models (OpenAI GPT-4o and Anthropic Claude) and is itself an application-layer system — it is not a General Purpose AI system. OsteoAI uses these underlying models to provide professional educational and clinical decision-support.
- OsteoAI is not a medical device and is not CE marked
- Human oversight is required — all outputs must be verified by the qualified practitioner
9. Cookies
We use essential cookies only:
- Authentication cookies (session management via Supabase)
- Theme preference (dark/light mode — stored in localStorage)
We do not use advertising cookies or third-party tracking cookies. No cookie consent banner is required as we use essential cookies only.
10. Children's Privacy
OsteoAI is intended for adults aged 18 and over. We do not knowingly collect data from persons under 18. If you believe a minor has created an account, contact us at hello@osteoai.app and we will delete the account.
11. International Data Transfers
Transfers to the United Kingdom (Supabase) are covered by the EU adequacy decision pursuant to Article 45 GDPR (Commission Implementing Decision C(2025) 8771, valid until 27 December 2031) and do not require additional safeguards.
Some of our data processors (notably OpenAI and Anthropic) are located outside the EU/EEA. Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and Data Processing Agreements with all processors.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via the platform at least 14 days before they take effect. The current version will always be available at osteoai.app/legal/privacy.
13. Contact and Complaints
Finnish Data Protection OmbudsmanTietosuojavaltuutetun toimisto
PO Box 800, FI-00531 Helsinki
tietosuoja.fi+358 29 566 6700
This Privacy Policy was last updated on June 4, 2026.