Privacy Policy
1. Who we are
This Privacy Policy describes how Theon Health (“Theon”, “we”, “us”, “our”) collects, uses, stores, and shares information when you use our websites (including theon.health and theon.life), our web and installed applications (including app.theon.health and app.theon.life), and related services (collectively, the “Services”).
For privacy questions or requests, email us at info@theon.health.
2. Information we collect
Depending on how you use the Services, we may process:
- Account and authentication data — for example, if you sign in with Google, we receive identifiers and profile details allowed by that sign-in method (such as name, email address, and profile image) as described in Google’s policies and your account settings.
- Profile and usage data — information you provide in onboarding or account settings (such as role, preferences, and practice-related settings where applicable).
- Health and clinical context — information you or your care team enter, upload, or generate in the Services (for example, messages, notes, documents, timeline or record entries, scheduling information, and audio or transcripts from visits where those features are used).
- Technical and service data — IP address, device and browser type, approximate location derived from IP, timestamps, diagnostic logs, and similar data needed to operate, secure, and improve the Services.
- Communications — content you send to us (for example, support or feedback messages) and related metadata.
- Push notifications — if you opt in, data needed to deliver notifications to your device (such as push subscription endpoints managed by the platform/browser).
3. How we use information
We use the information above to:
- Provide, maintain, and improve the Services (including AI-assisted features offered in the product);
- Authenticate users, enforce authorization, and protect against fraud and abuse;
- Deliver notifications and in-product experiences you request;
- Comply with law and respond to lawful requests;
- Analyze reliability and performance in aggregated or de-identified form where appropriate.
Not medical advice. The Services may include decision-support or informational features. They do not replace professional medical judgment or emergency care. If you think you may have a medical emergency, call your local emergency number.
4. Legal bases (where GDPR applies)
Where the EU/UK General Data Protection Regulation applies, we rely on one or more of the following:
- Contract — processing necessary to provide the Services you request;
- Legitimate interests — for example, securing the Services, improving reliability, and understanding aggregate usage, balanced against your rights;
- Consent — where required for optional features (such as certain notifications or cookies, where applicable);
- Legal obligation — where we must retain or disclose information to comply with law.
Special categories of personal data under GDPR may be processed where you or your organization provide such data in the course of using health-related features, based on applicable grounds such as explicit consent, health or social care purposes with appropriate safeguards, or contract with a health professional, as permitted by law.
5. Sharing of information
We may share information with:
- Service providers who assist us with hosting, infrastructure, authentication, communications, security monitoring, and similar functions, subject to contractual obligations;
- Other users and organizations where the product workflow requires it (for example, care teams or connected accounts you authorize);
- Authorities or third parties when required by law, or to protect rights, safety, and security.
We do not sell your personal information as that term is commonly defined in U.S. state privacy laws.
6. International transfers
We may process and store information in countries other than where you live, including the United States and the European Economic Area, using appropriate safeguards where required (such as standard contractual clauses).
7. Retention
We retain information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary depending on the type of data and your organization’s settings where applicable.
8. Security
We implement technical and organizational measures designed to protect information. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
9. Your rights and choices
Depending on your location, you may have rights to access, correct, delete, or export personal data, to restrict or object to certain processing, and to withdraw consent where processing is consent-based. You may also have the right to lodge a complaint with a supervisory authority.
Your health record on Theon belongs to you. You can export it in standard formats and take it with you.
To exercise these rights, email us at info@theon.health. We may need to verify your request.
10. Children
The Services are not directed to children under 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children without appropriate parental authority where required.
11. Cookies and local storage
We and our service providers may use cookies, local storage, and similar technologies that are essential for sign-in, preferences, and security. If we use non-essential analytics or marketing technologies, we will describe them and, where required, obtain consent.
12. Changes
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the effective date above. If changes are material, we will provide additional notice as required by law.