Your family's health history is some of the most sensitive information you have. We protect it with the kind of controls used in healthcare settings, applied to a deliberately small, simple footprint, so there is less to expose in the first place. Here is exactly how, in plain language.
All data is encrypted in transit using TLS and at rest. Your family health information is protected whether it is moving between your device and our servers or sitting in our database.
Your identifying details, your name and email, are segregated from your health information at the database level, not just in the app. Row-level security in our database means no user can reach another user's health data, and family data is visible only through workspace permissions you explicitly grant. The separation is enforced by the infrastructure itself.
Internal access is role-based, logged, and reviewed, so only authorized systems and people can reach sensitive data. A small team with documented permissions is harder to compromise than a large one with implicit access. Access and consent events are recorded in an audit log.
Consent at signup is explicit and unbundled, with no pre-checked boxes, and every consent event is written to an immutable consent log that records what you agreed to and when. If we make a material change to our legal terms, you are asked to consent again before continuing. You can withdraw consent or delete your data at any time.
Third-party services that touch your data are held to the same standards we hold ourselves to, under data processing agreements that limit them to the specific function they perform. We evaluate vendors before integration and review their practices annually. No vendor is permitted to use your data for its own commercial purposes.
Our breach response procedures align with the FTC Health Breach Notification Rule. In the unlikely event of a data breach, we will notify affected users promptly and transparently, and we will tell you what happened, what we are doing, and what you can do.
We collect only the information necessary to provide the service. We retain identifiable data only as long as needed, and you can request deletion of your data at any time. The strongest privacy protection is not collecting what you don't need.
A privacy policy lists what is permitted. These are the commitments we hold ourselves to no matter what, the lines we will not cross with your family's health data.
Kinvera is not a HIPAA-covered entity, since it is not a doctor's office, hospital, or insurer. We are honest about that. But we apply protections to your health data that meet or exceed those standards, and we hold ourselves to the strictest applicable privacy rule across all users, regardless of state. Where state laws conflict, we adopt the more protective one. The frameworks we align with:
Have questions about our security practices? We're happy to discuss them.
Kinvera Health LLC
Email: hello@kinverahealth.com