Privacy Policy
Last updated: March 2026
1. Introduction
uyaalak ("we", "our", "us") operates the website uyaalak.com and the uyaalak mobile and web application. This Privacy Policy explains how we collect, use, store, and protect personal and health information that you provide when using our services.
By using uyaalak, you agree to the practices described in this policy. If you do not agree with this policy, please do not use our services.
uyaalak has been designed following the data protection principles established by HIPAA and the GDPR (General Data Protection Regulation), with the goal of providing the highest level of security and privacy for medical information.
2. Information We Collect
a) Account Information (Healthcare Professional)
When you register for uyaalak, we collect the following information from the healthcare professional: full name, email address, phone number, professional credentials (medical license and specialty), clinic information (name, address, and tax ID), and payment information. Payment data is processed by Paddle, our payment processor — uyaalak does not store credit card numbers.
b) Patient Information
uyaalak stores patient information entered by the healthcare professional or collected through the WhatsApp pre-consultation intake form. This information includes: demographic data (name, date of birth, sex, phone number, address), clinical data (medical history, allergies, current medications, vital signs), and consultation records (SOAP notes, diagnoses with ICD-10/ICD-11 codes, and prescriptions).
Information collected through the WhatsApp pre-consultation intake form is reported by the patient and does not constitute a medical diagnosis.
c) Audio Recordings
uyaalak allows recording of medical consultations for AI-powered transcription. Audio recordings are processed by Deepgram for transcription and by Anthropic (Claude) for SOAP clinical note structuring. Recordings are stored encrypted in Cloudflare R2.
Audio recordings are NEVER used to train artificial intelligence models.
d) Usage and Technical Data
We automatically collect technical information including: device information, IP address, browser type, usage analytics (features used and session duration), and error logs for debugging purposes.
e) WhatsApp Communications
uyaalak sends and receives messages through the WhatsApp Business API (Meta's WhatsApp Cloud API) for appointment reminders, confirmations, and pre-consultation intake forms. The content of these messages is processed through Meta's infrastructure.
3. How We Use Information
We use the information collected for the following purposes:
- To provide and improve the uyaalak service.
- To generate AI-powered transcriptions and clinical notes.
- To send appointment reminders and pre-consultation intake forms via WhatsApp.
- To process payments through Paddle.
- To communicate with users about their account or service updates.
- To analyze product usage to improve the experience.
- To comply with legal and regulatory obligations.
We do NOT sell personal data to third parties. We do not use audio recordings or patient data to train artificial intelligence models.
4. Data Ownership
Patient data belongs to the patient — not to the clinic, not to uyaalak. The healthcare professional acts as custodian of patient data within uyaalak, and uyaalak acts as a data processor on behalf of the healthcare professional.
uyaalak's long-term vision is to enable patients to carry their medical records across healthcare providers. Healthcare professionals can export their patients' data at any time.
5. Who We Share Information With
We share information only with the service providers necessary for the operation of uyaalak. We do not share data with advertisers or data brokers.
| Provider | Country | Function |
|---|---|---|
| Deepgram | United States | Audio transcription |
| Anthropic | United States | AI processing for clinical notes |
| Paddle | United Kingdom | Payment processing (Merchant of Record) |
| Sevalla (GCP) | Brazil (São Paulo) | Hosting infrastructure |
| Cloudflare | United States | CDN and object storage (R2) |
| Meta | United States | WhatsApp Business API |
We may share information if required by law or court order.
6. Data Security
We implement security measures designed to protect your personal and health information. These measures include: encryption in transit (TLS/HTTPS) and at rest for all stored data; infrastructure hosted on SOC 2 and ISO 27001 certified platforms; access controls and JWT-based authentication; regular security reviews; and soft deletes for regulatory compliance — data is not permanently deleted immediately.
uyaalak has been designed following the security principles established by HIPAA and the GDPR.
7. Data Retention
Account data is retained while the account is active and deleted upon request. Patient clinical data is retained per applicable medical record retention laws in each country (Guatemala, Mexico). Audio recordings are retained while the account is active. Usage data is retained for up to 24 months.
Users can request data export or deletion by contacting [email protected].
8. User Rights
You have the following rights regarding your personal information:
- Access: right to access your personal data.
- Rectification: right to correct inaccurate data.
- Deletion: right to request deletion of your data (subject to legal medical record retention requirements).
- Portability: right to export your data in a standard format.
- Objection: right to object to certain types of data processing.
To exercise these rights, contact [email protected].
9. Cookies and Similar Technologies
We use essential cookies for authentication and session management, as well as analytics cookies to understand how the service is used. We do not use advertising or tracking cookies. Users can manage their cookie preferences through their browser settings.
10. Minors
uyaalak is designed for healthcare professionals and not for direct use by minors. Patient records for minors are managed by the healthcare professional and/or the patient's legal guardian.
11. International Data Transfers
Data may be processed in the United States (Deepgram, Anthropic, Cloudflare) and in other countries where our service providers operate. We ensure appropriate safeguards are in place with all providers. The main hosting infrastructure is located in São Paulo, Brazil, for Latin American latency optimization.
12. Changes to This Policy
We may update this policy from time to time. We will notify users of significant changes via email or in-app notification. Continued use of the service after such changes constitutes acceptance of the updated policy.
13. Contact
For general service inquiries: [email protected]
For privacy-specific inquiries: [email protected]