PRIVACY POLICY & HIPAA NOTICE
Your genome is the most personal data that exists. We built Inevid's entire architecture around protecting it — not as an afterthought, but as the foundation every other decision rests on.
What data we collect
Inevid collects only the health data you choose to upload and the account information needed to operate the platform:
Account data: Name, email address, hashed password
Genomic data: VCF files from sequencing providers (23andMe, Nebula, Sequencing.com, etc.)
Bloodwork: Lab result PDFs from Quest, LabCorp, Function Health, or physician portals
Supplements & Rx: Supplement names, doses, frequencies, prescriptions
Medical imaging: DICOM files, CAC scores, CIMT measurements, radiology reports
Wearable data: Oura Ring, Fitbit — sleep, HRV, activity (via authorized OAuth)
Activity logs: Training entries you manually log
Medical records: Doctor notes, specialist reports you upload
Conversations: Your chats with Eddie (our AI health companion)
We do not collect: social security numbers, financial account numbers, insurance information, or any data beyond what you explicitly provide.
How we use your data
Your data is used exclusively to provide you with personalized health intelligence. Specifically:
Eddie (our AI) analyzes your genomic variants, biomarker values, supplements, and medications to give you personalized recommendations. The threshold engine computes genotype-adjusted optimal ranges for your biomarkers. The physician letter generator creates documents for your healthcare providers.
We never use your data for advertising, marketing to third parties, or any purpose beyond delivering the Inevid platform to you.
How we protect your data
Every piece of health data is encrypted with AES-256 at rest and TLS 1.3 in transit. Each user gets a unique encryption key generated at account creation, stored in AWS Key Management Service (KMS) — not in our application database.
Genome files travel directly from your browser to encrypted AWS S3 storage via time-limited presigned URLs. The file bytes never pass through Inevid's application servers.
Encryption at rest: AES-256 via AWS KMS — one key per user
Encryption in transit: TLS 1.3 for all connections
Genome upload path: Browser → S3 direct (never touches our servers)
Key rotation: Annual per AWS best practices
Infrastructure: AWS EC2 + RDS + S3 in us-east-2, all HIPAA-eligible services
Business Associate Agreements: Executed with AWS and Anthropic
De-identified AI pipeline
When Eddie analyzes your health data, we send only extracted variant rsIDs, genotypes, biomarker names and values, and supplement/medication names to the AI model. Your full name, email address, date of birth, and all other HIPAA identifiers are stripped by our PHI sanitization layer before any external API call.
Your first name is included so Eddie can address you personally — a first name alone does not constitute a HIPAA identifier under Safe Harbor when all other 17 identifiers are removed.
Raw genome files sent to AI: Never
Email in AI prompts: Never
Full name in AI prompts: Never (first name only, Safe Harbor compliant)
Date of birth in AI prompts: Never (computed age only)
AI provider BAA: Executed with Anthropic
AI audit logging: Every API call logged with sanitized payload preview
Your rights under HIPAA
Inevid is a covered platform handling Protected Health Information, and you have the following rights under the HIPAA Privacy Rule (45 CFR §164.524-528):
View and download all your health data at any time through the platform. Request a complete export in structured format.
Request deletion of your account and all associated data. Your encryption key is destroyed within 30 days, making data permanently unrecoverable.
Export your genomic variants, biomarker history, supplement stack, and all health records in machine-readable format.
Request correction of any inaccurate health information in your profile.
Request a record of every instance your PHI was accessed, by whom, and for what purpose. Our audit log tracks all access per HIPAA §164.312(b).
Request that we limit how your data is used, including opting out of AI analysis.
You will be notified within 72 hours of any security incident and within 60 days if a breach of your PHI is confirmed, per HIPAA §164.404.
Breach notification
In the unlikely event of a data breach involving your Protected Health Information, Inevid will:
1. Notify you individually within 60 calendar days of discovering the breach, as required by HIPAA §164.404.
2. Notify the U.S. Department of Health and Human Services within the same timeframe.
3. If the breach affects 500 or more individuals, provide notice to prominent media outlets in the affected jurisdiction.
4. Include in the notification: a description of what happened, the types of information involved, steps you should take, what we are doing to investigate and mitigate, and contact information.
No data selling — ever
FOUNDING PRINCIPLE — NON-NEGOTIABLE
Inevid will never sell, license, or transfer your health data or genomic data to any third party for any commercial purpose. This commitment is written into our organizational documents and cannot be changed by any future terms of service update without your explicit individual consent — regardless of acquisition, merger, or change in control.
Cookies & tracking
Inevid uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics that identify you. We do not participate in any ad network or data broker ecosystem.
Session cookies: Required — keeps you logged in
Analytics cookies: None
Advertising cookies: None
Third-party trackers: None
Contact
For privacy questions, data access requests, HIPAA inquiries, or to exercise any of your rights:
Email: [email protected]
You will receive a substantive response within 10 business days.
Inevid Privacy Policy & HIPAA Notice of Privacy Practices · Version 2.0 · March 2026