Privacy Policy

[Company Name], registered under number [Commercial Registration Number], with registered office at [Full Address], Lebanon. Contact: support@daisy.app

In connection with your use of DAISY, we process the following categories of data: **Dietitian account data** • Name, email address, password (hashed) • Billing information (processed by Stripe — DAISY stores no card data) • Usage and connection data (logs, IP address, browser, device) **Patient data (processed as data processor)** • Patient identity and contact information • Health data: weight, height, BMI, dietary history, goals, medical history • Generated meal plans and progress reports • Messages exchanged via secure messaging • Patient food and sensory diary Patient health data constitutes sensitive data. It is processed under the exclusive responsibility of the Dietitian, who is the data controller. DAISY acts as data processor and only uses such data for the purpose of providing the Service.

**Account management and Service delivery** Basis: performance of the contract between the Publisher and the user **Billing and subscription management** Basis: performance of contract / legal obligation **Service improvement (anonymised analytics)** Basis: legitimate interest — data is aggregated and anonymised, no individual user is identifiable **Processing of patient health data** Basis: necessity for the provision of nutritional care, on instruction from the Dietitian as data controller **Service-related communications (onboarding, trial, renewal)** Basis: performance of contract **Marketing communications** Basis: consent — unsubscribe possible at any time via the link in each email

• Dietitian account data: retained for the duration of the contract, then 3 years from termination • Patient data: retained for the duration of the contract, then deleted within 30 days of termination, unless a prior export was requested • Billing data: 7 years (accounting obligation) • Technical logs: 12 months

Data is not sold or transferred to third parties for commercial purposes. It may be shared with the following sub-processors strictly for Service delivery: • **Stripe, Inc.** — payment processing (PCI-DSS certified) • **Cloud infrastructure providers** — secure data hosting • **OpenAI, LLC** — meal plan generation, dietetic reports and AI assistant responses. Transmitted data is minimised: anonymised nutritional profile (age, weight, goals, dietary restrictions), without the patient's full name or contact details. OpenAI is subject to a no-training policy for API data. OpenAI retention: 0 to 30 days depending on account configuration. • **Transactional email provider** — delivery of Service emails Any transfer of data to third countries is governed by appropriate contractual safeguards. The full Data Processing Agreements (DPAs) are available on request at: support@daisy.app

DAISY implements appropriate technical and organisational measures to protect your data: • Encryption in transit (TLS 1.2+) and at rest (AES-256) • Password hashing (bcrypt) • Data access restricted to authorised personnel, with audit trail • Regular encrypted backups • Access monitoring and incident detection In the event of a data breach likely to affect your rights, we will notify you without undue delay.

In accordance with applicable data protection laws, including Lebanese Law No. 81 of 2018 on Electronic Transactions and Personal Data, and the General Data Protection Regulation (GDPR) for users residing in the European Union, you have the following rights: • **Access**: obtain a copy of your personal data • **Rectification**: correct inaccurate or incomplete data • **Erasure**: request deletion of your data (subject to legal retention obligations) • **Portability**: receive your data in a structured, machine-readable format • **Objection**: object to certain processing activities • **Restriction**: request temporary suspension of processing • **Withdrawal of consent**: at any time for consent-based processing For patient data, rights must be exercised directly with the Dietitian as data controller. To exercise your rights: support@daisy.app We respond within 30 days.

DAISY uses strictly necessary technical cookies for the Service to function (session management, authentication). These cookies cannot be refused without affecting Service operation. We also use Google Analytics with IP anonymisation to analyse usage of our public pages and improve the Service. You may refuse these trackers by configuring your browser or using a tracker blocker.

This policy may be updated at any time. In the event of a material change, we will notify you by email before the changes take effect. The version in force is the one displayed on this page, with its update date.

For any questions about the protection of your personal data: support@daisy.app