Privacy Policy
Effective Date: 2025-07-03
Version: v1.0.0
Data Controller: Beijing Lieyi Health Management Co., Ltd. (北京猎一健康管理有限公司)
Registered Address: 北京市昌平区北七家枫树家园5区4号楼03
ICP Filing: 京ICP备2025132715号-1
Privacy Contact: privacy@rebirthealth.com
How to Read This Policy
This Policy has two parts:
- Part I — Universal Provisions: applies to everyone.
- Part II — Region-Specific Sections: additional rights and terms for users in the EEA/UK, California, Mainland China, and other regions. Find the section for where you live; if it conflicts with Part I, the region-specific section controls for you.
⚠️ Health data notice. Rebirthealth necessarily processes information about your health. Health data is treated as sensitive / special-category data under EU, California, and Chinese law. We describe below how we handle it. Please read carefully.
PART I — UNIVERSAL PROVISIONS
1. Who We Are
Beijing Lieyi Health Management Co., Ltd. (北京猎一健康管理有限公司) ("Rebirthealth," "we," "us") operates the platform at https://rebirthealth.com. For the purposes of data protection law, we are the data controller for the personal information described in this Policy. Contact: privacy@rebirthealth.com.
2. Scope
This Policy explains how we collect, use, share, retain, and protect personal information when you use the Platform, and the choices and rights you have. It should be read together with the Terms of Service and Cookie Policy.
3. Information We Collect
3.1 Information you provide
- Account information: name or display name, email address, password, role (Publisher, Advisor, Promoter/KOL), and, where applicable, country.
- Case and health information: descriptions of health situations, symptoms, history, uploaded documents or images, and related details that a Publisher chooses to submit. This may include sensitive health information.
- Advisor information: self-reported background, areas of practice, and the perspectives an Advisor submits.
- Promoter/KOL information: referral activity and, for KOL applicants, the application materials submitted.
- Communications: messages exchanged through the Platform and communications with our support team.
- Payment-related information: information needed to process payments. Full card numbers and similar payment credentials are handled by our payment processor(s), not stored by us. (See Section 7.)
3.2 Information collected automatically
- Usage data: pages viewed, features used, actions taken, timestamps.
- Device and technical data: IP address, browser type, device type, operating system, and similar technical identifiers.
- Cookies and similar technologies: as described in the Cookie Policy.
3.3 Information from third parties
- Payment processors (transaction confirmation status).
- Authentication providers, if you sign in through a third-party login.
We do not purchase personal information from data brokers, and we do not engage in scraping of facial images or biometric data.
4. How We Use Information
We use personal information to:
- Create and manage your account;
- Operate the Platform's core function — allowing Publishers to post cases and Advisors to submit perspectives;
- Organize, summarize, and present information, including through automated (AI) features;
- Match cases with potentially relevant Advisors;
- Process payments and, where applicable, commissions;
- Provide customer support and respond to your requests;
- Maintain the security and integrity of the Platform and prevent fraud and abuse;
- Keep records, including records of acceptance of disclaimers and agreements;
- Comply with legal obligations;
- Communicate with you about your account and, where permitted, about the service.
We do not sell your personal information. (See Part II, California section, for the specific meaning of "sell" and "share" under California law.)
5. Automated (AI) Processing
The Platform uses automated systems to summarize case information, assist with matching, and present content. This processing organizes information you and others provide. It does not make legal or similarly significant decisions about you without the safeguards described in Part II for users entitled to them. AI output is an information tool only and is not advice — see the Medical Disclaimer.
6. How and With Whom We Share Information
We share personal information only as described here:
- With Advisors: when you publish a case, the case information (de-identified where the service is designed to de-identify it) is made available to eligible Advisors so they can decide whether to respond. The scope of who can see your case may depend on the publishing tier you select.
- Between Publisher and a participating Advisor: to enable communication regarding a case.
- With service providers: companies that host our infrastructure, process payments, send communications, or provide analytics, acting on our instructions under contract.
- For legal reasons: where required by law, legal process, or a lawful request by a competent authority, or to protect rights, safety, or the integrity of the Platform.
- In a business transfer: in connection with a merger, acquisition, or sale of assets, subject to this Policy.
- With your consent: where you have asked us to share information.
Service providers:
- Stripe, Inc. (San Francisco, USA) — Payment processing
- Alibaba Cloud (US) Inc. (Santa Clara, USA) — Cloud hosting and infrastructure
- Vercel Inc. (San Francisco, USA) — Frontend hosting and CDN
- SendGrid (Twilio Inc.) (San Francisco, USA) — Transactional email delivery
This list may be updated from time to time. Material changes will be notified via email or platform announcement.
Drafting note: A list of categories of service providers (hosting, payment, email, analytics, AI processing) and their locations should be maintained and made available, especially for EEA/UK and PRC compliance.
7. Payment Information
Payments are processed by third-party payment processor(s). We receive transaction status and limited related information. We do not store full payment card numbers. Your use of a payment processor may also be subject to that processor's own privacy terms.
Stripe (payment processing), Alibaba Cloud (hosting), SendGrid (email).
Drafting note: Identify actual processors (e.g. Stripe, Alipay, WeChat Pay) and confirm what data each returns to us.
8. International Data Transfers
The operating entity is located in Mainland China. Service providers may be located in other countries. As a result, personal information — including health information — may be transferred across borders, including from the EEA/UK to China, and between China and other countries.
Cross-border transfers of this kind are subject to legal requirements in multiple jurisdictions. Where required, we rely on a lawful transfer mechanism (see Part II for the EEA/UK and Mainland China sections).
Data Storage Location: Your personal information is stored on Alibaba Cloud servers located in California, United States. We have implemented reasonable technical and organizational measures to protect your data.
9. Data Retention
We retain personal information for as long as needed to provide the Platform and for the purposes described in this Policy, and thereafter only as required for legal, regulatory, tax, accounting, dispute-resolution, or legitimate record-keeping purposes.
- Account information: retained while your account is active and for a period afterward.
- Case and health information: retained for the period described at the point of publication and afterward as required by law.
- Disclaimer / agreement acceptance records: retained for an extended period to evidence consent (recommended minimum 7 years; confirm).
- Some information must be retained for minimum periods under applicable law and cannot be deleted earlier even on request.
- Account data: retained for the duration of your account plus 3 years after deletion request.
- Health case data: retained for 5 years after case closure, then anonymized or deleted.
- Financial/transaction records: retained for 7 years as required by tax and accounting regulations.
- Server logs: retained for 90 days, then deleted.
- Cookie data: retained according to the cookie-specific durations listed in our Cookie Policy.
Drafting note: Specific retention periods per data category to be finalized and inserted, reconciling GDPR minimization with PRC mandatory-retention rules.
10. Data Security
We use technical and organizational measures designed to protect personal information, including access controls, encryption in transit, and restricted access on a need-to-know basis. No system is perfectly secure; we cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify you and the relevant authorities where required by law.
11. Children
The Platform is for adults. We do not knowingly collect personal information from anyone under 18 (or under the higher age set by your local law). If we learn we have collected such information, we will delete it. (See the Mainland China section regarding users under 14.)
12. Your Choices
- Access and update: you can access and update most account information in your settings.
- Communications: you can opt out of non-essential communications.
- Cookies: you can manage cookies as described in the Cookie Policy.
- Closing your account: you may close your account; see Section 9 on retention.
Additional rights for specific regions are described in Part II.
13. Changes to This Policy
We may update this Policy. We will revise the Effective Date and, for material changes, provide reasonable notice. Continued use after changes take effect constitutes acceptance, except where applicable law requires consent.
14. Contact
Privacy questions: privacy@rebirthealth.com
Beijing Lieyi Health Management Co., Ltd. (北京猎一健康管理有限公司), 北京市昌平区北七家枫树家园5区4号楼03
PART II — REGION-SPECIFIC SECTIONS
SECTION A — Users in the European Economic Area (EEA) and the United Kingdom (GDPR / UK GDPR)
A1. Data Controller and Representative
The data controller is Beijing Lieyi Health Management Co., Ltd. (北京猎一健康管理有限公司). A representative is to be appointed if required after assessment. Contact privacy@rebirthealth.com for current status.
A2. Legal Bases for Processing
We process personal data on these legal bases:
- Contract: to provide the Platform you have requested.
- Consent: for processing of health data (special-category data under Article 9), for non-essential cookies, and for optional communications. You may withdraw consent at any time.
- Legal obligation: to comply with laws that apply to us.
- Legitimate interests: to secure the Platform, prevent fraud and abuse, and improve the service, balanced against your rights.
We rely on your explicit consent to process special-category health data. If you do not provide it, we cannot provide the core service to you.
A3. Your GDPR Rights
You have the right to: access your data; rectify inaccurate data; erase data ("right to be forgotten"); restrict processing; data portability; object to processing based on legitimate interests; and withdraw consent. You also have the right to lodge a complaint with a supervisory authority.
To exercise these rights, contact dpo@rebirthealth.com. We will respond within the period required by law (generally one month).
A4. Limits on Erasure
Where you request erasure but we are legally required to retain certain data (including under retention rules that may apply because the controller is established in China), we will, to the extent of the conflict: cease active use of the data; restrict and isolate it; anonymize identifying elements where feasible; and delete it once the legal retention period expires. We will explain this to you when we respond to your request.
A5. Data Protection Officer / Contact
Contact: dpo@rebirthealth.com
A6. International Transfers
Your data is transferred to China and possibly other countries. Where required, we use Standard Contractual Clauses (SCCs) as adopted by the European Commission and supplementary measures. You may request information about these safeguards at dpo@rebirthealth.com.
A7. Automated Decision-Making
We do not use solely automated processing that produces legal or similarly significant effects about you without a lawful basis and applicable safeguards. AI features organize and summarize information; final decisions about cases are made by people.
SECTION B — Users in California (CCPA / CPRA)
B1. Notice at Collection
We collect the categories of personal information described in Part I, Section 3, for the purposes in Section 4. We do not sell your personal information for money.
B2. Categories of Personal Information
In the past 12 months we may have collected: identifiers (name, email, IP address); account credentials; commercial information (transactions); internet activity (usage data); geolocation (approximate, from IP); and sensitive personal information, namely health information you choose to submit.
B3. Sources and Purposes
Sources: directly from you, automatically through your use, and from service providers (e.g. payment confirmation). Purposes: as described in Part I, Section 4.
B4. Disclosure
We disclose personal information to service providers and to Advisors as described in Part I, Section 6, for business purposes. We do not sell personal information, and we do not "share" it for cross-context behavioral advertising, as those terms are defined under California law.
B5. Your California Rights
You have the right to: know what personal information we collect, use, and disclose; delete personal information, subject to legal exceptions; correct inaccurate personal information; opt out of sale or sharing (we do not sell or share, so no action is needed); and limit the use of sensitive personal information (we use health information only as needed to provide the service and as otherwise permitted without a separate "limit" obligation, but you may contact us with questions). You have the right not to receive discriminatory treatment for exercising these rights.
B6. How to Exercise Rights
Submit a request to privacy@rebirthealth.com. We will verify your request and respond within the timeframes required by law. You may use an authorized agent; we may require proof of authorization.
SECTION C — Users in Mainland China (PIPL)
C1. Sensitive Personal Information
Health information is sensitive personal information under the PIPL. We process it only with your separate consent, for the purpose of providing the Platform, and with enhanced protection. You may withdraw consent, though this may mean we can no longer provide the service.
C2. Separate Consent
By using the Platform and submitting health information, and by giving the separate consent requested at the point of collection, you consent to our processing of your sensitive personal information as described in this Policy.
C3. Cross-Border Transfer
Providing the service may involve transferring your personal information outside Mainland China to service providers. Where this occurs, we will obtain your separate consent for the cross-border transfer, inform you of the overseas recipient and the purpose, and use a lawful outbound-transfer mechanism as required by PRC law.
Standard contractual clauses and security assessment as required under PIPL. Contact privacy@rebirthealth.com for details.
Drafting note: Specify the mechanism actually used (standard contract / security assessment / certification) once determined.
C4. Data Retention
We retain your personal information for the minimum period necessary and as required by PRC law. Certain records must be retained for legally mandated minimum periods.
C5. Your PIPL Rights
You may access, copy, correct, and delete your personal information, request an explanation of our processing rules, and withdraw consent, subject to legal exceptions. Contact privacy@rebirthealth.com.
C6. Minors
We do not knowingly collect personal information from minors under 18. The personal information of minors under 14, if ever processed, is children's sensitive personal information requiring guardian consent and a dedicated rule; the Platform is not intended for them.
SECTION D — Users in Other Regions
If you are outside the EEA/UK, California, and Mainland China, the Universal Provisions in Part I apply to you. You may also have rights under your local law, including rights to access, correct, or delete personal information. Contact privacy@rebirthealth.com and we will assist you in accordance with applicable law.
⚙️ NOTES — NOT PART OF THE PUBLISHED DOCUMENT
To be removed before publication.
⚠️ ITEMS REQUIRING SPECIALIST REVIEW (data-protection counsel):
1. GDPR applicability + Article 27 representative. A PRC controller offering services to EEA/UK individuals is likely caught by GDPR and may be legally required to appoint an EU representative (and a UK representative). Assess and, if required, appoint.
2. EEA→China health-data transfers. This is a high-scrutiny transfer. Requires a valid mechanism (SCCs + transfer impact assessment + supplementary measures) and honest disclosure. Government-access considerations for transfers to China must be assessed.
3. PIPL outbound transfer. Transferring PRC users' personal information abroad triggers PIPL's outbound-transfer regime (security assessment / standard contract / certification, threshold-dependent), plus separate consent. Health data raises the bar further.
4. Separate consent flows. PIPL requires separate (not bundled) consent for (a) sensitive personal information and (b) cross-border transfer. The product must implement distinct consent steps, not a single "I agree."
5. Health data = special category / sensitive everywhere. GDPR Art. 9 explicit consent, CCPA sensitive PI rules, and PIPL sensitive PI rules all apply simultaneously. The consent UX must satisfy the strictest of them.
6. Retention conflict. GDPR minimization vs PRC mandatory retention is a genuine conflict; the retention schedule must be drafted with counsel so it is defensible in both regimes.
This document is a DRAFT and is not a substitute for review by qualified data-protection counsel covering the PRC, EU/UK, and California.