Security and privacy

Your wearable, lab, and cycle data is yours. Here is how we treat it.

Last updated May 19, 2026

HIPAA posture (read carefully)

Ovamira is not a HIPAA-covered entity. We are a direct-to-consumer wellness tool, not a healthcare provider, health plan, or healthcare clearinghouse. That means HIPAA does not apply to the data you give us. We still treat your data as sensitive: encryption in transit and at rest, no third-party sharing, no advertising trackers, deletion on request.

If you require HIPAA-covered data handling, do not use Ovamira for protected health information. Talk to a HIPAA-covered provider instead.

We do not train models on your health data.

When we use Anthropic's Claude API to interpret your wearable trends or lab values, the request is sent with zero-day retention. Anthropic does not use your data to train its models. We do not sell, share, or monetize your health data in any way.

Encryption

TLS 1.2+ in transit. AES-256 at rest (Postgres on Supabase, AWS RDS). Lab PDFs stored in private Supabase Storage buckets with signed URLs.

Where your data lives

Application data: Supabase (US East). API processing: Anthropic (US). Wearable token storage: Supabase. Email delivery: Resend (US). We do not currently offer EU data residency.

What we collect

Account email and password hash (Supabase Auth; passwordless magic-link sign-in and Google SSO also supported). Wearable OAuth tokens (Fitbit, Oura). Daily wearable metrics (HRV, sleep, RHR, activity). Cycle and pregnancy info if you provide it. Lab values from PDFs you upload. Symptom logs you create. Analytics: PostHog (no third-party cookies, no ad trackers).

Deletion

Account deletion is in-product (Settings > Delete account). All your data is purged within 30 days. Wearable tokens are revoked at the provider on deletion.

Compliance posture (honest read)

Ovamira is an early-access product run by a single founder. Not SOC 2 certified. Not FDA-cleared. Not HIPAA-covered. We're transparent about that because you should be making an informed call about what to share.