Privacy Policy
Version 1.0 — Effective May 2026
The short version: You upload your health data; we analyze it to show you trends. We don't sell your data. We share it only with the four vendors listed in Section 3 — and only as needed to run the service. You can delete everything, permanently, at any time.
1. What we collect
Data you give us directly
- Email address — used for account identity and to send you reminders and notifications.
- Lab report files — PDFs and images you upload. These are stored in Google Firebase Storage and processed by Anthropic's AI to extract marker values.
- Biometric profile — age, biological sex, ancestry, height, weight, and waist circumference — entered by you during signup and updatable in Settings. Used to compute personalized reference ranges.
- Family health history — cardiovascular disease, Type 2 Diabetes, and early-onset dementia in immediate family members. Used to contextualize your results.
- Beta invite code — used once to verify your invitation. Not retained after redemption.
Data we generate from your uploads
- Extracted marker values — name, numeric value, unit, lab reference range, and flag status — produced by AI analysis of each report you upload.
- Derived markers — computed values such as TG/HDL Ratio, HOMA-IR, and FIB-4 Index, calculated from your extracted values.
- Trend analysis — annualized slope, retest interval, and risk-level assessments computed from your marker history.
Data collected automatically
- Usage logs — server-side request logs used for debugging. Not used for advertising. Purged within 30 days.
- IP address and browser type — standard web server logs, purged within 30 days.
2. How we use your data
- To analyze your lab reports and show you marker trends and insights.
- To compute personalized reference ranges based on your age, sex, and ancestry.
- To send panel reminder emails timed to your marker trends.
- To detect which condition-specific markers need attention and display them in the Condition Monitor.
- To improve OjasVault — only in aggregate, anonymized form. We never use your individual health data for product improvement without your explicit opt-in.
We do not use your data for advertising, behavioral tracking, or sale to data brokers.
3. Who we share your data with
We share your data with exactly four vendors, and only as required to operate the service:
| Vendor | Data shared | Purpose |
|---|---|---|
| Google Firebase (USA) | Lab report files, extracted marker data, account document, biometric profile | Secure cloud storage, authentication, and hosting |
| Anthropic (USA) | Lab report text content (the text extracted from your uploaded files) | AI-powered marker extraction and analysis |
| Stripe (USA) | Email address and payment method | Subscription billing — we never see your card number |
| Resend (USA) | Email address | Sending panel reminders, notifications, and transactional emails |
We share your data with no other third parties. We do not sell, rent, license, or broker your data.
4. Data retention
- Active accounts: your data is retained for as long as your account is active.
- After account deletion: all personal data is permanently erased from active systems within 30 days.
- Backup copies: purged within 90 days of account deletion.
- Server logs: purged within 30 days on a rolling basis.
- Aggregated, anonymized analytics: may be retained indefinitely — this data cannot be linked back to you.
5. Your rights
- Access: you can view all your stored data directly within OjasVault at any time.
- Correction: update your biometric profile in Settings, or re-upload corrected lab reports at any time.
- Deletion: go to Settings → Close Account to permanently and irreversibly delete your account and all associated data.
- Export: to request a machine-readable copy of your stored data, email legal@ojasvault.ai. We will fulfill requests within 30 days.
- Opt-out of reminders: toggle off email reminders in Settings, or use the unsubscribe link in any reminder email.
California residents (CCPA)
California residents have the right to know what personal information we collect, the right to delete it, the right to opt out of its sale (we do not sell it), and the right to non-discrimination for exercising these rights. To exercise any CCPA right, email legal@ojasvault.ai. We will respond within 45 days.
6. Security
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via Google Firebase). Access is restricted to your account credentials and the vendors listed above. We conduct periodic security reviews and promptly investigate any suspected incident.
7. A note on HIPAA
OjasVault is a consumer health application. We are not a healthcare provider, health plan, or clearinghouse as defined by HIPAA, and we do not act as a Business Associate to any covered entity. Accordingly, HIPAA does not apply to OjasVault directly.
This does not mean your data is unprotected — we apply the same security standards and data minimization principles that HIPAA requires of covered entities, because we believe your health data deserves that level of care regardless of regulatory classification.
8. FTC Health Breach Notification
OjasVault is subject to the Federal Trade Commission's Health Breach Notification Rule. In the event of a breach involving your personally identifiable health information, we will notify you and, where required, the FTC within 60 days of discovering the breach. Notification will be sent to the email address on your account.
9. Children's privacy
OjasVault is not intended for users under 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected such data, please contact us immediately at legal@ojasvault.ai and we will promptly delete it.
10. Changes to this policy
We will notify you by email before any material change to this policy takes effect, and update the version date at the top of this page. If you continue using OjasVault after a change is announced, you accept the updated policy.
11. Contact
Questions or concerns about your privacy? Email legal@ojasvault.ai. We aim to respond within 5 business days.