Privacy Policy

Your privacy is our priority. This policy outlines how we handle your personal and health information.

Effective Date: February 6, 2026

WE NEVER SELL YOUR HEALTH DATA. YOUR PERSONAL AND HEALTH INFORMATION IS NOT FOR SALE — NOT NOW, NOT EVER.

This Privacy Policy describes how Veevo Health, a service of Veevo Technologies, Inc. ("Veevo," "we," "us," or "our"), collects, uses, discloses, and protects your personal information and health data when you use our website, mobile applications, and services (collectively, the "Service"). This policy applies to users in the United States, the European Economic Area (EEA), the United Kingdom (UK), and all other jurisdictions in which we operate. Please also review our Terms of Use and Disclosures.

1. Information we collect

We collect the following categories of information to provide and improve our Service:

a. Account and profile information

Name, email address, date of birth, and login credentials
Profile details you provide (e.g., gender, height)

b. Health and wellness data

Blood test results: Lab reports and biomarker data you upload or that we receive from laboratory partners when you order tests through the Service (e.g., cholesterol panels, blood glucose, Lp(a), ApoB)
Self-reported health data: Weight, blood pressure readings, and other health metrics you manually log
Wearable and connected device data: Information synced from Apple Health, Google Health Connect, and other compatible wearable devices (e.g., heart rate, steps, activity data, sleep data)
AI chat interactions: Questions you ask Viva (our AI health assistant), including any photos, documents, previous lab results, or other files you upload during conversations

c. Technical and usage data

Device information (device type, operating system, browser type)
Log data (IP address, access times, pages viewed, app interactions)
Cookies and similar tracking technologies (see Section 11 below)

2. How we use your information

We apply a data minimization principle — we only collect and use the information reasonably necessary for each purpose:

Provide personalized wellness insights: Analyze your blood test results, logged health data, and wearable data to deliver personalized heart health insights and educational content
Facilitate lab test ordering: When you order blood tests through the Service, we coordinate with our laboratory partners to facilitate your order and receive your results
Power Viva, our AI assistant: Process your questions, uploaded files, and health context to provide relevant, personalized responses
Operate and improve the Service: Maintain, troubleshoot, and enhance the functionality, performance, and security of our platform
Communicate with you: Send service-related notifications, respond to your inquiries, and provide customer support
Research and development: Use de-identified and aggregated data to advance cardiovascular science and improve our AI models (see Section 4)
Legal compliance: Fulfill our legal obligations, resolve disputes, and enforce our agreements

3. We do not sell or share your data

We do not sell, rent, or trade your personal information or health data to third parties for monetary or other valuable consideration. We also do not "share" your personal information for cross-context behavioral advertising as defined by the California Privacy Rights Act (CPRA). This applies to all categories of data we collect, including your blood test results, health metrics, wearable data, and AI chat interactions. This commitment applies under all applicable laws, including the CCPA/CPRA and the EU General Data Protection Regulation (GDPR).

4. Research and de-identified data

We may use de-identified and aggregated data — data that can no longer be linked back to you — for research purposes, including improving our AI models and advancing cardiovascular health science. We de-identify data using methods consistent with the HIPAA Safe Harbor standard and CCPA requirements, including removing direct identifiers and implementing technical and organizational safeguards to prevent re-identification. De-identified data is not considered personal information and is not subject to the restrictions of this policy.

If we use identifiable health data for research, we will obtain your explicit consent or ensure adequate protections are in place as required by applicable law.

5. How we share your information

We only share your information in the following limited circumstances:

Laboratory partners: When you order blood tests through the Service, we share necessary information with our HIPAA-covered laboratory partners (such as LabCorp and Quest Diagnostics) to facilitate your order. These laboratories are HIPAA-covered entities and handle your data in accordance with their own privacy practices and applicable law.
AI service providers: To power Viva, our AI health assistant, we send your messages, health data (such as blood test results and health metrics), and any photos or files you share in conversations to third-party AI services provided by Anthropic, OpenAI, and Google. These providers process your data solely to generate responses on our behalf and are contractually prohibited from using your data for their own purposes, including training their AI models.
Service providers: We share data with other third-party vendors who help us operate the Service (e.g., cloud hosting, analytics, customer support). These providers are contractually bound to use your data only as directed by us and to maintain appropriate security measures.
With your consent: We may share your information when you explicitly direct us to do so (e.g., if you choose to share insights with your healthcare provider).
Legal requirements: We may disclose your information when required by law, regulation, legal process, or governmental request.
Safety and security: We may disclose information to protect the rights, safety, or property of Veevo, our users, or the public, including to prevent fraud or address security vulnerabilities.
Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.

6. Health data security practices

Veevo Health is a consumer wellness platform. We are not a healthcare provider, health plan, or healthcare clearinghouse, and we are generally not a HIPAA-covered entity. However, because we handle sensitive health information, we voluntarily adopt security and privacy practices that meet or exceed HIPAA-equivalent standards as a matter of best practice:

We maintain administrative, physical, and technical safeguards consistent with the HIPAA Security Rule to protect your health data.
Service providers who access your health data are bound by written agreements requiring them to maintain appropriate security measures.
When we partner with HIPAA-covered laboratory providers to facilitate blood test orders, we enter into appropriate agreements (including Business Associate Agreements where required) to protect your data throughout the process.
We apply the HIPAA minimum necessary standard as a guiding principle, limiting access to your health data to what is reasonably needed for each purpose.

7. Your rights under U.S. law

a. General data access rights

Regardless of your state of residence, you have the right to:

Access and obtain a copy of the health data we hold about you
Request correction of inaccurate health data
Request deletion of your account and associated data (see Section 12)
Download your data in a portable format

b. California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act and the California Privacy Rights Act provide you with additional rights. Below are the required statutory disclosures and your rights.

Categories of personal information we collect

Identifiers: Name, email address, IP address, account ID. Source: You provide directly or automatically via device. Purpose: Account creation, communication, security. Disclosed to: Service providers (cloud hosting, support).
Personal information under Cal. Civ. Code 1798.80: Name, address. Source: You provide directly. Purpose: Account management. Disclosed to: Service providers.
Commercial information: Subscription and purchase history. Source: Transaction records. Purpose: Billing, service delivery. Disclosed to: Payment processors.
Internet/electronic activity: Log data, device info, pages viewed, app interactions. Source: Automatically collected. Purpose: Service operation, analytics, security. Disclosed to: Analytics providers.
Sensitive personal information (health data): Blood test results, weight, blood pressure, wearable data, AI chat content including uploaded photos/documents. Source: You provide directly, connected devices, laboratory partners. Purpose: Provide personalized wellness insights, power Viva AI assistant. Disclosed to: Laboratory partners (for test ordering), service providers (cloud hosting). Retention: Duration of active account plus 90 days after deletion; limited records retained as required by law.

Sale and sharing: We do not sell any category of personal information. We do not "share" any category of personal information for cross-context behavioral advertising as defined by CPRA Section 1798.140(ah).

Your CCPA/CPRA rights

Right to know: You may request the categories and specific pieces of personal information we have collected about you.
Right to delete: You may request deletion of your personal information, subject to certain exceptions.
Right to correct: You may request correction of inaccurate personal information.
Right to opt out of sale/sharing: We do not sell or share your personal information. There is nothing to opt out of.
Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
Right to limit use of sensitive personal information: You may request that we limit use of your sensitive personal information (including health data) to what is necessary to provide the Service.

To exercise these rights, contact us at privacy@veevo.health. We will verify your identity before processing your request and respond within 45 days.

8. State consumer health data laws

Several U.S. states have enacted laws specifically governing consumer health data collected outside of HIPAA-covered relationships. Because Veevo collects health data such as blood test results, blood pressure, weight, and other health metrics, we comply with these laws where applicable.

a. Washington My Health My Data Act

If you are a Washington state resident, the My Health My Data Act provides you with the following rights regarding your consumer health data:

Consent: We collect your consumer health data only with your affirmative consent, which you provide when you create your account, upload health data, or connect wearable devices.
Right to access: You may request access to the consumer health data we have collected about you.
Right to delete: You may request deletion of your consumer health data.
Right to withdraw consent: You may withdraw your consent to the collection and sharing of your consumer health data at any time.
No sale: We do not sell your consumer health data without your authorization.
No geofencing: We do not use geofencing technology around healthcare facilities to collect or infer health data.

b. Other state health data laws

We also comply with consumer health data protections under the laws of Connecticut, Nevada, and other states that have enacted similar consumer health privacy legislation. If you are a resident of a state with consumer health data protections, you generally have the right to access, delete, and withdraw consent for the collection of your health data. Contact us at privacy@veevo.health to exercise these rights.

9. Your rights under EU/UK law (GDPR)

a. Data controller

For the purposes of the General Data Protection Regulation (GDPR) and the UK GDPR, the data controller is:

Veevo Technologies, Inc.
2261 Market Street #4000, San Francisco, CA 94114, USA
Data protection contact: privacy@veevo.health

b. EU/UK representative

As required by GDPR Article 27 and UK GDPR Article 27, we have designated a representative in the European Union and the United Kingdom for data protection matters. You may contact our EU/UK representative at privacy@veevo.health. Details of our appointed representative will be published on this page once the appointment is finalized.

c. Legal bases for processing

We process your personal data on the following legal bases:

Consent (Article 6(1)(a) and Article 9(2)(a)): We process your health data (a special category under GDPR) based on your explicit consent, which you provide when you create an account and use the Service. You may withdraw consent at any time.
Contract performance (Article 6(1)(b)): We process data necessary to provide the Service you have requested.
Legitimate interests (Article 6(1)(f)): We process data for our legitimate interests, such as improving the Service and ensuring security, where those interests are not overridden by your rights.
Legal obligation (Article 6(1)(c)): We process data where required by applicable law.

d. Your GDPR rights

Under the GDPR, you have the right to:

Access: Obtain a copy of the personal data we hold about you
Rectification: Correct inaccurate or incomplete personal data
Erasure ("right to be forgotten"): Request deletion of your personal data in certain circumstances
Restriction: Request that we limit processing of your personal data
Data portability: Receive your personal data in a structured, commonly used, machine-readable format and transfer it to another controller
Object: Object to processing based on legitimate interests or for direct marketing
Withdraw consent: Withdraw your consent at any time, without affecting the lawfulness of processing performed before withdrawal
Lodge a complaint: File a complaint with your local data protection supervisory authority

e. Automated decision-making and profiling

Veevo Health uses automated processing to generate personalized wellness insights, health scores, and AI-powered responses through Viva. This processing analyzes your health data (blood test results, logged metrics, wearable data) using algorithms and AI models to produce educational insights tailored to you.

These automated outputs are for educational and informational purposes only and do not produce legal effects or similarly significant effects on you. They are not used to make decisions about your access to services, pricing, or any other consequential outcomes. Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. If you have concerns about our automated processing, please contact us at privacy@veevo.health.

For more details on how our AI and algorithms work, see our Disclosures page.

To exercise your GDPR rights, contact us at privacy@veevo.health. We will respond within 30 days.

10. International data transfers

Veevo Health is based in the United States. If you are accessing the Service from outside the United States, your data will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate.

For transfers of personal data from the EEA or UK to countries that have not received an adequacy decision from the European Commission, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, to ensure your data receives an adequate level of protection.

11. Cookies and tracking technologies

We use cookies and similar technologies to operate our Service, analyze usage, and improve your experience. The types of cookies we use include:

Essential cookies: Required for the Service to function (e.g., authentication, security). These are first-party session cookies that expire when you close your browser or after a set period.
Analytics cookies: Help us understand how users interact with the Service so we can improve it. These may be first-party or third-party cookies with varying durations.

We do not use advertising or behavioral tracking cookies. EEA and UK users will be presented with a cookie consent mechanism that provides granular choices per cookie category, with equal prominence given to "accept" and "reject" options. You may change your cookie preferences at any time through the consent mechanism or your browser settings.

Do Not Track signals: Our Service does not currently respond to Do Not Track (DNT) browser signals. However, we do not engage in cross-site tracking or behavioral advertising.

12. Data retention and deletion

We retain your personal information and health data for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Below are retention periods by category:

Account and profile information: Duration of active account plus 90 days after deletion
Health and wellness data: Duration of active account plus 90 days after deletion
AI chat interactions: Duration of active account plus 90 days after deletion
Technical and usage data: Up to 24 months from collection
Billing and transaction records: As required by tax and financial regulations (typically 7 years)

You can delete your account and associated data from within the app. See our Delete Account page for step-by-step instructions, including immediate deletion or a 30-day deletion request that can be canceled during the grace period. If you cannot access the app, you can also request deletion by contacting us through our Contact page.

Following account deletion, we will delete or de-identify your data within 90 days, except where retention is required by law (e.g., for tax, legal, or regulatory compliance), necessary to resolve disputes, or required for audit trails.

De-identified and aggregated data used for research may be retained indefinitely, as it cannot be linked back to you.

13. Data security

We implement industry-standard administrative, technical, and physical safeguards to protect your information, including:

Encryption of data in transit and at rest
Access controls limiting data access to authorized personnel
Regular security assessments and monitoring
Secure infrastructure hosted by reputable cloud providers

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. If you become aware of any unauthorized access to your account, please contact us immediately.

14. Data breach notification

In the event of a data breach affecting your personal information, we will notify you and applicable regulatory authorities as required by law. This includes notification within the timeframes mandated by GDPR (72 hours to supervisory authorities where feasible), applicable U.S. state breach notification laws, and other relevant regulations. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

15. Children's privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@veevo.health.

16. Third-party services and integrations

Our Service integrates with third-party platforms such as Apple Health, Google Health Connect, and laboratory partners (e.g., LabCorp, Quest Diagnostics). When you connect these services or order tests, we receive data according to the permissions you grant or as needed to fulfill your order.

We also use third-party AI services (currently Anthropic, OpenAI, and Google) to power Viva, our AI health assistant. When you interact with Viva, your messages and relevant health context are sent to these providers to generate responses. See Section 5 for details on how this data is shared and protected.

We do not control the privacy practices of these third-party services and encourage you to review their respective privacy policies.

Our website or Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites.

17. Changes to this privacy policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website with a revised effective date and, if appropriate, by sending you an email notification. We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

18. Contact us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint, please contact us:

Email: privacy@veevo.health
Mail: Veevo Technologies, Inc., Attn: Privacy Officer, 2261 Market Street #4000, San Francisco, CA 94114

You may also reach us through our Contact page.

19. Complaints

If you believe your privacy rights have been violated, you may file a complaint with:

United States: Our Privacy Officer at privacy@veevo.health, or the Federal Trade Commission (FTC) at reportfraud.ftc.gov
California: The California Attorney General
Washington: The Washington State Attorney General
EEA/UK: Your local data protection supervisory authority

We will not retaliate against you for filing a complaint.