Do Today — Privacy Policy
Effective date: July 2026
Last updated: July 2026
Applies to: dotoday.com.au, the Do Today web app, the @dotoday_abraham_bot Telegram companion, and the Do Today MCP server.
1. Who we are and what this policy covers
Black Health Intelligence Pty Ltd (ACN 693 026 112, ABN 23 693 026 112), trading as Do Today ("Do Today", "we", "us", "our"), is an Australian company. We are an APP entity and we handle your personal information in accordance with the Privacy Act 1988 (Cth) (the "Privacy Act") and the 13 Australian Privacy Principles (APPs).
Do Today is a paid, conversational AI health companion for adults (18 years and over) who are in a medically-supervised weight-management program. It is designed to support you between appointments with your treating practitioners. Our AI companion is called Abraham. Abraham is an AI: it does not diagnose, it is not a medical device, and it does not replace your Nurse Practitioner, Dietician, Psychologist, or other treating practitioner. (See our Terms of Service.)
Do Today is not an emergency or crisis service. If you are in crisis or think you may harm yourself or someone else, call 000, or contact Lifeline on 13 11 14.
This policy explains what personal information we collect, why, how we use and disclose it (including overseas, because our AI runs on offshore providers — see Section 6), how we store and protect it, how long we keep it, and the rights you have over it. It satisfies our APP 1 obligation to maintain a clearly expressed and up-to-date privacy policy. If you would like this information in another format, contact us (Section 14).
2. The information we collect
Because Do Today is a health product, much of what we collect is sensitive information under the Privacy Act. Health information is sensitive information, and the Act gives it a higher level of protection — we generally must not collect it without your consent (APP 3). We collect it only after you give express consent to health-information processing — an affirmative, per-scope consent captured before you use the health features (the health-information processing scope) — and, separately, express consent to the overseas AI processing described in Section 6 (the overseas AI processing scope). We do not treat the mere act of providing health information as implied consent on its own.
We collect the following categories.
2.1 Account and identity information
- Email address and display name.
- Authentication data (managed through our authentication provider, Supabase).
- Age confirmation (you must confirm you are 18 or over — we operate a hard 18+ gate).
- Subscription and entitlement status (e.g. active subscriber, trial, Downscale-patient grant, admin).
2.2 Health and wellness information (sensitive information)
- Diary entries across the health domains: nutrition and food logs, hydration, activity and exercise, sleep, mood and mental-wellbeing entries, journal entries, intimacy entries, and clinical/medication entries.
- Medications you record and medication-adherence logs.
- Body metrics and body composition: weight, height, waist and other measurements, and (where you provide them) body-composition figures.
- Medical conditions, allergies, dietary requirements, pregnancy/breastfeeding status, and fluid-restriction information you tell us — used to run safety checks (for example, allergen, dietary, injury, pregnancy/GLP-1, and fluid-restriction warnings).
- Goals and targets (e.g. calorie, macro, hydration, and activity targets).
- Photographs you choose to submit for meal analysis. The photo is sent to our AI provider to be analysed, and Do Today stores only the values it extracts (e.g. an estimated calorie figure), not the photograph itself.
- Voice notes you send (e.g. via Telegram, or using the in-app microphone). These are transcribed to text by our transcription provider (OpenAI Whisper — see Section 6) so Abraham can act on them; Do Today stores the resulting text, not the audio recording.
2.3 Conversation and AI-companion information
- The messages you send to Abraham and its replies, across web, Telegram, and the MCP server.
- AI "memory": facts we derive and store to personalise your experience (e.g. preferences, goals, and medical facts you have confirmed). You can have Abraham forget a remembered fact by asking it directly in chat, and all AI memory is deleted when you delete your account — see Section 10.
2.4 Payment information
- We use Stripe to process subscription payments. Your card details are entered into and handled by Stripe — we do not store your full card number, and we do not send your health information to Stripe. We receive limited billing metadata (e.g. subscription status, the fact of payment).
2.5 Usage and technical information
- How you interact with the app and AI features (for product analytics and safety/telemetry). We minimise the personal and health content in our operational logs and telemetry.
- Device and technical data such as browser type, device information, and IP address.
- Cookies and similar technologies used to keep you signed in and to enforce the guest free-message limit.
2.6 Guests (logged-out use)
You can try the Abraham chat without an account, up to a small number of free messages (tracked by a cookie in your browser). As a guest you do not have an account and we do not build a stored health record for you. Your guest messages are still processed by our overseas AI providers to generate a reply (Section 6), and our safety checks — including the crisis check — still apply. To use the full companion, memory, and health features you must create an account and give the consents described above.
2.7 Information we do NOT collect
- We do not knowingly collect information from anyone under 18.
- We are not connected to the national My Health Record system and do not collect Healthcare Identifiers.
- We do not collect racial/ethnic, political, religious, or similar sensitive information beyond health information, and you should not enter it.
3. Why we collect and how we use your information (APP 6)
We use your personal information only for purposes related to providing Do Today, and for directly-related purposes you would reasonably expect. Specifically, to:
- Provide, personalise, and operate the Do Today service and the Abraham companion.
- Generate AI-powered insights, coaching, reminders, and suggestions from your logged data.
- Run clinical-safety checks (allergen, dietary, injury, pregnancy/GLP-1, fluid-restriction, and crisis checks).
- Compute your targets and trends (e.g. BMR/TDEE, hydration targets, body-composition change) — these calculations are done deterministically in our own code.
- Deliver reminders and share cards over the channels you enable (in-app, Telegram, email).
- Manage your subscription, billing, and entitlements.
- Maintain security, prevent fraud and misuse, and keep an accountable record of certain events.
- Provide support and respond to your requests.
- Comply with our legal obligations.
We handle your health information only for the health-companion purposes above. We will not use your health information for a different, unrelated purpose without your consent, except where the Privacy Act permits or requires it.
Data residency (where your information is stored). Your personal and health information is stored in Australia — held at rest in our database in the Sydney region (Section 7). The only step that leaves Australia is the AI-processing step: to generate Abraham's responses, transcribe voice, analyse a meal photo, or create the text embeddings used for memory and search, content is sent to overseas AI providers to be processed and returned. This overseas processing happens only with your consent (APP 8 — see Section 6).
3.1 Consent for collecting health (sensitive) information
Before you use the health features, we ask for your express consent to health-information processing (an affirmative step captured at signup, or the first time you send health information). We handle the health information you then provide — by logging entries, telling Abraham about a condition, or sending a voice note or photo — under that express consent, for the purposes in this Section 3. We do not treat the act of entering health information as implied consent on its own. You can withdraw consent at any time (Section 10.5); withdrawing may limit or stop parts of the service that depend on that information.
3.2 What we do NOT do
- We do not sell your personal information.
- We do not share your health information with advertisers or data brokers.
- We do not use your personal information to train our own AI models.
- The overseas AI providers that process your data do not, under their standard API terms, use data submitted through their APIs to train their models. Your data is sent to them transiently, for processing only, to generate your result — which is precisely why we obtain your express consent before it happens (Section 6).
4. Direct marketing (APP 7)
If we send you marketing communications (e.g. product news), we will only do so where permitted, and every marketing message will contain an easy unsubscribe. We will not use your health information to target marketing to you. You can opt out of marketing at any time without affecting your subscription or the service.
5. How we collect it, and collection notices (APP 3 & APP 5)
We collect information directly from you when you sign up, log entries, chat with Abraham, submit a photo, send a voice note, or contact us.
Where you are a patient of a partner clinic (for example, on the Downscale free-access grant), we may confirm your patient or active-membership status with that clinic's Australian practice-management system (Halaxy) so we can grant your access. This is an inbound check of your membership status; we do not send your Do Today health record to Halaxy.
At or before the point we collect sensitive information — particularly the first time you send health information to the AI — we give you a short, just-in-time collection and consent notice telling you what is being collected, why, and the key disclosures (including the overseas AI processing in Section 6). This policy is our standing APP 5 notice.
6. AI processing and overseas disclosure — please read this (APP 8)
This is the most important disclosure in this policy.
Do Today's AI companion (Abraham) is powered by large-language-model and related AI services accessed through the Vercel AI Gateway. The AI providers we currently use are Anthropic (Claude models, for chat, meal-photo and image analysis, and some safety checks) and OpenAI (Whisper for voice-note transcription, and text-embedding models for memory and search). These providers, and the Vercel AI Gateway that routes to them, operate on infrastructure located in the United States (and potentially other countries outside Australia).
What this means: when you chat with Abraham, or when we generate insights, run some safety checks, transcribe a voice note, or analyse a meal photo, the content involved — which can include your health information and other personal information about you — is disclosed to these overseas providers so they can process it and return a result.
- The information is sent for processing only, to generate your result. Under the providers' standard API terms, they do not use data submitted through their APIs to train their models. Do Today does not sell your personal information and does not use it to train our own models.
- Data residency. Your account and health information is stored in Australia — our database of record is hosted in the Sydney, Australia region (Section 7), so your stored data stays onshore. The only step that crosses the border is this AI-processing step: content is passed to the overseas providers transiently to generate a result. Because this step takes your data outside Australia, we treat it as an overseas disclosure and obtain your express consent for it.
- Other services that may process limited data overseas or via overseas infrastructure include our hosting and AI-gateway provider (Vercel), our transactional-email provider (Resend), our web-search provider used for some lookups (Tavily, via a server-side proxy), and — where you connect it — the Telegram messaging platform. For some clinical questions Abraham may query an evidence-search service, which receives only the clinical query text, not your identity or health record.
Your consent and our accountability (APP 8 and s 16C): Under the Privacy Act, before we disclose your personal information overseas we must either take reasonable steps to ensure the overseas recipient handles it consistently with the APPs — and we generally remain accountable for what they do with it — or rely on your express, informed consent to the overseas disclosure. Because health information is involved, we obtain your express consent to this overseas AI processing as a distinct, per-scope consent (the overseas AI processing scope) before your health information is first sent to the AI, and we take reasonable steps (using reputable providers under their standard API terms) as well. The app blocks the AI-companion path until this consent is recorded, and this gate is fail-closed — if we cannot confirm your consent, the AI path stays blocked. If you do not consent, we cannot provide the AI-companion features, because they cannot function without this processing.
You can withdraw this consent later (Section 10.5); doing so disables the AI-companion features until you turn it back on.
7. Where your information is stored, and how we protect it (APP 11)
7.1 Storage and data residency
- Your account and health data are stored in a PostgreSQL database hosted by Supabase in the Sydney, Australia region — your data is held onshore. (The exception is the AI-processing step in Section 6, which sends content overseas transiently for processing.)
- The application is hosted and served via Vercel.
- Payments are handled by Stripe.
7.2 Security measures
- Data is protected in transit and at rest using industry-standard encryption.
- Access to your data is restricted by row-level security so that, as a general rule, only you can read your own records; server-side operations run under controlled credentials.
- We minimise the personal and health content in our operational telemetry and logs.
- Meal photos are analysed and not stored as images — we retain only the extracted values. Voice notes are transcribed and we retain only the text, not the audio.
No system is perfectly secure, but we take reasonable steps to protect your information from misuse, interference, loss, and unauthorised access, modification, or disclosure.
7.3 Data-breach notification (Notifiable Data Breaches scheme)
We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If a data breach involving your personal information is likely to result in serious harm and we cannot prevent that harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by law, and tell you what steps you can take.
8. Who we disclose your information to (APP 6)
We disclose personal information only as needed to run the service, and to the following categories of recipient:
| Recipient | What they do | Data involved | Where |
|---|---|---|---|
| Supabase | Database, authentication, storage | Account + health data (at rest) | Sydney, Australia |
| Vercel | App hosting + AI Gateway routing | Content routed to AI providers | United States / global |
| Anthropic | Generate Abraham's chat and image-analysis responses; some safety checks | Message + health content, sent for processing | United States |
| OpenAI | Voice-note transcription (Whisper); text embeddings for memory/search | Voice and message/health content, sent for processing | United States |
| Stripe | Subscription payment processing | Billing/payment data (no health data) | United States |
| Resend | Transactional email (reminders, account and service emails) | Your email address and the content of that email | United States |
| Tavily (via our server-side proxy) | Web/evidence lookups for some answers | Search query text (we avoid sending identifying health detail) | United States |
| Telegram (only if you connect it) | Deliver the companion + reminders over Telegram | Messages you exchange over Telegram | Overseas |
| Evidence-search service (some clinical questions) | Fetch current clinical evidence | Clinical query text only (not your identity or record) | — |
We do not currently disclose your individual health information to your clinic or treating practitioners through Do Today. Any future feature that would share your progress with your clinic will be turned on only with your explicit consent, and you will be able to opt out.
We may also disclose personal information where required or authorised by law, to protect someone's life or safety, or in connection with a sale or reorganisation of our business (in which case your information stays subject to protections at least equivalent to this policy).
We do not sell your personal information, and we do not disclose your health information for advertising.
9. Quality of your information (APP 10)
We take reasonable steps to ensure the personal information we collect and use is accurate, up-to-date, and complete. Much of your health data is self-reported, so its accuracy depends on what you enter. You can review and correct your information at any time (Section 10). Where we present a figure derived from your data, we aim to show its source and confidence, and you can ask "why this number?" in the app.
10. Your rights and choices
10.1 Access (APP 12)
You can request access to the personal information we hold about you. You can also export your data yourself from within the app, which produces a machine-readable (JSON) copy of your records — including your profile, diary entries, metrics, hydration, body-progress, AI memories, and your consent history. We will respond to access requests within a reasonable period and, in most cases, at no cost.
10.2 Correction (APP 13)
You can ask us to correct information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. You can edit much of your data directly in the app. For the facts Abraham has remembered about you, you can ask Abraham in chat to forget a specific fact (there is currently no separate settings screen for managing individual memories). If we cannot agree on a correction, you can ask us to attach a statement noting your requested correction.
10.3 Deletion
You can delete individual entries, ask Abraham to forget a remembered fact, and delete your account. When you delete your account we permanently delete your health records, profile, diary history, conversation history, and AI memory, and we cancel any active subscription. We retain only records we are legally required to keep and minimal accountability records (Section 11).
10.4 Data portability
Your in-app export gives you a portable, machine-readable copy of your data.
10.5 Withdrawing consent
Where our handling relies on your consent (for example, collecting health information and the overseas AI processing in Section 6), you can withdraw that consent at any time in your account settings, and you can turn it back on again there. Withdrawal is prospective and disables the features that depend on it: while the data-processing consent is withdrawn, Abraham's AI features (chat, meal-photo analysis, meal plans, voice transcription, and the MCP AI tools) are paused, though your logged data stays exactly as it is.
10.6 Anonymity and pseudonymity (APP 2)
Because Do Today is a personalised, paid health companion tied to your account and health record, we generally cannot provide the service anonymously or under a pseudonym. You can, however, control how much identifying detail you enter, and you can try the guest chat without an account (Section 2.6).
10.7 How to make a request or complaint
Contact us at office@dotoday.com.au (Section 14). If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
11. How long we keep your information (APP 11.2)
We keep personal information only for as long as we need it for the purposes above, or as required by law, and then we destroy or de-identify it.
- Your health records, profile, conversation history, and AI memory: kept while your account is active; deleted when you delete your account (Section 10.3), or individually via the in-app controls and the in-chat forget command.
- Meal photos and voice audio: not stored by Do Today — we keep only the extracted values and transcribed text.
- Billing records: kept as required by tax and financial-record law.
- Consent history: the append-only record of what you consented to and when is retained as part of our accountability obligations, and is included in your data export.
- Accountability records: we may retain minimal records that certain events occurred (for example, security or clinic-membership events), and any records we are legally required to keep.
12. Children
Do Today is for adults only. You must be 18 or over to use it, and we enforce an age gate. We do not knowingly collect information from anyone under 18. If you believe a minor has provided us information, contact us and we will delete it.
13. Changes to this policy
We may update this policy from time to time. When we make material changes — particularly changes to what we collect, how we use it, or our overseas-disclosure practices — we will update the "Last updated" date and, where appropriate, notify you in-app or by email. If a change materially expands how we handle your health information, we will seek any consent the Privacy Act requires before it applies to you. Where we materially change the consent wording, we may ask you to re-accept it before continuing to use the AI features.
14. Contact us
Black Health Intelligence Pty Ltd — Privacy
- Email: office@dotoday.com.au
- Postal: 112 Taylors Road, Gaythorne QLD 4051, Australia
- Privacy enquiries and complaints: office@dotoday.com.au
If you are not satisfied with how we handle a privacy matter, you can contact the OAIC (oaic.gov.au / 1300 363 992).
This policy is governed by the laws of New South Wales, Australia.