Privacy Policy

Effective: April 29, 2026 · Last updated: April 29, 2026

This Privacy Policy describes how Norvya LLC ("Norvya," "we," "us," or "our") collects, uses, discloses, and protects information when you use our mobile applications, websites, and related services (the "Services").

Health information notice. Norvya processes information about your health. We treat this information with the standards of care expected of healthcare technology, including signed Business Associate Agreements with our infrastructure and AI providers. We are not a covered entity under HIPAA, but we model our practices on those expectations.

1. Information We Collect

Information you provide to us

Account information: name, email address, password (stored as a hash), and authentication tokens.
Profile information: age, sex, height, weight, time zone, and goals you choose to share.
Health and wellness information: meals, exercise, sleep, mood, supplements, medications, protocols (e.g., GLP-1, peptides, NAD+), and check-in responses.
Skin imagery (premium plans): photographs of skin lesions you choose to capture for analysis or tracking.
Communications: messages you send to our support team or AI coach.

Information collected automatically

Device and usage: device model, operating system, app version, IP address, crash logs, and feature usage analytics.
Health platform data (with your permission): data from Apple Health or Google Fit, limited to the categories you authorize.

Information from third parties

Authentication providers (e.g., Apple Sign-In, Google) when you choose to log in with them.
Payment processors for subscription billing (we do not receive your full payment card number).

2. How We Use Your Information

To provide, maintain, and improve the Services.
To generate personalized insights, scores, AI coaching responses, and analyses you've requested.
To send you account, security, and service-related communications.
To send you optional reminders and notifications you've opted in to.
To detect, investigate, and prevent fraud, abuse, and security incidents.
To comply with legal obligations.

We do not sell your personal information. We do not use your health information for advertising, and we do not share your health information with advertisers.

3. AI Processing

To deliver AI coaching, longevity scoring, and skin analysis, we send relevant subsets of your data to our AI infrastructure providers. We use enterprise services that operate under signed Business Associate Agreements and contractual terms that prohibit using your data to train shared foundation models. Your data is used to serve you, not to train other people's experiences.

4. Sharing of Information

We share information only as described below:

Service providers: cloud infrastructure, AI processing, email delivery, analytics, and customer support providers, each bound by appropriate contractual terms.
With your direction: for example, when you choose to share results with a clinician or join a clinic through our provider portal.
For legal reasons: when required by law, valid legal process, or to protect rights, safety, and property.
Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to you and continued protection of your information.

5. Your Rights and Choices

Access: you can view your data within the app or request an export by emailing us.
Correction: you can update most information directly in the app.
Deletion: you can delete your account at any time. We will delete your personal information within a reasonable period, subject to limited retention required for legal, security, or fraud-prevention purposes.
Withdraw consent: you can disconnect health platform integrations or revoke notification permissions at any time in your device settings.
Regional rights (EEA, UK, California, and similar jurisdictions): you may have additional rights under your local laws, including the right to object to or restrict processing and the right to data portability.

6. Data Security

We use industry-standard technical and organizational measures to protect your information, including encryption in transit and at rest, role-based access control, audit logging, periodic backups with documented restore procedures, and a written incident response plan. No system can guarantee perfect security, but we work to maintain a level of protection appropriate for health data.

7. Data Retention

We retain your account and health data for as long as your account is active or as needed to provide the Services. When you delete your account, we delete or de-identify your information within a reasonable period, except where we are required or permitted by law to retain it.

8. Children

Norvya is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us and we will delete it.

9. International Users

Norvya is operated from the United States. If you use the Services from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those of your country.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you in the app or by email. The "Last updated" date at the top of this page shows when changes were last made.

11. Contact Us

For privacy questions, requests, or concerns, contact us at:

Norvya LLC
Email: privacy@norvya.health
State of Formation: Maryland, USA