“When something feels off, Buoy it”
Buoy Health is a U.S. digital health/AI tool for symptom checking, initial clinical assessment, triage, and care navigation.
End users can enter symptoms via chat or quiz and receive possible causes, guidance on urgency, and recommendations for next steps in care. In addition, Buoy offers clinician-reviewed, editorially supervised health content, disease-specific AI quizzes, and an API for integration into apps, websites, and patient portals.
Buoy Health
Location: USA (Buoy Health, Inc., 580 Harrison Ave., Suite 1W, Boston, MA 02118, USA)
Third-Party Services / Care Navigation
Buoy can direct users to third-party providers, health services, or care pathways; availability and terms depend on the respective partner.
Target audience
Buoy Health is primarily aimed at people who want to quickly assess symptoms and understand the next sensible step in care. In addition, according to the official pages, Buoy also addresses employers, health plans, providers, patient portals, and developer teams that want to integrate the triage logic into their own digital journeys via API. For traditional, compliance-driven EU companies the tool fits its intended audience functionally, but from a data protection perspective the publicly available documentation does not sufficiently safeguard such use.
Outstanding features
The most notable features include the free AI symptom checker, disease-specific AI quizzes, clinician-reviewed health articles, guidance on the appropriate level of care, and the API for embedding the symptom and triage engine into apps and portals. Buoy positions its system as clinically informed, mentions in-house physician/clinician oversight, and refers to published research or a JAMA-related presentation of results on the product page.
Key use cases
Buoy is particularly suitable for the digital initial assessment of symptoms, patient-facing navigation to appropriate care, pre-qualification of health concerns in patient portals, and as a supplement to employer or health plan offerings. In addition, it can serve as a content/research interface for symptom- and disease-related health information. According to the Terms, the tool is expressly not intended for medical emergencies or binding diagnoses.
Use & notes
Use is web-based: users enter symptoms, answer follow-up questions, and receive an initial assessment along with recommended actions. The legal and professional limitations should be taken seriously: Buoy is not a doctor, does not establish a doctor-patient relationship, is not intended for emergencies, and according to the Terms is only intended for users residing in the USA; the service should not be used for infants under two years of age. From a data protection perspective, it is important that although Buoy communicates itself as “private,” the Privacy Notice also describes website analytics, advertising partners, and ML use of de-identified data.
| Target audience | Assessment |
|---|---|
| Private individuals in the USA | Suitable – for initial guidance on symptoms, possible causes, and indications of appropriate care. |
| Patients with simple health questions | Conditionally suitable – as an information and triage aid, but not as a substitute for medical diagnosis or treatment. |
| Healthcare providers / insurers / digital health products | Suitable – Buoy offers an API for symptom checking and triage integration into proprietary applications. |
| Private individuals in the EU | Rather not suitable – the Terms are expressly aimed at users residing in the USA and state that US law is authoritative. |
| EU companies / regulated healthcare providers | Rather critical – due to the US focus, health data, unclear GDPR contractual situation, and lack of EU data residency. |
Hosting & Data
1) On-prem / local hosting
Meaning: The company operates the solution on its own hardware or within its own infrastructure. In the strictest sense, not only the application but ideally the model as well runs locally.
2) Private cloud / data center
Meaning: The solution runs in a dedicated or more clearly separated cloud environment, often with a hosting provider or hyperscaler, but in a German data center or in a particularly controlled environment.
3) EU SaaS / managed
Meaning: The provider operates the solution itself as a service. The company uses the tool as a ready-made cloud service, ideally with EU data residency.
4) Hybrid
Meaning: One part of the processing remains internal / local / in a private cloud, while another part runs in an external cloud or EU SaaS.
5) AVV / DPA
Meaning: This is the data processing agreement (German: AVV) or Data Processing Addendum (DPA). It stipulates that the provider processes personal data on behalf of the customer and is bound by the customer's instructions.
6) No training
Meaning: The provider does not use your prompts, uploads, attachments, chat histories, or outputs for training or improving the general model — ideally excluded by contract.
7) Open-source / transparency path
Meaning: There is a path toward greater technical transparency and sovereignty, for example through:
- open models
- documented components
- self-hostable parts
- traceable architecture
- export / switching options
| Criterion | Status |
|---|---|
| On-prem / local hosting | ❓ |
| Private cloud / data center | ❓ |
| EU SaaS / Managed | ❓ |
| Hybrid | ❓ |
| DPA / AVV | ❓ |
| No training on customer data | ❓ |
| Open source / transparency path | ❓ |
On-prem / local hosting: Indirect / Not Available
No on-prem, local, or self-hosting option was found on the website. The website describes web services and APIs, but does not mention operation on customer infrastructure.
Private Cloud / Data Center: Unclear
There is no specific information regarding dedicated customer environments, private cloud models, or dedicated EU/EEA data centers.
EU SaaS / Managed: Indirect / Not Available
The website does not specify EU/EEA data residency or EU-operated SaaS. Instead, the privacy policy refers to U.S. control and U.S. law.
Hybrid: Unclear
The website does not provide a reliable description of a hybrid model involving a combination of internal/local and external processing.
DPA: Indirect / Not Available
No DPA was found on the website. The only mention is of a HIPAA “Business Associate Agreement” for certain U.S. enterprise programs, which does not constitute evidence of a GDPR DPA for EU/EEA customers.
No Training: Indirect / Not Available
No robust opt-out or contractual exclusion regarding the use of user inputs or history for general AI training was found on the website. On the contrary, the website states that Buoy’s medical models are regularly updated using “Buoy user data and feedback”; furthermore, the Terms of Service grant Buoy extensive rights to use “Your Information,” except where HIPAA/PII exceptions apply.
Open Source / Transparency Path: Indirect / Not Available
No open-source components, open models, self-hostable parts, or a documented transparency/sovereignty path were found on the website.
Data Processing
The website describes Buoy as a web-based solution featuring a symptom checker, chat interaction, and API integration. It processes health information, location information via IP address, and other personal data. There is general security information and a HITRUST statement, but no specific details regarding EU/EEA data residency, data center locations, subprocessors, or GDPR data transfer mechanisms.
Conclusion
For a German-language tool directory with ratings covering the entire EU/EEA region, the documentation provided on the provider’s website is insufficient for a GDPR-compliant classification. The provider documents its U.S. affiliation and the U.S. legal framework, but does not provide information on EU data residency, a Data Processing Agreement (DPA), or a transparent hosting or subprocessor structure. Consequently, based on the website, there is no evidence of reliable, GDPR-compliant use for EU/EEA users.
Sources
Strengths & weaknesses at a glance
| Strengths | Weaknesses |
|---|---|
| • Low barrier to entry: free symptom checker and free account. | • No medical diagnosis or treatment service; explicitly no doctor-patient relationship. |
| • Clinical integration: according to Buoy, content is reviewed and/or guided by doctors/clinicians. | • Terms require US residency; this limits international/EU use. |
| • Broad mix of features including AI triage, health content, quizzes, and care navigation. | • Sensitive from a data protection perspective: health data + US legal nexus + analytics/advertising + ML use of de-identified data. |
| • API/enterprise suitability for healthcare organizations and patient portals. | • No publicly available EU compliance documentation such as SCC notices, EU representative, EU hosting, or public AVV/DPA. |
| • Reference to a peer-reviewed JAMA paper on the product page. | • Not for children under 13 and, according to the Terms, not intended for infants under 2 years old. |
Reviews
0 reviews in total
There are no confirmed reviews for this tool yet.
GDPR-compliant usage possible?
Although the website includes a privacy policy and general security information, it does not provide any reliable details regarding EU/EEA data residency, EU data centers, data processing agreements (DPAs), subprocessors, or a GDPR-specific processing framework. On the contrary, the privacy policy explicitly states that Buoy is operated from the United States and that data processing is subject to U.S. law. For users throughout the EU/EEA, the website therefore does not demonstrate fully GDPR-compliant use.
Positive
Positive aspects include a publicly accessible privacy policy, references to technical and organizational security measures such as encryption, firewalls, identity management, and intrusion prevention/detection, as well as a mentioned HITRUST certification. In addition, Buoy describes options for filing complaints and contacting the company via email.
Negative
A particular negative factor for an EU/EEA GDPR assessment is that the website describes Buoy as being controlled and offered in the U.S., and the privacy policy explicitly states that U.S. law, and not the law of other jurisdictions, applies. Furthermore, the Terms of Service state that users must be located in the U.S. to use the services. The website does not specify EU server locations, EU data residency, SCCs/transfer mechanisms, AVV/DPA, a list of subprocessors, the option to opt out of AI training for general models, or on-premises/self-hosting options.
Server Location
Not specified on the website. The Privacy Policy merely states that Buoy is controlled and offered from the United States; specific server or data center locations in the EU/EEA are not mentioned.