Data Security and AI Policy

Last updated: April 12, 2026

1. Purpose

This Data Security and AI Policy explains how Tsneviseqimi LLC protects personal data and health data processed through the Platform, and how we approach artificial intelligence and automated tools in connection with our services.

This document is intended to complement our Privacy Policy. If there is any inconsistency between this document and the Privacy Policy, the Privacy Policy prevails with respect to personal data processing disclosures.

2. Our Security Approach

Because the Platform processes health data and other sensitive information, we apply technical and organisational safeguards designed to protect confidentiality, integrity, and availability.

Our approach is based on the following principles:

  • least-privilege access;
  • need-to-know handling of health data;
  • secure transmission and storage;
  • accountability through logs and auditability;
  • minimisation of data exposure;
  • vendor controls and contractual safeguards; and
  • regular improvement of operational security.

3. Core Security Measures

Depending on the system component and service involved, our controls may include:

3.1 Encryption and secure transport

  • use of HTTPS/TLS for data transmitted between users and the Platform;
  • secure transmission channels for integrations with service providers;
  • encrypted or otherwise protected storage environments where data is stored.

3.2 Access management

  • role-based access controls for patients, doctors, administrators, and support personnel;
  • restrictions so that users can access only the information necessary for their role;
  • internal access approval processes where appropriate;
  • immediate or prompt removal of access when no longer needed.

3.3 Authentication and session security

  • passwords stored in hashed form rather than plain text;
  • secure session handling;
  • protection against common authentication abuse patterns;
  • controls intended to reduce the risk of unauthorised account access.

3.4 Audit trails and monitoring

  • logging of important access and record-change events;
  • auditability for sensitive actions, particularly involving health records;
  • technical monitoring, alerting, and investigation support for security and reliability issues.

3.5 Application and infrastructure security

  • input validation and sanitisation;
  • secure development practices intended to reduce common web application risks;
  • segregation of environments where appropriate;
  • backup and recovery measures to support resilience.

4. Role-Based Access

We design the Platform to reduce unnecessary access to health data.

Patients

Patients should be able to access their own account information, appointments, records, and permitted platform features.

Doctors

Doctors should only be able to access the patient information they need for patients with whom they have a legitimate treatment or care relationship through the Platform.

Administrative and support personnel

Administrative or support access is limited to the extent reasonably necessary for operations, compliance, support, billing, or security. Such access is restricted and subject to confidentiality obligations.

5. Third-Party Providers

We use external providers where necessary to operate the Platform, such as hosting, authentication, payment processing, communications, email delivery, video consultation infrastructure, storage, and technical support tools.

When engaging providers, we aim to:

  • choose providers with a security posture appropriate to the nature of the service;
  • limit data shared to what is reasonably necessary;
  • use contractual protections;
  • restrict provider use of the data to the agreed service purpose; and
  • review the provider relationship when appropriate.

The use of an external provider does not mean the provider may use health data for its own unrelated purposes.

6. Payment Security

Payments are handled through external payment providers. We do not intentionally store full payment card numbers on our own servers.

Where payment tokens, transaction identifiers, or billing metadata are used, they are processed only for billing, reconciliation, saved-payment functionality where available, fraud prevention, refunds, and legal/accounting obligations.

7. Incident Handling

If we detect a security incident, suspected unauthorised access, or other event affecting the confidentiality, integrity, or availability of the Platform, we may:

  • investigate the event;
  • contain and remediate the issue;
  • temporarily restrict access to affected systems or accounts;
  • coordinate with relevant service providers;
  • preserve relevant logs and records; and
  • notify affected persons or authorities where required by applicable law.

Users should report suspected security issues to: support@tsneviseqimi.ge

8. User Responsibilities

Security is also supported by users. You should:

  • use a strong and unique password;
  • keep login credentials confidential;
  • not share your account;
  • log out from shared devices;
  • keep your device and browser reasonably up to date; and
  • notify us promptly if you believe your account has been compromised.

9. AI and Automated Tools

9.1 Current position

At the date of this Policy:

  • we do not use AI to independently diagnose medical conditions;
  • we do not use AI to prescribe medication or determine treatment without doctor involvement;
  • we do not use AI to make solely automated decisions with legal or similarly significant healthcare effects on users;
  • we do not use user health data to train external AI models without a lawful basis, transparent notice, and appropriate safeguards.

9.2 Rule-based tools that are not AI

The Platform may perform basic rule-based or mathematical functions such as:

  • BMI calculations;
  • averages of submitted measurements;
  • categorisation according to pre-set thresholds or guidelines;
  • scheduling and workflow automation.

These functions are not substitutes for a licensed doctor’s judgment.

9.3 Future AI use

If we introduce AI-supported features in the future, we will first assess their legal, privacy, clinical, and security implications.

Before material AI use involving user data, we expect to address at least:

  • the purpose of the AI feature;
  • what data is used;
  • whether the feature is optional or mandatory;
  • whether any third-party AI provider is involved;
  • what human oversight exists;
  • whether any automated decision-making rights are triggered;
  • whether additional consent or another legal basis is required; and
  • what notices or policy updates are needed.

9.4 Human oversight

All medical decisions affecting diagnosis, treatment, and patient care must remain subject to licensed human professional judgment. Any future AI-supported functionality must not be treated as a replacement for a doctor’s medical responsibility.

10. Data Minimisation and Confidentiality

We seek to limit the collection, access, and disclosure of data to what is reasonably necessary for the relevant service, security, or legal purpose.

Persons with access to confidential or health-related data are expected to be bound by confidentiality, professional secrecy, contractual duties, or equivalent obligations, as applicable.

11. Changes to This Policy

We may update this document from time to time to reflect changes in our systems, providers, legal obligations, or product features.

The latest version will always be published on the Platform with the updated effective date.

12. Contact

For security or AI-related questions, contact:

Tsneviseqimi LLC

Email: support@tsneviseqimi.ge