Consumer Health Data Privacy Notice

1. Categories of consumer health data we collect

• Health profile: age, sex, height, weight, body composition, declared goals, medical history, current medications.
• Biometrics: weekly weight, waist, neck, hip, body fat percentage, notes.
• Bloodwork: laboratory marker values, reference ranges, source lab, date drawn.
• Tracked compounds: compounds you log, doses, vial sizes, frequencies.
• Genetic data (when ingestion goes live): raw genotype data from consumer DNA tests (23andMe, AncestryDNA, MyHeritage, Nebula formats).
• Variant interpretations (when ingestion goes live): individual variant calls derived from raw data, paired with reference-database annotations.
• Atlas chat history referencing the above (your messages and Atlas's responses).

2. Categories of sources

• Directly from you, via onboarding forms, the Upload page, and (when live) the Health Data upload surfaces.
• From PDFs you upload (Labcorp, Quest, Empower, etc.) processed in-memory and discarded after structured fields are extracted.
• From genetic-test raw data files you upload (23andMe, AncestryDNA, MyHeritage, Nebula) — parsed on Novex infrastructure; raw files discarded after parsing.

3. Purposes for collecting and processing

• To present your tracked health and lab data back to you in the product surfaces.
• To generate AI-assisted informational analysis of your data, framed against the published literature (educational research; not medical advice).
• To run hard-coded interaction checks against your declared medical history.
• To bill you for the service (handled via Clerk Billing + Stripe).
• To respond to support requests and comply with legal obligations.

4. Categories of consumer health data we share, and with whom

• AI inference providers: when you use Atlas, your decrypted health data is transmitted to third-party model providers (today: NVIDIA NIM; planned: Anthropic and OpenAI) under zero-data-retention agreements where available. Providers do not retain or train on your data under those agreements.
• Neon: the Postgres provider that hosts your encrypted data at rest. Operates as a data processor.
• Vercel: the hosting platform that runs Novex's application code. Operates as a data processor.
• AWS KMS: stores the master wrap-key used in the per-user envelope-encryption scheme. AWS never sees plaintext health data; it sees only ciphertext-wrap operations.
• Clerk: authentication and billing. Sees your email and Stripe-mediated payment metadata, never your health data.
• Resend (when wired): transactional email (deletion receipts, breach notifications). Sees your email address, never your health data.

We do not sell your consumer health data. We do not share it with advertisers or data brokers. We do not use it to train any model. We do not disclose genetic information to insurers or employers.

5. Categories of third parties and affiliates

Novex has no affiliates. The third parties named in Section 4 are service providers / processors, not data recipients in the CCPA “sharing” sense. Novex does not engage in cross-context behavioral advertising based on consumer health data.

6. How to exercise your rights

Under the Washington My Health My Data Act, California GIPA, the CCPA / CPRA, and analogous state laws, you have the following rights with respect to consumer health and genetic data:

• Right to access: request a copy of the consumer health data Novex holds about you.
• Right to delete: request that Novex delete your consumer health data. Genetic data deletion requests will be honored within 30 days as required by CA GIPA.
• Right to withdraw consent: revoke any previously-granted consent (storage, analysis, AI processing, third-party transmission) at any time. Take effect immediately on a forward-looking basis.
• Right to correct: correct inaccurate health data via the in-product profile / data surfaces.
• Right to appeal: if Novex denies any of the above requests, you may appeal in writing to privacy@novex.bio; we will respond within 45 days.

How to submit a request: use the in-product Settings → Health Data surface for revocation and per-data-type deletion, OR email privacy@novex.bio with your account email and the request type. We may need to verify your identity before fulfilling access or deletion requests (typically by sending a confirmation email to your account address).

Authorized agents: you may designate an authorized agent to submit requests on your behalf by providing the agent with written, signed permission and verifying your identity directly with us.

Timing: Novex responds to access, deletion, and correction requests within 45 days, extendable by an additional 45 days when reasonably necessary with notice to you.

Non-discrimination: Novex will not deny services, charge different prices, or provide a different level of service because you exercise these rights.

7. Genetic data — California GIPA disclosures

This section is provided to comply with the California Genetic Information Privacy Act (Cal. Civ. Code §§ 56.18 et seq.). If you upload genetic data via Novex:

• Information collection: Novex collects raw genotype data from consumer DNA test exports you upload (23andMe, AncestryDNA, MyHeritage, Nebula). Novex does not collect biological samples — there are none to destroy.
• Information use: to generate variant interpretations and the AI-assisted informational analysis you see in the product. Not used for any other purpose without your further separate consent.
• Information disclosure: only to the AI inference providers named in Section 4, under the consents you grant at upload time. Never to insurers, employers, advertisers, or data brokers.
• Procedures for revoking consent: at any time, via Settings → Health Data. Revocation takes effect immediately on a forward-looking basis. Past analyses already generated remain accessible to you in your account until you also exercise deletion rights.
• Procedures for deletion: genetic-data deletion requests are honored within 30 days. Cryptographic deletion via the per-user envelope-encryption key destruction takes effect immediately; database backups (point-in-time recovery) may retain restorable copies for up to 7 days post-key-destruction, after which the data is cryptographically unrecoverable for any party including Novex.
• Security procedures: per-user envelope encryption (AES-256-GCM with AAD-bound per-column ciphertext) using AWS KMS as the master wrap-key; TLS in transit; isolated database tables with strict per-user access; audit logging of all access events; vendor sub-processors under written data-processing terms.
• Complaint process: contact privacy@novex.bio. You may also contact your state attorney general (California AG enforces GIPA; Illinois GIPA has a private right of action that may also be available).

8. Retention

• Active accounts: consumer health and genetic data are retained as long as your account is open and you have not exercised deletion rights for the relevant data category.
• Per-data-type deletion: takes effect immediately at the application layer; restorable from backup for up to 7 days before becoming cryptographically unrecoverable.
• Account deletion: cryptographically irreversible at the moment of per-user-key destruction.
• Audit logs: retained for 24 months for security and compliance purposes; do not contain plaintext health data.

9. Children

Novex is for adults 18 and older only. We do not knowingly collect consumer health or genetic data from anyone under 18. If you believe a minor has provided us such data, contact privacy@novex.bio and we will delete it promptly.

10. Changes to this Notice

Novex may update this Notice from time to time. Material changes will be communicated to registered users by email at least 30 days before taking effect, and (where required by law) may require renewed consent before continuing to process consumer health data.

11. Contact

Privacy inquiries: privacy@novex.bio
Data access / deletion / revocation: privacy@novex.bio
General support: support@novex.bio