How it works Research Use cases Demo Join waitlist →

Privacy Policy

Your data is yours.

Your health history is the most personal thing you own. Here is exactly how we handle it.

Last updated: 2 June 2026

Who we are

SinceWhen Inc. ("SinceWhen", "we", "us") operates the SinceWhen service — an AI-powered lifetime medical record. For data protection queries, contact us at hello@sincewhen.ai. We act as the data controller for personal data processed under this policy.

What we collect

Information you give us

  • Account data — your name and email address, used to create and identify your account.
  • Medical records — documents, voice notes, prescription photographs, lab results, and discharge summaries you upload or dictate. This is the core of your SinceWhen thread.
  • Communications — any messages you send us (support requests, feedback, contact form submissions).

Information we collect automatically

  • Usage data — pages visited, features used, and session timestamps, used to improve the service and detect abuse.
  • Device data — browser type, operating system, and IP address, used for security and fraud prevention.

We do not use third-party advertising trackers. We do not install persistent advertising cookies.

How we use your data

  • To provide, maintain, and improve the SinceWhen service.
  • To generate AI summaries and structured briefs from your medical history.
  • To authenticate your identity and authorise access to your records.
  • To communicate service updates, security alerts, and waitlist status.
  • To comply with legal obligations.

We do not use your medical data to train AI models shared outside your account, unless you explicitly opt in to a research contribution programme.

Legal basis for processing

We process your personal data on the basis of your explicit consent, which you provide when creating an account. You may withdraw consent at any time by deleting your account. For health data (special category data under GDPR), we rely on your explicit consent and on processing necessary for the provision of health-related services.

Data storage and security

Your data is stored on Cloudflare's infrastructure, distributed across geographically redundant data centres. All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Medical records are stored in isolated, access-controlled storage with no default public access.

No SinceWhen employee can read your medical records. Access is limited to the AI processing pipeline and audit-logged infrastructure engineers responding to verified security incidents.

We are working toward SOC 2 Type II certification and operate with HIPAA-aligned practices.

Data sharing

We never sell your data. We share your data only with:

  • Cloudflare — infrastructure provider for storage, compute, and CDN delivery.
  • AI model providers — solely for on-demand inference to generate summaries and structured briefs. No data is retained by model providers beyond the processing window.
  • Legal requirements — if required by a court order or applicable law, we will notify you to the extent legally permitted before complying.

When you generate a QR code or time-limited specialist link, only the specific data scope you authorise is shared with the recipient, for the duration you specify. You can revoke this access at any time.

Your rights

  • Access — request a copy of all personal data we hold about you.
  • Correction — request correction of inaccurate data.
  • Deletion — delete your account and all associated data permanently. We retain a secure backup for 30 days before permanent deletion.
  • Portability — export your full thread as a structured data file at any time.
  • Objection — object to processing in circumstances where we rely on legitimate interests.
  • Complaint — lodge a complaint with your national data protection authority.

To exercise any right, email hello@sincewhen.ai. We respond within 30 days.

Children's privacy

SinceWhen supports records for children, managed by a parent or guardian who holds the account. Parents control all access to a child's record. When a child reaches majority, record ownership can be transferred to them. We do not knowingly collect data directly from children under 13 without verifiable parental consent.

International transfers

Cloudflare operates globally. If you are located in the European Economic Area, transfers outside the EEA are made under the EU Standard Contractual Clauses. A copy is available on request.

Cookies

We use only strictly necessary session cookies to maintain your authenticated state. We do not use marketing or analytics cookies.

Changes to this policy

We will notify you by email of material changes at least 14 days before they take effect. The current version is always available at sincewhen.ai/privacy.

Contact

Data protection queries: hello@sincewhen.ai. We aim to respond within 5 business days.