Privacy Policy
Effective Date: January 31, 2026
1. Introduction
Xema ("we," "our," or "us") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use the Xema mobile application (the "App"), available on iOS and Android platforms.
Xema is an eczema management application designed to help you track symptoms, predict flare-ups, analyze products and foods, monitor your skin with photos, and access educational content. By using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the App.
This Privacy Policy is effective as of January 31, 2026, and remains in effect except for any future changes to its provisions, which take effect immediately after being posted on this page.
2. Information We Collect
We collect several different types of information for various purposes to provide and improve our service to you.
2.1 Information You Provide to Us
You may voluntarily provide us with certain personally identifiable information when you use the App, including:
- Account Information: When you create an account using Apple Sign In, we collect your name, email address, and a unique identifier provided by Apple. If you use an anonymous or guest account, we generate a unique identifier but do not collect personal identification information unless you choose to provide it later.
- Health and Symptom Data: You may choose to log symptom information including itch levels, redness levels, and dryness levels on a 0-10 scale. You may also track which body areas are affected by eczema, record flare-up events, and note environmental or dietary triggers.
- Photographs: You may upload or capture skin photos to track your eczema progression over time, food photos for dietary analysis to identify potential triggers, and product photos for ingredient analysis.
- Product Scans: When you scan product barcodes or take photos of product labels, we collect the barcode numbers, product names, ingredient lists, and your personal notes or ratings about the product.
- Food Logs: Information about foods you consume, including photos, descriptions, and notes about potential reactions or triggers.
- User Preferences: Settings, notification preferences, and customization options you select within the App.
- Communications: If you contact us directly, we may receive additional information about you such as your name, email address, the contents of your message and/or attachments, and any other information you choose to provide.
2.2 Information Collected Automatically
When you access or use the App, we automatically collect certain information about your device and usage patterns:
- Device Information: Device type, model, manufacturer, operating system type and version, unique device identifiers, mobile network information, and phone number (where applicable).
- Location Data: With your explicit permission, we access your approximate or precise geographic location to provide localized weather and air quality data for flare risk predictions. You can disable location access through your device settings at any time.
- Usage Analytics: Information about how you interact with the App, including features used, time spent in the App, navigation paths, button clicks, and session frequency and duration.
- Crash Reports and Diagnostics: Technical data about App crashes, freezes, and errors to help us diagnose and fix technical issues.
- Camera and Photo Library Access: When you grant permission, we access your device camera to capture photos of skin, products, and food, and your photo library to select existing images.
2.3 Information From Third Parties
We may receive information from third-party sources:
- Weather Data Providers: We collect weather information (temperature, humidity, UV index, pollen counts) from third-party weather APIs based on your location.
- Air Quality Data: Air quality index, pollution levels, and allergen information from environmental data providers.
- Product Databases: Product information, ingredient lists, and allergen data from OpenFoodFacts and other product databases when you scan barcodes.
- Authentication Providers: When you sign in with Apple Sign In, we receive limited information from Apple as specified in their authentication flow.
3. How We Use Your Information
We use the information we collect for various purposes, including:
- Provide Core Functionality: To enable you to track symptoms, log flare-ups, scan products, analyze food, and monitor your skin condition over time.
- Flare Prediction: To analyze correlations between your symptom data and environmental factors (weather, air quality) to generate personalized flare-up risk predictions.
- AI-Powered Analysis: To process your product photos, food photos, and skin photos through artificial intelligence services to provide ingredient analysis, allergen warnings, eczema severity assessment, and personalized recommendations.
- Product and Food Recommendations: To analyze your product scans and food logs alongside your symptom data to identify potential triggers and recommend safe alternatives.
- Data Synchronization: To sync your data across multiple devices if you opt into cloud synchronization.
- Account Management: To create and maintain your account, authenticate your identity, and provide customer support.
- Subscription Management: To process and manage your Xema Plus subscription, including billing, renewals, and access to premium features.
- Notifications: To send you symptom tracking reminders, flare risk alerts, educational content, and service-related announcements.
- Analytics and Improvement: To understand how users interact with the App, identify usage patterns, measure feature effectiveness, and improve the user experience.
- Troubleshooting: To diagnose technical problems, monitor and analyze crashes, and ensure the App operates correctly across different devices and operating systems.
- Security and Fraud Prevention: To detect, prevent, and address technical issues, fraudulent activity, and violations of our Terms of Service.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Research and Development: To conduct aggregated, anonymized research to better understand eczema patterns and improve our predictive algorithms (no individually identifiable information is used for research purposes without explicit consent).
4. Legal Basis for Processing (GDPR Compliance)
If you are located in the European Economic Area (EEA), our legal basis for collecting and using your personal information depends on the specific information collected and the context in which we collect it. We process your personal information based on:
- Consent: You have given explicit consent for us to process your health data, location data, and photos for the purposes described in this Privacy Policy. You have the right to withdraw your consent at any time.
- Contract Performance: Processing is necessary to provide the services you have requested through the App and to fulfill our contractual obligations to you.
- Legitimate Interests: We have a legitimate interest in operating, improving, and securing the App, preventing fraud, and conducting analytics, provided that such interests are not overridden by your data protection rights.
- Legal Obligations: Processing is necessary to comply with applicable laws and regulations.
5. Health and Sensitive Data
Xema collects and processes health-related information, including symptom logs, body area tracking, skin photographs, and information about your eczema condition. We recognize that health data is highly sensitive and treat it with the utmost care and security.
Important Clarifications:
- Not HIPAA-Covered: Xema is not a healthcare provider, health plan, or healthcare clearinghouse, and therefore is not subject to the Health Insurance Portability and Accountability Act (HIPAA). The App is a wellness and self-tracking tool, not a medical device or electronic health record system.
- Not Medical Advice: The App does not provide medical advice, diagnosis, or treatment. All features, predictions, and analyses are for informational and tracking purposes only. You should always consult with qualified healthcare professionals regarding medical decisions.
- High Security Standards: Despite not being HIPAA-covered, we implement security measures that meet or exceed industry standards for health data protection, including encryption at rest and in transit, secure cloud infrastructure, and access controls that limit who can access user data.
- Explicit Consent: By using health tracking features, you explicitly consent to our collection and processing of your health data as described in this Privacy Policy. For users in the EEA, this constitutes explicit consent under GDPR Article 9 for processing special categories of personal data.
- Your Control: You maintain full control over your health data. You can choose what to track, view all data we store about you, export your complete health record, and delete all health data at any time through the App settings.
6. Data Storage and Security
6.1 Local-First Architecture
Xema uses a local-first data architecture, which means your data is primarily stored on your device using MMKV (a fast, efficient, encrypted storage solution). This approach ensures:
- Your data remains accessible even without internet
- Faster performance and reduced latency
- Enhanced privacy through device-level storage
- You maintain control over your data on your physical device
6.2 Optional Cloud Synchronization
If you create an account and opt into cloud synchronization, your data is synced to Firebase Cloud Firestore and Firebase Storage. Cloud sync enables:
- Access to your data across multiple devices
- Automatic backup to prevent data loss
- Continuity when switching or upgrading devices
You can enable or disable cloud synchronization at any time through the App settings. If you disable cloud sync, your data will remain on your device but will no longer be backed up or synced to the cloud.
6.3 Security Measures
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
- Encryption at Rest: Data stored on your device is encrypted using platform-level encryption (iOS Keychain, Android Keystore). Data stored in Firebase is encrypted at rest using AES-256 encryption.
- Encryption in Transit: All data transmitted between the App and our servers uses TLS/SSL encryption to prevent interception.
- Secure Authentication: We use Apple Sign In and Firebase Authentication, which employ industry-standard security protocols including OAuth 2.0.
- Access Controls: Strict access controls limit who can access user data within our systems. Access is granted on a need-to-know basis and is logged for audit purposes.
- Firebase Security Rules: We implement strict Firebase Security Rules to ensure users can only access their own data and cannot access other users' information.
- Regular Security Audits: We regularly review and update our security practices to address emerging threats and vulnerabilities.
While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your information using industry best practices.
6.4 Data Location
When you use cloud synchronization, your data is stored on Firebase servers, which are part of Google Cloud Platform infrastructure. Firebase may store data in multiple regions for redundancy and performance. Data may be processed in the United States and other countries where Firebase and our service providers operate.
7. Third-Party Services
The App integrates with several third-party services to provide functionality. Each service may collect and process certain data as described below. These third-party services have their own privacy policies, and we encourage you to review them.
7.1 Firebase (Google)
Services Used: Firebase Authentication, Firestore (database), Firebase Storage (file storage), Firebase Cloud Functions (serverless computing)
Data Shared: Account information, health and symptom data (if cloud sync enabled), photos (if cloud sync enabled), device information, usage analytics
Purpose: User authentication, cloud data storage and synchronization, backend processing
Privacy Policy: Firebase is part of Google Cloud Platform. Review Google's privacy policy at https://policies.google.com/privacy and Firebase-specific terms at https://firebase.google.com/support/privacy
7.2 RevenueCat
Services Used: Subscription management and in-app purchase processing
Data Shared: Anonymous user identifier, subscription status, purchase transactions, device type, App version
Purpose: Manage Xema Plus subscriptions, process in-app purchases, verify purchase status, provide access to premium features
Privacy Policy: https://www.revenuecat.com/privacy
7.3 OpenAI API
Services Used: Artificial intelligence analysis (GPT models with vision capabilities)
Data Shared: Product photos, product ingredient text, food photos, skin photos, symptom context (when relevant to analysis)
Purpose: Analyze product ingredients for potential irritants, identify foods and potential allergens, assess skin photos for eczema severity and characteristics, provide personalized recommendations
Important Notes: As of our last verification, OpenAI does not use data submitted via API for model training unless you explicitly opt in. Your photos and data sent to OpenAI are processed to provide immediate analysis and are not retained long-term by OpenAI.
Privacy Policy: https://openai.com/privacy
API Data Usage: https://openai.com/enterprise-privacy
7.4 Weather and Air Quality APIs
Services Used: Third-party weather data providers (specific providers may vary)
Data Shared: Your approximate geographic location (city/region level, not precise coordinates)
Purpose: Retrieve local weather conditions (temperature, humidity, UV index) and air quality data (pollution levels, pollen counts, allergen information) to generate flare risk predictions
We use reputable weather API providers with established privacy practices. Location data is only shared when necessary to retrieve weather information and is not stored by these providers beyond the immediate request.
7.5 OpenFoodFacts
Services Used: Open-source food product database
Data Shared: Barcode numbers when you scan products
Purpose: Retrieve product information, ingredient lists, and nutritional data for scanned barcodes
Privacy: OpenFoodFacts is an open database. Barcode lookups do not contain personally identifiable information. Learn more at https://world.openfoodfacts.org/privacy-policy
7.6 Apple App Store and Google Play Store
Services Used: App distribution, in-app purchases, subscription billing
Data Shared: Purchase information, payment details (handled directly by Apple/Google, not visible to us)
Purpose: Process Xema Plus subscriptions and in-app purchases
Privacy Policies: Apple Privacy Policy at https://www.apple.com/privacy/ and Google Privacy Policy at https://policies.google.com/privacy
8. AI-Powered Features
Xema uses artificial intelligence to provide enhanced analysis and insights. Understanding how AI features work and what data they use is important for your privacy.
8.1 How AI Features Work
- Product Scanning: When you scan or photograph a product, the image and/or ingredient text is sent to OpenAI API for analysis. The AI identifies potential irritants, allergens, and problematic ingredients commonly associated with eczema triggers.
- Food Photo Analysis: Food photos are analyzed by AI to identify ingredients, potential allergens, and common eczema trigger foods.
- Skin Photo Analysis: Skin photos are processed by AI vision models to assess eczema severity, identify affected areas, and track changes over time. This helps you visualize your progress and identify patterns.
8.2 Data Handling in AI Processing
- Transmitted Data: Only the specific photo or text being analyzed is sent to the AI service, along with minimal context needed for analysis (e.g., "analyze this product for eczema triggers").
- No Training Use: Based on OpenAI's current API policies, data submitted through the API is not used to train or improve their models unless explicitly opted in. We have not opted in, which means your photos and data are only used to provide you with immediate analysis.
- Temporary Processing: AI providers process your data to generate results but do not retain it long-term.
- No Personal Identifiers: We do not send personally identifiable information (name, email, account ID) to AI services. Photos and ingredient text are analyzed independently without linking to your identity.
8.3 Your Control Over AI Features
Use of AI-powered analysis features is entirely optional. You can:
- Choose which photos to analyze and which to keep only on your device
- Use manual product entry instead of AI analysis if you prefer
- Track symptoms and flares without using photo analysis features
- Delete any analyzed photos from the App at any time, which also removes them from cloud storage if enabled
9. Data Sharing and Disclosure
9.1 We Do Not Sell Your Data
We do not sell, rent, trade, or otherwise transfer your personal information to third parties for their marketing purposes. Xema does not display advertisements and does not participate in ad networks. Your health data and personal information are not commodities.
9.2 When We May Share Information
We may share your information only in the following limited circumstances:
- Service Providers: We share data with third-party service providers who perform services on our behalf (as detailed in the Third-Party Services section above). These providers are contractually obligated to use your information only to provide services to us and not for their own purposes.
- Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, government investigations).
- Protection of Rights: We may disclose information when we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to a government request.
- Business Transfers: If Xema is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
- Aggregated and Anonymized Data: We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you. For example, we may share statistics about eczema symptom patterns or environmental correlations for research purposes, but this data would not contain any personally identifiable information.
- With Your Consent: We may share your information for any other purpose with your explicit consent.
9.3 No Sharing with Healthcare Providers
Xema does not automatically share your data with healthcare providers, insurers, or health systems. If you wish to share your symptom logs or data with your doctor, you can export your data through the App and share it manually at your discretion.
10. Data Retention
10.1 How Long We Keep Your Data
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Active Accounts: While your account is active, we retain your data to provide ongoing service, including symptom history, photos, product scans, and preferences.
- Inactive Accounts: If you stop using the App but do not delete your account, your data remains stored according to your cloud sync settings (locally on device, and/or in the cloud if enabled).
- Deleted Accounts: When you delete your account through the App settings, we permanently delete your personal data from our systems within 30 days, subject to the exceptions below.
10.2 What Happens When You Delete Your Account
When you request account deletion:
- All symptom logs, health data, photos, and personal notes are permanently deleted from our cloud servers within 30 days
- Your account information (email, name, authentication data) is removed from Firebase Authentication
- Data stored locally on your device is cleared when you uninstall the App or delete your account within the App
- Your subscription status is marked as cancelled (subscription billing through Apple/Google is handled separately and may require cancellation through your App Store account)
10.3 Data Retention Exceptions
We may retain certain information even after account deletion in the following cases:
- Legal Obligations: Information required to be retained for tax, accounting, or legal compliance purposes (e.g., purchase records, transaction history) may be kept for periods required by applicable law.
- Aggregated Data: Anonymized and aggregated data that cannot be used to identify you may be retained indefinitely for research and analytics.
- Backup Systems: Data in backup systems may persist for a limited time (typically 30-90 days) before being permanently purged during routine backup cycles.
- Fraud and Security: If your account was involved in fraudulent activity, violations of Terms of Service, or security incidents, relevant information may be retained as necessary to prevent recurrence and protect other users.
11. International Data Transfers
Xema is operated from the United States. If you are located outside the United States, please be aware that information we collect, including personal information and health data, may be transferred to, stored in, and processed in the United States and other countries where our service providers operate.
These countries may have data protection laws that are different from the laws of your country. By using the App, you consent to the transfer of your information to the United States and other countries where we and our service providers operate.
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we rely on the following mechanisms for international data transfers:
- Standard Contractual Clauses: We use Standard Contractual Clauses approved by the European Commission for transfers to service providers outside the EEA.
- Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission recognizing that certain countries provide adequate data protection.
- Your Explicit Consent: By accepting this Privacy Policy and using cloud synchronization features, you provide explicit consent for the transfer of your data, including special categories of personal data (health data), to countries outside your jurisdiction.
We take appropriate safeguards to ensure that your personal information remains protected in accordance with this Privacy Policy regardless of where it is processed.
12. Your Privacy Rights
You have certain rights regarding your personal information. This section explains your rights and how to exercise them.
12.1 Rights for All Users
Regardless of your location, you have the following rights:
- Right to Access: You can access all personal data we hold about you directly through the App. Navigate to Settings > Privacy & Data to view your stored information.
- Right to Correction: You can update or correct your personal information at any time through the App interface. Edit symptom logs, update account information, or modify notes and preferences as needed.
- Right to Deletion: You can delete individual data items (symptom logs, photos, product scans) or delete your entire account and all associated data through Settings > Account > Delete Account.
- Right to Export: You can export your complete data record in machine-readable format (JSON) through Settings > Privacy & Data > Export My Data. This includes all symptom logs, photos, product scans, and settings.
- Right to Withdraw Consent: Where processing is based on consent, you can withdraw consent at any time. This includes disabling location access, camera access, cloud sync, or AI features in your device or App settings. Note that withdrawing consent may limit App functionality.
12.2 California Residents (CCPA/CPRA Rights)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights:
- Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you. You can exercise this right by contacting us at foresightsystems00@gmail.com or using the in-App data export feature.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions. Use the Delete Account feature in Settings or contact foresightsystems00@gmail.com.
- Right to Opt-Out of Sale: We do not sell your personal information as defined by CCPA. We have not sold personal information in the preceding 12 months and do not have actual knowledge of selling personal information of minors under 16 years of age.
- Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA privacy rights. We will not deny you services, charge different prices, or provide different levels of service for exercising your rights.
- Right to Correct: You have the right to request correction of inaccurate personal information. You can correct information through the App or by contacting foresightsystems00@gmail.com.
- Right to Limit Use of Sensitive Personal Information: While we collect sensitive personal information (health data), we only use it for purposes permitted under CCPA without requiring an opt-out option (i.e., to provide services you requested). You can limit collection by not using certain features or by deleting your account.
To exercise these rights, email foresightsystems00@gmail.com with the subject line "CCPA Privacy Request" or use the in-App tools. We will verify your identity before processing your request and respond within 45 days.
12.3 European Economic Area Residents (GDPR Rights)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access: You have the right to obtain confirmation as to whether or not your personal data is being processed, and to access that data. Use the in-App data viewer or request a copy by emailing foresightsystems00@gmail.com.
- Right to Rectification: You have the right to obtain rectification of inaccurate personal data and to have incomplete data completed. Update your information through the App or contact us for assistance.
- Right to Erasure (Right to be Forgotten): You have the right to obtain erasure of your personal data in certain circumstances, including where the data is no longer necessary, you withdraw consent, or you object to processing. Use the Delete Account feature or contact foresightsystems00@gmail.com.
- Right to Restriction of Processing: You have the right to restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing. Contact foresightsystems00@gmail.com to request restrictions.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. Use the Export My Data feature in Settings to receive your data in JSON format.
- Right to Object: You have the right to object to processing of your personal data where we rely on legitimate interests. You can disable specific features, turn off analytics, or delete your account to object to processing.
- Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time. This does not affect the lawfulness of processing based on consent before withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at https://edpb.europa.eu/about-edpb/board/members_en.
To exercise any of these rights, please contact us at foresightsystems00@gmail.com with the subject line "GDPR Privacy Request" and specify which right you wish to exercise. We will respond to your request within one month, though this may be extended by two additional months in complex cases.
12.4 How to Exercise Your Rights
You can exercise most privacy rights directly through the App:
- In-App Tools: Settings > Privacy & Data provides options to view, export, and delete your data.
- Email Requests: For requests that cannot be completed through the App, email foresightsystems00@gmail.com with your request. Include your account email and specify which right you wish to exercise.
- Verification: For security purposes, we may need to verify your identity before processing certain requests. We will request information necessary to confirm you are the account holder.
- Response Time: We will respond to your requests within the timeframes required by applicable law (45 days for CCPA requests, 30 days for GDPR requests).
- No Fee: We do not charge a fee to process privacy requests unless they are manifestly unfounded, excessive, or repetitive.
13. Children's Privacy
Xema is not intended for use by children. We are committed to protecting the privacy of children and complying with applicable children's privacy laws.
13.1 Age Requirements
- United States and Other Jurisdictions: The App is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).
- European Economic Area: For users in the EEA, the App is not intended for children under 16 years of age without parental consent, in accordance with GDPR requirements.
13.2 Parental Consent
If you are a parent or guardian and wish to allow your child (who meets the minimum age requirements) to use Xema, you are responsible for:
- Providing consent for your child to use the App and create an account
- Understanding that health data entered into the App is sensitive and should be monitored
- Reviewing this Privacy Policy and explaining it to your child as appropriate
- Supervising your child's use of the App, particularly camera and photo features
13.3 If We Learn We Have Collected Children's Data
If we become aware that we have collected personal information from a child under the applicable minimum age without appropriate parental consent, we will take steps to delete that information as quickly as possible.
If you believe we might have information from or about a child under the minimum age, please contact us immediately at foresightsystems00@gmail.com with the subject line "Child Privacy Concern."
14. Do Not Track Signals
Some web browsers and mobile devices have a "Do Not Track" (DNT) feature that lets you tell websites and apps that you do not want to have your online activities tracked.
Currently, there is no universally accepted standard for how to respond to DNT signals in mobile applications. As such, the App does not respond to DNT signals or similar mechanisms at this time.
However, you can control data collection through the App in the following ways:
- Disable cloud synchronization to keep data only on your device
- Disable location services to prevent collection of location data
- Choose not to use AI analysis features
- Use an anonymous/guest account instead of signing in with Apple Sign In
- Control camera and photo access through device settings
If a standard for responding to DNT signals is established in the future that applies to mobile applications, we will assess our practices and update this Privacy Policy accordingly.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Effective Date" at the top of this Privacy Policy.
15.1 How We Notify You of Changes
- Material Changes: If we make material changes that significantly affect your privacy rights or how we handle your personal information, we will notify you through one or more of the following methods: (a) a prominent notice within the App, (b) a push notification, (c) an email to the address associated with your account, or (d) other conspicuous means.
- Non-Material Changes: For minor changes, such as clarifications or formatting updates that do not substantively change your rights, we may simply update the Privacy Policy and post the new effective date.
15.2 Your Acceptance of Changes
Your continued use of the App after the effective date of an updated Privacy Policy constitutes your acceptance of the revised policy. If you do not agree with the updated Privacy Policy, you should discontinue use of the App and may delete your account.
For changes that require consent under applicable law (such as new uses of health data or expansion of third-party sharing), we will obtain your explicit opt-in consent before applying those changes to your existing data.
15.3 Review Regularly
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. You can always access the current Privacy Policy through the App (Settings > Legal > Privacy Policy) or on our website.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, we want to hear from you. Please contact us using the information below:
Email: foresightsystems00@gmail.com
Subject Line Guidelines: To help us route your inquiry appropriately, please use one of the following subject lines:
- "Privacy Question" - General privacy inquiries
- "GDPR Privacy Request" - For EEA residents exercising GDPR rights
- "CCPA Privacy Request" - For California residents exercising CCPA rights
- "Data Deletion Request" - To request account and data deletion
- "Data Export Request" - To request a copy of your data
- "Child Privacy Concern" - If you believe we have collected data from a child
- "Security Concern" - To report a security vulnerability or data breach concern
Response Time
We strive to respond to all privacy-related inquiries within 5 business days. For formal privacy rights requests (GDPR, CCPA), we will acknowledge receipt within 5 business days and provide a substantive response within the timeframes required by law (30 days for GDPR, 45 days for CCPA).
Data Protection Officer
While we are not currently required to designate a Data Protection Officer under GDPR, all privacy inquiries are handled by our privacy team with the same level of attention and expertise. For EEA-specific matters, please include "ATTN: GDPR Compliance" in your email.
Additional Resources
For more information about Xema, please visit:
- Terms of Service: Available in Settings > Legal > Terms of Service or on our website
- Help Center: In-App help and FAQs in Settings > Help & Support
- Security Information: For information about our security practices, email foresightsystems00@gmail.com with subject "Security Inquiry"
Thank you for trusting Xema with your health data. We are committed to transparency, security, and putting your privacy first.