Privacy Policy

Last Updated: January 1, 2026

Introduction

Reporty ("Reporty," "we," "us," or "our") is committed to protecting your privacy and the security of your personal and health-related information. This Privacy Policy describes how we collect, use, disclose, store, and protect information obtained from users of our platform, website (www.reporty.sa), mobile applications, and related AI-powered services (collectively, the "Platform" or "Services"). Reporty operates globally and is headquartered in the Kingdom of Saudi Arabia. Our Services are available to healthcare providers, clinics, hospitals, pharmacies, patients, and other users worldwide (collectively, "Users," "You," or "Your"). By accessing or using our Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.

1. Definitions

For purposes of this Privacy Policy:

• "Personal Data" means any information relating to an identified or identifiable natural person, including name, contact details, location data, online identifiers, and any information specific to the physical, physiological, mental, economic, cultural, or social identity of that person.
• "Protected Health Information (PHI)" means individually identifiable health information transmitted or maintained in any form or medium, as defined under the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations.
• "AI Services" means Reporty's artificial intelligence features, including but not limited to virtual receptionists, virtual doctors, virtual pharmacists, virtual marketing specialists, and AI-assisted medical imaging analysis tools.
• "Meta Platforms" means Facebook, Instagram, and WhatsApp, owned and operated by Meta Platforms, Inc.
• "Healthcare Provider" means any clinic, hospital, dental clinic, pharmacy, physician, dentist, or other licensed healthcare entity using Reporty's Services.
• "Patient" means any individual whose information is processed through the Platform in connection with healthcare services.

2. Scope And Applicability

This Privacy Policy applies to:

• All Users of the Reporty Platform worldwide, regardless of location;
• All Personal Data and PHI processed through the Platform;
• All communications facilitated through Meta Platforms (WhatsApp, Instagram, Facebook) as part of our Services;
• All AI-generated interactions conducted on behalf of Healthcare Providers via the Platform.

Depending on your location, additional jurisdiction-specific rights and obligations may apply, including but not limited to:

• European Union / European Economic Area users: The General Data Protection Regulation ("GDPR") (EU) 2016/679;
• United Kingdom users: The UK GDPR and the Data Protection Act 2018;
• California, USA users: The California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA");
• Kingdom of Saudi Arabia users: The Personal Data Protection Law ("PDPL") issued by Royal Decree M/19 and its implementing regulations;
• United States users (healthcare context): HIPAA and the HITECH Act;
• Other jurisdictions: All applicable local, national, and international data protection laws.

3. Information We Collect

3.1 Information You Provide Directly

• Account Registration Information: Full name, email address, phone number, professional license number (for Healthcare Providers), clinic or facility name, physical address, and password.
• Healthcare Provider Information: Clinic or hospital details, specialty, operating hours, staff information, and service listings.
• Patient Information: Name, date of birth, contact information, appointment history, medical history, diagnoses, treatment records, prescriptions, medical imaging (including dental radiographs and X-rays), clinical notes, and consent forms.
• Payment Information: Billing details, subscription preferences. Payment transactions are processed via secure third-party payment gateways. We do not store credit card or bank account information directly.
• Communications: Messages, queries, feedback, or other content you submit to us or through the Platform.

3.2 Information Collected Automatically

• Device Information: Device type, hardware model, operating system and version, unique device identifiers (including IMEI), browser type, and mobile network information.
• Usage Data: Pages visited, features used, session duration, click-stream data, referring and exit URLs, search queries, and timestamps.
• Location Data: With your permission, we may collect precise or approximate geographic location data from your device to personalize Services and match you with nearby providers. You may disable location services at any time through your device settings.
• Log Data: IP addresses, browser type, internet service provider, error reports, and system activity.
• Cookies and Tracking Technologies: We use cookies, web beacons, pixel tags, and similar technologies to collect information about your interactions with the Platform. Please refer to our Cookie Policy for more detail.

3.3 Information Collected Through Meta Platform Integrations

Reporty integrates with Meta Platforms (WhatsApp Business API, Facebook Messenger, and Instagram Direct Messages) as primary delivery channels through which Reporty's AI-powered Services are provided. This means patients and healthcare providers may interact with Reporty's AI virtual agents (including virtual receptionists, virtual doctors, virtual pharmacists, and virtual marketing agents) directly through WhatsApp conversations, Facebook Messenger chats, and Instagram DMs. Through these integrations, we may process:

• Patient phone numbers, Messenger IDs, and Instagram account identifiers;
• Full message content exchanged between Reporty AI agents and patients through WhatsApp, Facebook Messenger, and Instagram DM;
• Appointment requests, health inquiries, and follow-up responses submitted via these channels;
• Medical information shared by patients within messaging threads where a Healthcare Provider's AI agent has been configured to receive it;
• Consent and opt-in/opt-out status for communications via each messaging channel.

Such data is processed in accordance with this Privacy Policy, Meta's Platform Policies, and applicable messaging regulations including the CAN-SPAM Act, GDPR, and equivalent laws. Healthcare Providers are responsible for obtaining valid patient consent before initiating or enabling any AI-powered communication channel through our Platform.

3.4 Information From Third Parties

We may receive information about you from Healthcare Providers, referral partners, integrated healthcare systems, and third-party services you authorize to connect with our Platform.

4. How We Use Your Information

We use collected information for the following purposes:

4.1 Provision of Services

• Operating the AI virtual receptionist, virtual doctor, virtual pharmacist, and virtual marketing specialist features;
• Scheduling and managing patient appointments;
• Sending appointment reminders, follow-up messages, and medical notifications;
• Facilitating remote signing of medical consent and procedure authorization forms;
• Processing dental and medical imaging analysis using AI tools;
• Delivering pharmaceutical reminders and information.

4.2 AI Processing and AI-Assisted Medical Communications

Our AI Services process patient and provider data to generate responses, recommendations, and content on behalf of Healthcare Providers. This may include AI-generated messages that contain medical information, post-visit instructions, medication reminders, or health guidance — all of which are produced based on clinical information, instructions, and protocols configured by the responsible Healthcare Provider. The Healthcare Provider is solely responsible for the clinical accuracy and appropriateness of all AI-generated medical communications delivered on their behalf. Reporty's AI does not operate autonomously on medical matters; it generates outputs grounded in the Healthcare Provider's own input, templates, and clinical direction. AI-generated communications do not replace the judgment of a licensed healthcare professional, and patients are encouraged to consult their Healthcare Provider directly for any clinical concerns.

4.3 Communication via Meta Platforms

• Delivering AI-powered patient engagement services through WhatsApp, Facebook Messenger, and Instagram DM on behalf of Healthcare Providers, including appointment reminders, health follow-ups, and patient education messages;
• Sending WhatsApp and Instagram marketing campaigns on behalf of Healthcare Providers to their patients, subject to valid patient consent;
• Sending newsletters and promotional materials (with opt-out options).

4.4 Platform Improvement

• Analyzing usage trends and service performance;
• Training, tuning, and improving AI models using de-identified or aggregated data only, unless express written consent is obtained;
• Conducting research and development.

4.5 Legal and Compliance

• Complying with applicable laws, regulations, and legal processes;
• Enforcing our Terms of Use and other agreements;
• Preventing fraud, unauthorized access, and abuse;
• Protecting the rights, property, and safety of Reporty, its users, and third parties.

4.6 Business Operations

• Processing payments and managing subscriptions;
• Providing customer support;
• Facilitating mergers, acquisitions, or other corporate transactions.

5. HIPAA Compliance And Protected Health Information

5.1 Business Associate Obligations

Where Reporty processes Protected Health Information on behalf of covered Healthcare Providers subject to HIPAA, Reporty acts as a Business Associate as defined under 45 CFR § 160.103. In such cases, Reporty and the Healthcare Provider will execute a Business Associate Agreement ("BAA") that governs the permissible uses and disclosures of PHI. Healthcare Providers subject to HIPAA must contact us at privacy@reporty.sa to establish a BAA before transmitting any PHI through the Platform.

5.2 Safeguards

We implement administrative, physical, and technical safeguards designed to protect PHI as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C), including:

• Encryption of PHI in transit and at rest;
• Access controls and audit logging;
• Employee training on privacy and security obligations;
• Breach notification procedures consistent with 45 CFR §§ 164.400-414.

5.3 Minimum Necessary Standard

We limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose, consistent with 45 CFR § 164.502(b).

5.4 Breach Notification

In the event of a breach of unsecured PHI, Reporty will notify affected parties and relevant authorities in accordance with applicable law, including the HIPAA Breach Notification Rule and equivalent regulations in other jurisdictions.

6. How We Share Your Information

We do not sell your Personal Data or PHI. We may share information in the following circumstances:

6.1 With Healthcare Providers

Patient information is shared with the Healthcare Provider through whose Platform account the data was collected, for the purpose of delivering care and related services.

6.2 With Service Providers and Sub-Processors

We engage trusted third-party vendors to provide technology infrastructure, AI processing, payment processing, cloud storage, analytics, and customer support. These vendors are bound by data processing agreements and are prohibited from using your data for their own independent purposes.

6.3 With Meta Platforms

To enable WhatsApp, Instagram, and Facebook-based communications, certain data (including patient phone numbers and message content) is transmitted to Meta in accordance with Meta's Platform Terms and Privacy Policy. Users and Healthcare Providers should review Meta's privacy practices independently.

6.4 For Legal Compliance

We may disclose your information to law enforcement, government authorities, courts, or other third parties where required by applicable law, regulation, court order, or legal process, or where necessary to protect the rights, safety, or property of Reporty or others.

6.5 Business Transfers

In connection with a merger, acquisition, reorganization, asset sale, or similar transaction, your information may be transferred to the successor entity, subject to equivalent privacy protections. We will notify you of any such transfer as required by law.

6.6 With Your Consent

We may share your information with third parties when you have provided explicit prior consent to such sharing.

7. International Data Transfers

Reporty operates globally and your data may be transferred to, stored in, and processed in countries other than your country of residence, including countries that may have different data protection standards. Where required, we apply appropriate safeguards, including:

• Standard Contractual Clauses approved by the European Commission;
• Adequacy decisions issued by competent data protection authorities;
• Binding Corporate Rules or equivalent transfer mechanisms;
• Compliance with the Saudi PDPL's provisions on cross-border data transfers.

By using the Platform, you acknowledge and consent to such transfers, subject to the protections described herein.

8. Data Retention

We retain Personal Data and PHI for as long as necessary to:

• Provide our Services and fulfill the purposes described in this Policy;
• Comply with legal obligations (including applicable minimum healthcare record retention periods);
• Resolve disputes and enforce agreements.

Upon expiration of the applicable retention period, data is securely deleted or anonymized. Healthcare Providers may request deletion of their account data in accordance with Section 11 below.

9. Cookies And Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on the Platform. You may control cookie settings through your browser preferences. Disabling certain cookies may affect Platform functionality. We do not honor browser-initiated "Do Not Track" (DNT) signals at this time, as no universal standard for DNT compliance has been adopted. However, you may opt out of certain third-party analytics and advertising tracking via our Cookie Preference Center.

10. Children's Privacy

The Platform is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction, which may be higher). We do not knowingly collect Personal Data from children without verifiable parental or guardian consent. If you believe we have inadvertently collected such data, please contact us immediately at privacy@reporty.sa and we will promptly delete it. Where Healthcare Providers use our Platform in connection with the treatment of minors, the Healthcare Provider is responsible for ensuring all applicable parental consent and data protection requirements are met.

11. Your Rights And Choices

Depending on your location and applicable law, you may have the following rights with respect to your Personal Data:

• Access: Request a copy of the Personal Data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure ("Right to be Forgotten"): Request deletion of your Personal Data, subject to legal and contractual retention obligations.
• Restriction: Request restriction of processing in certain circumstances.
• Data Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests or for direct marketing purposes.
• Withdrawal of Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Opt-Out of Marketing: Unsubscribe from promotional communications at any time via the unsubscribe link in emails or by contacting us.
• CCPA Rights (California): California residents have the right to know, delete, opt-out of sale, and non-discrimination in connection with their personal information.

To exercise any of these rights, contact us at privacy@reporty.sa. We will respond within the timeframe required by applicable law (generally 30 days, extendable in complex cases).

12. Security

We implement industry-standard administrative, technical, and physical security measures to protect your information from unauthorized access, disclosure, alteration, or destruction. These include:

• TLS/SSL encryption for data in transit;
• AES-256 encryption for data at rest;
• Role-based access controls;
• Regular security assessments and penetration testing;
• Audit logs and intrusion detection systems.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You use the Platform at your own risk and are encouraged to use strong passwords and protect your account credentials.

13. Third-Party Links And Integrations

The Platform may contain links to third-party websites or integrate with third-party services (including Meta Platforms, payment gateways, and electronic health record systems). We are not responsible for the privacy practices of such third parties. We encourage you to review their privacy policies before sharing any information with them.

14. AI-Generated Content Disclaimer

Reporty's AI agents (including Maha, Dr. Norah, Dr. Aziz, Dr. Hamad, and Badr) are automated systems. Their communications are generated by artificial intelligence and do not constitute professional medical, dental, pharmaceutical, or marketing advice. All clinical decisions remain the responsibility of licensed Healthcare Providers. Patients should not rely solely on AI-generated communications for medical guidance.

15. Phishing And Fraudulent Communications

Reporty will never request sensitive personal, financial, or password information via email or messaging platforms without authentication. If you receive a suspicious communication purporting to be from Reporty, do not respond and report it to privacy@reporty.sa immediately.

16. Changes To This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or a prominent notice on the Platform at least 30 days before the changes take effect, where required by law. Continued use of the Platform after the effective date of any update constitutes your acceptance of the revised Policy.

17. Contact Us

For questions, concerns, or to exercise your rights under this Privacy Policy, please contact:

Reporty — Privacy & Data Protection
Email: privacy@reporty.sa
Website: www.reporty.sa

For HIPAA-related inquiries or to establish a Business Associate Agreement:

Email: privacy@reporty.sa (Subject: "BAA Request")

This Privacy Policy was prepared for informational and compliance purposes. It does not constitute legal advice. Reporty recommends consulting qualified legal counsel to ensure compliance with all applicable laws in your jurisdiction.