This page is published in English as the authoritative version. Translations of headings are provided for convenience; the legal text below remains in English.

Privacy & Terms

U.S. residents. If you are a U.S. resident, your consumer health data is additionally governed by our Consumer Health Data Privacy Policy (covering the Washington My Health My Data Act, Nevada SB 370, Connecticut CHD provisions, and the California CPRA's sensitive-personal-information rules). Where that policy and this one differ for consumer health data, the Consumer Health Data Privacy Policy controls. The U.S. Intended Use section covers our FDA, FTC HBNR, HIPAA, and DSHEA position.

Legal documents governing the use of the MyDosha platform. Last updated: May 2026.

Effective date: April 2026

Controller: MyTrueDosha (operating brand) / Thomas Thijs, Sorano, Italy. See imprint for the full legal notice.

Contact: hello@mydosha.org

1. Introduction

MyDosha ("we", "our", "the platform") is an AI-powered patient intake service for Ayurvedic practitioners. This Privacy Policy explains how we collect, use, store, and protect personal data in connection with the MyDosha service at mydosha.org and its subdomains.

We are committed to processing personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable Dutch data protection law.

2. Who this policy applies to

This policy applies to two categories of data subjects:

  • Practitioners — Ayurvedic practitioners who use MyDosha to manage patient intake (customers of the service).
  • Patients — individuals who complete an intake assessment via a practitioner's branded subdomain (e.g. yourname.mydosha.org).

3. Data we collect

From practitioners (during setup and subscription)

  • Name and email address
  • Clinic name and professional details
  • Billing information (processed by Stripe — we do not store payment card details)
  • Communication history (support emails, onboarding notes)

From patients (during the intake assessment)

  • Name and email address
  • Age and gender
  • Health-related self-report data: constitution indicators, lifestyle patterns, chief health complaint, current medications, allergies and conditions, consultation goals
  • Language preference
  • GDPR consent timestamp and confirmation

Patient health data is special category data under GDPR (Article 9). It is processed on the basis of explicit consent obtained from each patient during the intake process. Patients are clearly informed about the purpose and scope of data collection before providing consent.

4. Legal basis for processing

  • Practitioners: Processing is necessary for the performance of a contract (Article 6(1)(b) GDPR) and our legitimate interests in operating the platform (Article 6(1)(f)).
  • Patients: Processing is based on explicit consent (Article 6(1)(a) and Article 9(2)(a) GDPR), obtained during the intake conversation. Patients may withdraw consent at any time by contacting the practitioner or emailing hello@mydosha.org.

5. How we use personal data

  • To generate the AI clinical dossier and deliver it to the relevant practitioner
  • To store intake records in the practitioner's portal
  • To send transactional emails (patient confirmation, dossier notification)
  • To operate and improve the MyDosha platform
  • To comply with legal obligations

We do not use patient data for any marketing, profiling, or purposes beyond the clinical intake service. We do not sell personal data to any third party.

MyDosha does not share patient data with health insurers, other healthcare providers, accountants, or other third parties on the practitioner's behalf. If a practitioner shares an exported file, care note, referral, or invoice outside MyDosha, that sharing is controlled by the practitioner and should follow their own confidentiality, consent, and professional-record obligations.

6. AI processing and Anthropic

The intake conversation, dossier generation, practitioner AI chat, plan-drafting support, dictation parsing, import parsing, and polish tools may be powered by Anthropic's Claude API. Patient responses and relevant practitioner-entered context are transmitted to Anthropic only for the AI feature being used. Anthropic processes this data as a data processor on our behalf, under a data processing agreement. Anthropic's own privacy policy governs their handling of data: anthropic.com/legal/privacy.

Patient data is not used to train Anthropic's AI models under the current API terms. Anthropic's published API retention position is that API inputs and outputs are normally deleted from its backend within 30 days, except where a different contract, zero-data-retention agreement, policy-enforcement need, or legal requirement applies.

Practitioners can disable AI globally or per feature from Account & Settings. The available controls cover AI patient intake, AI dossier generation, AI chat and text polishing, AI dictation parsing, and AI import parsing. These controls are enforced server-side.

7. Data storage, sub-processors & cross-border transfers

Patient intake data (including special category health data under GDPR Article 9) is stored by the following sub-processors. Each has a Data Processing Agreement in place with MyTrueDosha that incorporates the EU Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914) as the lawful mechanism for any transfer outside the EEA. Transfer impact assessments (TIAs) have been conducted for each US processor.

  • Supabase Inc — primary data processor for patient intake records, clinical notes, dossier JSON, and (since 2026-04-29) practitioner inventory metadata (herb / formula stock; no patient PII beyond a record reference + name on dispense events, which are already covered under the patient data scope).
    Location: US-based company; data stored on AWS infrastructure. See Supabase's security practices at supabase.com/security.
    DPA: MyDosha × Supabase Data Processing Addendum signed 2026-04-28 (PandaDoc: "Supabase User DPA (March 12, 2026)", signed by Thomas B. Thijs). Incorporates the 2021 EU Standard Contractual Clauses (Commission Decision (EU) 2021/914) under Module 2 (controller → processor) and Module 3 (processor → sub-processor) as applicable. Competent supervisory authority: Garante per la protezione dei dati personali (Italy).
    Sub-processor list: supabase.com/privacy#subprocessors.
    Article 9 lawful basis: Art. 9(2)(a) — the patient's explicit informed consent, captured via a tick-box at the start of the intake naming Supabase as the storage processor and the transfer mechanism.
  • Anthropic, PBC — AI processing of intake responses and dossier generation (stateless per call; no training on our API traffic).
    Location: USA.
    Legal basis for transfer: Anthropic DPA incorporating the EU SCCs.
    Retention at processor: inputs and outputs are normally deleted from Anthropic's API backend within 30 days, except where a different contract, zero-data-retention agreement, policy-enforcement need, or legal requirement applies. They are not used for model training under the API terms.
  • Resend, Inc. — transactional email delivery (welcome emails, OTP codes, care-plan notes, access links).
    Location: USA.
    Legal basis for transfer: Resend DPA with EU SCCs.
  • Google Ads / Google Tag — public marketing and signup conversion measurement only.
    Scope: Google Ads tags are not loaded in the doctor portal, patient portal, journal, invoice view, or patient intake page.
    No clinical data: MyDosha does not send patient intake answers, dossier data, journal data, clinical notes, or invoice contents to Google Ads.
  • Vercel, Inc. — platform hosting and serverless function execution. No persistent patient data; transient request/response processing only. Vercel Blob object storage is not used for clinical photos or any patient-derived data: intake responses, dossiers, and clinical photos (Article 9 health data including tongue, face, and skin images) are all stored exclusively in the Supabase Postgres database under the patient record (clinical_json column), never as files on Vercel Blob or any public object store.
    Location: USA/EU (edge-regional).
    Legal basis for transfer: Vercel DPA with EU SCCs.
  • Stripe, Inc. (currently inactive — to be enabled when subscription billing launches) — payment processing for practitioner subscriptions only. No patient data; only the practitioner's billing details. As of the last-updated date below, MyDosha does not process subscription payments via Stripe; the v1 invoice system covers receipts and manual "Mark Paid" only. This entry is listed pre-emptively so that data subjects can see the planned sub-processor list.
    Location: EU and USA.
    Legal basis for transfer (when activated): Stripe DPA with EU SCCs.

8. Data retention

MyDosha is the data processor; the practitioner (or their clinic) is the data controller for patient records and is responsible for meeting the statutory retention requirements that apply to them. MyDosha is an intake and practitioner-workspace tool, not the practitioner's statutory long-term medical archive. We retain data while the practitioner's account is active and provide self-serve export tools so the practitioner can download and keep their own patient file archive before unsubscribing.

Statutory retention by jurisdiction (controller obligation)

Practitioners must keep patient records for at least the longest applicable period below. These are controller obligations and floors, not ceilings.

Jurisdiction Medical / clinical records Tax / invoice records
Netherlands20 years from last contact (WGBO art. 7:454 BW)7 years (Algemene Wet inzake Rijksbelastingen)
Germany10 years (BGB §630f); some specialties (radiology, transplant) longer10 years (HGB §257, AO §147)
United Kingdom10 years from last contact (NHS Records Management Code of Practice 2021); maternity 25 years; paediatric until age 256 years (HMRC; longer for VAT-registered businesses)
Portugal5–20 years depending on context (Decreto-Lei n.º 156/2005; hospital records 20 years)10 years (Código do IVA, art. 52)

What MyDosha keeps and for how long

  • Patient intake, dossier, exam, plan, photos, journal entries: retained for the duration of the practitioner's active subscription. The practitioner can export the patient archive from the doctor portal at any time and should download it before unsubscribing if they need to satisfy WGBO or similar file-retention duties.
  • Financial administration: MyDosha currently processes subscription and account-administration data for practitioners only. Patient invoice generation and health-insurer care-note support are not part of the live product unless separately agreed in writing.
  • Practitioner account data and clinic settings: retained for the duration of the subscription plus 24 months for billing, support, and legal compliance purposes.
  • Audit log: Append-only record of significant events such as exports and deletes. Retained for 24 months.
  • Daily database backups: retained off-platform for 90 days (GitHub Actions artifact). Backups are operational recovery copies, not the practitioner's long-term legal archive.
  • AI intake conversation transcript: not retained beyond dossier generation. Only the structured output (the 19-section dossier) is stored.

Right to erasure - controller instructions

Where MyDosha is processor and the practitioner is controller, deletion requests normally reach us via the practitioner. If the practitioner has a legal reason to keep a copy, such as a WGBO patient-file duty or tax-retention duty in their own administration, that retained copy is the practitioner's responsibility outside MyDosha.

  • Data in MyDosha: deleted or exported according to the practitioner's verified instruction and the active account terms.
  • Practitioner's own archive: retained, restricted, or destroyed by the practitioner under the law and professional rules that apply to their practice.

9. Your rights under GDPR

Data subjects have the following rights:

  • Right of access — to obtain a copy of your personal data
  • Right to rectification — to correct inaccurate data
  • Right to erasure — to request deletion of your data ("right to be forgotten")
  • Right to restrict processing — to request that we limit how we use your data
  • Right to data portability — to receive your data in a machine-readable format
  • Right to object — to processing based on legitimate interests
  • Right to withdraw consent — at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, email hello@mydosha.org. Practitioners can additionally export their patient archive (CSV) self-serve from the doctor portal at any time, satisfying the right to portability without contacting us. We will respond to direct requests within 30 days. You also have the right to lodge a complaint with the Italian Garante per la protezione dei dati personali (garanteprivacy.it) — our lead supervisory authority — or with the supervisory authority of your habitual residence (Article 77 GDPR). See the imprint for the full list.

French residents may lodge a complaint with the French data-protection authority (in addition to, or instead of, the Italian lead authority): CNIL — Commission Nationale de l'Informatique et des Libertés, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — www.cnil.fr. France transposes the GDPR via the Loi Informatique et Libertés (loi n° 78-17 du 6 janvier 1978, telle que modifiée par la loi n° 2018-493 du 20 juin 2018).

9b. How to make a data-subject request

Email your request to privacy@mydosha.org (or tbthijs@gmail.com while that inbox is being configured). Please include:

  • The request type (access, rectification, erasure, restriction, portability, objection, or withdrawal of consent);
  • Enough information for us to identify you in our records (typically the email you used for the intake, and the clinic name);
  • What specific data or processing the request relates to, if applicable.

We will acknowledge the request within 72 hours and respond substantively within one month of receipt, in line with GDPR Article 12(3). If the request is complex, we may extend this by up to two further months and will let you know why. There is no charge for a first request; repeated or manifestly unfounded requests may incur a reasonable fee.

If you are unhappy with our response, you can lodge a complaint with your national data protection authority — see the imprint for supervisory authority contact details.

9c. Logging and audit trail

MyDosha uses logs for security, accountability, support, and incident response. We do not treat logs as a practitioner medical archive, and we design logging paths to avoid storing secrets, full query-string URLs, patient free-text, or full patient records in runtime logs.

  • Audit log: append-only Supabase table for sensitive events such as exports, deletes, login/security events, invoice actions, and frontend error beacons. The Privacy Policy states a 24-month retention period for this audit log.
  • Runtime logs: Vercel function logs used for debugging errors, rate limits, and delivery failures. Email addresses are redacted where logged; magic-link tokens and query strings are stripped from frontend error beacons.
  • Email delivery logs: Resend message IDs, delivery status, bounces, and transactional email troubleshooting metadata.
  • Database backups: daily operational recovery copies retained off-platform for 90 days. These are not the practitioner's statutory archive.

For a short operational overview, see Trust & AI Processing.

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include HTTPS encryption in transit, access controls on the practitioner portal, and limited staff access to patient data.

The practitioner portal is password-protected. Practitioners are responsible for maintaining the security of their portal credentials.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to practitioners by email. The current version is always available at mydosha.org/privacy.

Effective date: April 2026

Service provider: MyTrueDosha (operating brand) / Thomas Thijs, Sorano, Italy. See imprint for the full legal notice.

Contact: hello@mydosha.org

1. Agreement

These Terms of Service ("Terms") govern your access to and use of the MyDosha platform ("Service"), operated by MyTrueDosha / Thomas Thijs ("we", "us"). By registering for or using the Service, you agree to these Terms. If you do not agree, do not use the Service.

2. The Service

MyDosha provides AI-powered patient intake technology for Ayurvedic practitioners. The Service includes a branded patient intake form hosted at a subdomain of mydosha.org, AI-generated clinical dossier delivery, and (for Clinic plan subscribers) a practitioner portal for managing patient records.

3. Account and access

Access to the Service requires a practitioner account. You are responsible for maintaining the confidentiality of your portal credentials and for all activity that occurs under your account. You must notify us immediately of any unauthorised access at hello@mydosha.org.

You must be a qualified Ayurvedic practitioner (or equivalent healthcare professional) to use the clinical features of the Service.

4. Subscriptions and payment

  • Solo plan: €49/month
  • Practice plan: €149/month
  • Academy plan: custom pricing — contact us
  • Setup fee: €200 (one-time, covers subdomain, branding, and onboarding)

Subscriptions are billed monthly. Payment is processed via Stripe. You may cancel at any time — cancellation takes effect at the end of the current billing period. There are no refunds for partial months.

We reserve the right to change pricing with 30 days' notice to active subscribers.

5. Acceptable use

You agree to use the Service only for its intended purpose: managing patient intake for your Ayurvedic practice. You must not:

  • Use the Service for any unlawful purpose
  • Share portal access credentials with unauthorised persons
  • Attempt to reverse-engineer, scrape, or extract data from the platform
  • Use the AI-generated dossiers as a substitute for your clinical examination or medical diagnosis
  • Misrepresent the AI dossier's nature to patients (it is a structured summary of self-reported data, not a clinical diagnosis)

6. Clinical disclaimer

The AI dossiers generated by MyDosha are derived entirely from patient self-report and are intended solely to support the practitioner's clinical preparation. They do not constitute medical diagnoses, clinical assessments, treatment recommendations, or medical opinions.

You are solely responsible for your clinical decisions and the treatment you provide to your patients. MyDosha expressly disclaims any liability arising from clinical decisions made in reliance on AI-generated dossiers. Your physical examination and professional judgment always supersede any AI-generated output.

7. Practitioner responsibilities regarding patients

By using the Service, you represent that:

  • You will ensure patients understand that the intake is for clinical preparation purposes, not diagnosis
  • You will comply with applicable data protection law in your jurisdiction when collecting patient data
  • You will not use the Service to process data from patients under 16 years of age without appropriate guardian consent
  • You have the professional qualifications required to interpret and act on the clinical information contained in the dossiers

8. Intellectual property

The MyDosha platform, its design, and its underlying AI prompt architecture are the intellectual property of MyTrueDosha. You are granted a limited, non-exclusive, non-transferable licence to use the Service for your practice during your active subscription.

Patient data remains the data of the patient and, by extension, the responsibility of the practitioner. We make no claim to ownership of intake responses or AI-generated dossiers.

9. Service availability

We aim to maintain 99% uptime but do not guarantee uninterrupted access. Maintenance, updates, and circumstances beyond our control may cause temporary unavailability. We will communicate planned downtime in advance where possible.

10. Limitation of liability

To the maximum extent permitted by applicable law, MyTrueDosha shall not be liable for any indirect, incidental, special, or consequential damages arising from your use of the Service, including but not limited to loss of data, clinical outcomes, or business interruption.

United States — additional terms

For practitioners and patients in the United States, the following additional terms apply alongside the rest of these Terms:

  • FDA. MyDosha has not been evaluated by the U.S. Food and Drug Administration. The Service is not a drug, dietary supplement, or medical device, and is not intended to diagnose, treat, cure, or prevent any disease.
  • Scope of practice. Ayurveda is not a state-licensed health profession in most U.S. jurisdictions. Practitioners using MyDosha are responsible for understanding and complying with their own state's laws on the unauthorized practice of medicine, including limits on diagnosis, prescription, and disease-treatment claims. Practitioners must not present MyDosha-generated content to patients as medical diagnosis, treatment, or prescription.
  • HIPAA. MyDosha does not currently offer a HIPAA Business Associate Agreement and is not appropriate for use with Protected Health Information by U.S. covered entities (as defined under 45 CFR §160.103) without one. Most independent Ayurvedic practitioners are not covered entities; if you are a covered entity, please contact us at hello@mydosha.org before using the Service with patient data.
  • Testimonials. Personal stories on our marketing pages reflect individual experience, are not typical, and do not represent guaranteed outcomes.

Regulatory position & practitioner responsibility

MyDosha is an intake-summarisation and reference tool. It is not a medical device under Regulation (EU) 2017/745 (MDR) and does not hold a CE marking for medical purposes. MyDosha does not provide diagnosis, treatment recommendations, drug-interaction screening, or any clinical decision support within the meaning of MDCG 2019-11 Rev.1. See Intended use for the full qualification position.

By using MyDosha you acknowledge and agree that: (a) you are a qualified Ayurvedic practitioner or healthcare professional in your jurisdiction; (b) all clinical decisions — including but not limited to diagnosis, prescription, treatment planning, drug-safety screening, and referral — are your sole responsibility; (c) MyDosha's AI-generated outputs are a reorganisation of patient self-report or reference-library content, not clinical findings or recommendations; (d) you will exercise independent clinical judgment in reliance on any information MyDosha presents; (e) you will inform patients that MyDosha is an administrative tool used by you, not an autonomous clinical system.

You indemnify MyTrueDosha against any claim, loss, damage, or regulatory action arising from clinical decisions you make in reliance on MyDosha's outputs.

Our total liability under these Terms shall not exceed the total fees paid by you in the 12 months preceding the event giving rise to the claim.

11. Termination

Either party may terminate the subscription at any time. We reserve the right to suspend or terminate access immediately in cases of material breach of these Terms, non-payment, or where continued access poses a risk to the platform or other users.

Upon termination, you may request an export of your patient records within 30 days. After this period, records will be deleted in accordance with our retention policy.

12. Governing law

These Terms are governed by the laws of Italy. Any disputes shall be subject to the exclusive jurisdiction of the competent court at the operator's main establishment (Sorano, Province of Grosseto, Italy), unless mandatory consumer-protection law in your country provides otherwise.

13. Changes to these Terms

We may update these Terms from time to time. Material changes will be communicated by email with at least 14 days' notice. Continued use of the Service after the notice period constitutes acceptance of the revised Terms.

Questions about these Terms: hello@mydosha.org.