Privacy Policy

CardioVa ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use the CardioVa application ("the App").

1. Information We Collect

Health Data: Blood pressure readings, glucose readings, pulse, HbA1c, cholesterol, weight, medications, meal logs, and related context tags (e.g., "fasting," "post-meal") that you voluntarily enter into the App.

Account Information: Name, date of birth, gender, height, weight, email address, and phone number provided during registration.

Device Information: Device type, operating system, browser type, and app version for troubleshooting and optimization.

Usage Data: Feature usage patterns, screen views, and interaction data to improve the App experience. This data is anonymized and cannot identify you personally.

2. How We Use Your Information

• To provide core App functionality: logging, tracking, trends, and insights
• To generate personalized health insights and Health Score calculations
• To create health reports for sharing with your healthcare provider
• To send medication reminders and health alerts you have enabled
• To improve and optimize the App experience
• To provide customer support

3. Data Storage and Security

Your health data is stored securely using industry-standard encryption. Data at rest is encrypted using AES-256, and all data in transit uses TLS 1.2 or higher.

When using the App offline, data is stored locally on your device and synced to our secure servers when connectivity is restored.

Your data is stored in MongoDB Atlas clusters, and access to it is controlled by scoped JSON Web Token (JWT) authentication so that only you — or parties you have explicitly authorized through the Caregiver feature — can read or modify your own health records.

3a. Security Posture & HIPAA

CardioVa is a consumer wellness application. We are not a HIPAA-covered entity and do not act as a Business Associate for any covered healthcare provider. We nonetheless apply HIPAA-aligned security safeguards, including encryption in transit (TLS 1.2+) and at rest (AES-256), principle-of-least-privilege access controls for engineering staff, and audit logging on privileged operations. If you are a healthcare provider planning to use CardioVa with protected health information (PHI), please contact us before doing so — you may need a Business Associate Agreement that we do not currently offer.

4. Data Sharing

We do not sell your health data. We will never sell, rent, or trade your personal health information to third parties for marketing or advertising purposes.

We may share data only in these limited circumstances:

• With your consent: When you explicitly share a health report with your doctor or caregiver
• Caregiver access: If you grant a family member or caregiver access through the Caregiver feature
• Legal requirements: If required by law, court order, or government regulation
• Service providers: With trusted third-party services that help us operate the App (e.g., cloud hosting, analytics), under strict data processing agreements

5. Your Rights

You have the right to:

• Access: View all personal data we hold about you
• Export: Download your health data in CSV or PDF format at any time
• Correction: Update or correct any inaccurate personal information
• Deletion: Delete your account and all associated data permanently through Settings > Data & Account > Delete Account
• Portability: Receive your data in a structured, commonly used format
• Withdraw consent: Disable optional data processing (e.g., usage analytics) at any time

6. Cookies and Tracking

The CardioVa web app uses minimal local storage for essential functionality (authentication tokens, user preferences, language settings). We do not use third-party advertising cookies or trackers.

7. Children's Privacy

CardioVa is not intended for use by children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at support@cardiova.app.

8. International Data Transfers

CardioVa operates globally. Your data may be processed in countries outside your country of residence. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws, including GDPR.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the App or via email. The "Last updated" date at the top of this page indicates when this Policy was last revised.

10. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

Email: support@cardiova.app