1. Who We Are
Homebrew Health ("Homebrew", "we", "us", "our") is a personal health assistant service. We are based in Singapore and operate under the Personal Data Protection Act 2012 (PDPA). We also comply with the EU General Data Protection Regulation (GDPR) for users in the European Economic Area.
Contact: liewvlian@gmail.com
2. Data We Collect
We collect the following categories of personal data:
- Account data: Email address and name provided via Google OAuth when you sign in.
- Health data: Symptoms, health history, and other information you voluntarily enter in conversations and your health profile.
- Usage data: AI usage metrics (token counts, costs) used for billing and rate-limiting. No conversation content is stored for this purpose.
- Payment data: Stripe handles all payment processing. We store only a Stripe customer ID and subscription status — never full card numbers.
- Technical data: Standard server logs (IP address, browser user-agent, request timestamps) retained for security and debugging.
3. How We Use Your Data
- To provide and operate the Homebrew health assistant service.
- To send your health queries to OpenAI for AI processing. See Section 5.
- To manage your subscription and process payments via Stripe.
- To enforce usage limits and detect abuse.
- To improve the service (aggregated, anonymised analytics only — no individual health data used for training).
We do not sell your personal data. We do not use your health data for advertising.
4. Legal Basis for Processing (GDPR)
For EEA users, we rely on the following legal bases:
- Contract performance: Processing necessary to provide the service you signed up for.
- Legitimate interests: Security logging, fraud prevention, and service improvement.
- Explicit consent: Processing of health data, which is a special category under GDPR Article 9. By entering health information into Homebrew, you give explicit consent to its processing for the purpose of providing the health assistant service. You may withdraw consent at any time by deleting your account.
5. Third-Party AI Providers
Your conversation messages are sent to OpenAI for AI processing.
OpenAI is bound by its own privacy policy and data processing agreement. We use their API under terms that prohibit them from using your data to train their models — please review OpenAI's current API terms for the latest details.
For GDPR purposes, OpenAI acts as a data processor, and we enter into a data processing agreement with them. Data may be transferred outside the EEA to the United States. Such transfers rely on OpenAI's Standard Contractual Clauses or equivalent safeguards.
6. Data Storage and Security
Your data is stored on reputable cloud infrastructure with industry-standard security controls. All data is encrypted in transit (TLS) and at rest. Access controls ensure that each user can only access their own data.
Anonymous (non-signed-in) usage data is stored only in your browser's local storage and never sent to our servers.
7. Data Retention
- Account and health data: Retained for as long as your account is active.
- On account deletion: All personal data is permanently deleted within 30 days.
- Server logs: Retained for up to 90 days for security purposes.
- Payment records: Retained as required by financial regulations (typically 7 years).
8. Your Rights
Under PDPA and GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your account and all associated data (available in Settings → Account).
- Portability: Request your data in a portable format.
- Objection / Restriction: Object to or restrict certain types of processing.
- Withdraw consent: Withdraw consent for health data processing at any time by deleting your account.
To exercise any of these rights, email liewvlian@gmail.com. We will respond within 30 days.
9. Cookies
We use only functional cookies required for authentication (Supabase session cookies). We do not use advertising or tracking cookies.
10. Children
Homebrew is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this policy from time to time. We will notify registered users by email for material changes. Continued use of the service after changes constitutes acceptance.
12. Governing Law
This Privacy Policy is governed by the laws of the Republic of Singapore.