1. Introduction
Welcome to Zempy (an app by Kyral Labs, Inc.). Zempy is a wellness‑tracking application designed for individuals using GLP‑1 medications. By accessing or using our app, you agree to comply with and be bound by these Terms and Conditions ("Terms").
We never sell, rent, or share your identifiable personal or health data—period. Any disclosures of de‑identified data are governed by our Privacy Policy.
2. What Information We Collect
Health & Wellness Data
GLP‑1 medication intake (shot dates, medication type, dosage, NDC)
Side‑effect logs & Patient‑Reported Outcomes (PROs)
Weight, water, protein and fiber tracking
Transformation images (before‑and‑after photos for the Journey Card feature; faces are blurred or cropped before any external use)
Photos of meals (for nutrition analysis)
Activity, sleep and movement tracking (if synced via Apple Health or other wearables)
Pharmacy fill & refill confirmations (days‑supply, quantity dispensed)
User‑Provided Data
Preferences and settings you select in the app
Shot‑preparation checklist usage
Electronic signatures on informed consent & e‑consent documents (21 CFR Part 11 compliant)
Any manual data entries related to your progress
System‑Generated Metadata
Audit logs (timestamps, hashed user IDs) necessary for compliance with HIPAA, ISO 27001, and state pharmacy‑board regulations
3. How We Collect Data
Manual entry inside the app, including:
Photo uploads
e‑Prescription & pharmacy integrations (with your explicit authorization)
Third‑party integrations such as Apple Health (opt‑in)
App interaction telemetry (preferences and checklist usage)
All collection points are encrypted in transit (TLS 1.2+) and logged in an immutable audit trail.
4. Why We Collect Data
We collect data to:
Track and manage your GLP‑1 treatment effectively
Offer reminders and support tools (e.g., shot‑prep checklists)
Analyze trends to support your progress
Improve app functionality and user experience
Generate de‑identified, aggregated real‑world evidence (RWE) that may be licensed to third parties such as academia, payers, or life‑science companies for legitimate research, healthcare operations, or public‑health purposes
5. Data We Do Not Collect
Zempy does not collect or store the following data:
Precise GPS location
Contacts or phone‑usage data
Government‑issued identification numbers
Protected class characteristics not relevant to treatment (e.g., religion, political affiliation)
6. De‑Identification & Secondary Use
Before any dataset leaves our secure environment it undergoes HIPAA Safe‑Harbor de‑identification or an expert‑determination process. Direct identifiers are removed or tokenised; dates are generalised to the week; ZIP codes are truncated to the first three digits where required. De‑identified data is not considered Protected Health Information (PHI) under HIPAA. We reserve the right to license such de‑identified and aggregated insights for research, analytics and product development. Individuals cannot be re‑identified from this information.
7. Data Storage & Security
Encryption in transit (TLS 1.2+) and at rest (AES‑256)
ISO 27001‑certified infrastructure
Annual HIPAA security‑risk assessments
Immutable, time‑stamped audit logs
Data residency in U.S.‑based SOC 2 Type II data centers
Regular penetration testing & third‑party code reviews
Disaster Recovery: We maintain encrypted backups and test disaster‑recovery procedures at least annually.
Breach Notification: If a breach of unsecured PHI occurs, we will notify affected users and the U.S. Department of Health & Human Services within 60 days, as required by HIPAA §§164.400‑414.
Retention: We store your identifiable data only while you maintain an account or as required by law.
If you delete your account, all PHI is permanently destroyed within 30 days; de‑identified derivatives may be retained indefinitely. We keep these anonymized records solely to improve public‑health evidence and product safety; they can never be linked back to you, and you may opt out of such licensing at any time in your in‑app privacy settings.
8. Data Sharing
Identifiable Data:
We do not sell or share your identifiable personal or health data with third parties except:
With your explicit, granular consent (e.g., sharing a progress report with your clinician).
As required by law or subpoena.
With contracted sub-processors bound by HIPAA Business‑Associate Agreements (BAAs).
De‑Identified & Aggregated Data:
We may license de‑identified, aggregated datasets to trusted research partners, payers, or life‑science companies under strict contractual terms that prohibit re‑identification.
9. User Rights & Choices
Access, correct, or delete your data directly in‑app
Data portability (machine‑readable export)
Withdraw consent to any optional data feed at any time
We will fulfill verified requests within 30 days (45 days for California residents).
Opt out of de‑identified data licensing via settings (will not affect your care)
10. Consent & Policy Updates
By signing the electronic informed‑consent form and using Zempy, you agree to this Privacy Policy. We’ll notify you of significant changes via in‑app messaging and request renewed consent where legally required. Continued use after updates constitutes acceptance of revised terms.
11. Legal Compliance
Not for users under 16.
Zempy provides informational support; it is not a substitute for medical advice.
We comply with state pharmacy‑board rules (including CA & NY) for prescription‑data handling.
12. Contact
For any questions regarding these Terms and Conditions, please contact us at:
Email: support@myzempy.com
Thank you for trusting Zempy with your information. Your privacy matters to us.