Privacy Policy

Last Updated: December 15, 2025

1. Introduction

xHeal Corp. ("xHeal," "we," "us," or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy ("Policy") explains how we collect, use, share, and protect information when you use the xHeal mobile application (the "App"), our website at https://xheal.ai (the "Website"), and all related services, features, content, and functionality (collectively, the "Services").

xHeal Corp. is incorporated in the State of Florida, United States, with its principal office at 25 SE 2ND AVE, SUITE 550, MIAMI, FL 33131, USA. For the purposes of applicable data protection laws, xHeal Corp. is the data controller responsible for your personal data.

By using our Services, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use our Services.

2. How We Collect Personal Data

We collect personal data in the following ways:

  • Directly from you: When you create an account, fill in your health profile, input health data, use the xHeal Chat, upload medical documents, subscribe to our Services, or contact our support team.
  • Automatically: When you use our Services, we automatically collect certain technical and usage data through cookies, log files, analytics tools, and similar technologies.
  • From third-party sources: We may receive data from connected health devices and wearables (e.g., Apple Health, Google Health Connect), third-party sign-in providers (e.g., Apple Sign-In, Google Sign-In), payment processors, and analytics providers.

3. What Personal Data We Collect

We may collect the following categories of personal data:

  • Account Information: Name, email address, password (encrypted), date of birth, gender, profile photo, and account preferences.
  • Health and Wellness Data: Vitals (e.g., heart rate, blood pressure, weight, body temperature), medical records and documents you upload, symptoms and flare-up logs, dietary information, exercise and activity data, sleep data, mental wellness inputs, and health scores generated by our Services.
  • Device and Wearable Data: Data synced from connected health devices, Apple Health, Google Health Connect, and other third-party health platforms you authorize.
  • Usage Data: Information about how you interact with our Services, including features used, pages visited, time spent, clicks, and navigation patterns.
  • Device Information: Device type, operating system and version, unique device identifiers, IP address, browser type, and language preferences.
  • Payment Information: Payment method details are processed by third-party payment processors (e.g., Apple, Google, Stripe). We do not store your full credit card number or payment credentials on our servers.
  • Communications Data: Messages sent through xHeal Chat, support inquiries, feedback, and any other communications you have with us.
  • Location Data: General location information derived from your IP address. We do not collect precise GPS location data.

4. Cookies and Similar Technologies

We use cookies, pixels, and similar tracking technologies on our Website and in our Services to enhance your experience, analyze usage, and deliver relevant content. For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy.

5. How We Use Collected Personal Data

We use your personal data for the following purposes:

  • Providing and Improving Services: To operate, maintain, and improve the Services, including generating health insights, scores, reports, and personalized recommendations.
  • AI-Powered Features: To train, develop, and improve our AI and machine learning models that power health insights and the xHeal Chat. Where we use your data for AI training, it is anonymized and aggregated so that it cannot identify you personally.
  • Account Management: To create and manage your account, process subscriptions and payments, and provide customer support.
  • Communications: To send you transactional messages (e.g., account confirmations, billing notifications, security alerts), as well as marketing and promotional communications where you have opted in.
  • Analytics and Research: To understand usage trends, monitor the effectiveness of our Services, conduct research and analysis, and develop new features.
  • Security and Fraud Prevention: To detect, prevent, and address security incidents, fraud, and other harmful activities.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.

6. How We Share Personal Data

We do not sell your personal data. We may share your personal data in the following circumstances:

  • Service Providers: We share data with trusted third-party service providers who perform functions on our behalf, such as cloud hosting (AWS), analytics, payment processing, email delivery, and customer support. These providers are contractually required to protect your data and may only use it for the purposes specified by us.
  • AI Technology Providers: We may share anonymized and de-identified data with third-party AI technology providers to power certain features of the Services, such as the xHeal Chat. We do not share personally identifiable health information with these providers without your explicit consent.
  • Legal Requirements: We may disclose your data when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect the rights, property, or safety of xHeal, our users, or others.
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity.
  • With Your Consent: We may share your data for other purposes with your explicit consent.

7. How You May Share Personal Data

The Services may allow you to share your health data, reports, or other information with third parties, such as healthcare providers, family members, or other individuals you designate. When you choose to share your data with third parties, their use of your data is governed by their own privacy practices and policies. xHeal is not responsible for the privacy practices of third parties with whom you share your data.

8. xHeal Chat & Third-Party AI Technology

The xHeal Chat feature is powered by artificial intelligence technology, which may include third-party AI models. When you interact with xHeal Chat:

  • Your messages and inputs are processed to generate responses and health insights.
  • We may transmit anonymized or de-identified portions of your inputs to third-party AI providers to facilitate responses.
  • We implement technical and organizational measures to minimize the personal data shared with third-party AI providers.
  • Chat conversations may be stored to improve the quality and accuracy of future interactions and to enhance our AI models.
  • You should not share highly sensitive personal information (e.g., Social Security numbers, financial account numbers) in Chat conversations.

9. Your Choices

You have the following choices regarding your personal data:

  • Account Information: You can review and update your account information through the App settings at any time.
  • Marketing Communications: You can opt out of marketing emails by clicking the "unsubscribe" link in any marketing email or by updating your communication preferences in the App settings.
  • Cookies: You can manage your cookie preferences through your browser settings or through the cookie consent mechanism on our Website. See our Cookie Policy for more details.
  • Data Portability: You may request a copy of your personal data in a structured, commonly used, and machine-readable format by contacting us at privacy@xheal.ai.
  • Account Deletion: You may request deletion of your account and associated personal data by contacting us at privacy@xheal.ai or through the account settings in the App. Please note that some data may be retained as required by law or for legitimate business purposes.
  • Connected Devices: You can disconnect health devices and wearables from the App at any time through the App settings.

10. Data Security and Retention

We implement industry-standard technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS) and at rest (AES-256), access controls, regular security assessments, and secure cloud infrastructure (AWS).

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

We retain your personal data for as long as your account is active or as needed to provide you with the Services. When your account is deleted, we will delete or anonymize your personal data within 90 days, except where retention is required by law, for dispute resolution, or for legitimate business purposes. Anonymized and aggregated data that cannot identify you may be retained indefinitely for research and analytics purposes.

11. Services Not Intended for Children

Our Services are not directed to children under the age of 13 (or 16 in the European Union). We do not knowingly collect personal data from children under these ages. If we become aware that we have collected personal data from a child under the applicable age threshold, we will take steps to delete such data promptly. If you believe that a child has provided us with personal data, please contact us at privacy@xheal.ai.

12. Changes to This Privacy Policy

We may update this Policy from time to time. If we make material changes, we will notify you by posting the updated Policy on the Website and within the App, and where required by law, by sending you an email or in-app notification. The "Last Updated" date at the top of this Policy indicates when it was last revised. Your continued use of the Services after the effective date of the revised Policy constitutes your acceptance of the changes.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

xHeal Corp.
25 SE 2ND AVE, SUITE 550
MIAMI, FL 33131, USA

14. U.S. State-Specific Privacy Notice

This section provides additional information for residents of U.S. states with comprehensive privacy legislation, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with similar laws.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined under applicable state privacy laws:

  • Identifiers (e.g., name, email address, account ID, IP address).
  • Personal information categories listed in the relevant state statutes (e.g., name, address, telephone number).
  • Protected classification characteristics (e.g., age, gender).
  • Commercial information (e.g., subscription history, payment records).
  • Internet or other electronic network activity information (e.g., browsing history, interaction data, device information).
  • Sensory data (e.g., health data, biometric data from connected devices).
  • Inferences drawn from the above (e.g., health scores and AI insights).

Your State Privacy Rights

Depending on your state of residence, you may have the following rights:

  • Right to Know: Request information about the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt Out: Opt out of the sale or sharing of personal information. xHeal does not sell your personal information.
  • Right to Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment.

To exercise any of these rights, contact us at privacy@xheal.ai. We will verify your identity before processing your request.

15. Trans-Atlantic Data Privacy Framework

xHeal may transfer personal data from the European Economic Area (EEA), United Kingdom (UK), and Switzerland to the United States. When we do so, we rely on the following transfer mechanisms to ensure adequate protection of your data:

  • Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with our service providers and partners who process data outside the EEA.
  • Adequacy Decisions: Where applicable, we transfer data to countries that the European Commission has determined provide an adequate level of data protection.
  • Supplementary Measures: We implement additional technical and organizational measures (e.g., encryption, access controls) to supplement the safeguards provided by SCCs where necessary.

For further information about our cross-border data transfer practices, please contact our Data Protection Officer at dpo@xheal.ai.

16. Privacy Notice for European Residents (GDPR)

This section provides additional information for individuals located in the European Economic Area (EEA), United Kingdom (UK), and Switzerland, as required by the General Data Protection Regulation (GDPR) and equivalent legislation.

Legal Bases for Processing

We process your personal data on the following legal bases:

  • Contract Performance: Processing necessary to perform our contract with you (e.g., providing the Services, managing your account, processing payments).
  • Consent: Processing based on your freely given, specific, informed, and unambiguous consent (e.g., processing special categories of health data, sending marketing communications).
  • Legitimate Interests: Processing necessary for our legitimate interests, provided these interests are not overridden by your fundamental rights and freedoms (e.g., improving our Services, fraud prevention, security).
  • Legal Obligation: Processing necessary to comply with legal obligations to which we are subject.

Your Rights Under GDPR

As a data subject in the EEA, UK, or Switzerland, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data in certain circumstances.
  • Right to Restriction: Request restriction of processing of your personal data in certain circumstances.
  • Right to Data Portability: Receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to Object: Object to processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority (supervisory authority).

To exercise any of these rights, please contact our Data Protection Officer at dpo@xheal.ai or our EU Representative at eu-representative@xheal.ai.

Special Categories of Data

Certain health and wellness data we process may constitute "special categories of personal data" under the GDPR. We process such data only with your explicit consent, which you provide when creating your account and inputting health data into the Services. You may withdraw your consent at any time by contacting us or deleting your account.

Data Retention for European Residents

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements. Upon account deletion, your personal data will be erased within 30 days, unless a longer retention period is required or permitted by law.
