Privacy Policy
Effective May 2, 2026
Praneya (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Praneya cardiac wellness application and related services (collectively, the “Service”). By using the Service you agree to the practices described here.
Praneya is a wellness application, not a Software as a Medical Device (SaMD). Nothing in this policy or the Service constitutes medical advice, diagnosis, or treatment. Always consult a qualified healthcare provider for medical decisions.
1. Information We Collect
Account & Profile Data
When you create an account we collect your email address, chosen display name, and authentication credentials managed by Supabase Auth. If you sign in via a third-party provider (e.g., Apple, Google) we receive only the profile fields you authorize that provider to share.
Health Profile
To power risk scoring and personalized insights we collect demographic and lifestyle information you voluntarily provide, including age, biological sex, height, weight, smoking status, family cardiac history, and any existing diagnoses you choose to enter.
Lab & Imaging Results
You may upload blood panel reports and imaging summaries (PDF, image, or structured data). We extract biomarker values from these files using automated parsing, which for lab-report photos includes the AI-assisted extraction described in Section 3, and store the structured results in your health record. Original uploaded files are stored in Supabase Storage.
Wearable & Biometric Data
With your explicit permission, Praneya connects to health platforms (e.g., Apple Health, Google Fit) to import metrics such as resting heart rate, heart rate variability, blood pressure readings, step count, sleep duration, and SpO₂. We pull only the metric types you authorize at the time of connection.
Habit & Check-in Data
You may log lightweight habit completions (e.g., movement, sleep window) and periodic wellness check-ins. These entries are stored and used to personalize your wellness insights.
Usage & Technical Data
We automatically collect standard technical information including your IP address, device type, operating system, browser type, pages visited, feature interactions, and error logs. This data is used solely for service reliability and improvement and does not contain personal health data such as biomarker values or medical history.
2. How We Use Your Information
- Risk scoring & trending: We compute validated cardiac risk scores (e.g., Framingham, ASCVD) and track biomarker trends over time using your lab results, biometrics, and health profile.
- Personalized wellness tips: Your profile, check-in entries, and wearable data inform lifestyle suggestions tailored to your patterns.
- Doctor report sharing: When you initiate a share, we generate a time-limited, token-protected report for your chosen healthcare provider.
- Lab request cards: We format your historical results into practitioner-friendly summaries at your request.
- Service operation & security: Account management, authentication, fraud prevention, abuse detection, and debugging.
- Product improvement: Aggregate, de-identified analytics to improve algorithms and user experience. We do not sell or share identifiable health data for advertising.
3. Third-Party Processing (Anthropic Claude)
What we send. When you upload a lab report photo, Praneya sends the photo to Anthropic, PBC (a US-based AI service) so it can read the numeric values printed on the report.
What we do not send separately. Praneya does not transmit your name, date of birth, biological sex, or any other profile field alongside the photo. The prompt to Anthropic instructs the model to extract lab values only. The photo itself may, however, show information printed on the lab report (such as your name as it appears on the report header).
Anthropic’s use of the data. Anthropic processes the photo under their Privacy Policy. Anthropic does not use API-submitted data to train its models under their standard API terms.
Your control. Before the first lab-photo upload, Praneya asks for your explicit agreement in-app. You can revisit and revoke this consent any time under Settings → AI Privacy. If you revoke, the next upload will ask again before any photo leaves your device. Manual entry of lab values does not involve Anthropic and is not gated by this consent.
4. Storage & Security
- Data residency: Your structured health data and uploaded files are hosted in the European Union (Frankfurt, eu-central-1) on infrastructure operated by Supabase. We chose EU-region hosting so that the data of users in the United Kingdom and European Economic Area stays, by default, under the jurisdiction of their local data-protection law. Data of users elsewhere in the world is processed under the same EU-grade safeguards. Lab-report photos you consent to AI extraction for are additionally sent to Anthropic, a US-based service, as described in Section 3. Standard Contractual Clauses are in place with our sub-processors where applicable.
- Database: All structured health data is stored in Supabase PostgreSQL, which encrypts data at rest using AES-256.
- File storage: Uploaded documents and images are stored in Supabase Storage with server-side encryption.
- Transit encryption: All data in transit is protected by TLS 1.2+ with HSTS enforced.
- Row-Level Security (RLS): Database access is governed by Supabase RLS policies so that each user can only read and write their own data at the database layer, not just the application layer.
- Session caching: Short-lived session data (e.g., rate-limit counters) is stored in Upstash Redis with TTL-based expiration. No personal health data is stored in Redis.
- No personal health data in logs: Our logging pipelines are configured to exclude identifiable health values. Error logs contain only anonymized identifiers and stack traces.
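One way the per-user isolation described under Row-Level Security can be expressed in PostgreSQL. This is an added illustration, not Praneya's own schema or policies: the lab_results table and its columns are assumptions, and only the Supabase-provided auth.uid() function (which returns the subject claim of the caller's JWT) is real. Two caveats a practitioner should keep in mind: RLS is deny-by-default only once it is enabled on the table, and roles with the BYPASSRLS attribute, such as Supabase's service_role key, are not subject to these policies at all, so that key must never reach a client.

```sql
-- Added example: illustrative Supabase RLS policies for a per-user health table.
-- The table and column names are assumptions; they are not Praneya's schema.
create table if not exists public.lab_results (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null references auth.users (id) on delete cascade,
  marker      text not null,          -- e.g. 'LDL-C'
  value       numeric not null,
  unit        text not null,          -- e.g. 'mg/dL'
  measured_at date not null,
  created_at  timestamptz not null default now()
);

-- Without this line every authenticated client could read every row via the API.
alter table public.lab_results enable row level security;
-- Apply the policies to the table owner too. Roles with BYPASSRLS
-- (Supabase's service_role) still bypass them, so keep that key server-side only.
alter table public.lab_results force row level security;

-- Deny-by-default: a row is visible or writable only if its user_id equals the
-- subject of the caller's JWT. Wrapping auth.uid() in a sub-select lets the
-- planner evaluate it once per statement instead of once per row.
create policy "users read own lab results"
  on public.lab_results for select
  to authenticated
  using ((select auth.uid()) = user_id);

create policy "users insert own lab results"
  on public.lab_results for insert
  to authenticated
  with check ((select auth.uid()) = user_id);

create policy "users update own lab results"
  on public.lab_results for update
  to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);   -- cannot reassign a row to another user

create policy "users delete own lab results"
  on public.lab_results for delete
  to authenticated
  using ((select auth.uid()) = user_id);

-- Anonymous callers get no policy and no privileges, so they see nothing.
revoke all on public.lab_results from anon;

-- Check: impersonate a user the way PostgREST does (role + JWT claims) and
-- confirm that no row belonging to anyone else is visible. The user id is a
-- constructed value for the test; expected count is 0.
begin;
  set local role authenticated;
  select set_config(
    'request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
    true);
  select count(*) as rows_leaked
    from public.lab_results
   where user_id <> '11111111-1111-1111-1111-111111111111'::uuid;
rollback;
```

The same pattern applies to every table that carries a user_id (profile, wearable metrics, check-ins), and a storage bucket needs its own policies on storage.objects because database RLS does not cover uploaded files.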
Despite these measures, no internet-based service is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@praneya.com.
5. Data Sharing & Disclosure
We do not sell your personal health data. We share data only in the following circumstances:
- At your explicit direction: Doctor sharing via a time-limited, revocable token or lab request cards generated and shared by you.
- Service providers (sub-processors): Supabase (database, auth, storage), Anthropic (language model inference on lab-report photos, with your consent), RevenueCat (app-store subscription management), Stripe (web subscription payments), and Upstash (rate limiting and session caching). Each receives only the minimum data required for its function. See Section 8 for details.
- Legal obligations: If required by law, court order, or to protect the rights, property, or safety of Praneya, our users, or the public.
- Business transfer: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a materially different privacy policy.
6. Your Rights & Choices
You have the following rights with respect to your personal data. These rights are available to all users; users in the European Economic Area, United Kingdom, Switzerland, California (under CCPA / CPRA), and other comparable jurisdictions have statutory enforcement avenues described below.
- Access (GDPR Art. 15 / UK-GDPR equivalent): Request a copy of the personal data we hold about you.
- Export & portability (GDPR Art. 20): Receive your data in a structured, commonly used, machine-readable format. The mobile and web apps both offer self-serve export under Settings → Account → Export my data; you will receive a download link by email once the export is ready.
- Rectification (GDPR Art. 16): Update inaccurate or incomplete data directly in the app or by contacting us.
- Erasure / “right to be forgotten” (GDPR Art. 17): Request deletion of your account and all associated personal data. The mobile and web apps both offer self-serve account deletion under Settings → Account → Delete account. See Section 7 for retention timelines.
- Restriction & objection (GDPR Art. 18, 21): In certain circumstances, request that we restrict processing or object to specific uses.
- Withdraw consent (GDPR Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- Lodge a complaint: EEA / UK users may complain to their local supervisory authority. Praneya operates from New Zealand under Cirakas Healthcare Ltd; users may also contact the New Zealand Office of the Privacy Commissioner.
To exercise any of these rights, contact us at privacy@praneya.com. We will respond within 30 days (extendable by an additional 60 days for complex requests, with notice). We may need to verify your identity before fulfilling a request.
Data Processing Agreement (DPA): If you process personal data on behalf of others (e.g., a clinic offering Praneya to staff or patients), we provide a DPA on request. Email privacy@praneya.com with the subject “DPA request” and your organization details.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. When you request account deletion:
- Your account is deactivated immediately and your data is no longer accessible through the Service.
- All personally identifiable health data is permanently deleted from our production systems within 30 days of a verified deletion request.
- Encrypted backups may retain data for up to an additional 90 days before they are rotated out, after which deletion is complete across all systems.
- Aggregate, de-identified analytics derived from your data are not deleted as they cannot be re-associated with you.
8. Third-Party Services
Supabase
Provides our PostgreSQL database, authentication, and file storage. Supabase receives all structured health data and uploaded files. Praneya’s Supabase project is hosted in the European Union (Frankfurt, eu-central-1) on infrastructure compliant with SOC 2 Type II. Supabase is GDPR-aligned and offers a Data Processing Addendum to its customers. Supabase Privacy Policy.
Anthropic
Provides the Claude API for reading lab-report photos. Anthropic receives the photo you upload so the model can extract numeric values; Praneya does not transmit your name, date of birth, or other profile fields alongside the photo. Anthropic does not use API-submitted data to train its models under standard API terms. See Section 3 for the in-app consent surface and your control over revoking it. Anthropic Privacy Policy.
RevenueCat
Manages subscription state and purchase verification. RevenueCat receives your app user identifier, subscription product identifiers, and purchase receipts from the App Store or Google Play. RevenueCat does not receive your health data. RevenueCat Privacy Policy.
Stripe
Processes web subscription payments and manages billing. Stripe receives your email address and payment information when you subscribe through the Praneya website. Stripe does not receive your health data. Stripe Privacy Policy.
Upstash Redis
Provides serverless Redis for rate limiting and short-lived session caching. Upstash receives only anonymous session tokens and counter values. No health data or personally identifiable information is stored in Redis. Upstash Privacy Policy.
9. Children’s Privacy
Praneya is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected data from a minor, we will delete it promptly. If you believe a minor has provided data to us, contact privacy@praneya.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via in-app notification or email at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy. We encourage you to review this page periodically.
11. Contact Us
For privacy-related questions, requests, or concerns, please contact our Privacy Team:
Email: privacy@praneya.com
Subject line: Privacy Request, [your request type]
We aim to respond to all inquiries within 30 calendar days. If you are located in the European Economic Area and believe we have not addressed your concern, you have the right to lodge a complaint with your local data protection authority.