Privacy Policy

1. Introduction

Welcome to Yantir. Yantir ("we", "our", or "us") is an AI-powered health assistant application operated by Yantir Ltd, a company registered in England and Wales (registered address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ).

This Privacy Policy explains what personal data we collect when you use the Yantir mobile application and website (collectively, the "Services"), why we collect it, how we use it, with whom we share it, how long we keep it, and what rights you have over it.

Because Yantir processes health-related data, we treat your information with the highest level of care and apply additional safeguards described in Section 5 below.

By creating an account or using the Services, you acknowledge that you have read and understood this Privacy Policy and, where required by law, you provide your explicit consent to the processing of your personal data as described herein.

2. Data We Collect

We collect only the data that is necessary to provide and improve the Services. The categories are:

2.1 Account & Identity Data

• • Full name and display name
• • Email address and password (stored in hashed form)
• • Date of birth and gender (used to personalise health insights)
• • Profile photo (optional, user-provided)

2.2 Health & Lifestyle Data

• • Symptoms, conditions, and medical history (entered by you)
• • Medications, dosages, and treatment notes
• • Diet, exercise, sleep, and lifestyle habits
• • Body metrics (e.g. weight, height, BMI) if you choose to enter them
• • Lab or test results (if you upload them)
• • Data from connected wearables or health platforms (only if you grant permission)

2.3 Usage & Interaction Data

• • Features used, screens viewed, and session duration
• • Actions taken within the app (e.g. queries submitted to the AI assistant)
• • Error logs and crash reports

2.4 Device & Technical Data

• • Device type, operating system, and version
• • IP address and general geographic region (country / city level)
• • App version and unique installation identifier
• • Push notification token (if you enable notifications)

2.5 Location Data

• • Approximate location (derived from IP address) for relevant regional health guidance
• • Precise location only if you explicitly grant permission for location-based features (e.g. finding nearby services)

We do not collect data that is not necessary for the operation of the Services. You may choose not to provide certain optional data, but this may limit the functionality available to you.

3. How We Use Your Data

We use your data solely to provide, personalise, and improve the Services. Specifically:

• • Service delivery: To operate your account, generate AI-powered health insights, and deliver personalised diet, exercise, and lifestyle recommendations
• • Personalisation: To tailor content, reminders, and recommendations to your individual health profile
• • Communications: To send you service-related notifications, reminders, and responses to your support requests
• • Service improvement: To analyse aggregated usage patterns, fix bugs, and improve app performance and features
• • Safety & security: To detect, prevent, and respond to fraud, abuse, or security incidents
• • Legal compliance: To meet our obligations under applicable law and to respond to lawful requests from authorities
• • Research & development: To improve our AI models, using only anonymised or aggregated data, and only with your explicit consent where required by law

We do not use your data for advertising or marketing purposes unrelated to the Services.

3.1 Legal Basis for Processing (UK GDPR / GDPR)

• • Contract performance: Processing your account and identity data to provide the Services
• • Explicit consent: Processing health and sensitive personal data; sending marketing communications; processing data for research
• • Legitimate interests: Security monitoring, fraud prevention, and service analytics (where these interests are not overridden by your rights)
• • Legal obligation: Compliance with applicable laws and regulatory requirements

3.2 Legal Basis for Processing (India DPDP Act)

For users in India, we rely on your consent or voluntary provision of personal data, or another lawful basis permitted under India's Digital Personal Data Protection Act 2023, as applicable. Health data is always processed on the basis of your explicit, informed consent.

4. How We Collect Your Data

• • Directly from you: When you register an account, complete your health profile, log symptoms or habits, or contact our support team
• • From third-party integrations: From connected wearables or health platforms (e.g. Apple Health, Google Fit) only when you grant Yantir permission to access them
• • Automatically: Usage, device, and technical data are collected automatically when you use the Services through cookies, SDKs, and server logs

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data — including your health data — to any third party.

We share your data only in the following limited circumstances:

6.1 Service Providers (Data Processors)

We use trusted third-party service providers to operate the Services. These providers act as data processors and are bound by strict data processing agreements. They may only process your data on our instructions and for the purpose of providing services to us. Current categories of processors include:

• • Cloud infrastructure: Secure hosting and storage of application data (e.g. AWS or Supabase)
• • AI processing APIs: Third-party AI services used to generate health insights. Only the minimum data required to generate your response is transmitted, and it is not retained by the AI provider beyond the processing of your request.
• • Analytics tools: Aggregated and anonymised usage analytics to help us improve the app
• • Communications services: Email and push notification delivery
• • Payment processors: Secure handling of subscription payments (payment providers do not receive your health data)

6.2 Healthcare Partners

We will only share your health data with healthcare professionals or partner organisations if you have given your explicit consent to do so for a specific purpose.

6.3 Legal & Regulatory Authorities

We may disclose your data to law enforcement, regulatory authorities, or courts where we are legally required to do so or where necessary to protect the rights, property, or safety of Yantir, our users, or others.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the successor entity. We will notify you before your data is transferred and becomes subject to a different privacy policy, and you will have the right to request deletion of your data at that time.

7. Data Retention

We retain your personal data only for as long as is necessary for the purposes described in this Privacy Policy, or as required by applicable law:

• • Active account data: Retained for as long as your account remains active
• • Health & sensitive data: Retained only for as long as is necessary to provide the Services or as required by applicable health regulations; permanently deleted within 30 days of a verified deletion request or account closure
• • Post-closure retention: Non-health account data may be retained for up to 12 months after account closure for legal, regulatory, and audit purposes, then permanently deleted
• • Anonymised/aggregated data: May be retained indefinitely for research and product improvement purposes, as it cannot identify you

You may request deletion of your data at any time (see Section 9).

8. Your Rights

Depending on your location, you have the following rights regarding your personal data. We honour all applicable rights under UK GDPR, EU GDPR, and India's Digital Personal Data Protection Act 2023:

• • Right of access: You may request a copy of all personal data we hold about you
• • Right to rectification: You may request correction of inaccurate or incomplete data
• • Right to erasure ("right to be forgotten"): You may request permanent deletion of your personal data at any time. We will process verified deletion requests within 30 days.
• • Right to data portability: You may request an export of your personal data in a structured, machine-readable format
• • Right to restrict processing: You may request that we limit how we use your data in certain circumstances
• • Right to object: You may object to processing based on legitimate interests
• • Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent to health data processing, contact us or delete your account.
• • Right to complain: You may lodge a complaint with the relevant supervisory authority — the Information Commissioner's Office (ICO) in the UK (ico.org.uk, 0303 123 1113) or the Data Protection Board of India (once fully constituted and operational)

To exercise any of these rights, contact us at contact@yantir.com or by post at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. We will respond to all valid requests within 28 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

• • Encryption of data at rest (AES-256) and in transit (TLS 1.2+)
• • Role-based access controls limiting data access to authorised personnel only
• • Secure, audited cloud infrastructure with regular security assessments
• • Password hashing using industry-standard algorithms
• • Regular monitoring for security vulnerabilities and threats

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by UK GDPR), and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to them.

No method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

10. Children's Privacy

Yantir is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13 years of age.

Users between the ages of 13 and 17 (or the age of majority in their jurisdiction) may only use Yantir with verifiable parental or guardian consent. We do not knowingly collect health data from minors without such consent.

If we become aware that we have inadvertently collected personal data from a child under 13 without parental consent, we will take immediate steps to delete that data. If you believe we may hold data about a child under 13, please contact us at contact@yantir.com.

11. International Data Transfers

Yantir Ltd is based in the United Kingdom. If you access the Services from outside the UK, your data may be transferred to, and processed in, the UK or other countries where our service providers operate (including the United States and the European Economic Area).

Where we transfer personal data outside the UK or the EEA, we ensure appropriate safeguards are in place, including:

• • Standard Contractual Clauses (SCCs) approved by the relevant authority
• • Adequacy decisions issued by the UK Secretary of State or the European Commission
• • Other appropriate safeguards as required under applicable data protection law

For users in India, we comply with the requirements of India's Digital Personal Data Protection Act 2023 regarding cross-border data transfers.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes, we will update the "Last updated" date at the top of this page.

If we make material changes that affect how we process your personal data — particularly your health data — we will notify you in advance via email or an in-app notification, and where required by law, we will seek your renewed consent before the new policy takes effect.

We encourage you to review this Privacy Policy periodically. Your continued use of the Services after any changes constitute your acknowledgement of the updated policy.

13. Contact Information

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a complaint about how we handle your data, please contact us:

We aim to respond to all enquiries and rights requests within 28 days of receipt. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113 (UK), or with the Data Protection Board of India (once operational) for users in India.