SahtiSahti

Privacy Policy

Last updated: April 26, 2026

1. Introduction

Sahti ("we," "our," or "us") provides an AI-powered health consultation platform designed for users in the United Arab Emirates. This Privacy Policy explains how we collect, use, store, and protect your personal information, including health data classified as sensitive personal data under UAE law.

This policy is governed by the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL") and UAE Federal Law No. 2 of 2019 on the Use of ICT in Health Fields ("Health Data Law").

By using Sahti, you agree to the practices described in this policy. If you do not agree, please do not use our services.

2. Information We Collect

2.1 Account Information

Email address, name (if provided), date of birth (for age verification), and authentication credentials managed through our identity provider.

2.2 Health Information

Symptoms, medical history, medications, allergies, vital signs, prescriptions (uploaded images), family history, social history, immunizations, procedures, hospitalizations, and other health-related information you share during consultations.

2.3 Consultation Data

Messages exchanged during AI consultations, clinical assessments generated by the AI, and consultation summaries.

2.4 Technical Data

IP address, browser type, and device information collected automatically for security, rate limiting, and audit logging purposes.

3. How We Use Your Information

  • AI-Powered Consultations: Your health information is processed by our AI system to generate clinical assessments. Only your age and biological sex are shared with the AI model — your name and contact details are never sent to the AI provider.
  • Health Record Management:To maintain your health record across consultations so you don't have to repeat information.
  • Prescription Processing: Uploaded prescription images are analyzed by AI to extract medication data and add it to your health record. Images are processed in memory and are not permanently stored.
  • Security and Compliance: IP addresses and access patterns are logged for audit trail purposes, rate limiting, and fraud prevention.

4. AI Processing and Transparency

Sahti uses artificial intelligence to assist with clinical intake assessments. It is important to understand the following:

  • AI assessments are not medical diagnoses. They are informational summaries intended to help you and your healthcare provider.
  • The AI model has been developed using general medical knowledge. It has not been trained on your specific medical history prior to your first consultation.
  • AI outputs may be inaccurate or incomplete. You should always consult a licensed healthcare professional for medical advice, diagnosis, or treatment.
  • Data minimization: Only your age, biological sex, and clinical information (symptoms, conditions, medications) are sent to the AI provider. Your full name, email, phone number, insurance details, and database identifiers are never sent.
  • You may revoke your consent for AI processing at any time from the Settings page.

5. Third-Party Data Processors

We use the following third-party services to operate Sahti:

  • AI Provider (OpenAI / Azure OpenAI): Processes de-identified health data for AI consultations and prescription extraction. Your name and contact details are never transmitted to the AI provider.
  • Amazon Web Services (AWS): Hosts our database and infrastructure in the UAE region (me-central-1).
  • Vercel: Hosts our web application. No health data is stored on Vercel — it processes requests transiently.

We maintain Data Processing Agreements (DPAs) with our third-party processors where required by applicable law.

6. Data Storage and Localization

In accordance with UAE Federal Law No. 2 of 2019 (Health Data Law), your health data is stored on infrastructure located within the United Arab Emirates:

  • Database: AWS RDS PostgreSQL in the UAE region (me-central-1), with storage-level encryption and enforced SSL/TLS connections.
  • Authentication: Self-hosted authentication service on AWS infrastructure in the UAE region.
  • AI Processing: We are transitioning AI processing to Azure OpenAI in UAE North (Dubai) to ensure health data is processed within the UAE. During this transition, health data (excluding your name and contact details) may be processed outside the UAE with your explicit consent.

7. Data Security

We protect your data through:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS/HTTPS.
  • Encryption at rest: Sensitive personal identifiers (name, date of birth) are encrypted using AES-256-GCM before storage, in addition to database-level encryption.
  • Access controls: Row-Level Security policies ensure each user can only access their own data. Your health records are isolated at the database level.
  • Audit logging: All access to health data is logged with timestamps, action type, and source information.
  • Network isolation: Our database operates in a private network that is not directly accessible from the internet.

8. Consent

We process your health data based on your explicit consent, as required by Article 5 of the UAE PDPL. Before your health data is processed by our AI system, you must provide explicit consent. You can manage your consents at any time from the Settings page, including:

  • AI Processing: Required for AI consultations. Without this consent, the AI will not process your data.
  • Data Storage: Allows your health records to be stored for future consultations. Granted by default on signup; you may revoke it at any time.

Revoking AI processing consent prevents future AI consultations but does not delete existing data. To request deletion, see Section 10 (Your Rights).

9. Data Retention

UAE Federal Law No. 2 of 2019 requires health data to be retained for a minimum of 25 years from the date of the last health record entry. In accordance with this requirement:

  • Health records: Retained for a minimum of 25 years from your last health record activity. If you delete your account, your personal identifying information (name, date of birth, contact details) is removed immediately, but de-identified health data is retained for the legally required period and then automatically deleted.
  • Anonymous consultations: Sessions created without an account are automatically deleted after 24 hours.
  • Share links: Expire after 5 days and are automatically deleted. You can revoke them early from the app.
  • Audit logs: Retained for a minimum of 2 years for security and compliance purposes.

10. Your Rights

Under the UAE PDPL, you have the following rights:

  • Access: View all your health data through the Health Record section of the app.
  • Rectification: Edit or correct your health records at any time.
  • Deletion: Delete your account from Settings. Your personal identifying information is removed immediately. De-identified health data is retained for the legally required 25-year period, after which it is automatically deleted.
  • Consent withdrawal: Revoke AI processing or data storage consent at any time from Settings. Existing data is preserved but no new processing occurs.
  • Data portability: Export your consultation summaries as PDF documents.
  • Restriction of processing: Request that we limit how your data is processed by revoking specific consents.

11. Children's Privacy

Sahti is not intended for use by individuals under 18 years of age. We enforce age verification during the signup process and do not knowingly collect health information from minors. If you believe a minor has provided us with health data, please contact us and we will delete it promptly, in accordance with UAE Federal Decree-Law No. 26 of 2025 on Child Digital Safety.

12. Cross-Border Data Transfers

Your health data is stored within the United Arab Emirates. For AI processing, de-identified health data (excluding your name, contact details, and database identifiers) may be processed outside the UAE with your explicit consent, until our transition to UAE-hosted AI processing is complete.

We ensure that any cross-border transfers comply with Article 22 of the UAE PDPL and are subject to appropriate safeguards, including data minimization and contractual protections with our processors.

13. Data Breach Notification

In the event of a data breach affecting your personal data, we will notify the UAE Data Office within 72 hours as required by the PDPL. If the breach poses a high risk to your rights, we will also notify you directly with details of the breach, its likely consequences, and the measures we are taking.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the app or via email. If we make changes that materially affect how your health data is processed, we will request your renewed consent before applying the changes.

15. Contact Us

For questions about this Privacy Policy, your health data, or to exercise your rights under the UAE PDPL, contact us at privacy@sahti.health.