Regulatory compliance transparency
Alyus operates under the following frameworks — here we indicate the actual status of each at this stage.
Privacy Policy
Last updated: February 23, 2026 · Applies to doctors and patients
Alyus ("the Platform") is a medical management SaaS solution with artificial intelligence operated by Alyus Inc. We are committed to protecting the privacy of our two types of users: doctors (primary platform users) and patients (whose data is managed through it). This document applies to all Alyus services.
1. Data we collect
| Category | Specific data | User | Legal basis |
|---|---|---|---|
| Doctor identity | Name, professional license, specialty, profile photo | Doctor | Service contract |
| Patient identity | Name, date of birth, sex, CURP (optional) | Patient | Explicit consent |
| Health data | Symptoms, diagnoses, medications, allergies, clinical history, lab results, medical images | Patient | Consent + medical care |
| Questionnaire data | Triage responses, pain scale, consultation reason | Patient | Explicit consent |
| Platform usage | Access logs, device, IP, features used | Doctor, Patient | Legitimate interest / security |
| Payment data | Last 4 digits of card, billing history (processed by Stripe) | Doctor | Contract performance |
| Communications | Platform messages, follow-up notifications, survey responses | Doctor, Patient | Consent |
2. How we use your data
We use the collected information only for the following purposes:
| Purpose | Description | Applies to |
|---|---|---|
| Service delivery | Appointment management, clinical records, prescriptions and follow-up | Doctor, Patient |
| Intelligent Medical Assistant (AI) | AI medical agent assisting the doctor in pre-diagnosis, Medical Scribe, clinical alerts and treatment plans. For patients: active follow-up, reminders and alarm detection. Never replaces professional medical judgment. | Doctor, Patient, Clinic |
| Automated follow-up | Medication reminders, post-consultation surveys and alerts via app, SMS, WhatsApp or email | Patient |
| Lymbika medical catalog | For any health question or emergency, the patient has access to the Lymbika Healthcare medical catalog to locate and contact an available physician. Operated by Lymbika Healthcare under its own terms. | Patient, Doctor |
| Service improvement | Anonymous usage analysis to improve the platform. Never linked to individual identities. | Both |
| Security and fraud | Detection of unauthorized access and suspicious activity | Both |
| Legal compliance | Response to competent authority requests under court order | Both |
3. Who we share information with
We share data only with the following categories of third parties, all under strict confidentiality agreements:
| Provider / Category | Purpose | Country | Data shared |
|---|---|---|---|
| Google Cloud / Firebase | Cloud infrastructure and database | USA (BAA under negotiation) | All data encrypted AES-256 |
| Lymbika Healthcare | Patient generation platform and operational coordination. Lymbika may use usage data (not identified clinical data) for marketing, commercial and advertising purposes in accordance with user consent. | Mexico / USA | Encrypted usage and contact data. Clinical data: aggregated and anonymized only. Never identified health data for commercial purposes. |
| Anthropic / OpenAI | AI models for the Intelligent Medical Assistant | USA | Pseudonymized clinical data |
| Zoom Video Communications | Teleconsultation API for remote medical visits | USA | Session metadata, name and contact |
| Stripe | Payment processing (PCI DSS Level 1) | USA | Billing data only |
| SendGrid / Twilio | Notifications and follow-up email | USA | Name and contact data |
| WhatsApp Business API (Meta) | Follow-up messaging, medication reminders, doctor-patient communication and AI medical agent notifications via WhatsApp | USA / Global | Name, phone number, follow-up messages. Messages have Meta end-to-end encryption. |
| Treating physician / Clinic / Hospital | Full access to their own patient records | Mexico / Provider country | Complete clinical record |
| Competent authorities | Only under court order or verifiable legal mandate | Per jurisdiction | Exclusively what is required by law |
4. Information security
We implement hospital-grade technical and organizational controls to protect your data:
5. Data retention and deletion
Patient health data is retained during the active period of the doctor-patient relationship and for a minimum of 5 years after the last consultation, in compliance with NOM-004-SSA3-2012 (Clinical Record) and NOM-024-SSA3-2012. Upon cancellation, the doctor may export all data within 30 days. HL7 FHIR R4 format is on the implementation roadmap for Q4 2026; export is currently available in JSON/CSV format. After that period, data will be securely deleted.
Terms and Conditions of Service
Apply to doctors registered as Alyus account holders
By registering and using Alyus, the doctor ("the User") accepts these terms. These terms constitute a binding contract between the User and Alyus Inc.
1. Acceptable use of the platform
| ✅ Allowed | ❌ Prohibited |
|---|---|
| Manage exclusively patients within their legitimate medical practice | Share access credentials with unauthorized third parties |
| Use AI as a clinical diagnosis support tool | Use AI suggestions as definitive diagnosis without clinical evaluation |
| Export data of their own patients for continuity of care | Extract data massively for purposes other than medical care |
| Register informed patient consent before processing their data | Register patient data without their knowledge or consent |
| Report security vulnerabilities to the Alyus team | Attempt to access data of other doctors or their patients |
2. Medical responsibility and AI limitation
Alyus is not a certified medical device for definitive diagnosis. The AI models used have estimated accuracy that varies by specialty and data quality. The User must always contrast AI results with their clinical experience, physical examination and professional judgment.
3. Subscription, payments and cancellation
| Concept | Condition |
|---|---|
| Billing | Monthly or annual, charged on activation date. Price in MXN or USD per plan. |
| Trial period | 14 days free without credit card. Upon expiry, payment method required to continue. |
| Cancellation | Anytime. Access continues until end of billed period. No additional charges. |
| Refunds | Monthly plans: non-refundable. Annual plans: proportional refund within first 30 days. |
| Price changes | 30 days advance notice. User may cancel at no charge if they do not accept the new price. |
| Taxes (Mexico) | Prices exclude VAT (8% border zone / 16% rest of Mexico). CFDI 4.0 issued. US state taxes may apply per jurisdiction. |
4. Service availability and SLA
Alyus guarantees a target availability of 99.5% per month (equivalent to less than 3.6 hours of downtime per month), excluding scheduled maintenance windows, which are announced 48 hours in advance. In case of non-compliance, the User may request credits on their next invoice proportional to the downtime.
5. Intellectual property
The software, design, AI algorithms and brand of Alyus are the exclusive property of Alyus Inc. Clinical data entered by the doctor and their patients belongs to the doctor and the patient at all times. Alyus does not acquire any ownership rights over medical data. The doctor grants Alyus Inc. a limited, non-exclusive and revocable license solely to process such data for the specific purpose of providing the contracted service.
6. Jurisdiction and applicable law
These terms are governed by the laws of the United Mexican States. For any dispute, the parties submit to the jurisdiction of the courts of the State of Delaware, USA, without prejudice to compliance obligations in Mexico under LFPDPPP and applicable NOMs, waiving any other jurisdiction that might apply.
Special Processing of Medical Data
Special category data under LFPDPPP and NOM-024-SSA3-2012
Health data constitutes a special category of sensitive data under Mexican law. Its processing requires the express, informed, free and unequivocal consent of the data subject (the patient). Alyus implements additional safeguards specific to this type of information.
1. Digital clinical record
The Alyus clinical record is designed following the guidelines of NOM-004-SSA3-2012 and NOM-024-SSA3-2012. Formal compliance verification with both norms is scheduled for Q3 2026. The following functionalities are already implemented:
2. Artificial Intelligence: what it does and does not do
| AI feature | What it does | What it does NOT do |
|---|---|---|
| Pre-diagnosis | Suggests probable diagnoses with percentages based on questionnaire symptoms, using ML models trained on medical literature. | Does not issue definitive diagnosis. Does not prescribe treatments autonomously. |
| Medical Scribe | Generates structured clinical note draft from consultation data for physician review. | Does not sign or validate clinical notes. The physician must review and approve each note. |
| Follow-up alerts | Detects risk patterns (medication abandonment, worsening symptoms) and alerts the physician. | Does not take autonomous actions or contact emergency services without human intervention. |
| Prescription verification | Reviews possible drug interactions and registered allergies, alerting the physician. | Does not block prescriptions or replace the pharmacist or medical judgment. |
3. Patient consent
Before registering a patient's data, the physician is responsible for obtaining their informed consent. Alyus provides a standard digital consent form that complies with Mexican regulation, available in Spanish and English. This consent must include: description of data to be collected, processing purpose, patient rights (ARCO), and AI participation in the analysis of their data.
User Rights
ARCO rights + extended rights for patients
Both doctors and patients have the following rights over their personal data, exercisable at any time without the need for justification:
Access
Know what personal data we have about you, for what purpose we process it and with whom we share it. Response within max. 20 business days.
Rectification
Correct inaccurate or incomplete data. For medical data, the treating physician must validate the correction in the record.
Cancellation
Request deletion of your data. Exceptions apply for data with legal retention obligations (clinical record minimum 5 years).
Opposition
Object to the processing of your data for specific purposes such as sending communications or statistical analysis.
Portability
Receive your data in structured, readable and portable format (JSON / HL7 FHIR). Available for doctors and patients.
No AI discrimination
Patients have the right that no definitive medical decision be made solely by automated systems without human review.
Legal Contact and DPO
Privacy Officer and official contact channels
For inquiries related to privacy, data protection, vulnerability reporting, exercise of ARCO rights or any legal matter related to Alyus:
Alyus reserves the right to update this Privacy Policy and Terms of Service. Material changes will be notified at least 30 days in advance by email and through prominent notice on the platform. Continued use of Alyus after the effective date of changes constitutes acceptance thereof.