Effective date: June 10, 2026
Contact: digital@brilworks.com
Introduction
At DocChat, we value your privacy. This policy explains how we collect, use, store, and protect your personal and medical information.
Data We Collect
We collect information necessary to operate DocChat and provide its services, including:
- Account information: phone number and authentication data (via Firebase Authentication).
- Profile information: name, photo, age, professional credentials (doctors), clinic affiliation, and other profile fields you provide.
- Communications: chat messages, images, and media you send or receive through the app.
- Content you upload: photos and files stored in Firebase Storage.
- Notifications: device FCM tokens used to deliver push notifications.
- Usage and diagnostics: analytics and crash reports (PostHog and Expo), device and OS metadata, and network/usage telemetry.
- Real-time call metadata: information required to join Agora audio/video channels (channel names, temporary tokens, connection logs).
How We Use Your Data
We use the information we collect to:
- Provide and improve the app, including authentication, profiles, chat, and appointment booking.
- Deliver push notifications and in-app messages.
- Store and retrieve media you upload (profile photos, chat images, posts).
- Enable real-time audio/video calls using Agora (temporary tokens and channel data).
- Analyze app usage and performance to improve features (PostHog analytics and session replay with masked inputs).
- Detect and prevent abuse and protect the security of our users and services.
Third-Party Services
DocChat uses third-party providers to deliver core functionality. Key providers include:
- Firebase (Google): Authentication, Cloud Firestore, Cloud Functions, Cloud Storage, and FCM for push notifications.
- PostHog: Product analytics and optional session replay. Session replay is configured to mask text inputs to reduce capture of sensitive text. PostHog may process analytics and telemetry in the United States (host: us.i.posthog.com).
- Agora: Real-time audio and video. Agora handles media streams; we use temporary tokens and do not permanently store raw audio/video streams on our servers unless explicitly uploaded by users.
We do not sell your personal data to third parties. We may share data with service providers who perform services on our behalf and only as necessary to provide those services.
Push Notifications
We use Firebase Cloud Messaging (FCM) to send push notifications. To deliver notifications, we store device tokens (FCM tokens) under your user document. You can opt out of push notifications in your device settings or within the app (if available).
Analytics and Session Replay
We use PostHog to collect anonymous analytics about app usage to improve the product. Session replay is enabled to help diagnose issues and understand UX; text inputs are masked by default to protect sensitive entries. You can opt out of analytics by disabling analytics in the app (if available) or contacting us.
Chat and Media
Messages and media you send via DocChat (text, photos, attachments) are stored in Cloud Firestore and Firebase Storage to enable delivery and retrieval. Chat metadata (sender and recipient IDs, timestamps, read receipts) is also stored. You should avoid sending highly sensitive personal data through in-app chat unless necessary.
Data Retention
We retain user data according to the following general retention schedule unless a different period is required by law or agreed with you:
- Account & Profile Data: Retained while your account is active. After account deletion or a verified deletion request, we permanently delete or de-identify account and profile information within 30 days.
- Chat Messages & Media: Retained until you delete the message/media or delete your account. After account deletion, messages and media are removed within 30 days; media stored in backups may be removed within 90 days.
- Notifications & FCM tokens: Retained while associated with an active user; tokens are removed when you sign out or delete the app account and are cleaned up from our servers within 30 days.
- Analytics & Aggregated Logs: Aggregated, non-identifying analytics data is retained for up to 24 months for product improvement. Raw logs and diagnostic data used for troubleshooting are retained up to 180 days.
- Backups: Backups and snapshots may persist up to 90 days and may include de-identified or limited user data necessary for recovery.
In some cases we may retain certain information for longer periods when required to comply with legal obligations, resolve disputes, enforce our terms, prevent fraud, or for legitimate business purposes.
If you request deletion of your account or data, we will take steps to remove your personal data from our active systems within 30 days and remove such data from backups within 90 days, except where retention is required by law.
Security
We use industry-standard protections, including transport encryption (HTTPS/TLS) and Firebase security controls. Access to production systems is restricted and logged. While we take reasonable measures to protect data, no system can be guaranteed fully secure.
Children
DocChat is not intended for children under 13. We do not knowingly collect information from children under applicable age thresholds. If you believe we have collected data from a child in error, contact us and we will take steps to delete it.
Your Rights
Depending on your jurisdiction, you may have rights to access, correct, request deletion of, or obtain a copy of your personal data. To exercise these rights:
- Request deletion: You can delete your account from within the app or by contacting us at digital@brilworks.com. Include your account phone number and UID (if known). We will verify your identity and process deletion within 30 days.
- Request data export: To receive a copy of your personal data, contact us and we will provide a machine-readable export within 30 days, subject to verification.
- Request correction: To correct or update your data, use the app profile editor or contact us and we will assist.
- Verification: For security, we may ask for information to verify your identity before fulfilling requests. We will not accept deletion or access requests that appear to come from someone other than the account owner without appropriate verification.
Note: After we delete your data from active systems (within 30 days), copies may remain in backups for up to 90 days. Certain information may be retained longer when necessary for legal compliance, fraud prevention, or to resolve disputes.
International Data Transfers
Data collected by DocChat may be processed and stored in the United States and other countries. By using the app you consent to this transfer. We take reasonable steps to protect personal data when transferred across borders.
Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices. We will display the effective date at the top of this page. Significant changes will be communicated by in-app notice or email when feasible.
Contact
If you have questions, requests, or concerns about this Privacy Policy, contact us at digital@brilworks.com.