GDPR Compliance

Arkoura processes personal data in compliance with Regulation (EU) 2016/679 (GDPR). This page explains how we collect, process, and protect the personal data of users in the European Union and European Economic Area.

We process your personal data under the following legal bases:

General account data (name, email, phone): Contractual necessity (Article 6(1)(b)) — required to provide the Arkoura service.

Health and journal data: Explicit consent (Article 9(2)(a)) — you provide this voluntarily and may withdraw consent at any time by deleting your account.

Anonymized research data: Legitimate interest (Article 6(1)(f)) — used to improve the platform; you may opt out at any time.

Under GDPR you have the following rights:

Right of access (Article 15): Request a copy of all personal data we hold about you.

Right to rectification (Article 16): Correct inaccurate or incomplete data.

Right to erasure (Article 17): Request deletion of your data. Account deletion requests enter a 30-day quarantine period before permanent erasure.

Right to restriction (Article 18): Request that we limit processing of your data.

Right to data portability (Article 20): Receive your data in a machine-readable format.

Right to object (Article 21): Object to processing based on legitimate interest.

Rights related to automated decision-making (Article 22): Arkoura does not make automated decisions with legal or similarly significant effects.

To exercise any right: privacy@arkoura.com

Identity data: name, date of birth, profile photo.

Contact data: email address, phone number.

Health journal data: conditions, allergies, medications, emergency contacts, journal entries, uploaded documents.

Technical data: IP address, browser type, device identifiers, access logs.

Usage data: feature usage patterns (anonymized).

Document de-identification: uploaded health documents (e.g. lab results, imaging reports) are processed through Google Cloud Data Loss Prevention (DLP) before being analyzed by AI — all personally identifiable information is automatically removed before the content leaves your account's security boundary. This is applied in compliance with the principle of data protection by design (Article 25 GDPR).

Account data: retained while your account is active, deleted 30 days after account deletion request.

Audit logs: retained for 24 months for security and compliance purposes.

Anonymized research data: indefinitely (no PII, not subject to erasure).

Arkoura's infrastructure is hosted on Google Cloud Platform (GCP) with primary processing in the United States. Data transfers from the EU/EEA to the US are conducted under Standard Contractual Clauses (SCCs) as approved by the European Commission.

EU/EEA users have the right to lodge a complaint with their national data protection authority. A directory of EU supervisory authorities is available at: https://edpb.europa.eu

Data Controller: Arkoura

Privacy contact: privacy@arkoura.com

For GDPR-specific requests, include "GDPR Request" in the subject line.