Summary: HEKMA is a patient-first platform. We use your data only to match you with clinical trials. We never sell your data. You have full control — access, correct, or delete your information anytime by emailing privacy@hekma.health.
Overview
HEKMA ("we", "our", or "us") is committed to protecting your privacy and handling your health information with the highest standards of care. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our platform at hekma.ai.
By registering or using HEKMA, you agree to the practices described in this Policy. If you do not agree, please do not use our services.
Information We Collect
We collect the following categories of information:
• Personal Identifiers: Name, email address, date of birth, country of residence, language preference.
• Health Information: Primary health condition, diagnosis date, current medications, condition severity notes, and trial preferences.
• Usage Data: Pages visited, features used, trial cards viewed, and search queries — collected anonymously without linking to your identity.
• Device & Technical Data: Browser type, device type (mobile/tablet/desktop), approximate country (via IP), session identifiers.
• Communications: If you contact our support team, we retain records of those communications.
We do not collect Social Security numbers, passport numbers, financial account information, or insurance details.
How We Use Your Information
Your data is used to:
• Match you with relevant clinical trials based on your condition, location, and preferences.
• Personalise your dashboard, saved trials, and notifications.
• Send trial alerts, health awareness updates, and platform news you subscribe to.
• Improve our matching algorithms and platform features (using anonymised, aggregated data only).
• Comply with our legal obligations and respond to lawful requests.
• Detect and prevent fraud and abuse.
We do not use your data for advertising, sell it to third parties, or share it with pharmaceutical companies without your explicit consent.
HIPAA (United States)
HEKMA is a patient education and referral platform, not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). However, we voluntarily apply HIPAA-equivalent standards to all health information you share with us:
• Your health data is encrypted at rest (AES-256) and in transit (TLS 1.3).
• Access to health data is restricted to authorised personnel only.
• We maintain audit logs of all access to personal health information.
• We do not share individually identifiable health information with sponsors or research sites without your explicit written consent.
If you choose to connect with a clinical trial coordinator through HEKMA, only the information you authorise will be shared with that specific site.
GDPR (European Economic Area & UK)
If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation (GDPR):
• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Correct inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data where we have no legitimate reason to retain it.
• Right to Restrict Processing: Ask us to limit how we use your data.
• Right to Data Portability: Receive your data in a machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing.
• Rights related to Automated Decision Making: We do not make solely automated decisions with legal effects.
Our legal bases for processing are: (1) performance of contract (providing the trial matching service), (2) legitimate interests (platform improvement, fraud prevention), and (3) your consent (marketing emails, optional features).
To exercise any GDPR right, email us at privacy@hekma.health. We will respond within 30 days.
UAE Personal Data Protection Law (UAE PDPL)
HEKMA operates services in the UAE and complies with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and its implementing regulations.
Under UAE PDPL, you have the right to:
• Know what personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data (subject to legal retention requirements).
• Withdraw your consent at any time.
• File a complaint with the UAE Data Office.
Sensitive personal data (health information) is processed only with your explicit consent, which you provide during registration. You may withdraw this consent at any time via your account settings or by contacting privacy@hekma.health.
Data Sharing & Third Parties
We share your information only as follows:
• Service Providers: Trusted vendors who operate our infrastructure (cloud hosting, email delivery, analytics). These providers are bound by strict data processing agreements.
• Clinical Trial Sites: Only with your explicit consent, and only the specific information needed to assess your eligibility for a trial you expressed interest in.
• Legal Requirements: When required by law, court order, or governmental authority.
• Business Transfers: In the event of a merger or acquisition, your data would be subject to the same privacy protections.
We do NOT sell your data. We do NOT share your data with advertisers.
Data Security
We implement industry-leading security measures:
• AES-256 encryption for all data at rest.
• TLS 1.3 for all data in transit.
• Row-level security on our database — users can only access their own data.
• Regular security audits and penetration testing.
• Strict access controls and multi-factor authentication for all staff.
• Automatic session expiry and anomaly detection.
In the event of a data breach affecting your rights, we will notify you within 72 hours (GDPR) or the applicable regulatory timeframe.
Data Retention
We retain your personal data for as long as your account is active, plus:
• Account data: 3 years after account closure (for regulatory compliance).
• Health information: Deleted within 90 days of account closure, unless you consent to longer retention for research purposes.
• Analytics data: Anonymised — retained indefinitely.
• Communications with support: 2 years.
You may request deletion of your data at any time by contacting privacy@hekma.health.
Cookies
We use cookies and similar technologies to operate the platform and measure usage. See our Cookie Policy for full details. You can manage your cookie preferences at any time via the banner that appears on your first visit, or by contacting us.