Privacy Policy
Prajnova, Inc. · Effective May 1, 2026 · Last updated May 26, 2026
1. Introduction and who we are
Prajnova ("Prajnova," "we," "our," or "us") operates a Continuous Health Intelligence platform available at prajnova.com and its associated web applications (collectively, the "Platform"). Our mission is to give you a complete, intelligent, and continuous picture of your health by bringing together your lab results, health device data, and personal health profile — and making it understandable through AI.
This Privacy Policy explains what personal and health information we collect, how we use, store, and protect it, who we share it with and why, and your rights and how to exercise them.
By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy.
2. Information we collect
We collect information in three ways: information you provide directly, information generated by your use of the Platform, and information synced from third-party health services you authorize.
2.1 Account and identity information
When you register, we collect your name, username, and email address, along with basic account metadata (such as account creation and last login timestamps).
2.2 Health profile
You may voluntarily provide health profile information — such as demographics, medical history, medications, allergies, family history, lifestyle, and health goals — to help Prajnova personalize your AI insights. All fields are optional; the more you share, the more personalized your insights will be.
2.3 Lab reports and medical documents
When you upload a lab report or medical document, we collect and store the original file, basic upload metadata (such as file name and upload date), text extracted from the document, and the AI-generated analysis of its contents.
2.4 Health integration sync data
When you connect a third-party health platform or device, we receive and store the data you authorize from that platform. Currently supported connections are Apple Health, Fitbit (via the Google Health API), and Cronometer. We never write data back to any connected platform.
When you connect Fitbit, you grant Prajnova read-only access to the following Google OAuth scopes:
- https://www.googleapis.com/auth/googlehealth.activity_and_fitness.readonly — activity and fitness
- https://www.googleapis.com/auth/googlehealth.health_metrics_and_measurements.readonly — body measurements and vitals
- https://www.googleapis.com/auth/googlehealth.sleep.readonly — sleep
- https://www.googleapis.com/auth/googlehealth.profile.readonly — basic profile (used to compute BMI)
See Section 11 for our Google API Services Limited Use commitment.
2.5 Nova AI chat history
Your conversations with Nova AI — including your messages and Nova's responses — are stored along with basic session metadata.
2.6 Technical and usage data
When you use the Platform, we automatically collect technical and usage data — your approximate location (country/region), basic device and browser information, your interactions with the Platform (such as pages visited and features used), and operational and error logs. This data is used for security monitoring, performance optimization, and diagnosing technical issues. It is not used to build advertising profiles.
3. How we use your information
3.1 Providing the Platform
We use your information to authenticate your identity and secure your account, display your health data and AI-generated insights, process and analyze the lab reports and medical documents you upload, and sync data from health integrations you connect.
3.2 Powering Nova AI
When you send a message to Nova AI, we assemble a context package — including your health profile, recent integration sync data, recent lab report analyses, and the current conversation history — and send it securely to our AI providers so they can generate a personalized, health-aware response.
3.3 Lab report and medical document analysis
When you upload a lab report or medical document, we store the original file securely in Google Cloud Storage, extract the text on our own servers when possible, send the document content to an AI provider for analysis, and store the generated analysis alongside the original.
The AI provider receives the document content in one of two ways depending on the file:
- Text-extractable PDFs. Only the extracted text is sent, together with the de-identified clinical context from Section 3.2. The original PDF is not transmitted to the AI provider.
- Scanned PDFs and image uploads. If the file is not text-extractable, the file itself is sent to the AI provider for analysis. Because we do not redact the image first, it may contain printed personal identifiers such as your name, date of birth, or medical record number. The AI provider is bound by Data Processing Agreement terms that prohibit using submitted content to train their models (see Section 6.1).
In both cases, the original file remains private in Google Cloud Storage (see Section 4.4).
3.4 Security and fraud prevention
We use technical logs, IP addresses, and usage patterns to detect unauthorized access attempts, monitor for account takeover or credential stuffing attacks, investigate and respond to security incidents, and enforce our Terms of Service.
3.5 Platform communications
We use your email address for account-related communications — email verification, password resets, security notifications, and product updates (which you can opt out of at any time). We never share or sell your email address.
3.6 Aggregated analytics
We may use de-identified, aggregated data (from which personal identifiers have been removed) to understand how the Platform is used and identify areas for improvement. This aggregated data cannot be used to identify you.
4. How we store and protect your data
4.1 Infrastructure and compliance
All Prajnova user data — for every user, regardless of geographic location — is stored and processed on Google Cloud Platform (GCP) infrastructure located in the United States. This applies uniformly to users in the United States, the European Economic Area (EEA), the United Kingdom, the Middle East and Africa, Asia, India, Australia, and any other region from which the Platform is accessed. We do not maintain regional data residency in other jurisdictions.
Our infrastructure is configured to meet HIPAA Security Rule requirements, and a Business Associate Agreement (BAA) is signed with Google Cloud Platform.
4.2 Encryption
All data is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher. Passwords are stored as a salted one-way cryptographic hash that cannot be reversed.
4.3 Access controls
Every API request is authenticated and scoped to the requesting user, making it architecturally impossible for one user to access another's data. Internal access to production systems is restricted to a minimal set of authorized personnel using multi-factor authentication, fully logged, and granted only as needed for each role.
4.4 File storage
Uploaded files (lab reports and medical documents) are stored privately in Google Cloud Storage with no public URLs; access is granted only through short-lived, authenticated links.
4.5 Vulnerability management
We conduct regular security reviews, apply patches promptly, and accept vulnerability reports at security@prajnova.com.
4.6 International data transfers
Prajnova operates entirely from the United States, and all user data is stored and processed exclusively in U.S. data centers. We do not maintain data centers, servers, or replicas in any other country or region.
If you access the Platform from outside the United States — including from the European Economic Area, the United Kingdom, Asia, India, Australia, or any other region — your data is transferred to and processed in the United States. By creating an account or using the Platform, you explicitly consent to this cross-border transfer.
For users in the European Economic Area and the United Kingdom, transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum (see Section 8.9). For users in jurisdictions with their own cross-border transfer requirements (such as India's DPDP Act, Australia's Privacy Act, or PIPL), the lawful basis is your explicit consent given at account creation.
The United States may have data protection laws that differ from those in your jurisdiction. Prajnova nevertheless applies the same security and confidentiality safeguards to your data regardless of where you reside.
5. Data retention
We retain your personal and health data while your account is active, plus a short post-deletion grace period of up to 90 days, after which it is permanently removed.
Operational records — such as integration sync history and access logs — are kept for limited periods as required by law or standard practice.
Anonymized, aggregated data that cannot be linked back to you may be retained indefinitely.
6. Third parties we share data with
We are highly selective about who receives your data. We share data with third parties only where necessary to operate the Platform and under strict data processing agreements.
6.1 AI providers
To generate Nova AI responses and analyze lab reports and medical documents, we use state-of-the-art large language models from frontier AI service providers under enterprise Data Processing Agreements (DPAs).
Chat content is de-identified before transmission — every direct identifier is stripped (see Section 3.2 for details). Document analysis follows two paths: extracted text is de-identified, while scanned PDFs and image uploads are sent as files and may contain printed PII (see Section 3.3 for details).
All AI service providers we use are bound by Data Processing Agreements that prohibit using submitted content to train or improve their models. Where AI services are hosted within our cloud infrastructure (see Section 6.2), they are also covered by that infrastructure's Business Associate Agreement. Data is transmitted over encrypted connections, and providers do not retain submitted content beyond the immediate request.
6.2 Google Cloud Platform (infrastructure)
All data storage, compute, and file hosting runs on Google Cloud Platform. A Business Associate Agreement (BAA) is in place. Google processes your data solely as a data processor on our behalf and is prohibited from using it for any other purpose.
6.3 Third-party health integrations (read-only, user-initiated)
When you authorize a health integration, data flows from that platform to Prajnova via OAuth-authenticated API calls. We do not transmit your Prajnova data back to these platforms. Your use of those platforms is governed by their own privacy policies.
6.4 What we never do
We never sell your personal or health information, share it with advertisers or data brokers, or use it to build advertising profiles. We do not share your data with employers, insurers, or government agencies except as required by law.
6.5 Legal disclosure
We may disclose your information without prior notice only when required by a valid court order or subpoena, applicable federal or state law, or a government agency with lawful authority. Where legally permissible, we will notify you before disclosing your data in response to a legal demand.
6.6 Business transfers
In the event of a merger, acquisition, bankruptcy, or sale of substantially all of our assets, your data may be transferred to the successor entity. We will provide reasonable advance notice via email and a prominent Platform notice before any such transfer. The successor will be required to honor this Privacy Policy or provide you the opportunity to delete your account.
7. Cookies and tracking
Prajnova uses only the cookies necessary to maintain your authenticated session and basic UI state. We do not use third-party advertising cookies, cross-site tracking pixels, analytics services that collect personally identifiable information, or fingerprinting technologies.
8. Your rights and choices
8.1 Access your data
You may request a complete export of all personal data we hold about you. Contact privacy@prajnova.com with the subject line "Data Access Request." We will respond within 30 days.
8.2 Correct your data
You may update your health profile, account information, and lab report titles directly within the Platform at any time.
8.3 Delete your data
You may request permanent deletion of your account and all associated data via the Settings page or by emailing privacy@prajnova.com. Deletion is irreversible. We will complete deletion within 90 days and confirm via email.
8.4 Data portability
You may request a copy of your data in a structured, machine-readable format (JSON) by contacting privacy@prajnova.com.
8.5 Disconnect health integrations
You may disconnect any health integration at any time from the Integrations page. Disconnecting stops all future data syncing. Data already synced remains in your account unless you separately request deletion.
8.6 Opt out of non-essential communications
You may opt out of product announcement emails using the unsubscribe link in any such email. You cannot opt out of transactional emails (account verification, password reset, security alerts) as these are necessary for account operation.
8.7 HIPAA privacy rights
To the extent your data constitutes PHI under HIPAA, you have the following rights under 45 CFR Part 164:
- Right of Access (§164.524): Request a copy of your PHI
- Right to Amend (§164.526): Request corrections to your PHI
- Right to an Accounting of Disclosures (§164.528): Request a list of disclosures of your PHI
- Right to Request Restrictions (§164.522): Request restrictions on how your PHI is used
To exercise these rights, contact privacy@prajnova.com.
8.8 California residents — CCPA/CPRA rights
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell
- Delete your personal information
- Correct inaccurate personal information
- Opt out of the sale or sharing of your personal information (we do not sell or share personal information)
- Not be discriminated against for exercising your privacy rights
To submit a California privacy rights request, contact privacy@prajnova.com. We will verify your identity before processing the request.
8.9 EEA and UK residents — GDPR/UK GDPR rights
If you are located in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases:
- Consent (Art. 6(1)(a) GDPR): For processing general personal data
- Explicit Consent (Art. 9(2)(a) GDPR): For processing special category health data
You have the right to withdraw consent at any time, access your personal data (Art. 15), rectify inaccurate data (Art. 16), request erasure (Art. 17), restrict processing (Art. 18), request data portability (Art. 20), object to processing (Art. 21), and lodge a complaint with your local supervisory authority.
To exercise these rights, contact privacy@prajnova.com.
Because Prajnova is operated from the United States and all data is stored and processed in U.S. data centers (see Section 4.1 and Section 4.6), the processing of your personal data necessarily involves a cross-border transfer from the European Economic Area or the United Kingdom to the United States. These transfers are governed by the Standard Contractual Clauses approved by the European Commission and, where applicable, the UK International Data Transfer Addendum. By creating an account or using the Platform, you provide explicit consent to this transfer in accordance with Articles 9(2)(a) and 49(1)(a) GDPR.
9. Children's privacy
Prajnova is intended for users 18 years of age and older. We do not knowingly collect personal information from individuals under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact privacy@prajnova.com immediately and we will delete the information promptly.
10. Changes to this Privacy Policy
We may update this Privacy Policy as our Platform evolves or as legal requirements change. When we make material changes, we will notify you by email to your registered address, display a prominent notice on the Platform, and update the "Last Updated" date at the top of this Policy. We will provide at least 30 days' notice before material changes take effect. Your continued use of the Platform after the effective date constitutes your acknowledgment of the updated Policy.
11. Google API Services data — Limited Use commitment
Prajnova uses Google APIs for Sign in with Google (non-sensitive scopes: openid, email, profile) and the Google Health API (the four sensitive googlehealth.*.readonly scopes detailed in Section 2.4).
In particular:
- We use Google user data only to provide the user-facing Prajnova features you connected (your Insights dashboard, Nova AI responses, and lab report analysis).
- We do not transfer Google user data to third parties except as necessary to provide those features (e.g., AI providers under DPAs described in Section 6.1), to comply with applicable law, or as part of a merger or acquisition with notice to you.
- We do not use Google user data for advertising of any kind (including retargeting, personalized, or interest-based).
- We do not allow humans to read Google user data except with your explicit consent, for security investigation, to comply with law, or in aggregated and anonymized form.
- We do not use Google user data to train, fine-tune, or improve AI/ML models.
Revoking access. You may revoke Prajnova's access to your Google account at any time at myaccount.google.com/permissions or by disconnecting the Fitbit integration on the Prajnova Integrations page. Revocation stops future syncing immediately; data already synced remains unless you request deletion (see Section 8.3).
12. Contact us
For any privacy-related questions, requests, or concerns:
Prajnova
- Privacy requests and HIPAA rights: privacy@prajnova.com
- Security vulnerabilities: security@prajnova.com
- General support: support@prajnova.com
We aim to respond to all privacy inquiries within 5 business days and to fulfill verified data requests within 30 days.
This Privacy Policy applies to prajnova.com and all associated Prajnova applications and services.