Privacy Policy
Last updated: June 8, 2026. This policy describes how Karova Health collects, uses, shares, and protects information.
1. Scope
This Privacy Policy applies to karovahealth.com and the Karova Health application ("Services"). It does not apply to Protected Health Information (PHI) processed on behalf of healthcare providers, which is governed by HIPAA and the Business Associate Agreement (BAA) between Karova Health and the covered entity.
2. Information we collect
- Account information you provide (name, work email, organization, role).
- Communications you send us (sales inquiries, support requests).
- Technical data automatically logged by our infrastructure (IP address, user agent, request timestamps) for security, abuse prevention, and service operation.
- Strictly necessary cookies used to keep you signed in and remember your privacy preferences. We do not use advertising or cross-site tracking cookies.
3. How we use information
- To provide, secure, and improve the Services.
- To respond to inquiries and support requests.
- To comply with legal obligations, including HIPAA.
- To detect, prevent, and respond to fraud or abuse.
4. We do not sell or share personal information
Karova Health does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA) or similar U.S. state privacy laws. You can confirm or exercise this right at any time via our Do Not Sell or Share My Personal Information page.
5. Global Privacy Control (GPC)
We honor the Global Privacy Control browser signal as a valid opt-out of sale/share under CCPA/CPRA. When your browser sends a GPC signal, we automatically record your opt-out preference and do not show the cookie banner.
6. Third-party service providers
We use a limited set of vetted service providers ("processors") who act on our instructions under written data-protection terms. Each is covered by a Business Associate Agreement where PHI may be processed.
- Cloud hosting & database: Supabase (PostgreSQL, authentication, storage) and Cloudflare (edge compute, CDN, DDoS protection).
- Email delivery: transactional email provider for account and support messages.
- Error monitoring: internal error reporting used solely to detect and fix application issues. No advertising identifiers are collected.
- AI processing: Lovable AI Gateway is used for AI-assisted features under contractual data-handling terms; inputs are not used to train third-party foundation models.
We do not embed advertising networks, social media trackers, session-replay tools, or cross-site analytics on our marketing site.
7. Data retention
We retain personal information only as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. PHI retention is governed by the applicable BAA and the provider's record-retention requirements.
8. Security
We use administrative, technical, and physical safeguards aligned with HIPAA, including encryption in transit and at rest, role-based access controls, and audit logging.
9. Your privacy rights
Depending on your jurisdiction (e.g., California, Colorado, Virginia, EU/UK), you may have rights to access, correct, delete, or port your personal information, and to opt out of sale, sharing, or targeted advertising. We do not engage in those activities, but you can still submit a request to privacy@karovahealth.com.
10. Children
The Services are not directed to children under 13, and we do not knowingly collect personal information from children.
11. Changes
We will update this policy as needed. Material changes will be posted here with a new "Last updated" date.
12. Contact
Questions? Email privacy@karovahealth.com.
