Privacy Policy

Last updated: 11 June 2026

This Privacy Policy is provided in English. Translations are available on request.

This Privacy Policy explains how Cira ("we", "us", "our") collects, uses, stores, shares and protects your personal data when you use askainurse.com and related services (the "Service"). It is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR and similar privacy laws. Cira is currently in beta and is not a licensed medical service.

1. Data controller

The data controller responsible for your personal data is:

  • Askainurse (the operator of askainurse.com)
  • Registered address: la boue, Charn Issara Tower 1 - Ground Floor, Bangkok, 41250, Thailand
  • Privacy contact / DPO: privacy@askainurse.com

If you are an EU/EEA or UK resident and need to reach our representative, use the privacy email above.

2. Information we collect

  • Account data: name, email, hashed password, authentication provider (email / Google).
  • Health profile: age, biological sex, height, weight and any other inputs you provide.
  • Vitals data: heart rate, blood pressure, breathing rate, HRV, BMI, stress index and risk indicators derived from the Shen AI face scan. The face video is processed on-device and is never uploaded.
  • Chat content: messages you exchange with Cira, including symptoms and AI-generated assessments.
  • Usage & device data: device type, browser, IP address, pages visited, timestamps, anonymous device identifier (cira_device_id) for guest rate-limiting.
  • Cookies & local storage: see Section 9.
  • Payment data: processed by our payment provider; we do not store card numbers.

3. Purposes & lawful basis

Purpose | Data used | Lawful basis (GDPR Art. 6 / 9)
Provide AI nurse chat and vital scans | Account, health profile, vitals, chat | Contract (Art. 6(1)(b)) + explicit consent for health data (Art. 9(2)(a))
Generate clinical reports (PDF) | Health profile, vitals, chat | Contract + explicit consent
Security, rate-limiting, fraud prevention | Usage, device ID, IP | Legitimate interest (Art. 6(1)(f))
Anonymous analytics (Google Analytics) | Usage, anonymised IP | Consent (Art. 6(1)(a)) — via cookie banner
Service emails (account, security) | Email | Contract
Comply with legal obligations | As required | Legal obligation (Art. 6(1)(c))

4. Sub-processors & sharing

We share data only with service providers strictly necessary to operate Cira:

Sub-processor | Purpose | Location
Anthropic (Claude) | AI chat responses | USA
Shen AI SDK | On-device biometric processing only — no data leaves your browser | N/A (client-side)
Hosting & MySQL database | Application hosting, encrypted backups | EU / Global
Google Analytics | Aggregate usage metrics (only if you consent) | USA
Stripe / Paddle | Payment processing | USA / Global

We do not sell your personal or health data.

5. International transfers

When personal data is transferred outside the EU/EEA or UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) or, for the UK, the UK International Data Transfer Agreement, together with supplementary measures (encryption in transit, access controls).

6. Data retention

Data | Retention
Account & profile | Until you delete your account
Vital scans & reports | 24 months from creation, then anonymised
Chat conversations | 12 months, then deleted
Security & audit logs | 90 days
Payment records | As required by tax law (typically 7 years)

On account deletion we erase or irreversibly anonymise your data within 30 days, except where retention is required by law.

7. Your rights (GDPR)

Under GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectify inaccurate data via your profile page (Art. 16).
  • Erasure ("right to be forgotten") — delete your account from the profile page (Art. 17).
  • Restrict processing in certain circumstances (Art. 18).
  • Data portability — download a machine-readable copy from Profile → Privacy & data → Export my data (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw consent at any time via the cookie banner or by deleting your account (Art. 7).
  • Lodge a complaint with your local supervisory authority (e.g. CNIL, ICO, Datatilsynet).

To exercise these rights, use the in-app controls or email privacy@askainurse.com. We respond within 30 days.

8. Automated processing & AI

Cira uses AI models to generate responses and risk indicators. These outputs are informational only and do not constitute a medical diagnosis. They are not solely automated decisions with legal or similarly significant effects under GDPR Art. 22 — a qualified clinician should review every assessment.

9. Cookies & local storage

We use three categories of cookies / local-storage entries:

  • Strictly necessary — JWT auth token, anonymous device ID, consent record. Always on.
  • Analytics — Google Analytics with anonymised IP. Off by default; only loaded after you accept.
  • Functional — language preference, UI state. Off by default.

You can change your choice at any time.

10. Security

We use TLS encryption in transit, hashed passwords (bcrypt), JWT-based authentication, role-based access controls and encrypted backups. The Shen AI face scan runs entirely on-device — your video is never transmitted. No system is 100% secure; you use the Service at your own risk while we are in beta.

11. Children

Cira is not intended for users under 16 in the EU/EEA and UK. We do not knowingly collect data from children.

12. Breach notification

In the event of a personal-data breach likely to result in risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform affected users without undue delay.

13. Changes to this policy

We may update this Privacy Policy. Material changes will be communicated via the app or by email. Continued use after changes means you accept the updated policy.

14. Contact

Questions or requests: privacy@askainurse.com.