HIPAA Compliance
Last updated: February 2026
Important Notice
AaharIQ is designed for general consumer health and nutrition awareness. Depending on your use case and jurisdiction, you should assess whether HIPAA obligations apply to your specific situation. If you are a healthcare provider or covered entity, please contact us to discuss a Business Associate Agreement (BAA) before using the Service to process Protected Health Information (PHI) for clinical purposes.
1. What Is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law that establishes national standards for protecting sensitive patient health information. HIPAA applies to "covered entities" (healthcare providers, health plans, and healthcare clearinghouses) and their "business associates" — third-party vendors and service providers that handle Protected Health Information (PHI) on their behalf.
PHI includes any individually identifiable health information, such as medical records, diagnoses, treatment histories, billing information, and any data that could reasonably be used to identify a patient.
2. How AaharIQ Handles Health Data
AaharIQ collects health-related information — including self-reported medical conditions, allergies, and uploaded health documents — to personalise AI-generated nutrition and product safety recommendations. We treat this data with the highest level of care:
Data Isolation
Each user's health data is stored in a per-user isolated namespace within our vector database. No user can query, access, or influence another user's data. All database queries are filtered by a user-specific identifier at the infrastructure level.
Encryption in Transit
All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints and redirect all HTTP traffic to HTTPS.
Encryption at Rest
Health data stored in our PostgreSQL database and ChromaDB vector store is encrypted at rest using AES-256. Encryption keys are managed securely and rotated periodically.
Access Controls
Only authenticated and authorised personnel have access to production systems. Access is granted on a least-privilege basis and is audited regularly. No employee or contractor can view your individual health records without explicit audit justification.
Audit Logging
All access to health data within the platform is logged with timestamps, user identifiers, and action types. Logs are retained for a minimum of 90 days for security investigation purposes.
3. Permitted Uses & Disclosures
We use the health information you provide only for:
- Generating personalised AI health and nutrition recommendations for you
- Improving the quality and accuracy of the Service (using only anonymised, aggregated data)
- Responding to support requests you initiate
We do not disclose your health information to:
- Third-party advertisers or data brokers
- Insurance companies, employers, or healthcare providers (unless you explicitly instruct us to)
- Government agencies, except as required by applicable law
- Other users of the platform
4. Your Rights Regarding Health Data
Regardless of whether HIPAA applies to your specific use of the Service, we uphold the following data subject rights for all users:
Right to Access
You can view, export, or download all health data associated with your account at any time through the platform settings.
Right to Correction
You can update or correct your medical history, conditions, and any other health data in your profile at any time.
Right to Deletion
You can delete your entire account — including all health data, scan history, uploaded documents, and chat history — by contacting us or using the in-app account deletion feature. Deletion is permanent and completed within 30 days.
Right to Restriction
You may request that we stop processing your health data for personalisation purposes. Note that this will reduce the quality of recommendations, as the Service relies on your health profile to function effectively.
Right to a Copy
Upon written request, we will provide you with a machine-readable copy of your health data in JSON or CSV format within 30 days.
5. Business Associate Agreements (BAA)
If you are a HIPAA-covered entity or business associate that intends to use AaharIQ in a context where the Service will process, store, or transmit PHI on your behalf, a Business Associate Agreement (BAA) is required before any such processing begins.
To request a BAA, please contact our compliance team with details about your organisation and intended use case. We will review your request and respond within 10 business days.
BAA Requests: compliance@aahariq.ai
6. Breach Notification
In the event of a data breach that affects your health information, AaharIQ will notify affected users without undue delay and, where applicable, within 72 hours of becoming aware of the breach in accordance with GDPR Article 33 and relevant data protection laws. Notification will be sent to the email address associated with your account.
If you suspect a breach or unauthorised access, please report it immediately to security@aahariq.ai.
7. Contact Our Compliance Team
For all HIPAA, compliance, and data protection enquiries, please reach out to our dedicated compliance team:
AaharIQ — Compliance & Privacy
Compliance: compliance@aahariq.ai
Security: security@aahariq.ai
General: contact@aahariq.com
