Privacy Policy

Introduction
Droobi Health (“Droobi” or “we”) is committed to protecting your personal data in accordance with Qatar’s Personal Data Privacy Protection Law (PDPPL). This Privacy Policy explains who we are (the data controller), what personal data we collect, why we collect it, how we use and share it, and the measures we take to safeguard it. It also outlines your rights under PDPPL (such as access, correction, deletion, objection, portability, and complaint) and our data retention period. This Policy is presented to users at sign-up and is always available in-app and on our website. By using our services, you consent to the practices described in this Privacy Policy, and you agree to the collection and use of your information as described here (we will request your explicit consent for any sensitive health information or uses beyond providing our core services). Users must agree to this Privacy Policy (and our Terms of Service) when registering, ensuring we have informed consent.

Personal Data We Collect
We collect only the personal data that is necessary for the purposes of providing and improving our health coaching services. This includes:

  • Identification and Contact Information: e.g. your name, contact details, login credentials, and any information you provide when creating an account.

  • Health and Lifestyle Information: data you input about your health conditions, medical history, lab results, treatment plans, dietary and exercise habits, and other wellness-related information. This may include special categories of personal data (or “personal data of a special nature”) such as health information, which is considered sensitive under the PDPPL. We treat these with the highest care.

  • Device and Usage Information: technical data from your use of our app/website, such as IP address, device type, operating system, and usage logs (for security and performance analytics).

  • Communications: any information you send to us via support emails, in-app chat with coaches, or feedback forms.

We do not knowingly collect data from children under 13 years of age, and our services are designed for adults. (See “Children’s Privacy” below for more details.)

Legal Basis and Special Data Consent: We process all personal data with your explicit consent or as otherwise permitted by law. In particular, any sensitive health information you provide is processed only with your clear consent and for your benefit (e.g. to personalize your coaching program). We do not collect any extraneous information: each data point we ask for is directly related to providing our services or required for a lawful purpose. If we ever need to process your data for a new purpose, we will request your consent again.

How We Use Personal Data (Purposes of Processing)
We use your personal data to deliver our services and support your health journey. This includes:

  • Providing the Droobi health coaching program – e.g. using your health and lifestyle information to generate personalized plans, track your progress, and allow our coaches to give informed guidance.

  • Improving our platform and services – analyzing usage patterns and feedback (in an aggregated or de-identified form where possible) to enhance user experience and develop new features.

  • Communication – sending you in-app notifications, weekly progress reports, or educational content as part of the program. We may also send occasional emails or messages about new features or tips for better results, but only with your prior consent for any marketing communications. (You have the right to opt out of marketing at any time – every marketing message will contain an easy way to unsubscribe or withdraw consent.)

  • Compliance and Legal Obligations – using or disclosing data as required to comply with applicable laws, regulations, or lawful requests (for example, to cooperate with health authorities or respond to a valid legal order), and to enforce our Terms of Service.

We will always ensure that any use of your data is done in a transparent and fair manner. We do not use your data for any automated decision-making that would have legal or significant effects on you without human involvement, nor do we sell your personal data to third parties.

How We Share Personal Data
We treat your personal data with confidentiality. We share it only in limited scenarios, such as:

  • With Service Providers (Processors): We may use reputable third-party service providers to host or process data on our behalf (for example, cloud hosting on Microsoft Azure, which stores our databases). These processors only act under our instructions and implement appropriate security measures. We ensure any transfer or disclosure to a processor is for lawful purposes and remains compliant with the PDPPL. We have agreements in place requiring them to protect your data and notify us immediately of any actual or suspected data breach.

  • With Healthcare Professionals: If your Droobi program is part of a clinical care plan and you have consented, we may share relevant progress reports or data with your doctor or healthcare provider. This is done only with your authorization and for the purpose of coordinating your care.

  • For Legal Reasons: If we are required by Qatari law or an official authority to disclose certain data (for example, as part of an investigation or court order), we will do so. We will only disclose the minimum necessary information and, when permissible, we will inform you of such disclosures. (Under Articles 18–21 of the PDPPL, certain government or public-interest requests can override some privacy rights – however, our policy is to not rely on any exceptions unless absolutely required. We aim to inform you and obtain consent whenever possible, and will only withhold information from you if legally compelled to do so for reasons such as national security or others’ rights.)

International Data Transfers: Droobi primarily stores and processes personal data on servers located in Qatar. In some cases, we may use cloud services or support tools based in other jurisdictions (for example, analytics or email systems) – but only in countries that have robust data protection laws or under contractual arrangements that ensure your data is protected to PDPPL standards. We have evaluated our data hosting locations and ensure they meet PDPPL requirements for safeguarding privacy. We will not transfer your personal data outside Qatar in a way that would jeopardize your privacy or security; if a transfer would pose such a risk, we will refrain from it or seek additional safeguards. (In practice, this means all cross-border data flows are assessed and either permitted with adequate protection or blocked if not in line with PDPPL’s intent to prevent unlawful processing.) We also won’t prevent you from requesting your data to be transferred to you or a third party of your choice – in fact, facilitating your data portability is part of your rights (see below).

Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Policy or as required by law. In line with PDPPL’s data minimization and storage limitation principles, Droobi has established a retention period of 10 years for health-related personal data after you cease using our services. This period is based on medical guidelines in Qatar and ensures we can support you or provide you with your historical data for a substantial period, unless you request earlier deletion. After 10 years of inactivity (or sooner if the data is no longer needed for the original purpose), we will securely delete or anonymize your personal data.

If you request deletion of your data, we will honor that request (see “Your Rights” below) and erase your personal information from our active systems, retaining only minimal information if required for our legal obligations or legitimate business records (e.g. proof of consent or transaction records, if applicable). We have an internal procedure to automatically flag and purge accounts that have reached the end of their retention term, ensuring data is not kept indefinitely.

Data Security Measures
We have implemented strong technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. These measures include:

  • Encryption: All personal data is encrypted both in transit and at rest. For example, communications between the Droobi app/website and our servers are encrypted via TLS/SSL, and sensitive data (especially health information) is stored encrypted in our databases. We utilize secure encryption keys managed through trusted services (such as Azure Key Vault) to prevent unauthorized decryption.

  • Access Controls: Access to personal data is strictly limited to authorized personnel who need it to perform their duties (for instance, your health coach or essential IT staff). Our internal systems require strong authentication (including multi-factor authentication) for access. We also use network security controls, such as private network links and IP restrictions, to ensure that only approved devices and locations can connect to our data repositories. Each access to user data is logged and monitored. We have role-based permissions so that each employee or contractor only sees the data necessary for their role, and all staff with access to personal data are bound by confidentiality obligations.

  • Monitoring and Alerts: Our technical team employs continuous monitoring tools to watch for any unusual activities or potential intrusions in our infrastructure. We have automated alert systems that notify us of critical security events (such as multiple failed login attempts or unexpected data download spikes) so we can respond quickly. Regular security scans and penetration tests are conducted on our application to identify and fix vulnerabilities proactively.

  • Regular Backups and Disaster Recovery: We perform encrypted backups of our databases on a regular schedule, stored securely off-site. In the event of hardware failure, accidental data deletion, or other incident, we have a tested disaster recovery plan to restore data and resume operations from backups. This includes the capability to switch to a backup environment in a different geographic location if needed, ensuring continuity of service while protecting data integrity.

  • Privacy by Design: Before launching new features or making changes that involve personal data, we follow a Privacy by Design approach. This means we conduct privacy impact assessments (when processing new sensitive data or introducing significant changes) and integrate privacy considerations into our development process. Our team is trained in secure coding and data protection best practices, and we limit personal data usage in development and testing environments.

  • Breach Response Plan: In the unlikely event of a data breach or security incident, we have a clear incident response plan. We will immediately work to contain the issue, assess the impact, and mitigate any harm. If a data breach occurs that could compromise your privacy or personal data, we will inform you without undue delay as required by Article 14 of the PDPPL. We will also notify the Qatar NDPO (the competent authority) as required by law. Our goal is to be transparent and proactive: keeping you informed of any risks and guiding you on steps to protect yourself (such as changing passwords) if needed.

In summary, we apply industry-standard security measures and continually update them in line with evolving threats and best practices. We understand the sensitive nature of the health information you entrust to us, and we treat that data with the utmost care and confidentiality.

Your Rights Under PDPPL
As a user of Droobi, you have a number of important rights regarding your personal data. In accordance with Articles 4–17 of the Qatar PDPPL, you have the right to:

  • Withdraw Consent: You may withdraw any consent you have given us to process your personal data, at any time. For example, if you previously consented to a particular optional data use or a research participation, you can change your mind. Withdrawing consent will not affect the lawfulness of processing already carried out, and it won’t affect your access to the core service; however, it may limit certain features that relied on that consent. We will honor withdrawal requests promptly – if you withdraw consent for a specific processing activity, we will stop that processing immediately.

  • Object to Processing: You have the right to object to any processing of your data that you feel is not necessary or is unlawful. This includes objecting to any direct marketing messages. If you object, we will review the objection and cease the processing in question unless we have a compelling legitimate reason that overrides your objection or we are required by law to continue.

  • Access Your Data: You have the right to access the personal data we hold about you and to be informed about how it is being processed and with whom it has been shared. Upon request, we will provide you with a copy of all your personal data in our possession, in a commonly used electronic format. Typically, we will provide this as a report (for example, a PDF or Excel file) that includes your profile information, health entries, and any other data associated with your account. This service is provided free of charge for reasonable requests. (If you need additional copies or the request is excessive, we reserve the right allowed by law to charge a minimal fee to cover costs, but ordinarily that won’t be necessary.)

  • Request Correction: If any of your personal data is inaccurate or incomplete, you have the right to request that we correct or update it. For instance, you can ask us to fix a misspelled name or update an out-of-date phone number. Where reasonable, we may ask for evidence to verify the correct information (especially for critical data like medical details) to ensure accuracy. We encourage you to keep your profile information up-to-date, and our app interface allows editing of certain fields. For changes that you cannot make yourself, simply contact us and we will make the correction.

  • Request Deletion: You have the right to request erasure of your personal data when the data is no longer needed for its original purpose or if you no longer wish to use our service. You can ask us to delete your account and all associated personal data. We will comply with such requests, provided that we do not have a legal obligation to retain certain data. Once we process your deletion request, your personal data will be removed (and securely disposed of) from our systems, or irreversibly anonymized, and we will confirm to you that this has been done. (Note: Even after deletion, a minimal record may be kept if required for legal compliance – for example, a record of the request or a transaction – but we will inform you if this is the case.)

  • Data Portability: Beyond accessing a human-readable copy of your data, you also have the right to data portability. This means you can request your personal data in a structured, machine-readable format that you could transmit to another service provider. If you wish to transfer your data to yourself or directly to another health app/service, let us know and we will provide your data in a commonly used format (such as CSV or JSON) that should be interpretable by other systems. We want to ensure you’re never “locked in” – it’s your data, so you can take it with you.

  • Complaint: You have the right to lodge a complaint with the Competent Department (Qatar’s NDPO – National Data Privacy Office) if you believe your personal data has been handled in violation of the law. While we encourage you to contact us first so we can address your concerns, please know that you can at any time escalate a privacy issue to the regulatory authority. An individual may file a complaint with the NDPO (through the official platform provided by the Ministry) regarding any violation of PDPPL provisions. We will fully cooperate with the authorities in resolving any such complaints.

We have established a simple, email-based process to handle all user rights requests. You can exercise any of the above rights by emailing us at [email protected]. There are no complicated forms or procedures – a clear request in writing is sufficient. For example, you might email: “Please send me a copy of all my data,” or “I want to correct my birth date,” or “Delete my account.” Our team will verify your identity (to ensure that the person making the request is actually you or an authorized representative) and then honor your request promptly and in line with legal deadlines. We aim to respond to all such requests within 30 days (and usually much sooner). If for some reason we cannot fulfill a request, we will provide you with an explanation (unless we are legally prevented from doing so). In the unlikely scenario that we must refuse a request due to a legal exception (for instance, if fulfilling your access request would infringe on another person’s privacy or an ongoing investigation, per PDPPL Article 20), we will inform you that we cannot comply and the general reason, without disclosing sensitive details.

Droobi prioritizes users’ rights and we have internal guidelines and training to ensure every request is handled consistently and transparently. We log all requests and actions taken so we can demonstrate compliance. If you have any questions about your rights or how to exercise them, please contact us at the email above.

Children’s Privacy
Our services are intended for users aged 18 and above. We do not knowingly collect personal data from children under 13 years old. In fact, individuals under 13 are not permitted to use Droobi at all. If you are under the age of 13, please do not attempt to register or send us any personal information. If we become aware that we have inadvertently collected personal data from a child under 13 without proper consent, we will delete that information promptly.

For teenagers between 13 and 17 years old, parental or guardian consent is required to use Droobi. Our program is designed for adults, and we currently market and provide our services to adult users. In the event that a minor (under 18) seeks to use Droobi, they should only do so with the involvement and approval of a parent or legal guardian. We will take additional precautions to protect the data of any minor user. This includes obtaining explicit consent from the parent/guardian at the time of registration and ensuring ongoing oversight. For example, a guardian may be required to create the account on behalf of the minor, and any health coaching interactions would involve the guardian as appropriate. We would also, upon the guardian’s request, provide information about the child’s data and activity in the app, as required by Article 17 of the PDPPL.

By making our standard user base adult-only and by involving guardians for any minor participants, we ensure that the stringent requirements for children’s data protection are met. We do not collect more data from minors than is necessary, and all the protections described in this Privacy Policy (encryption, limited access, etc.) apply with even greater scrutiny to any minor’s data. In practice, our platform is not directed at children under 18, and this substantially reduces any risk of processing children’s data improperly.

If you are a parent or guardian and believe your child under 13 may have provided us with personal data, please contact us at [email protected] so that we can investigate and delete any such information. We empower parents/guardians to exercise all the rights listed above on behalf of their minor children. By implementing these measures, Droobi complies with Article 17 of the PDPPL and ensures that minors’ data, if ever handled, is handled lawfully and transparently with guardian oversight.

Contact Us
If you have any questions or concerns about this Privacy Policy or about how Droobi handles your personal data, please contact us at [email protected]. We value your privacy and will respond to your inquiries promptly.

By using Droobi’s services, you acknowledge that you have read and understood this Privacy Policy. We may update this Policy from time to time (for example, if we implement new features or to reflect changes in law). If we make material changes, we will notify you through the app or via email and provide you with an updated copy. Your continued use of the service after such updates constitutes acceptance of the revised Privacy Policy.