Privacy Policy
Last updated: April 23, 2026 · Effective: April 23, 2026 · Veriva LLC, Herndon, Virginia
Veriva is built on a simple principle: your health data belongs to you. We do not sell your personal information or health data to third parties, ever. We do not serve ads. This policy explains what we collect, why, and how we protect it.
1. Who We Are
Veriva LLC is a Virginia limited liability company operating the Veriva medication management platform at veriva.health and app.veriva.health. We are the data controller for personal information collected through the Service. Questions about this policy can be directed to privacy@veriva.health.
2. Information We Collect
Information you provide directly
- Account information: Email address, name (if provided), password (stored as a secure hash — we never see your actual password)
- Medication data: Medication names, dosages, schedules, pharmacy information, and Rx numbers you enter into the app
- Dose history: Records of doses taken, skipped, or missed that you log through the app
- Symptom logs: Side effects and symptoms you choose to record
- Caregiver relationships: Email addresses of caregivers you invite and their access permissions
- AI conversations: Messages you send to the Veriva AI health companion
Information collected automatically
- Usage data: Pages and features you access, timestamps of activity, and general app usage patterns
- Device information: Browser type, operating system, and device type (for compatibility purposes)
- IP address: Collected by our infrastructure providers for security and abuse prevention
Information from Epic FHIR integration (optional)
If you choose to connect your Epic MyChart account, prescription data including medication names, dosages, frequencies, and prescriber information is imported into your Veriva account. See Section 6 for details.
3. How We Use Your Information
We use your information solely to provide and improve the Veriva Service:
- Displaying your medication schedule and tracking your doses
- Sending medication reminders and missed-dose notifications (with your permission)
- Checking for drug interactions using your medication list
- Enabling caregiver access you have explicitly authorized
- Powering the AI health companion feature using your medication context
- Processing subscription payments through Stripe
- Sending transactional emails (account confirmation, password reset, subscription receipts)
- Analyzing anonymized, aggregated usage patterns to improve the Service
- Complying with legal obligations
We will never use your health data to serve you advertisements or sell it to data brokers, insurance companies, employers, or any other third parties.
4. Third-Party Service Providers
We share your data with a limited set of trusted service providers who help us operate the Service. Each provider is contractually bound to protect your data and may only use it for the purposes we specify:
| Provider | Purpose | Data shared |
| --- | --- | --- |
| Supabase | Database and authentication hosting | All app data (stored encrypted at rest) |
| Stripe, Inc. | Payment processing | Email address, payment card data (see Section 5) |
| Netlify | Web hosting and serverless functions | IP address, request logs |
| Anthropic, Inc. | AI health companion feature | Medication list and AI conversation messages (when you use AI features) |
| Resend | Transactional email delivery | Email address, email content |
We do not share your data with any other third parties without your explicit consent, except as required by law.
5. Payment Processing (Stripe)
Premium subscription payments are processed by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. When you subscribe to Veriva Premium:
- Your payment card information is entered directly into Stripe's secure payment form and transmitted directly to Stripe
- Veriva never sees, stores, or has access to your full card number, CVV, or banking credentials
- Veriva receives a Stripe customer ID and subscription status token only
- Stripe's use of your payment data is governed by Stripe's Privacy Policy
Subscription receipts are sent to your account email address. Your billing history is visible in your account settings.
6. Epic FHIR Integration
Veriva offers optional integration with Epic-connected health systems (including MyChart). This integration uses the industry-standard OAuth 2.0 and SMART on FHIR protocols:
- You authenticate directly with Epic — your Epic username and password are never transmitted to or stored by Veriva
- Veriva requests only read access to your prescription and medication data
- Imported prescription data is stored in your Veriva account and governed by this Privacy Policy
- You can disconnect your Epic integration at any time in Settings
7. AI Features
The Veriva AI health companion is powered by Anthropic's Claude API. When you use AI features:
- Your medication list and conversation messages are sent to Anthropic's API to generate responses
- Anthropic processes this data in accordance with their API data usage policies
- AI conversations may be stored in your account to provide context in future sessions
- We do not use your AI conversations to train AI models
AI responses are not medical advice. See our Terms of Service for the full medical disclaimer.
8. Caregiver Access
If you invite a caregiver to your Veriva account:
- The caregiver will be able to view the portions of your data you authorize (medication schedule, dose history, and/or refill information)
- Caregivers may receive email notifications about missed doses if you enable this setting
- You can revoke caregiver access at any time in your account settings
- Caregivers' email addresses are stored to manage the access relationship
9. Data Security
We take data security seriously and implement industry-standard measures to protect your information:
- All data is encrypted in transit using TLS 1.2 or higher
- All data is encrypted at rest in our Supabase database
- Row-level security policies ensure users can only access their own data
- Authentication is handled by Supabase Auth with secure password hashing
- Access to production systems is restricted to authorized personnel only
No security system is perfect. In the event of a data breach affecting your personal information, we will notify you by email within 72 hours of discovery, as required by applicable law.
10. Data Retention
We retain your data for as long as your account is active. If you delete your account:
- Your personal data and health information will be deleted from our active database within 30 days
- Backup copies may persist for up to 90 days before being permanently purged
- Payment records are retained for 7 years as required by financial regulations
- Anonymized, aggregated usage statistics that cannot identify you may be retained indefinitely
11. Your Rights and Controls
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate data through your account settings
- Deletion: Request deletion of your account and associated data
- Portability: Request your data in a machine-readable format
- Objection: Object to our processing of your data for certain purposes
To exercise these rights, contact us at privacy@veriva.health. We will respond within 30 days.
You can manage notification preferences, caregiver access, and Epic connections directly within the app at any time.
12. Children's Privacy
Veriva is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us at privacy@veriva.health and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email at least 14 days before the changes take effect. Your continued use of Veriva after the effective date constitutes acceptance of the updated policy.
The "Last updated" date at the top of this page reflects when the policy was last revised.
Questions, concerns, or requests regarding your privacy: