Who this notice covers
Rymeda is not currently offered in the EEA, the UK, or Switzerland, so this notice is not yet in effect. It is written for residents of the European Economic Area (EEA), the United Kingdom (UK), and Switzerland, whose personal data is protected by the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection, respectively. The protections it describes will apply to those users if and when Rymeda launches in their region.
When it takes effect, this notice will supplement, and should be read together with, our main Privacy Policy. The Privacy Policy describes what information Rymeda collects, how we use it, who we share it with, how long we keep it, and how to contact us. This notice adds the legal bases, transfer safeguards, and data subject rights that will apply to people in those regions on launch. Where this notice and the Privacy Policy differ for users covered here, this notice will control.
Data controller and representatives
The data controller responsible for your personal data is Rymeda, Inc., a company incorporated in Delaware, United States. Rymeda decides why and how your personal data is processed when you use the Rymeda Community, Care Portal, and ORIS.
Under Article 27 of the GDPR and the equivalent UK GDPR requirement, a controller outside the EEA or UK that offers services to people in those regions may be required to appoint a local representative. Because Rymeda is not yet offered in those regions, no representative is required today. When Rymeda launches in the EEA, we will appoint a representative under GDPR Article 27, and we will appoint a separate representative for the UK when Rymeda launches there. We will publish their contact details here before the product becomes available in those regions.
In the meantime, you can contact Rymeda's privacy team directly about any matter in this notice at privacy@rymeda.com. You can also use our contact page.
Legal bases for processing
If you are in the EEA or the UK, we process your personal data only when we have a valid legal basis under Article 6 of the GDPR or UK GDPR. The bases we rely on, and how they map to Rymeda's processing, are described below.
- Performance of a contract (Article 6(1)(b)). We process your account data, profile data, and the content you create so that we can provide the Rymeda service you signed up for, such as creating and securing your account, showing you the Rymeda Community, and operating Care Portal and ORIS for you.
- Legitimate interests (Article 6(1)(f)). We process interaction data and technical data to keep the service secure, prevent abuse and spam, moderate the community, understand how the product is used in aggregate, and improve Rymeda. We balance these interests against your rights and freedoms, and we do not rely on legitimate interests where your interests override ours.
- Consent (Article 6(1)(a)). We rely on your consent for any optional processing that requires it, including processing of health and other special-category data (see Section 4) and any non-essential analytics or communications. Where we rely on consent, you can withdraw it at any time, and doing so does not affect the lawfulness of processing before withdrawal.
- Legal obligation (Article 6(1)(c)). We process personal data where we must do so to comply with a legal obligation, such as responding to valid legal process or meeting record-keeping and safety duties.
Health and special-category data
Information about your health is "special category" personal data under Article 9 of the GDPR and UK GDPR, and it receives extra protection. Health data can appear in several places in Rymeda: in posts and comments you choose to write in the Rymeda Community, in messages you send to ORIS, and in the information you enter into Care Portal, such as your Rymeda Medical Card, medications, vitals, conditions, and records.
For users covered by this notice, Rymeda's legal basis for processing health and other special-category data will be your explicit consent under Article 9(2)(a). You decide whether to share any health information, and the act of entering or posting it is a deliberate choice. You will be able to withdraw your consent at any time by deleting the relevant content, removing the information from Care Portal, closing your account, or emailing privacy@rymeda.com. Withdrawing consent does not affect the lawfulness of processing that already took place.
We will finalize the explicit-consent mechanism for special-category data before Rymeda launches in the EEA, the UK, or Switzerland. As a general matter, please share only the health information you are comfortable providing, and do not enter sensitive identifiers into ORIS as described in the Privacy Policy.
International data transfers
Rymeda is operated from the United States and our infrastructure is hosted in the United States. When you use Rymeda from the EEA, the UK, Switzerland, or elsewhere outside the US, your personal data is transferred to, stored in, and processed in the United States, and may be processed by our service providers in other countries.
When Rymeda launches in the EEA, the UK, or Switzerland, transfers of personal data out of those regions will be made subject to appropriate safeguards, and we will confirm our international data-transfer mechanism before launch. The safeguards we expect to rely on are:
- The EU-US Data Privacy Framework, together with its UK Extension and the Swiss-US Data Privacy Framework, where applicable. We will complete the relevant certification before offering Rymeda in these regions.
- The European Commission's Standard Contractual Clauses (SCCs), and the UK International Data Transfer Agreement or Addendum, with our service providers and within Rymeda, where a Data Privacy Framework certification does not cover a given transfer. We will execute these with our sub-processors before launch.
Once Rymeda is available in your region, you will have the right to request a copy of the safeguards we use for these transfers. To do so, email privacy@rymeda.com. We may redact commercially confidential or security-sensitive details.
Your rights (EEA, UK, Swiss)
Once Rymeda is available in the EEA, the UK, or Switzerland, you will have the following rights over your personal data, subject to the conditions and exceptions in applicable law.
- Access. You can request confirmation of whether we process your personal data and a copy of it.
- Rectification. You can ask us to correct personal data that is inaccurate or incomplete.
- Erasure ("right to be forgotten"). You can ask us to delete your personal data where there is no good reason for us to keep it.
- Restriction. You can ask us to limit how we use your personal data in certain circumstances.
- Objection. You can object to processing based on our legitimate interests, and to any direct marketing.
- Portability. You can ask to receive personal data you provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
- Withdraw consent. Where we rely on your consent, including for health data, you can withdraw it at any time without affecting prior processing.
- Automated decisions. You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. See Section 8. Rymeda does not make such decisions.
To exercise any of these rights, email privacy@rymeda.com. We may need to verify your identity before acting on a request. We aim to respond within one month of receiving your request, as provided under the GDPR, and we may extend that period by up to two further months for complex or numerous requests, in which case we will tell you. Exercising these rights is free in most cases.
Right to complain to a supervisory authority
If you are unhappy with how we handle your personal data, we would like the chance to address it, so please contact us first at privacy@rymeda.com. You also have the right to lodge a complaint with a data protection supervisory authority.
- EEA residents may complain to the Data Protection Authority in their country of residence, place of work, or the place of the alleged infringement. A list of EEA authorities is maintained by the European Data Protection Board.
- UK residents may complain to the Information Commissioner's Office (ICO) at ico.org.uk.
- Swiss residents may contact the Federal Data Protection and Information Commissioner (FDPIC).
ORIS and automated decision-making
ORIS is a health AI guide that provides plain-language health information only. ORIS does not diagnose, prescribe, provide medical care, or make decisions about you. ORIS does not carry out automated decision-making, including profiling, that produces legal effects concerning you or that similarly significantly affects you within the meaning of Article 22 of the GDPR and UK GDPR.
When you ask ORIS a question, the text of your message is sent to an AI processing provider so a response can be generated and returned to you, as described in the Privacy Policy. The output is informational and is not a determination about you. Please do not rely on ORIS for medical decisions, and consult a qualified healthcare professional. If you may be in a medical emergency, call your local emergency number.
Retention
We keep different categories of information for different periods of time, and we do not keep personal data longer than necessary for the purposes described to you. The specific retention windows that apply to your information are set out in the Data retention section of our Privacy Policy, and they apply to users covered by this notice as well.
Changes and contact
We may update this notice from time to time. When we make a material change, we will update the "Last updated" date at the top of this page and notify beta participants by email or in-app notice. A revised notice will be published before Rymeda exits beta and reaches General Availability.
For any question about this notice or your rights, or to request a copy of our transfer safeguards, email privacy@rymeda.com. You can also visit our contact page.
