Privacy Policy
Last updated: March 1, 2026
What this policy covers
This policy describes how NoviMedis ("we", "us") collects, uses, and protects your information when you use our waitlist and coming-soon page at novimedis.com. It also describes features we plan to offer soon.
What we collect
When you sign in and join our waitlist, we collect:
- Email address: from your Google account (or Apple account), or one you provide directly. Used to notify you when NoviMedis Care is available.
- Your name: from your Google account. Shown in your profile, just to you, while you are signed in. Not shared or stored separately.
- ZIP code: your US ZIP code, provided directly. Helps us prioritize launch order of US states and territories.
- Timestamps: when you created your account and joined the waitlist.
We do not collect health information, browsing history, or precise location data.
Installation identifier
When you first open the app, we generate a random installation identifier — a UUID (Universally Unique Identifier), which is a long string of random letters and numbers like 550e8400-e29b-41d4-a716-446655440000. This identifier:
- Is not linked to your account — it identifies your app installation, not you as a person.
- Is stored only on your device (in your browser's local storage) and sent to our servers as a header with each request.
- Helps us verify that users are real people and prevent duplicate installations or automated abuse of our service.
- Is retained in server logs for 30 days (the default Cloud Run log retention period), then automatically deleted.
- Can be reset by clearing your browser's site data for novimedis.com, which generates a new identifier on your next visit.
Automated security checks
We use Google reCAPTCHA Enterprise to help protect our services from abuse and fraud. reCAPTCHA Enterprise may collect hardware and software information, such as device and application data, and send it to Google for analysis. This data does not include any personally identifiable information. It is used solely to verify that requests are coming from legitimate users and not automated bots. Use of reCAPTCHA is subject to Google's Privacy Policy and Terms of Service.
How we use your information
- Waitlist notification: we will email you when NoviMedis Care is available in your area.
- Rollout planning: aggregated ZIP code data helps us decide where to launch next and identify usage hotspots and population gaps.
- Account management: your email and name identify your account, primarily so you can confirm that the account you've signed into is yours.
Your name and email are:
- Not visible by default to our administrators.
- Viewable only by a very limited subset of our administrators with enhanced privileges.
- Viewable only through a specific action that is logged when it occurs.
Your privacy and security are paramount to our design and culture.
We do not sell your personal information. We share limited technical data with Google through reCAPTCHA Enterprise solely for security verification purposes, as described above. We do not share your personal health information or account details with third parties except as required by law.
If we utilize any of your information in the future, it will always be anonymized and in aggregate only. Our system architecture is designed to make it extremely difficult, even for us, to connect our users with their activity (see "How we protect your information" below).
How we protect your information
Our security architecture goes well beyond what is normal for healthcare software. We apply cryptographic separation techniques — including hardware-backed key management, one-way pseudonym derivation, and — for those who want full control — user-held encryption, similar to methods used by password managers and end-to-end encrypted communication tools.
Separation of identity and activity
Your identity and your activity on our platform are stored in separate systems, divided by a firewall:
- Your account data (name, email, ZIP code) is stored in a secure, isolated database (Google Firebase) keyed to your login credentials. Your account also has a randomly assigned pseudonym (an anonymous handle) which administrators see instead of your name. This label reveals nothing about your activity, providers, or contributions.
- Your activity — care team configurations, corrections, reviews, and tags — is stored in a separate database (Google Cloud SQL) using cryptographically generated pseudonyms that contain no personal information.
- There is no stored mapping between your identity and your activity. When you log in, your activity pseudonym is derived on the fly using Google Cloud Key Management Service (Cloud KMS), a hardware-backed service where keys are stored in dedicated security hardware and cannot be exported. Your pseudonym exists only in memory for the duration of your session.* No administrator — including us — can look up which activity pseudonym belongs to which user.
Three levels of care team privacy
We are building three levels of privacy protection for your care team (the providers you follow). You will be able to choose your level in Settings:*
- Standard — your care team is stored on our servers and synced across your devices automatically. This is the default because it lets us send you real-time updates about changes to your care team providers. Convenient, and the trade-off most of you will likely prefer.
- Private — your care team is stored under a cryptographically derived identifier generated through Cloud KMS, replacing the direct link between your account and your care team data. Even with full server access, there is no way to determine which care team belongs to which user without a targeted, audited cryptographic operation.*
- Locked — your care team is encrypted with a PIN that only you know. Your PIN never leaves your device and is never sent to our servers — the encryption happens entirely on your phone or browser before any data reaches us. We hold only the encrypted result, which we cannot decrypt. On a new device, you re-enter your PIN locally to unlock your data.*
Google Cloud services we rely on
- Cloud KMS (Key Management Service): hardware-backed key management for pseudonym derivation. Master keys are stored in dedicated security hardware and cannot be exported — even by us.
- Access Approval: even Google's own employees need our explicit approval before accessing any part of our Google Cloud Platform (GCP) infrastructure.
- Cloud Audit Logs: every cryptographic operation and identity access is logged and monitored. Unusual patterns trigger alerts. We never log personally identifiable information (PII).
- Firebase Authentication: manages your login securely. We never see or store your password — authentication is handled entirely by Google (via OAuth, the Open Authorization standard) and Apple.
- reCAPTCHA Enterprise (security verification): analyzes device and application signals to distinguish legitimate users from automated bots. No personally identifiable information is shared.
What this means in practice
If we were compelled by legal order to share data, the most we could provide is your account information (name, email, ZIP) and, only if you keep the default Level 1 (Standard) for real-time notifications, the list of providers in your care team. At Privacy Level 2 (Private), even your care team would require a targeted cryptographic operation that produces a full audit trail. At Privacy Level 3 (Locked), we could not comply by design — we do not hold the key.*
What about the encryption keys themselves?
We want to be fully transparent about the limits of our protection.
At Level 1 (Standard), the cryptographic protections described below apply to all your activity — corrections, reviews, tags, and browsing — but not your care team, which is stored on our servers for convenience and real-time notifications.
At Level 2 (Private), the same cryptographic derivation extends to your care team, meaning the link between your identity and your providers is also protected.
Our pseudonym master key was generated on an offline (air-gapped) machine and the original key material was securely destroyed after import to Cloud KMS. It is stored in Cloud KMS hardware security modules — we cannot export it, and Google cannot use it without our explicit approval (enforced by Access Approval, which requires sign-off from designated NoviMedis contacts).
However, if NoviMedis were compelled by a court order targeting a specific user and a specific provider, we could perform a targeted cryptographic operation to determine whether that user wrote a particular review. This is the realistic worst case, and here is what it involves:
- It requires a legal order served to NoviMedis (not to Google — Google cannot independently comply because they do not control our key or know how we use it).
- It requires us to build and deploy a special-purpose script with access to the Cloud KMS key. No such script exists in normal operation.
- It produces a complete audit trail — every use of the key is logged.
- It can only answer "did user X write about provider Y?" — a targeted question, not mass surveillance.
What cannot be done, even in a worst case:
- "Who wrote this review or added this tag?" — reversing a pseudonym back to an identity is computationally infeasible. The one-way cryptographic function we use (HMAC-SHA256) cannot be run in reverse.
- "Show me everything user X ever wrote" — would require repeating the derivation against every provider in our system (millions). Operationally massive, fully audited, and would require explicit legal compulsion and significant time.
- "Which users wrote about provider Y?" — would require deriving pseudonyms for every user. Same problem — computationally impractical.
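The following is an added illustration of the targeted-versus-sweep distinction described above; it is not NoviMedis code. A local key stands in for the Cloud KMS MAC key, and the message layout, the sample ids and the per-(user, provider) pseudonym are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed model of the scheme the policy describes. In production the MAC key
# lives in Cloud KMS hardware and only the MAC operation is callable; a local key
# stands in here. Message layout, ids and per-(user, provider) pseudonym are assumed.

KEY_USES = {"count": 0}  # every derivation is a key use, as Cloud Audit Logs would record

def derive_pseudonym(key: bytes, user_id: str, provider_id: str) -> str:
    # One-way: HMAC-SHA256 over a domain-separated (user, provider) message; never stored.
    KEY_USES["count"] += 1
    msg = b"novimedis-activity-v1\x00" + user_id.encode() + b"\x00" + provider_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def record_activity(db: dict, key: bytes, user_id: str, provider_id: str, text: str) -> str:
    # The activity database receives only the pseudonym, never the user id.
    pseud = derive_pseudonym(key, user_id, provider_id)
    db.setdefault(pseud, []).append({"provider": provider_id, "text": text})
    return pseud

def targeted_check(db: dict, key: bytes, user_id: str, provider_id: str) -> bool:
    # The policy's worst case, "did user X write about provider Y?": one audited derivation.
    return derive_pseudonym(key, user_id, provider_id) in db

def everything_by_user(db: dict, key: bytes, user_id: str, all_providers: list) -> list:
    # "Everything user X wrote" needs one derivation per provider in the system.
    found = []
    for provider_id in all_providers:
        found.extend(db.get(derive_pseudonym(key, user_id, provider_id), []))
    return found

def demo(key: bytes = b"\x01" * 32) -> dict:
    # Constructed sample: one identity record, three providers, one review.
    identity_db = {"user-123": {"email": "a@example.com", "admin_handle": "quiet-otter-41"}}
    activity_db: dict = {}
    providers = ["prov-A", "prov-B", "prov-C"]
    record_activity(activity_db, key, "user-123", "prov-B", "Great bedside manner.")
    targeted = targeted_check(activity_db, key, "user-123", "prov-B")
    other_user = targeted_check(activity_db, key, "user-999", "prov-B")
    before = KEY_USES["count"]
    mine = everything_by_user(activity_db, key, "user-123", providers)
    return {
        "targeted_hit": targeted,                       # True
        "other_user_hit": other_user,                   # False
        "sweep_key_uses": KEY_USES["count"] - before,   # 3, one per provider
        "sweep_found": len(mine),                       # 1
        "mapping_stored": any(p in identity_db for p in activity_db),  # False
    }
```

With millions of providers, the sweep in everything_by_user becomes millions of logged key uses, which is the operational and audit cost the policy relies on.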
At Privacy Level 3 (Locked), even the targeted operation described above is not possible. You hold the only key, and we hold only encrypted data we cannot read.*
Where your data is stored
Your data is stored in GCP infrastructure located in the United States:
- Account information is managed by Firebase Authentication.
- Waitlist data is stored in Firestore (a Google-hosted database).
Both services are operated by Google and subject to Google's security practices and certifications.
Where the rest of our data is stored
Provider records, care team data, and other non-account data are stored in Google Cloud SQL. This data is keyed to pseudonyms, not user accounts, and cannot be connected to individual users without the cryptographic derivation described above.
How long we keep your data
- Waitlist data: retained until we send you a launch notification and for 90 days after that, then deleted automatically.*
- Account data: retained as long as your account exists. When you delete your account, your data is soft-deleted immediately and held for 30 days (in case you change your mind), then permanently removed.*
Your choices
- Delete your account: you can delete your account and all associated data from the Profile screen in the app at any time. This removes your Firebase Authentication account and your waitlist record. If you've joined the friends and family or beta groups, your corrections will be retained but will be untraceable to you — they are stored under pseudonyms with no path back to your identity.*
- Change your email: you can update the email address we use to contact you from the waitlist landing page, and after that from your settings.
- Change your ZIP code: you can update your ZIP code at any time.
- Choose your privacy level: once available, you can select your care team privacy level (Standard, Private, or Locked) in Settings at any time.*
Security
We use industry-leading security measures to protect your data — applying cryptographic separation and zero-knowledge principles more commonly found in password managers than in healthcare software:
- Authentication via Google OAuth and Sign in with Apple.
- All data transmitted over HTTPS (encrypted in transit), including all connections between your browser and our servers and between our internal services.
- Pseudonym derivation via hardware-backed Cloud KMS — keys cannot be exported, even by us.
- Firestore security rules ensure you can only access your own data.
- No sensitive data is logged or stored outside of the services described above.
Children's Privacy
NoviMedis Care is not directed to or intended for use by anyone under 18 years of age. By using NoviMedis Care, you represent that you are at least 18 years old.
If you are between the ages of 13 and 18, you may use NoviMedis Care only with the consent and supervision of your parent or legal guardian. If you are a parent or legal guardian, you may use the service on behalf of your minor child. Any information you provide while using the service on behalf of your minor child will be treated as personal data as described in this policy.
We do not knowingly collect personal data from children under the age of 13. If we learn that we have collected personal data from a child under 13 without verified parental consent, we will delete that data promptly. If you believe a child under 13 may have provided us with personal data, please contact us at privacy@novimedis.com.
Changes to this policy
If we make changes to this policy, we will update the "Last updated" date at the top. For significant changes, we will notify you via the email address associated with your account.
Contact us
If you have questions about this policy or your data, contact us at:
For general support questions, visit our support page or email support@novimedis.com.
Items marked with an asterisk (*) describe planned features that are not yet in production. We include them here to be transparent about our commitments and timeline.