logo
Legal Hub

REPTWIN PRIVACY POLICY

Effective Date: 16 February 2026                   

Last Updated: 16 February 2026

Version: 1.0

This Privacy Policy describes how Doceree, Inc. (“Doceree,” “we,” “us,” or “our”) collects, uses, and discloses personal information when you access or use RepTwin at reptwin.ai (the “Site”) and related services. RepTwin may be accessed directly through the Site or as an embedded feature within Doceree’s demand-side platform and marketing platform (collectively, the “DSP/Marketing Platform”). This Policy applies regardless of how you access RepTwin, including through website embeds, messaging platforms, voice interfaces, CRM integrations, or other deployment channels.

1. INTRODUCTION AND SCOPE

1.1 Who We Are

Doceree, Inc. is a healthcare advertising technology company headquartered in New Jersey, United States. We operate RepTwin, an AI-enabled platform accessible at reptwin.ai that provides AI-powered virtual representatives for on-demand pharmaceutical product information and engagement (the “Service”).

RepTwin enables users to interact with AI-powered virtual representatives for pharmaceutical product information. RepTwin operates in HCP Engagement Mode, designed for healthcare professional use only. RepTwin may be deployed as a standalone experience at reptwin.ai or embedded within Doceree’s DSP/Marketing Platform. Available features depend on customer configuration.

1.2 Scope and Applicability

This Privacy Policy describes how Doceree collects, uses, processes, discloses, and protects personal information in connection with the RepTwin Site and Service, whether accessed directly or through Doceree’s DSP/Marketing Platform.

This Privacy Policy applies to:

  • Healthcare Professionals (HCPs), including physicians, nurses, pharmacists, and other licensed healthcare providers who access or use RepTwin;
  • Pharmaceutical Customer Users, including administrators, brand managers, agency personnel, and other personnel of pharmaceutical companies who create, configure, manage, or deploy AI virtual representatives through RepTwin or access RepTwin through Doceree’s DSP/Marketing Platform;
  • End Users who interact with RepTwin-powered experiences;
  • Internal Doceree Users, including sales, customer success, engineering, and operations personnel, who access RepTwin for sales enablement, training, platform administration, or operational purposes;
  • Site Visitors who access or interact with the RepTwin Site; and
  • Representatives of our business partners, vendors, and other third parties who interact with RepTwin.

When we use the terms “you” or “your” in this Policy, we mean any individual in the categories above who accesses or interacts with RepTwin or the Site.

Channel-Based Deployment: Data collection practices may vary depending on the deployment channel and features enabled by the deploying customer. See Section 1.3 (Modes of Deployment) for additional information.

1.3 Modes of Deployment

RepTwin may be deployed in different contexts, each affecting how personal information is collected and processed:

§  Hosted on RepTwin Site or DSP/Marketing Platform: When accessed directly through reptwin.ai or Doceree’s DSP/Marketing Platform, Doceree operates as the Business/Controller responsible for data collection and use.

§  Embedded on Customer Websites: When RepTwin is embedded on a pharmaceutical partner’s website, privacy responsibilities may be shared between Doceree and the deploying customer pursuant to applicable agreements. The customer’s privacy policy may also apply.

§  Accessed via Integrations: When accessed through third-party platforms (e.g., Veeva CRM, Salesforce, WhatsApp, voice interfaces), additional platform terms may apply and data collection practices may vary. Information collected through integrations is subject to this Policy and the applicable third-party platform’s terms.

1.4 Our Role Under Privacy Laws

Depending on the deployment context and processing activities, Doceree acts in different capacities under applicable privacy laws:

The allocation of responsibilities depends on the deployment context, applicable agreements, and the nature of processing activities.

Context

Our Role

When Doceree determines the purposes and means of processing—including operating RepTwin, collecting HCP account and interaction data, generating AI responses, improving AI models, and providing engagement analytics to pharmaceutical partners.

Business (CCPA/CPRA); Controller (state privacy laws)

CCPA/CPRA refers to the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100–1798.199.100) as amended by the California Privacy Rights Act (Proposition 24 (2020))

When processing personal information solely pursuant to a pharmaceutical partner’s documented instructions and contractual terms (e.g., customer-configured deployments where customer directs data handling).

Service Provider (CCPA/CPRA); Processor (state privacy laws)

1.5 What This Policy Does Not Cover

This Policy does not apply to:

(a) De-Identified or Aggregated Data. Information that has been de-identified in accordance with applicable law such that it cannot reasonably be used to identify, relate to, describe, or be linked to a particular individual or household. Until de-identification is complete, such data is treated as personal information and subject to applicable privacy protections. Once data is properly de-identified or aggregated, it is no longer subject to this Policy, and Doceree may use and disclose such data for any lawful purpose without restriction, including for research, analytics, product development, and commercial purposes.

(b) Publicly Available Information. Information that is lawfully made available from federal, state, or local government records, or that Doceree reasonably believes is publicly available, including NPI data, state licensing records, and professional directories. To the extent Doceree combines publicly available information with other personal information collected through the Service, this Policy applies to the combined information; however, the publicly available components of such combined information remain excluded from deletion rights.

(c) Third-Party Websites and Services. The privacy practices of third-party websites, applications, or services that may be linked to or accessible from our Site or security of any third-party sites or services. We encourage you to review the privacy policies of any third-party sites you visit.

(d) Client-Controlled Processing. When Doceree processes personal information solely on behalf of a pharmaceutical brand partner or other client pursuant to that client’s instructions and a written agreement, the client’s privacy policy governs how that personal information is collected, used, and disclosed. Individuals should direct any privacy inquiries regarding such processing to the applicable client.

(e) Business Contact Information. To the extent permitted by applicable law, this Policy does not apply to personal information reflecting a written or verbal communication or transaction between Doceree and an individual occurring solely within the context of the individual’s role as a current or former employee, contractor, owner, director, officer, or representative of a company, partnership, sole proprietorship, nonprofit organization, or government agency, where the communication or transaction occurs in the context of Doceree conducting due diligence or providing or receiving a product or service.

2. PERSONAL INFORMATION WE COLLECT

NOTICE: REPTWIN IS NOT DESIGNED TO COLLECT PROTECTED HEALTH INFORMATION (PHI) AS DEFINED UNDER HIPAA. USERS MUST NOT SUBMIT PATIENT NAMES, MEDICAL RECORD NUMBERS, DIAGNOSES, TREATMENT INFORMATION, DATES OF SERVICE, INSURANCE CLAIM NUMBERS, OR OTHER INFORMATION THAT COULD IDENTIFY A SPECIFIC PATIENT. IF PHI IS INADVERTENTLY SUBMITTED, DOCEREE MAY DELETE, MASK, OR QUARANTINE SUCH INFORMATION WITHOUT NOTICE AND WITHOUT LIABILITY, SUBJECT TO APPLICABLE SECURITY AND COMPLIANCE OBLIGATIONS (INCLUDING ADVERSE EVENT ESCALATION REQUIREMENTS). SEE SECTION 10 FOR ADDITIONAL INFORMATION.

BY USING REPTWIN, YOU ACKNOWLEDGE THAT: (A) YOU ARE RESPONSIBLE FOR ENSURING SUBMITTED INFORMATION COMPLIES WITH APPLICABLE LAWS; (B) DOCEREE MAY DELETE OR MASK PHI WITHOUT NOTICE; (C) DOCEREE DOES NOT CURRENTLY OPERATE REPTWIN AS A HIPAA-COVERED SERVICE; AND (D) SUBMISSION OF PHI IS PROHIBITED.  SEE SECTION 10 FOR DETAILS.

We collect the following categories of personal information:

Account Data: Name, email address, login credentials (username and password) for registered users, business or organizational affiliation, job title or role, and account preferences.

Chat Content and Transcripts: Prompts and queries submitted to RepTwin (including voice inputs and video interactions where such features are enabled), chat messages and conversation history, AI-generated responses, feedback provided on AI interactions, user corrections or ratings of AI outputs, and session identifiers associated with AI conversations.

Professional Information: Medical specialty and subspecialty, HCP type (physician, nurse, pharmacist, etc.), practice type and setting (hospital, clinic, private practice), employer or affiliated healthcare organization, and professional credentials.

Technical Identifiers: IP address, device identifiers (including mobile advertising IDs), browser type and version, operating system, cookie identifiers and pixel tags, session identifiers, and identifiers provided by identity resolution partners for user matching purposes.

Approximate Geolocation: General location derived from IP address (city, state, region). We do not collect precise geolocation (GPS coordinates).

Analytics and Usage Data: Browsing history on our Site and within Doceree’s DSP/Marketing Platform, clickstream data, session behavior events, pages visited, time spent, referring URLs, campaign interaction data, and information about how users interact with RepTwin features.

Admin-Uploaded Content: Documents, links, persona configurations, brand-approved content, and other materials uploaded by pharmaceutical customer administrators to configure and manage AI virtual representatives.

Inferences: Inferences drawn from the above categories to understand preferences, characteristics, and professional interests, including inferred interests in specific therapeutic areas or content topics, and propensity scores or audience segments used for advertising delivery.

De-Identified Advertising Signals: In connection with advertising workflows within Doceree’s DSP/Marketing Platform, we may receive de-identified, aggregated, or audience-level signals from advertising partners, supply-side platforms, or data providers. These signals may include age range, gender, insurance category or type, and diagnosis or procedure category codes. These signals are de-identified and are not linked to identified individuals. Doceree uses these signals solely for targeting logic, audience selection, and campaign optimization purposes, and does not attempt to re-identify individuals from such signals. De-identified advertising signals do not constitute “personal information” under this Policy to the extent they cannot reasonably be linked to an identified or identifiable individual.

NOTE: The categories above constitute “personal information” under applicable privacy laws only to the extent such information is linked or reasonably linkable to an identified or identifiable individual. Information that has been de-identified, aggregated, or is not linked to an individual does not constitute personal information under this Policy.

3. SOURCES OF PERSONAL INFORMATION

We collect personal information from the following sources:

Directly from You: When you create an account on RepTwin, interact with the AI-powered virtual representative experience, submit queries or prompts, provide feedback, communicate with us via email or other channels, or otherwise engage with the Service, including through authentication or verification processes.

From Pharmaceutical Customers: Pharmaceutical brand partners who use RepTwin to create virtual representative experiences, including product information, approved messaging content, representative persona details, and brand-approved materials such as prescribing information, safety information, and FAQs. Each content item provided by pharmaceutical customers is tracked with a Medical Content Number (MCN) for source attribution.

From Public and Commercial Sources: National Provider Identifier (NPI) Registry maintained by the National Plan and Provider Enumeration System (NPPES), a program of the Centers for Medicare & Medicaid Services (CMS), for HCP verification purposes.

Automatically Through Technology: Web tracking technologies (including cookies, pixels, and similar technologies), log files, session data, and server data, in each case in compliance with applicable law. RepTwin uses Google Analytics and may use additional analytics providers. For more information, see our Cookie Policy.

4. HOW WE USE PERSONAL INFORMATION

We use personal information for the following business and commercial purposes:

Providing and Operating RepTwin: Operating the RepTwin Service and delivering the AI-powered virtual twin experience in accordance with our Terms of Service, authenticating and verifying HCP credentials, processing and responding to user queries and prompts, generating AI-powered responses and content (subject to the AI Disclosure in Section 11), and maintaining conversation history for continuity of experience.

Improving the Service: Developing new features and capabilities, conducting research and analysis to improve AI performance and accuracy, analyzing aggregated and de-identified interaction data for quality assurance and service improvement, and analyzing usage patterns to enhance user experience.

Security and Fraud Prevention: Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity, protecting the security and integrity of RepTwin, enforcing our Terms of Service and other agreements, and monitoring for misuse of the Service.

Analytics and Measurement: Measuring engagement and usage metrics, understanding how users interact with RepTwin, analyzing chat transcripts for quality assurance and response improvement, and providing aggregated analytics and engagement insights to pharmaceutical brand partners and Doceree’s internal teams.

Advertising and Personalization: Delivering relevant content, offers, and advertising based on your professional interests and interactions with RepTwin, personalizing your experience, and measuring advertising effectiveness. Where applicable, this may include cross-context behavioral advertising as described in Section 6.

Communications: Responding to inquiries and providing support, sending service-related communications (account notifications, technical updates), and sending marketing communications where permitted by applicable law or with your consent.

Compliance Obligations: Complying with applicable laws, regulations, and legal processes, responding to lawful requests from public authorities, and establishing, exercising, or defending legal claims.

Product Development and Quality Assurance: Testing and improving AI functionality, reviewing transcripts for accuracy and safety, conducting internal audits and troubleshooting, and ensuring quality and accuracy of AI-generated content.

5. HOW WE DISCLOSE PERSONAL INFORMATION

We disclose personal information to the following categories of third parties for business purposes:

Service Providers: We engage service providers who process personal information on our behalf, including cloud hosting and infrastructure providers (AWS), AI model providers (including OpenAI, Anthropic, and other large language model providers), analytics providers (including Google Analytics), customer support platforms, email and communication service providers, voice and video model vendors (where such features are enabled), identity resolution partners (for user matching and audience verification), and security services providers. Our service providers are contractually obligated to use personal information only for specified purposes and to implement appropriate security measures. Disclosures to service providers are not “sales” of personal information under CCPA or similar state laws.

Affiliates: We may share personal information with our corporate affiliates and subsidiaries for purposes consistent with this Policy.

Pharmaceutical Brand Partners: We provide engagement analytics, performance metrics, and usage data to pharmaceutical brand partners whose virtual representative experiences you interact with. Depending on the customer’s deployment configuration and contractual terms, this may include transcript-level data and conversation history for quality assurance, compliance monitoring, and engagement analytics purposes. Data shared with partners may include identifiable information only where expressly authorized by configuration and contract. Access to such data is governed by role-based access controls (RBAC). De-identified and aggregated analytics may also be provided to help partners understand engagement patterns.

Internal Teams: Personal information is accessible to authorized Doceree personnel on a need-to-know basis for operating and improving the Service, providing support, and fulfilling legal obligations. Access is governed by role-based access controls (RBAC) and internal data access policies designed to limit access to personnel with a legitimate business need.

Referral Sources: If you access RepTwin through a third-party website or platform, we may share limited information with that referral source to confirm your engagement, subject to our agreements with such parties.

Legal and Regulatory Disclosures: We may disclose personal information when we believe in good faith that disclosure is necessary to comply with applicable law, regulation, or legal process (such as a subpoena or court order), respond to requests from government or public authorities, protect the rights, privacy, safety, or property of Doceree, our users, or others, enforce our Terms of Service or other agreements, or detect, prevent, or address fraud, security, or technical issues.

Business Transfers: If Doceree is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice before personal information becomes subject to a different privacy policy.

6. SALE AND SHARING OF PERSONAL INFORMATION

Sale of Personal Information: Doceree does not sell personal information as that term is traditionally understood. However, we may disclose certain personal information to pharmaceutical brand partners to support targeted content delivery and engagement analytics. Under certain state privacy laws, including the CCPA, such disclosures may be classified as a “sale” of personal information where they involve the exchange of data for valuable consideration. Categories that may be disclosed in this manner include identifiers (such as hashed email addresses and device identifiers), professional information (such as specialty and practice type), and usage data (such as engagement metrics). You have the right to opt out of such disclosures as described in Section 7.

Sharing for Cross-Context Behavioral Advertising: RepTwin uses cookies and similar tracking technologies, including Google Analytics. If these technologies enable cross-context behavioral advertising (showing you ads based on your activity across different websites or applications), such use may constitute “sharing” under the CCPA. You may opt out of cross-context behavioral advertising by enabling a Global Privacy Control (GPC) signal in your browser, using the opt-out methods described in Section 7, or adjusting your cookie preferences through our cookie consent mechanism.

Sensitive Personal Information and Consumer Health Data: We do not sell or share sensitive personal information or consumer health data (as defined under Washington’s My Health My Data Act and similar state laws) for advertising or marketing purposes.

7. YOUR PRIVACY RIGHTS AND HOW TO EXERCISE THEM

Depending on your state of residence, you may have the following rights regarding your personal information:

7.1 Available Rights

Right to Know/Access: You have the right to request that we disclose the categories of personal information we have collected about you for the 12 months preceding your request, the categories of sources from which we collected personal information, the business or commercial purposes for collecting, selling, or sharing personal information, the categories of third parties to whom we have disclosed personal information, and the specific pieces of personal information we have collected about you.

Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions. We will also direct our service providers to delete your personal information from their records. We may deny your deletion request if retaining the information is necessary to complete a transaction or provide a service you requested, detect security incidents or protect against malicious, deceptive, or illegal activity, debug to identify and repair errors, exercise free speech or another legal right, comply with a legal obligation, conduct research in the public interest (with your consent), or enable solely internal uses reasonably aligned with your expectations.

Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you, taking into account the nature of the personal information and the purposes of processing.

Right to Data Portability: You have the right to request a copy of your personal information in a portable, readily usable, machine-readable format that allows you to transmit the information to another entity.

Right to Opt Out of Sale/Sharing: You have the right to opt out of the sale of your personal information and the sharing of your personal information for cross-context behavioral advertising. To exercise this right, you may email us at privacy@doceree.com with the subject line “Opt-Out Request,” enable a Global Privacy Control (GPC) signal in your browser (see Section 16), or adjust your preferences through our cookie consent mechanism on the Site. We will process your opt-out request promptly and apply it to future data processing activities.

Right to Opt Out of Targeted Advertising: Certain state laws provide a right to opt out of "targeted advertising" (the display of advertisements based on personal information obtained from your activities over time and across non-affiliated websites or applications). To opt out, use the methods described above.

Right to Opt Out of Profiling: You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. RepTwin does not currently engage in profiling that produces such effects.

Right to Limit Use of Sensitive Personal Information: Under CCPA, you have the right to limit our use and disclosure of sensitive personal information to uses necessary to perform the services or provide the goods you request, or as otherwise permitted by law. Because we use sensitive personal information only for such permitted purposes, we do not offer a separate "Limit the Use of My Sensitive Personal Information" option.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. We will not deny you goods or services, charge you different prices or rates, provide you a different level or quality of goods or services, or suggest that you will receive a different price or level of service.

7.2 Submitting and Verifying Requests

You may submit a privacy rights request by emailing privacy@doceree.com or by mail to Doceree, Inc., Attn: 150 John F Kennedy Pkwy, Suite 403, Short Hills, NJ 07078.

To process your request, we will need your name and email address, your state of residence, the nature of your request (know/access, delete, correct, opt-out), and sufficient information to verify your identity and locate your records.

To protect your privacy and security, we must verify your identity before fulfilling your request. Our verification process may include matching information you provide against information we have on file, requesting additional documentation, or using a third-party verification service. For requests to know specific pieces of personal information or requests to delete, we apply a higher standard of verification.

7.3 Authorized Agents

You may designate an authorized agent to submit a privacy request on your behalf by providing the agent with written permission signed by you, verifying your identity directly with us, and having the agent submit proof of authorization with the request. If the agent has power of attorney under California Probate Code sections 4121-4130, we may waive the requirement for direct verification.

7.4 Response Timing and Limits

We will acknowledge receipt of your request within 10 business days and provide a substantive response within 45 days of receiving a verifiable request. If we need additional time (up to 45 additional days), we will notify you of the extension and the reason. You may submit a request to know up to twice in a 12-month period. There is no limit on deletion, correction, or opt-out requests.

7.5 Right to Appeal

If we decline to take action on your privacy request, you have the right to appeal our decision. To appeal, contact us at privacy@doceree.com with the subject line “Privacy Appeal” within 45 days of receiving our response. We will respond to your appeal within the timeframe required by applicable law (typically 45-60 days). If your appeal is denied, your exclusive remedy is to contact your state’s Attorney General to submit a complaint.

8. SENSITIVE PERSONAL INFORMATION

We collect the following categories of sensitive personal information in limited circumstances: account login credentials (username and password) for RepTwin access.

We do not collect: Social Security numbers, driver's license or passport numbers, financial account numbers, racial or ethnic origin, religious beliefs, union membership, contents of private communications (other than AI chat interactions for Service delivery), genetic data, biometric data, health information about users, or sex life/sexual orientation information.

We use sensitive personal information only for purposes permitted under CCPA § 1798.121(a), including performing services you request, ensuring security and integrity, and verifying or maintaining quality and safety. We do not use or disclose sensitive personal information for purposes of inferring characteristics about consumers. We do not sell or share sensitive personal information.

9. CONSUMER HEALTH DATA (WASHINGTON AND SIMILAR STATE LAWS)

This section applies to “consumer health data” as defined under Washington’s My Health My Data Act (RCW 19.373) and similar state laws (including Nevada SB 370 and Connecticut’s consumer health data provisions).

What May Constitute Consumer Health Data: In the course of providing RepTwin, we may collect or process health-related inferences derived from user queries or content engagement (e.g., interest in specific therapeutic areas or drug categories). Where such inferences are linked to an identifiable individual, they may constitute “consumer health data” under applicable state laws.

Consent and Rights: Where required by applicable law, we obtain consent before collecting or sharing consumer health data. You may withdraw consent at any time by contacting privacy@doceree.com.

No Sale: We do not sell consumer health data or exchange it for monetary or other valuable consideration.

Your Rights: If you are a Washington resident (or resident of another state with similar protections), you have the right to confirm whether we are collecting, sharing, or selling consumer health data about you, access your consumer health data, delete your consumer health data, and withdraw consent to the collection or sharing of your consumer health data. To exercise these rights, contact us using the methods in Section 7.

Geofencing Prohibition: We do not use geofencing technology to identify or track individuals at healthcare facilities for purposes of collecting consumer health data or delivering health-related advertising.

10. HIPAA AND PROTECTED HEALTH INFORMATION

RepTwin Is Not Designed to Collect PHI: RepTwin is not designed to collect, receive, maintain, or transmit Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). Users must not submit patient names, medical record numbers, dates of birth, diagnoses, treatment information, or other patient-identifiable information via any RepTwin interface. If PHI is inadvertently submitted, it may be transiently stored in intermediate processing layers before being automatically detected, masked, or deleted. During such intermediate processing, PHI is treated as personal information and subject to applicable security controls. Doceree does not currently operate RepTwin as a HIPAA-covered service and does not enter into Business Associate Agreements (BAAs) for RepTwin in its current configuration. Any health-related signals used in advertising workflows are received in de-identified form and are not linked to identified patients. If Doceree introduces PHI-processing workflows in the future, appropriate HIPAA controls and BAA requirements would apply to those specific workflows.

Regulatory Status: RepTwin is not operated as a patient portal and is not designed to facilitate clinical care or process insurance claims. In its current configuration, Doceree does not act as a Covered Entity or Business Associate under HIPAA in connection with RepTwin. Doceree’s use of de-identified health-related signals in advertising workflows does not trigger HIPAA obligations because such signals do not constitute PHI.

User Responsibility: Users are prohibited from submitting PHI or patient-identifiable information through any RepTwin interface. If PHI or patient-identifiable information is submitted, Doceree may delete, mask, or quarantine such information in accordance with internal data handling procedures, without notice and without liability. Doceree reserves the right to suspend or terminate access for users who repeatedly submit prohibited content.

De-Identified Data from Partners: Certain RepTwin features and advertising workflows may utilize de-identified or audience-level datasets provided by pharmaceutical partners, authorized third parties, or supply-side advertising platforms. Where  Doceree receives such data, we may require contractual representations that the data has been de-identified in accordance with applicable standards, which may include HIPAA Safe Harbor or Expert Determination methods or other recognized frameworks. Doceree does not attempt to re-identify individuals from de-identified data. De-identified data is not subject to this Privacy Policy.

11. ARTIFICIAL INTELLIGENCE DISCLOSURE

RepTwin uses artificial intelligence and machine learning technologies to generate responses and provide the virtual representative experience. By using RepTwin, you acknowledge the following:

Third-Party Model Providers: RepTwin utilizes artificial intelligence models from third-party providers such as OpenAI and Anthropic, with an intent to incorporate Doceree’s proprietary layered models over time. Your prompts and interaction data, including voice inputs and video interactions where such features are enabled, may be processed by third-party model providers in accordance with their privacy practices and our data processing agreements. Where we use such providers as sub-processors, we do so under contractual terms intended to protect confidentiality and privacy. Doceree seeks to restrict its third-party AI providers from using RepTwin interaction data to train their public or general-purpose foundation models. RepTwin data is used only to provide the Service, maintain security, and support permitted operational improvements, as described in this Privacy Policy and applicable agreements.

Audio, Voice, and Video Interactions: RepTwin may support interactions via text, audio, or video, depending on customer configuration. If you elect to use audio or video interactions, the Service may process associated information including audio recordings, transcriptions of audio content, video files, and interaction metadata such as session duration and technical logs.

Doceree does not use voice interactions to identify users or for user authentication purposes. We do not create, store, or maintain “voiceprints,” biometric identifiers, or other biometric information derived from voice data for the purpose of identifying or authenticating individuals. Voice and audio data processed through RepTwin is used solely to facilitate the conversational AI experience and provide requested information, not for biometric identification.

Where required by applicable law, including Illinois, Texas, Washington, or other jurisdictions that regulate the processing of biometric information, Doceree will provide appropriate notices and obtain necessary consent prior to processing audio or video data in a manner that may be subject to such regulations. The availability of audio and video features may vary by jurisdiction based on applicable legal requirements.

Audio recordings and video files may constitute personal information under the California Consumer Privacy Act and similar state privacy laws. Such information is processed for the business and commercial purposes described in Section 4 of this Policy. Audio and video data that relates to health inquiries or therapeutic areas may be subject to the consumer health data protections described in Section 9, where applicable. Users must not submit sensitive personal information, PHI, PII, or other confidential health data through audio, video, or any other RepTwin interface. See Section 10 for additional information regarding PHI prohibitions.

Audio and video data is retained in accordance with the retention periods and policies described in Section 12. Doceree reserves the right, in its sole discretion, to transcribe audio content and delete the original audio recording, store audio/video files for the full retention period, or implement other retention practices as operationally determined. Users acknowledge that audio and video interactions may be subject to the same AI processing, quality review, and analytics activities described elsewhere in this Section 11.

Bring Your Own Model (BYOM): Pharmaceutical customers may elect to use their own AI models. Where BYOM is enabled, interactions may be processed by the customer-designated model provider in accordance with that provider’s privacy practices and applicable agreements.

AI-Generated Content: Responses provided through RepTwin are generated by artificial intelligence systems based on brand-approved content provided by pharmaceutical customers and associated knowledge bases. Where RepTwin is configured using pharmaceutical partner-provided content (including prescribing information, approved labels, FAQs, or other materials), the pharmaceutical partner is solely responsible for ensuring such content has undergone appropriate medical, legal, and regulatory review and approval (“MLR”) prior to upload. Doceree does not independently verify, validate, or approve the accuracy, completeness, regulatory compliance, or appropriateness of pharmaceutical partner-provided content. AI-generated outputs may contain errors, omissions, inaccuracies, or outdated information. Users should not rely on AI-generated content without independent verification. While we implement quality controls, Doceree does not guarantee the accuracy, completeness, or reliability of AI-generated responses. Where applicable, responses reference Medical Content Numbers (MCNs) for source attribution.

Not Medical Advice: RepTwin is an informational tool only. It does not provide medical advice, diagnosis, or treatment recommendations. RepTwin is not intended for and must not be used for emergency use, clinical decision support, diagnosis, treatment decisions, or any purpose requiring real-time medical judgment. AI-generated responses are not a substitute for professional medical judgment, clinical training, peer-reviewed literature, or official prescribing information. Healthcare professionals must independently verify all information and exercise their own professional judgment. Patients must consult their healthcare providers for medical guidance and must not rely on RepTwin for medical decisions. Users are solely responsible for independently verifying RepTwin outputs and must not rely on RepTwin responses as a substitute for professional medical training, judgment, clinical guidelines, regulatory guidance, clinical expertise or official prescribing information.

Model Training and Improvement: Doceree does not use RepTwin interaction data, including chat transcripts, metadata, or analytics outputs, to train or fine-tune third-party AI models (such as OpenAI or Anthropic models). Any use of interaction data for customer-specific response optimization is strictly limited to opt-in arrangements with the applicable customer. Doceree does not permit pharmaceutical partners or other third parties to use RepTwin interaction data to train their own AI models unless expressly authorized in a written agreement with Doceree.

Human Review: AI interactions may be reviewed by Doceree personnel or authorized contractors for quality assurance, safety monitoring, accuracy verification, and service improvement purposes. Such reviews are conducted in accordance with our data security policies and access controls.

Guardrails and Safety: RepTwin implements guardrails including fallback responses when answers are unavailable, controls for off-label query responses, adverse event escalation workflows, and user guidance discouraging submission of PHI.

Limitations: AI systems have inherent limitations. RepTwin may not have access to the most current information, may not understand context or nuance in all cases, and may produce responses that are incomplete, outdated, or not applicable to specific situations. AI outputs may be incorrect, misleading, or inconsistent. RepTwin may “hallucinate” information that appears plausible but is inaccurate. The quality and accuracy of responses depends on the content and knowledge bases provided by pharmaceutical customers and the inherent limitations of the underlying AI models.

12. DATA RETENTION

We retain personal information and related usage information only for as long as reasonably necessary to provide the Service, operate our business, comply with legal and contractual obligations, protect the security and integrity of the Service, and resolve disputes. Unless a longer retention period is required or permitted by law, we generally retain RepTwin interaction data (including chat interactions, logs, and technical telemetry) for up to twenty-four (24) months. In certain circumstances, we may retain specific records for a longer period where required for security, compliance, audit, dispute resolution, or safety reporting obligations (including adverse event escalations); see the retention table below and Section 17.6 for safety-specific retention requirements.

Retention periods vary based on the type of information and our relationship with you:

Category of Information

Retention Period

Account Data

Duration of account plus 12 months following account closure or deletion request.

Chat Transcripts and Interaction Data

24 months from creation, unless deleted earlier at your request or extended for legal holds, regulatory investigations, compliance requirements, or contractual obligations. Retention periods may vary based on customer agreements and applicable legal requirements.

Usage and Analytics Data

24 months from collection.

Cookie and Device Identifiers

In accordance with our Cookie Policy. Session cookies expire upon browser close. Persistent cookies are retained as specified in the Cookie Policy.

Security and Audit Logs

60 months from creation, to support security incident investigation, forensic analysis, and legal defense.

Safety Information and Adverse Event Records

Indefinitely, or for such period as required by applicable law, regulatory guidance, or contractual obligations with pharmaceutical partners. See Section 17.6.

Retention periods may be extended for ongoing litigation, regulatory investigation, legal compliance, or contractual obligations. When personal information is no longer required, it is securely deleted or de-identified. De-identified and aggregated data may be retained for research, analytics, and product development purposes without time limitation. Backup copies are retained for disaster recovery consistent with our backup retention schedule. To request deletion, see Section 7. Deletion requests are subject to applicable legal exceptions.

13. DATA SECURITY

Doceree implements reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, disclosure, alteration, and destruction. Our security program is designed to be appropriate to the nature of the information we process and the risks presented by our processing activities.

Administrative Safeguards: Information security policies and procedures, role-based access controls (RBAC) and need-to-know access restrictions, employee training on data protection, background checks for employees with access to sensitive data, incident response procedures, and vendor security assessments.

Technical Safeguards: Encryption of data in transit (TLS 1.2+) and at rest (AES-256), access controls and authentication requirements, intrusion detection and prevention systems, regular vulnerability assessments and penetration testing, and logging and monitoring of system access.

Physical Safeguards: Secure data center facilities with access controls, environmental controls (fire suppression, climate control), and secure disposal of hardware and media.

While we strive to protect personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

In the event of a data breach involving personal information, we will investigate and contain the breach, assess the risk of harm to affected individuals, notify affected individuals and regulators as required by applicable law, and take steps to prevent future breaches.

14. CHILDREN'S PRIVACY

RepTwin is designed for licensed healthcare professionals. We do not knowingly collect personal information from children under 16 years of age. Our Site and Service are not directed to children. If you are a parent or guardian and believe we have collected personal information from your child under 16, please contact us immediately at privacy@doceree.com. We will promptly delete such information. We do not sell or share the personal information of consumers we know to be under 16 years of age.

15. CROSS-BORDER DATA TRANSFERS

Doceree, Inc. is headquartered in the United States. For US users, personal information is stored and processed primarily in the United States. We may store personal information in other regions corresponding to the user’s location as our operations expand:

Data Residency: Personal information from users in the United States is stored by default in the United States. Personal information from users in the European Union or United Kingdom is by default stored in EU/UK regions, respectively. Controls shall be put in place to prevent personal information from being processed outside the user's region unless legally permitted through approved transfer mechanisms (such as Standard Contractual Clauses or other lawful bases). Where personal information is transferred across borders, Doceree implements administrative, technical, and contractual safeguards designed to protect such data, including role-based access controls, security monitoring, and vendor restrictions. Access to personal information is limited to authorized personnel with a legitimate business need.

Service Provider Processing: Personal information may be processed by our service providers, including LLM providers (such as OpenAI and Anthropic) and analytics providers (such as Google Analytics), in their respective locations in accordance with our data processing agreements. Personal information transmitted to LLM providers is limited to what is reasonably necessary to generate Outputs. Where feasible, data minimisation and masking techniques are applied prior to transmission. Our LLM providers are contractually restricted from retaining personal information or using it for model training.Transfer Mechanisms: Where personal information is transferred across borders, Doceree relies on lawful transfer mechanisms including Standard Contractual Clauses (SCCs) approved by relevant authorities, consent (where appropriate), and other mechanisms permitted under applicable law.

By using RepTwin or providing personal information to us, you acknowledge that your information may be transferred to and processed in the locations described above, which may have different data protection laws than your country of residence.

16. DO NOT TRACK AND GLOBAL PRIVACY CONTROL

Cookies and Tracking Technologies: RepTwin uses cookies and similar tracking technologies, including Google Analytics, to collect usage data and improve the Service. A cookie consent mechanism is implemented where required by applicable law or as a best practice. For more information about the cookies we use and how to manage your preferences, please see our Cookie Policy.

Do Not Track: Our Site does not currently respond to “Do Not Track” (DNT) browser signals, as there is no industry-standard interpretation of DNT signals.

Global Privacy Control: We recognize and honor Global Privacy Control (GPC) signals as a valid opt-out of the “sale” or “sharing” of personal information under CCPA and applicable state laws. When we detect a GPC signal from your browser, we will treat it as a request to opt out of the sale/sharing of personal information associated with that browser and apply the opt-out to the specific browser or device from which the signal is sent.

To enable GPC, visit https://globalprivacycontrol.org/ for instructions. We will also honor other opt-out preference signals that meet the technical specifications established by the California Attorney General or California Privacy Protection Agency.

17. ADVERSE EVENTS, PRODUCT COMPLAINTS, AND SAFETY ESCALATIONS

RepTwin may be used in contexts where users submit information that could indicate potential adverse events, side effects, product quality complaints, medication errors, or other safety-related information (“Safety Information”). This section describes Doceree’s role in facilitating the identification and escalation of such information to pharmaceutical partners.

17.1 Detection and Identification

RepTwin implements automated monitoring capabilities designed to identify potential Safety Information within user interactions. These capabilities may include keyword and phrase detection, AI/NLP-based classification of chat content, pattern recognition algorithms, and other detection mechanisms as configured by Doceree or pharmaceutical partners.

Detection mechanisms are designed to support, but do not guarantee, identification of Safety Information. Doceree does not warrant that all Safety Information will be detected, flagged, or escalated. Pharmaceutical partners may configure detection sensitivity, keywords, phrases, and other parameters based on their specific products, therapeutic areas, and compliance requirements.

17.2 Escalation Workflows

Where potential Safety Information is identified, Doceree may implement escalation workflows designed to facilitate transmission to appropriate pharmaceutical partner personnel. These workflows may include:

  • Automated email alerts transmitted to designated pharmaceutical partner contacts, including pharmacovigilance teams, medical affairs personnel, safety officers, or other specified recipients as configured in applicable agreements;
  • Integration with pharmaceutical partner safety databases and case management systems where such integration has been established and configured pursuant to applicable technical and contractual arrangements;
  • Flagging and queuing of potential Safety Information for pharmaceutical partner review through dashboard interfaces, reporting tools, or other access mechanisms provided through the Service.
  • Specific escalation workflows, timing, and integration pathways are configured pursuant to agreements with pharmaceutical partners.

17.3 Doceree’s Role and Limitations

Doceree is not a pharmaceutical manufacturer, marketing authorization holder, licensed distributor, or entity subject to pharmacovigilance obligations under FDA, EMA, or other regulatory frameworks. Doceree does not assume pharmaceutical partners’ regulatory pharmacovigilance responsibilities, reporting obligations, or compliance duties.

Doceree’s role is strictly limited to: (a) implementing detection and escalation workflows as configured pursuant to applicable agreements, (b) facilitating transmission of potential Safety Information to designated pharmaceutical partner contacts through established channels, and (c) retaining records as necessary to support compliance, auditability, and operational requirements. Doceree does not independently assess, evaluate, or make determinations regarding the validity, severity, causality, or reportability of potential adverse events. Pharmaceutical partners remain solely responsible for all pharmacovigilance obligations, including adverse event assessment, causality determination, regulatory reporting, and case follow-up.

17.4 User Reporting Obligations

Users who become aware of adverse events, product complaints, or safety concerns related to pharmaceutical products discussed through RepTwin should report such information directly to the relevant pharmaceutical manufacturer and/or applicable regulatory authority in accordance with applicable laws, regulations, and professional standards.

Users with professional reporting obligations, including healthcare professionals subject to regulatory or professional society requirements, must comply with all applicable adverse event reporting laws, regulations, and professional standards independent of any RepTwin escalation workflows.

RepTwin’s automated escalation workflows are designed to supplement, not substitute for, users’ independent reporting obligations. Users remain responsible for fulfilling their own legal and professional reporting requirements regardless of RepTwin’s detection or escalation capabilities.

17.5 Prohibited Conduct

Users must not use RepTwin to:

  • Conceal, suppress, or fail to report adverse events, safety concerns, or product complaints that they are legally, professionally, or contractually obligated to report to regulatory authorities, pharmaceutical manufacturers, or other entities;
  • Submit false, misleading, inaccurate, or fraudulent adverse event reports, safety information, or product complaints;
  • Interfere with, circumvent, disable, or attempt to defeat adverse event detection or escalation workflows implemented through RepTwin;
  • Misuse safety reporting features, escalation mechanisms, or detection capabilities for purposes unrelated to legitimate safety reporting or pharmacovigilance activities.

Violations of these prohibitions may result in suspension or termination of access to RepTwin and may expose users to legal liability under applicable laws and regulations.

17.6 Retention of Safety Information

Safety Information and related records, including chat transcripts, escalation logs, email communications, and associated metadata, are retained indefinitely, or for such period as required by applicable law, regulatory guidance, or contractual obligations with pharmaceutical partners, whichever is longer. Such Safety Information is stored separately from standard chat logs and is accessible only to limited, authorized teams with a legitimate need for access.

Such Safety Information and records may not be subject to deletion requests, access limitations, or other privacy rights where retention is required or permitted for: (a) compliance with legal, regulatory, or contractual obligations, (b) audit, accountability, and record-keeping purposes, (c) support of pharmaceutical partner pharmacovigilance and regulatory reporting obligations, (d) establishment, exercise, or defense of legal claims, (e) completion of ongoing safety escalation processes, or (f) other legitimate business purposes as determined by Doceree.

For general data retention policies and procedures, see Section 12 (Data Retention) of this Policy.

17.7 Disclaimers and Limitations

Doceree provides Safety Information detection and escalation workflows on an “as configured” and “as available” basis without warranties regarding detection accuracy, escalation timing, or compliance outcomes. Pharmaceutical partners are solely responsible for configuring appropriate workflows to meet their regulatory requirements. Nothing in this section creates or transfers any pharmacovigilance obligation or regulatory reporting responsibility from pharmaceutical partners to Doceree.

 

18. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this Policy, provide notice through our Site or by other means (such as email) as appropriate, and obtain consent where required by applicable law.

We encourage you to review this Policy periodically to stay informed about our privacy practices. Prior versions of this Policy are available upon request by contacting privacy@doceree.com.

19. CONTACT US

Privacy Inquiries:

Doceree, Inc.

Address: 150 John F Kennedy Pkwy, Suite 403,

Short Hills, NJ 07078

Email: privacy@doceree.com

Privacy inquiries may be submitted via email. We will respond to inquiries within the timeframes required by applicable law.

Grievance Redressal: If you have a complaint or concern about our privacy practices that has not been resolved to your satisfaction, you may contact the California Office of the Attorney General, your state’s Attorney General office, or the Federal Trade Commission at ftc.gov/complaint.

20. SUPPLEMENTAL STATE NOTICES

California Residents: This entire Policy applies to California residents. Your CCPA/CPRA rights are detailed in Section 7. To exercise your rights, use the methods described in Section 7.2.

Virginia, Colorado, Connecticut, Texas, New Jersey, and Other State Residents: Residents of states with comprehensive privacy laws have similar rights to those described in Section 7. You may exercise your rights by contacting us using the methods in Section 7.2. You also have the right to appeal our decision on your request (see Section 7.5).

Nevada Residents: Nevada residents may opt out of the sale of certain "covered information" as defined under Nevada SB 220. We do not currently sell covered information as defined by Nevada law. If you are a Nevada resident and wish to submit an opt-out request, please contact privacy@doceree.com.

21. SUPPLEMENTAL NOTICE FOR UK AND EEA USERS

This section provides additional information for users located in the United Kingdom and European Economic Area (EEA). This section supplements, and does not replace, the other provisions of this Privacy Policy. For UK GDPR purposes, Doceree, Inc. is the Controller of your personal information. Our contact details are provided in Section 19.

21.1 Legal Bases for Processing

We process your personal information under the following legal bases:

  • Contract Performance (Article 6(1)(b)): Processing is necessary to provide the RepTwin Service you have requested, including account creation and authentication, delivering AI-powered virtual representative experiences, processing queries and generating responses, and maintaining conversation history for service continuity.
  • Legitimate Interests (Article 6(1)(f)): Processing is necessary for Doceree’s legitimate interests, which include improving and developing the Service and AI models, conducting analytics and measuring engagement, marketing and advertising (including delivering relevant content and offers based on your professional interests), maintaining security and preventing fraud, protecting the integrity of the Service, and providing aggregated analytics to pharmaceutical partners. We have conducted balancing assessments and determined that these interests are not overridden by your rights and freedoms, taking into account the professional context in which RepTwin operates and the robust measures we implement to protect your information.
  • Legal Obligation (Article 6(1)(c)): Processing is necessary for compliance with our legal obligations, including responding to lawful requests from authorities, adverse event escalation and safety reporting as described in Section 17, and regulatory compliance requirements.
  • Consent (Article 6(1)(a)): Where required by applicable law, including for certain marketing communications and cookies or tracking technologies. Where we rely on consent, you may withdraw consent at any time by contacting us at privacy@doceree.com. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.

21.2 Your Additional Rights

In addition to the rights described in Section 7, UK and EEA users have the following additional rights under UK GDPR:

  • Right to Restrict Processing: You may request restriction of processing in certain circumstances, such as while we verify the accuracy of data you claim is inaccurate or while we assess your objection to processing based on legitimate interests.
  • Right to Object: You may object to processing based on our legitimate interests. We will cease such processing unless we demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. This does not affect the lawfulness of processing conducted prior to withdrawal.
  • Right to Lodge Complaint: You may lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or your local EEA supervisory authority. Before lodging a complaint with a supervisory authority, we encourage you to contact us first so we can address your concerns directly and efficiently.

21.3 International Transfers

Your personal information may be transferred to and processed in the United States and other countries outside the UK and EEA. For transfers from the UK and EEA, Doceree relies on appropriate safeguards including: (a) UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses, (b) EU Standard Contractual Clauses, (c) adequacy decisions where applicable, and (d) other lawful transfer mechanisms recognized under applicable law. We implement appropriate technical and organizational safeguards to ensure your personal information remains protected in accordance with this Privacy Policy.

21.4 UK Controller

For users located in the United Kingdom, Doceree UK Limited acts as the controller of personal information processed in connection with RepTwin. Doceree UK Limited can be contacted at:

Doceree UK Limited

Jubilee Business Centre 213 Kingsbury Road Suite 15,

First Floor, London NW9 8AQ

Email: privacy@doceree.com

21.5 Automated Decision-Making

RepTwin does not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. While RepTwin uses AI to generate responses and provide information, these outputs are informational only and do not constitute automated decisions with legal or similarly significant effects. Users are solely responsible for independently evaluating and acting upon any information provided through the Service.

22. ADDITIONAL RESOURCES

  • Privacy Policy: reptwin.ai/privacy
  • Terms of Use: reptwin.ai/terms
  • Acceptable Use Policy: reptwin.ai/acceptable-use
  • Cookie Settings: reptwin.ai/cookie-settings

© 2026 Doceree, Inc. All rights reserved.