Privacy Policy for Exora:
Effective Date: August 29, 2025
We value your privacy and are committed to protecting your health and personal information in compliance with GDPR and EHDS.
Exora ("we," "our," or "us") provides a mobile application ("App") used by patients and healthcare professionals. This Privacy Policy explains how we collect, use, store, and share information. By using Exora, you consent to this Policy.
1. Purpose of Processing
Your data is processed strictly for healthcare-related purposes, including:
- Treatment tracking and recovery monitoring
- Facilitating patient-doctor communication
- Delivering questionnaires, exercise, and educational videos
- Improving healthcare service quality and compliance
2. Information We Collect
We do not collect or use location data.
- Personal Data: First name, email, patient ID (assigned by your clinician).
- Medical Data: Diagnosis, pain area, treatment, surgery details, questionnaire responses, and exercise progress, as well as steps, step cadence, total calories burned, heart rate, and resting heart rate. These metrics are collected solely for healthcare purposes: they allow your doctor to remotely monitor your physical activity, recovery status, and overall health trends as part of your treatment plan.
- Technical Data: Device info, app version.
3. Legal Basis of Processing
Processing is based on:
- Consent: You provide explicit consent before data collection.
- Medical purposes: Processing necessary for preventive or occupational medicine, medical diagnosis, or healthcare provision (GDPR Art. 9(2)(h)).
- Legal obligations: Where processing is required by law.
4. Secondary Use & AI Development
In compliance with EHDS, we may use anonymized or pseudonymized health data for secondary purposes, such as:
- Training and improving artificial intelligence (AI) models
- Developing healthcare, nutrition, and exercise-related applications
- Scientific research and innovation in public health
No directly identifying information (such as your name, email, or patient ID) is ever used for these purposes. You may opt out of secondary use at any time by contacting us.
5. Data Sharing & Transfer
- Your data is stored in Google Cloud Firebase (region asia-south1).
- We do not sell or trade your data.
- We do not transfer data outside Asia unless a specific service requires it (e.g., Firebase Push Notifications). In such cases, Standard Contractual Clauses (SCCs) are applied.
6. Data Security
We protect your data with:
- Encryption in transit (TLS 1.2/1.3) and at rest (AES-256)
- Role-based access and least-privilege controls
- Regular security audits
7. Your GDPR Rights
- Right of access, rectification, and erasure
- Right to restrict or pause processing (without deleting your account)
- Right to data portability in standard formats (FHIR, HL7)
- Right to withdraw consent at any time
- Right to lodge a complaint with your supervisory authority
8. Data Retention
Data is retained as long as necessary for healthcare purposes or legal requirements. Data used for secondary purposes is anonymized or pseudonymized and may be retained longer for research and innovation.
9. EHDS Compliance
- Health data is stored/exported in standardized formats (FHIR, HL7).
- Patients can transfer their health data between providers and apps upon request.
10. Children's Privacy
The App is not directed to children under 13. For minors, processing must be supervised by a guardian or healthcare professional.
11. Contact & Data Protection Officer (DPO)
If you have any questions or concerns about this Privacy Policy or your data rights, please contact us at contact@brilworks.com.