Dama Assist Privacy Policy
Last Updated: May 6, 2026
This Privacy Policy explains how DAMA HEALTH LTD ("we", "our", or "us") collects, uses, stores, and protects your personal information when you use the Dama Assist Platform.
1. Who We Are
DAMA HEALTH LTD is a limited company registered in England and Wales (Company number 13379931). We are the data controller for personal data collected through the Dama Assist Platform.
2. What Data We Collect
2.1 Information You Provide
- Account information: Name, email address, password (hashed)
- Professional credentials: Occupation (e.g. MD, NP, PA), practice setting (e.g. hospital, private practice, academic medical centre), general location (e.g. city, state, or region), NPI number (for US healthcare credential verification)
- Chat content: Clinical questions and queries you submit through the AI chat interface
- Feedback and support requests: Any messages you send us
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, buttons clicked, chat messages sent (aggregate counts), folders created — collected via PostHog analytics (only with your consent)
- Device and connection data: IP address, browser type, operating system, screen resolution — collected via PostHog analytics (only with your consent)
- Authentication data: Session tokens and login timestamps, stored as cookies on your device (strictly necessary for the service to function)
2.3 Information from Third Parties
- Payment information: When you subscribe, Stripe (our payment processor) collects your payment card details and billing address. We do not store your full card number — we receive only a partial card number, card brand, and billing email from Stripe for record-keeping.
- NPI Registry: When you verify your credentials, we query the public NPPES registry to validate your NPI number and retrieve your registered provider name, taxonomy, and practice location.
2.4 Information We Do NOT Collect
- We do not collect or process Protected Health Information (PHI) as defined by HIPAA.
- We do not collect Special Category Data (e.g. health data about you personally) under UK GDPR.
- Users are reminded not to enter patient-identifiable information into the chat. See our Terms of Use for details.
3. How We Use Your Data (Purposes and Lawful Basis)
Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for each way we use your personal data.
| Purpose | Data Used | Lawful Basis (GDPR Art. 6) |
|---|---|---|
| Provide and operate the Platform (account, auth, chat) | Account info, credentials, chat content | Contract performance |
| Process payments and manage subscriptions | Email, billing info (via Stripe) | Contract performance |
| Verify healthcare professional credentials | NPI number, name, occupation | Contract performance |
| Send product emails (welcome, payment terms, password reset) | Email, name | Legitimate interest — you can opt out of non-essential emails in Settings |
| Send marketing emails | Email, name | Legitimate interest — you can opt out of non-essential emails in Settings |
| Product analytics (PostHog) | Usage events, device info, IP | Consent — only collected after you accept analytics cookies |
| Error tracking and debugging | Error logs, stack traces | Legitimate interest — service reliability and security |
| Respond to support requests | Email, name, message content | Legitimate interest |
| Comply with legal obligations | As required | Legal obligation |
| Understand how the Platform is used and share aggregated, anonymized insights with enterprise clients and partners (see Section 5.1) | Query categories and topics, grouped by attributes such as general location, practice setting, and clinician type (aggregated and de-identified prior to use for the purpose) | Legitimate interest |
We do not use your data for automated decision-making or profiling.
5. Data Sharing and Sub-Processors
We do not sell, rent, or share your identifiable personal data with third parties for their own marketing purposes. We contractually require all recipients of aggregated, anonymized insights to maintain the data in de-identified form and not to attempt to re-identify any individual from the data.
We use the following service providers (sub-processors) to operate the Platform. Each processes data strictly on our behalf and under our instructions:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Convex, Inc. | Database and backend infrastructure | All user data, chat content, credentials, subscriptions | United States |
| PostHog, Inc. | Product analytics and error tracking | Usage events, device info, IP address, email (if identified and consented) | United States |
| Stripe, Inc. | Payment processing | Payment card details, billing address, email | United States |
| Resend, Inc. | Transactional email delivery | Email address, name | United States |
| Klaviyo, Inc. | Marketing email delivery | Email address, name | United States |
| Google Cloud (Vertex AI) | AI model inference for chat responses | Chat queries and conversation context | United States / Global |
| Exa (Exa Labs, Inc.) | Web search (used by AI during chat) | Search queries derived from your questions | United States |
| Vercel, Inc. | Website hosting and content delivery | IP address, request logs | United States / Global |
We may update this list as we add or change service providers. Material changes will be reflected in updates to this Privacy Policy.
6. AI Data Processing
When you use the Dama Assist chat, your questions are sent to Google's Vertex AI (Gemini) for processing. This is necessary to generate AI-powered responses.
- Your chat queries are processed in real-time and are not used by Google to train or improve their AI models (per our Google Cloud data processing terms).
- We store your chat history in our database (Convex) so you can access past conversations.
- During chat, the AI may use external search tools (Exa) to find relevant medical literature. These searches are derived from your questions but do not contain your personal information.
- AI outputs may be incomplete or incorrect. You must independently verify all information. See our Terms of Use for the full AI disclaimer.
7. International Data Transfers
Dama Health Ltd is based in the United Kingdom. Most of our sub-processors are based in the United States. This means your personal data is transferred from the UK to the US.
We ensure these transfers are lawful under UK GDPR by relying on:
- UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses (SCCs) with our sub-processors
- Data processing agreements with each sub-processor that include appropriate safeguards
The UK has not issued an adequacy decision for the United States as a whole. Where we rely on SCCs/IDTA, we have assessed that appropriate supplementary measures are in place (encryption in transit and at rest, access controls, contractual obligations).
You may request a copy of the relevant transfer safeguards by contacting us at support@damahealth.com.
8. Data Security
We implement appropriate organisational and technical measures to safeguard your data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Encryption at rest for stored data
- Access controls and role-based permissions
- Authentication via secure session tokens
- Regular review of security practices and third-party tools
- No storage of full payment card details (handled entirely by Stripe)
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information (name, email) | Until you delete your account or request deletion |
| Chat history | Until you delete individual threads or your account |
| Professional credentials (NPI) | Until you delete your account or request deletion |
| Subscription and billing records | As required by law (typically 6 years under UK tax law) |
| Transactional email logs | 12 months |
| Analytics data (PostHog) | Per PostHog retention settings (default 1 year) |
| Authentication sessions | Auto-expire after inactivity; cleared on sign-out |
When you request account deletion, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g. billing records for tax purposes).
10. Your Rights Under UK GDPR
If you are in the UK or EU, you have the following rights under data protection law:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your data (subject to legal retention requirements).
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interest.
- Right to withdraw consent: Where processing is based on consent (e.g. analytics cookies, marketing emails), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at support@damahealth.com. We will respond within one month.
If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
11. Your Rights Under California Law (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:
11.1 Right to Know
You have the right to request that we disclose:
- The categories of personal information we have collected about you
- The specific pieces of personal information we have collected
- The categories of sources from which we collected your information
- The purposes for which we use your information
- The categories of third parties with whom we share your information
11.2 Right to Delete
You may request that we delete personal information we have collected from you, subject to certain exceptions (e.g. completing a transaction, legal obligations).
11.3 Right to Correct
You may request that we correct inaccurate personal information.
11.4 Right to Opt-Out of "Sale" or "Sharing"
We do not sell your personal information in the traditional sense. However, under the broad CCPA definition, sharing data with analytics providers (PostHog) for cross-context behavioural analytics may constitute "sharing." You can opt out of this by declining analytics cookies via our cookie consent banner.
11.5 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing or service quality.
11.6 How to Exercise Your Rights
To submit a CCPA request, email us at support@damahealth.com. We will verify your identity before processing your request and respond within 45 days.
11.7 Categories of Personal Information Collected
Under CCPA categories, we collect:
- Identifiers: Name, email address, NPI number, IP address
- Professional information: Occupation, credential type
- Internet activity: Browsing history on our Platform, search queries, interaction with features (only with consent)
- Commercial information: Subscription plan, billing history
We do not collect: biometric data, geolocation data, sensory data, or protected classification characteristics.
12. Children
You must be 18 years or older to use the Platform. We do not knowingly collect information from anyone under the age of 18. If we learn that we have collected personal data from a child under 18, we will delete it promptly.
13. Updates to this Policy
We may update this Privacy Policy from time to time. The date of the most recent update will always be posted at the top of this page. For material changes, we will notify you by email or by a prominent notice on the Platform.
We encourage you to review this policy periodically.
14. Contact Information
For privacy concerns or to exercise your rights, please contact: