About this policy
This Privacy Policy describes how Rymeda, Inc. ("Rymeda", "we", "us") collects, uses, stores, and shares information when you visit our website, sign up for the private beta, or use the Rymeda mobile app distributed through Apple TestFlight. By using Rymeda you agree to this policy.
Rymeda is a US-based company. Our products include the Rymeda Community, Care Portal (which includes the Rymeda Medical Card), and ORIS, a health AI guide. You can reach our privacy team at privacy@rymeda.com. You can also use our contact page.
What we collect
We collect the categories of information described below. We try to keep this list complete and specific.
Account data
When you create an account we collect your name, email address, and a password. Passwords are stored as a salted hash, not in plain text.
Profile data
You choose a display name, which may be a pseudonym. You can add a profile photo, a short bio, and optional interests or topics. Only your display name and the profile fields you choose to publish are visible to other members.
Content you create
Posts, comments, reactions, replies, videos, and any other content you share inside the Rymeda Community. This content is visible to other members based on the audience you select.
Interaction data
How you use the app, such as the screens you open, the posts you scroll past or react to, what you search for, and how often you return. We use this to understand which parts of the product work and which do not.
Technical data
Device type, operating system version (for example, iOS 19.2), Rymeda app version, language and time zone, crash logs, and your IP address at the time of a request. IP addresses are used for security and to estimate region. We do not use them to build a precise location profile.
Beta sign-up data
If you fill out the form at /join-beta on this website we collect your name, email address, the role you selected (Person, Provider, Organization, Advocate, or Other), your free-text answer about why you want to join, and any optional health topics you choose to share. This information is used to evaluate beta requests and to email you about beta access.
TestFlight data
The Rymeda mobile app is distributed through Apple TestFlight. Apple collects information directly from beta testers, including device identifiers, install and crash data, and TestFlight feedback you submit through the TestFlight app. Apple is the data controller for that information. See the Apple Privacy Policy at apple.com/legal/privacy and Apple's TestFlight terms for details.
Care Portal data
Care Portal is your personalized health hub inside the Rymeda app. It is protected by a 6-digit PIN that you set, and it is separated from the Rymeda Community feed by design. Care Portal information is tied to your real identity, not to your community pseudonym.
The information you choose to add to Care Portal may include:
- Rymeda Medical Card. The fields you fill in for your in-app medical card, which may include name, date of birth, blood type, allergies, conditions, primary care provider, and emergency contact.
- Medications. Names of medications you add, dosages, schedules, and notes you write yourself.
- Vitals. Values you enter yourself for categories like heart rate, blood pressure, glucose, sleep, weight, oxygen, and mood, along with timestamps and any notes.
- Care Team. Provider names, roles, and contact details you choose to add.
- Appointments. Upcoming visits, prep notes, and any post-visit summary you write or attach.
- My Programs. Care programs you indicate you are enrolled in, along with progress notes you keep.
- Records. Documents, files, and reports you choose to upload to Care Portal.
- Emergency. Emergency contact details, conditions, allergies, and other information you mark as available in an emergency.
- Insurance. Member ID, plan name, and other insurance details you choose to enter.
All Care Portal information is user-entered by you. Rymeda does not import medical records from your hospital, clinic, insurer, or any third-party system. Care Portal is not a certified electronic medical record. It is a personal health hub designed to help you keep your own information in one place.
Care Portal information is held by Rymeda in our standard infrastructure. It is not currently regulated by HIPAA because Rymeda is not a HIPAA covered entity in this beta phase. We treat Care Portal information with care regardless. Sharing your Care Portal information with another person is always a deliberate action you take.
What we do NOT collect
It is just as important to be clear about what Rymeda does not collect.
- Protected Health Information in the HIPAA sense. Rymeda is not a HIPAA covered entity in this beta phase. We do not collect, store, or process health information that is provided to us by, or on behalf of, a covered entity such as a hospital, clinic, or health plan. The content you choose to share in the Rymeda Community or with ORIS is treated as personal user content, not as PHI under HIPAA.
- Apple Health records. We do not request, read, or sync data from Apple Health, HealthKit, or any similar device health store.
- A clinical medical history from your providers. We do not request or import medical records, charts, lab results, or histories from your hospital, clinic, insurer, or any third-party system. The only health-related information we hold is what you choose to enter yourself, either as part of the Rymeda Community, in a message to ORIS, or inside your own Care Portal.
- Real-time location. We do not collect precise GPS location.
- Contacts or photo library. We do not silently scan your contacts or your photos.
How we use information
We use the information we collect for the following purposes.
- To operate, maintain, and improve Rymeda, including the website, the mobile app, and ORIS.
- To send transactional emails, such as account verification, password resets, beta access notices, and important policy updates.
- To keep the Rymeda Community safe, including moderation, abuse prevention, spam detection, and enforcement of our Terms.
- To analyze usage in aggregate so we can prioritize what to build, fix, and remove.
- To respond to your questions and support requests.
- To comply with legal obligations and to enforce our rights.
We do not use the content of your ORIS conversations or your private posts to train third-party large language models. See Section 7 for how ORIS works.
Pseudonymity and your real name
Pseudonymity is a core feature of Rymeda. You may participate in the Rymeda Community under a chosen display name instead of your real name. Other members see only your display name and the public parts of your profile.
Rymeda still holds your real name and email address internally. We do this for a small number of important reasons: to verify that there is a real person behind each account, to enable safety and moderation when serious harm or illegal conduct is reported, to comply with legal process, and to operate the account itself (for example, password resets). Your real name and email are not exposed to other members through normal product use.
We may, in limited cases, link a real identity to a display name internally when investigating violations of our Terms, threats of harm, or court orders. We will not link a real identity to a display name for marketing.
Community content and visibility
Content you post in the Rymeda Community is visible to other members based on the audience you select. Public posts and comments may also be visible to people who join the relevant community or topic later. You are responsible for the content you share. Do not share information that you would not want other members to see.
We may retain copies of content for moderation, safety, abuse investigations, and required backups even after you delete it from the visible product surface. See Section 13 for retention details.
ORIS and your data
ORIS is a health AI guide. When you ask ORIS a question, the text of your message is sent to an AI processing provider so that a response can be generated and returned to you. We may retain your ORIS conversation history so that you can see past sessions in the app and so that we can improve the quality of ORIS over time. We do not sell ORIS conversations to advertisers or data brokers.
Please do not share specific personal health identifiers with ORIS, such as your full legal name combined with specific diagnoses, account numbers, insurance member IDs, or other identifiers tied to your medical records. ORIS is a guide, not a clinical system. It is not designed to receive, store, or protect that kind of information.
ORIS does not diagnose, prescribe, or provide medical care, and ORIS is not an emergency service. If you may be in a medical emergency, call your local emergency number.
Sharing with third parties
We share information with a small set of service providers strictly to operate Rymeda.
- Apple. The Rymeda mobile app is distributed through Apple TestFlight and, later, the App Store. Apple receives device, install, and crash information directly from your device.
- AI processing provider for ORIS. ORIS prompts are processed by a third-party large language model provider so that responses can be generated. We send only the content needed to generate a response and we do not send your name, email, or account identifier as part of the model prompt where it can be avoided.
- Cloud hosting and database providers. We use commercial cloud infrastructure to host the backend, store data, and run the application.
- Transactional email provider. We use a third-party email service to deliver account, beta, and product notifications.
- Error and crash analytics. We may use error and crash reporting tools to diagnose problems in the app. These tools receive technical information and limited interaction context, not the content of your private conversations or posts.
- Legal and safety. We may disclose information when required by law, valid legal process, or to protect the rights, safety, or property of Rymeda, our users, or the public.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
Cookies and tracking
On the rymeda.com website we use a small number of first-party cookies and similar storage to remember your session, keep the site secure, and measure basic page analytics. We do not run third-party advertising trackers, retargeting pixels, or social network share trackers on our marketing pages.
Inside the mobile app we use local storage to remember your session, your preferences, and to cache content for offline use.
Your choices and rights
You have the following rights with respect to your personal information.
- Access. You can request a copy of the personal information we hold about you.
- Correction. You can ask us to correct information that is wrong or out of date.
- Deletion. You can ask us to delete your account and associated personal information. Some information may be retained as described in Section 13.
- Export. You can request an export of your account data in a portable format.
- Withdraw consent. Where we rely on your consent, you can withdraw it.
To exercise any of these rights, email privacy@rymeda.com. We will respond within a reasonable time.
California residents
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California residents have the right to know what categories of personal information we collect, the right to access and delete that information, the right to correct inaccurate information, and the right to opt out of the sale or sharing of personal information. Rymeda does not sell personal information and does not share personal information for cross-context behavioral advertising, so there is nothing to opt out of in those categories. You will not be discriminated against for exercising any of these rights. To submit a request, email privacy@rymeda.com.
Children
Rymeda is intended for adults who are 18 years of age or older. We do not knowingly collect personal information from children under 13, and we do not direct the Rymeda product to children. If you believe a child under 13 has provided us with personal information, please contact us at privacy@rymeda.com and we will delete it.
International users
Rymeda is operated from the United States and our infrastructure is hosted in the United States. If you access Rymeda from outside the United States, your information will be transferred to, stored in, and processed in the United States. United States data protection laws may be different from the laws of your country. By using Rymeda you consent to this transfer and processing.
If you are in the European Economic Area, the United Kingdom, Switzerland, or another region outside the United States, you have additional rights and protections described in our International Privacy Notice. For those users, that notice supplements this policy.
Data retention
We keep different categories of information for different periods of time. The general retention windows below apply unless a longer period is required by law, an active investigation, or to resolve a dispute.
- Account data. While your account is active and for up to 90 days after a verified deletion request.
- Content you posted. While your account is active. After deletion, content is removed from public surfaces and queued for permanent removal within 90 days.
- ORIS conversation history. While your account is active, unless you delete it sooner from within the app.
- Server and security logs. Typically retained for 30 days.
- Beta sign-up data. Up to 12 months from submission unless the beta request converts into an account, in which case it is governed by account retention.
- Moderation and safety records. Records related to terms violations, safety incidents, and abuse investigations may be retained for a longer period to enforce our Terms and protect the community.
Data security
We take reasonable steps to protect your information. Network traffic between the app, the website, and our backend is encrypted in transit using TLS. Passwords are stored as salted hashes, not in plain text. Access to production data is limited to a small number of authorized engineers and is reviewed.
No system is perfectly secure, and we cannot guarantee absolute security. Rymeda has not undergone a SOC 2 audit and has not been certified as HIPAA compliant during this beta. If we ever experience a security incident that affects your personal information, we will notify you as required by applicable law.
Advertising and sponsored content
You may see sponsored content on Rymeda from verified health partners, including pharmaceutical companies, hospital systems, health systems, and accredited care organizations. We accept this kind of content so that Rymeda can stay free for members while remaining honest about how we earn revenue.
We do not share, sell, or use your individual health conversations, your ORIS questions, your post history, your direct messages, or any personal health information to target advertising.
Sponsored content is selected by topic context, not by who you are. That means a sponsored post about a specific condition may appear inside a community or topic about that condition, because the topic is the target. We do not build a profile of you for advertisers and we do not pass any individual data to advertisers in order for them to target you.
Health partners must be verified before they can participate. Any sponsored content that involves prescription drugs must comply with applicable Food and Drug Administration rules, including fair-balance requirements that present risk and safety information alongside benefit claims. Every sponsored unit is clearly labeled "Sponsored" and shows the advertiser's verified organization identity, so you always know who is talking.
You can report or hide sponsored content the same way you report or hide any other content. We will also offer a Settings control to opt out of contextual sponsored content.
For California residents under the California Consumer Privacy Act, as amended by the California Privacy Rights Act: contextual sponsored content as described in this section is not a "sale" of personal information and is not "sharing" for cross-context behavioral advertising as those terms are defined under California law, because no individual personal information is shared with advertisers for advertising purposes.
Changes to this policy
We may update this policy from time to time. When we make a material change we will update the "Last updated" date at the top of this page and, for material changes, notify beta participants by email or in-app notice. A complete revised policy will be published before Rymeda exits beta and reaches General Availability.
Contact
If you have a question about this policy, want to exercise one of your rights, or would like to report a privacy concern, please email privacy@rymeda.com. You can also visit our contact page.
Imagery used in Rymeda marketing surfaces is illustrative. Some lifestyle photos have been AI-touched and do not depict real Rymeda members or events.
