Back to Home

Privacy Policy

Last updated: May 21, 2026

01Introduction

At ROX BIO, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. As a healthcare intelligence platform, we are committed to the highest standards of data protection and patient confidentiality.

02Information We Collect

We collect information that you provide directly to us, including:

  • Personally Identifiable Information (Name, email address, phone number)
  • Protected Health Information (PHI) when submitted for analysis
  • Professional credentials for clinicians
  • Usage data and platform interactions

03How We Use Information

We use the collected information to:

  • Provide AI-driven pre-diagnostic analysis and clinical support
  • Facilitate doctor-patient scheduling and practice management
  • Ensure compliance with healthcare regulations and internal security policies

04No Patient Data Used to Train AI Models

We do not use any patient data to train our AI models. Patient health information, conversations, reports, and any other Protected Health Information (PHI) submitted to the ROX BIO platform is used solely to deliver care to the individual patient and is never used to improve, fine-tune, or train any artificial intelligence or machine learning model. Our AI systems are trained exclusively on publicly available, ethically sourced datasets that contain no patient data.

Data Security Commitment

All medical data is encrypted using AES-256 at rest and TLS 1.3 in transit. We implement strict access controls and regular security audits to protect your information against unauthorized access or disclosure.

05Google Calendar & Google Meet Integration

Limited Use of Google User Data

ROX BIO's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Clinicians may optionally connect their Google account from Settings → Google Meet so that ROX BIO can create a Google Meet video room for each telehealth appointment they accept. This integration is strictly opt-in and can be disconnected at any time.

Scopes we request and why

  • https://www.googleapis.com/auth/calendar.events — used exclusively to call events.insert with a conferenceData.createRequest on the connected clinician's primary calendar, returning the Google Meet URL that ROX BIO stores on the booking so both the patient and clinician can join the same room. We do not read existing events, modify events we did not create, or list events.
  • https://www.googleapis.com/auth/userinfo.email and openid — used solely to display the connected Google account email back to the clinician in Settings so they can confirm which account is linked.

What we do NOT do with Google user data

  • We do not sell or transfer Google user data to any third party for advertising, marketing, or any other purpose.
  • We do not use Google user data to develop, improve, or train generalized AI or machine-learning models.
  • We do not allow humans to read Google user data unless we have the clinician's explicit consent, it is necessary for security (e.g. investigating abuse), or required by law.
  • We do not read or list any calendar event other than the ones ROX BIO created for booked appointments.

Storage, retention & revocation

ROX BIO stores the long-lived OAuth refresh token issued by Google in our database, restricted to server-side access via Supabase Row Level Security and the service role. Clinicians can revoke ROX BIO's access at any time by either disconnecting from Settings → Google Meet (which deletes the token from our database and calls Google's token revoke endpoint) or by removing the app from https://myaccount.google.com/permissions. Disconnection takes effect immediately and prevents any further Google API calls on the clinician's behalf.