Privacy Policy
Last updated: 11 June 2026
This Privacy Policy is provided in English. Translations are available on request.
This Privacy Policy explains how Cira ("we", "us", "our") collects, uses, stores, shares and protects your personal data when you use askainurse.com and related services (the "Service"). It is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR and similar privacy laws. Cira is currently in beta and is not a licensed medical service.
1. Data controller
The data controller responsible for your personal data is:
- Askainurse (the operator of askainurse.com)
- Registered address: la boue, Charn Issara Tower 1 - Ground Floor, Bangkok, 41250, Thailand
- Privacy contact / DPO: privacy@askainurse.com
If you are an EU/EEA or UK resident and need to reach our representative, use the privacy email above.
2. Information we collect
- Account data: name, email, hashed password, authentication provider (email / Google).
- Health profile: age, biological sex, height, weight and any other inputs you provide.
- Vitals data: heart rate, blood pressure, breathing rate, HRV, BMI, stress index and risk indicators derived from the Shen AI face scan. The face video is processed on-device and is never uploaded.
- Chat content: messages you exchange with Cira, including symptoms and AI-generated assessments.
- Usage & device data: device type, browser, IP address, pages visited, timestamps, anonymous device identifier (cira_device_id) for guest rate-limiting.
- Cookies & local storage: see Section 9.
- Payment data: processed by our payment provider; we do not store card numbers.
3. Purposes & lawful basis
| Purpose | Data used | Lawful basis (GDPR Art. 6 / 9) |
|---|---|---|
| Provide AI nurse chat and vital scans | Account, health profile, vitals, chat | Contract (Art. 6(1)(b)) + explicit consent for health data (Art. 9(2)(a)) |
| Generate clinical reports (PDF) | Health profile, vitals, chat | Contract + explicit consent |
| Security, rate-limiting, fraud prevention | Usage, device ID, IP | Legitimate interest (Art. 6(1)(f)) |
| Anonymous analytics (Google Analytics) | Usage, anonymised IP | Consent (Art. 6(1)(a)) — via cookie banner |
| Service emails (account, security) | | Contract |
| Comply with legal obligations | As required | Legal obligation (Art. 6(1)(c)) |
4. Sub-processors & sharing
We share data only with service providers strictly necessary to operate Cira:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic (Claude) | AI chat responses | USA |
| Shen AI SDK | On-device biometric processing only — no data leaves your browser | N/A (client-side) |
| Hosting & MySQL database | Application hosting, encrypted backups | EU / Global |
| Google Analytics | Aggregate usage metrics (only if you consent) | USA |
| Stripe / Paddle | Payment processing | USA / Global |
We do not sell your personal or health data.
5. International transfers
When personal data is transferred outside the EU/EEA or UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) or, for the UK, the UK International Data Transfer Agreement, together with supplementary measures (encryption in transit, access controls).
6. Data retention
| Data | Retention |
|---|---|
| Account & profile | Until you delete your account |
| Vital scans & reports | 24 months from creation, then anonymised |
| Chat conversations | 12 months, then deleted |
| Security & audit logs | 90 days |
| Payment records | As required by tax law (typically 7 years) |
On account deletion we erase or irreversibly anonymise your data within 30 days, except where retention is required by law.
7. Your rights (GDPR)
Under GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data via your profile page (Art. 16).
- Erasure ("right to be forgotten") — delete your account from the profile page (Art. 17).
- Restrict processing in certain circumstances (Art. 18).
- Data portability — download a machine-readable copy from Profile → Privacy & data → Export my data (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time via the cookie banner or by deleting your account (Art. 7).
- Lodge a complaint with your local supervisory authority (e.g. CNIL, ICO, Datatilsynet).
To exercise these rights, use the in-app controls or email privacy@askainurse.com. We respond within 30 days.
8. Automated processing & AI
Cira uses AI models to generate responses and risk indicators. These outputs are informational only and do not constitute a medical diagnosis. They are not solely automated decisions with legal or similarly significant effects under GDPR Art. 22 — a qualified clinician should review every assessment.
9. Cookies & local storage
We use three categories of cookies / local-storage entries:
- Strictly necessary — JWT auth token, anonymous device ID, consent record. Always on.
- Analytics — Google Analytics with anonymised IP. Off by default; only loaded after you accept.
- Functional — language preference, UI state. Off by default.
You can change your choice at any time.
10. Security
We use TLS encryption in transit, hashed passwords (bcrypt), JWT-based authentication, role-based access controls and encrypted backups. The Shen AI face scan runs entirely on-device — your video is never transmitted. No system is 100% secure; you use the Service at your own risk while we are in beta.
11. Children
Cira is not intended for users under 16 in the EU/EEA and UK. We do not knowingly collect data from children.
12. Breach notification
In the event of a personal-data breach likely to result in risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform affected users without undue delay.
13. Changes to this policy
We may update this Privacy Policy. Material changes will be communicated via the app or by email. Continued use after changes means you accept the updated policy.
14. Contact
Questions or requests: privacy@askainurse.com.