ORIS Privacy Policy
Effective Date: May 2026
This Privacy Policy explains how the ORIS mobile application ("ORIS," "the App") — a standalone product operated by Rymeda, Inc. ("Rymeda," "we," "us") — collects, uses, and protects your information. ORIS is a conversational health AI that operates in two modes: (i) Anonymous Mode, where no Rymeda account is required, and (ii) Connected Mode, where you voluntarily link your Rymeda account to personalize the experience. When you operate in Connected Mode, the Rymeda Privacy Policy, HIPAA Notice of Privacy Practices, and Terms of Service also apply.
1. Data Controller
Rymeda, Inc.
Attn: Privacy Officer
Email: legal@rymeda.com
For privacy questions, data subject requests, or complaints related to ORIS, contact our Privacy Officer at the address above.
2. ORIS Is Not a Medical Service
ORIS provides general health information and guided assessments. ORIS is not a substitute for professional medical advice, diagnosis, or treatment. ORIS does not establish a doctor-patient relationship. In an emergency, call 911 or your local emergency number immediately. ORIS will surface emergency guidance when its safety engine detects red-flag symptoms, but it cannot replace clinical judgment.
3. Information We Collect
3.1 Anonymous Mode
When you use ORIS without connecting a Rymeda account, we collect:
- An anonymous device identifier (UUID) generated on first launch — stored only on your device
- The conversations you have with ORIS — stored locally on your device
- Symptom assessment details you provide (body region, severity, duration, etc.) — stored locally on your device
- The messages you send to our reasoning service — processed in real time and not associated with an identifiable user account
- Basic device and crash diagnostics — used only to keep the app working
3.2 Connected Mode (Rymeda Account)
When you choose to connect your Rymeda account, ORIS additionally accesses:
- Your medication list, as recorded in your Rymeda profile
- Your medical conditions, as recorded in your Rymeda profile
- Your care team contacts, as recorded in your Rymeda profile
- Summaries of your recent ORIS conversations across all Rymeda-connected surfaces
You authorize this access through OAuth using your existing Rymeda credentials. ORIS receives only the fields listed above — not your full Rymeda record.
4. How We Use Your Information
We use the information we collect to:
- Run the conversational assessment and produce a reasoned response
- Detect emergencies and surface appropriate safety guidance (e.g., call 911, call 988)
- Personalize the experience in Connected Mode based on your medications, conditions, and care team
- Suggest follow-ups on past concerns and relevant communities or care paths
- Diagnose crashes, performance issues, and abuse
- Comply with legal obligations and protect against fraud or misuse
5. AI Processing and Model Training
Your conversations are processed by AI models (including third-party reasoning models) under contractual restrictions that prohibit those providers from using your data to train their general-purpose models.
We do not sell your information. We do not use your conversations to train commercial AI models. Internally, we may use aggregated, de-identified signals (for example, "how often does the chest-pain flow escalate to safety alerts") to improve ORIS's safety and accuracy.
6. Storage and Retention
- Anonymous Mode: Your health profile and conversation history are stored locally on your device. They are not synced to our servers. Clearing the app or uninstalling it deletes this data.
- Connected Mode: Conversation summaries are linked to your Rymeda account and retained per the Rymeda Data Retention Policy.
- Authentication tokens: Stored in your device's secure keychain (Keychain on iOS, Keystore on Android). You can disconnect at any time in Settings, which deletes the tokens immediately.
7. Security
We protect data in transit with TLS 1.2+, store secrets in hardware-backed keychains where available, and access connected Rymeda data using short-lived OAuth tokens with PKCE. Rymeda's infrastructure undergoes regular third-party security review. See our Security page for technical details.
8. Your Choices and Rights
- Disconnect Rymeda: Settings → Disconnect. Your tokens and the cached Rymeda profile are wiped from the device.
- Delete local data: Uninstall the app, or use Settings → Clear conversation history.
- Account deletion: Connected users can request deletion of their Rymeda account at legal@rymeda.com.
- Access, correction, portability: Where applicable under CCPA/CPRA, GDPR, or state privacy laws, you may request access to, correction of, or a portable copy of your data. Contact us at legal@rymeda.com.
- Do Not Sell or Share: We do not sell or share personal information for cross-context behavioral advertising.
9. Children
ORIS is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at legal@rymeda.com so we can delete it.
10. International Users
ORIS is operated from the United States. If you access ORIS from outside the United States, your information may be transferred to and processed in the U.S. For EU/UK users, we rely on Standard Contractual Clauses and applicable safeguards for international transfers — see the Rymeda GDPR notice.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced in the app and on this page with a revised effective date. Continued use of ORIS after a change constitutes acceptance of the updated policy.
12. Contact
Questions or complaints about this policy: legal@rymeda.com. For urgent medical concerns, contact a clinician or call 911.