
These templates are operational defaults; consult a lawyer before public launch.

Privacy Policy

Last updated: 2026-05-24

Novex (“we”, “our”, “us”) collects and processes personal data to power your AI research analysis experience.

Consumer health and genetic data are subject to a separate Consumer Health Data Privacy Notice which addresses the Washington My Health My Data Act (RCW 19.373), California GIPA (Cal. Civ. Code §§ 56.18 et seq.), and analogous state consumer-health-data laws.

What we collect

  • Account data: email, password (hashed by Clerk), authentication events. Collected when you sign up.
  • Health profile: age, sex, height, weight, body composition, declared goals, medical history, current medications. Collected via onboarding and the profile page.
  • Biometrics: weekly weight, waist, neck, hip, body fat percentage, notes. Collected via the Upload page.
  • Bloodwork: laboratory marker values, reference ranges, source lab, date drawn. Collected via PDF upload or manual entry.
  • Tracked compounds: compounds you log, doses, vial sizes, frequencies.
  • Genetic data (when ingestion goes live): raw genotype data from consumer DNA test exports you upload.
  • Chat history with Atlas: your messages and Atlas's responses, plus the tools it called and the results.
  • Payment data: handled entirely by Clerk Billing + Stripe (we never see your card number).
  • Technical / audit data: IP address (for security + abuse prevention), authentication events, audit-log entries for sensitive data access, cookie identifiers (see /legal/cookies).

Several of the categories above (health profile, biometrics, bloodwork, tracked compounds, genetic data, chat history referencing the above) are sensitive personal information (SPI) under the California Consumer Privacy Act (Cal. Civ. Code § 1798.140(ae)) and consumer health data under the Washington My Health My Data Act. We process them only for the purposes disclosed in this Policy and in the linked Consumer Health Data Privacy Notice.

Categories of sources

  • Directly from you, via onboarding, the Upload and Health Data surfaces, and Atlas chat.
  • From PDFs and raw-data files you upload (processed in-memory; raw files discarded after structured fields are extracted).
  • Automatically from your device when you use the service (cookies, IP address, request metadata) — see /legal/cookies.

How we use it

  • To power Atlas's analysis (every reply cites your tracked compounds + bloodwork + biometrics).
  • To run interaction checks (hard-coded rules against your medical history).
  • To bill you accurately (via Clerk Billing).
  • To respond to support requests.
  • To detect fraud and abuse; to debug; to comply with legal obligations.
  • To improve the product in aggregate (de-identified analytics only — no model training on user data).

Third parties we share with

  • Clerk — authentication + billing (operates as our data processor).
  • Stripe — payment processing (via Clerk Billing).
  • Neon — Postgres database (data at rest; processor).
  • AWS KMS — master wrap-key for per-user envelope encryption. AWS never sees plaintext health data.
  • NVIDIA NIM — current AI inference provider. Sees decrypted chat / health-data context in memory at inference time; does not retain or train on it under our agreement.
  • Anthropic + OpenAI — planned AI inference providers. Will be enrolled under zero-data-retention addenda before any health data flows to them.
  • Vercel — application hosting (processor).
  • Resend (when wired) — transactional email (deletion receipts, breach notifications).

We do not sell your personal information. We do not share it with advertisers or data brokers. We do not use your health data to train any model. We do not engage in cross-context behavioral advertising. We do not disclose genetic information to health insurers, life insurers, long-term care insurers, or employers.

Data retention

  • Active accounts: retained while you have an account.
  • Per-data-type deletion: takes effect immediately at the application layer; restorable from backup for up to 7 days before becoming cryptographically unrecoverable.
  • Account deletion: cryptographically irreversible at the moment of per-user-key destruction.
  • Audit logs: retained for 24 months for security and compliance; do not contain plaintext health data.
  • Billing records: retained as required by tax/accounting law (typically 7 years).

Your rights (CCPA / CPRA / state comprehensive laws / consumer health data acts)

Depending on your state of residence, you may have some or all of the following rights with respect to your personal information. Novex honors them on a consolidated basis (i.e., Novex provides the union of state rights to all US users rather than gating by state):

  • Right to know: the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties.
  • Right to delete: request that we delete your personal information.
  • Right to correct: request that we correct inaccurate personal information.
  • Right to limit use of sensitive personal information: restrict our use of SPI to purposes specified by the CPRA.
  • Right to opt-out of sale or sharing: Novex does not sell or share personal information for cross-context behavioral advertising; this commitment applies by default to all users.
  • Right to non-discrimination: Novex will not deny services, charge different prices, or provide a different level of service because you exercise these rights.
  • Right to portability: export your plan history + bloodwork + tracked compounds + chat history as JSON via Settings → Data → Export.
  • Right to withdraw consent: revoke any consent you have given (including consent to AI processing of your health or genetic data) at any time via Settings → Health Data.
  • Right to appeal: if we deny a rights request, you may appeal in writing to privacy@novex.bio; we will respond within 45 days.
  • Authorized agents: you may designate an authorized agent to submit requests on your behalf.

How to submit a request: use the in-product Settings → Data and Settings → Health Data surfaces for export / deletion / consent revocation, OR email privacy@novex.bio with your account email and the request type. We may need to verify your identity before fulfilling access or deletion requests (typically by sending a confirmation email to your account address).

Timing: we respond to verifiable requests within 45 days, extendable by an additional 45 days when reasonably necessary with notice to you.

Do Not Sell or Share / Limit Use of Sensitive Personal Information

Novex does not sell or share personal information within the meaning of the CCPA / CPRA, and Novex limits its use of sensitive personal information to the purposes disclosed in this Policy and in the Consumer Health Data Privacy Notice. No further opt-out action is required. If you would like a written confirmation of this for your records, email privacy@novex.bio.

Security

Health data is encrypted at rest with per-user envelope encryption (AES-256-GCM with AAD-bound per-column ciphertext), with the master wrap-key held in AWS KMS. Transport is TLS 1.2+. Sensitive columns are isolated; access is scoped per-user and audited. Novex follows industry-standard security practices and reviews them periodically. No system is perfectly secure; if a security incident affects your data, we will notify you as required by the FTC Health Breach Notification Rule (16 CFR Part 318) and applicable state laws.

Children

This service is for adults 18 and over only. We do not knowingly collect data from anyone under 18. We do not sell or share the personal information of consumers under 16. If you believe a minor has provided us data, contact privacy@novex.bio and we will delete it promptly.

International users

Novex is currently US-only. We do not knowingly serve EU/EEA/UK users and have not configured the product for GDPR or UK-GDPR compliance. If you are located outside the US, please do not use Novex.

Changes

We may update this Policy from time to time. Material changes will be emailed to registered users at least 30 days before taking effect. We review this Policy at least annually.

Contact

Privacy concerns: privacy@novex.bio
Data deletion requests: privacy@novex.bio
General support: support@novex.bio