Revora Privacy Notice

Version: v1.0.1 (alpha-cohort) Effective date: [TBD — slots in at alpha cohort onboarding] Last updated: 2026-05-29 Status: DRAFT — Cowork-authored (CLO + brand-guardian roles); Chris review pending; specialist healthcare-marketing counsel review per ADR-0024 §24.6 CLO Queue Item 3 routing pre-public-launch. Amends v1.0 (2026-05-06 + 2026-05-13 amendments) — see §26 changelog for amendment provenance.

Privacy summary

This is a non-operative summary. The full Privacy Notice begins below and governs how we handle your information. We've put this summary at the top so you can understand the gist before you read the details.

Revora is a wellness service. You upload your bloodwork, we generate a supplement and lifestyle protocol from it, and we help you stay on it through cycles you re-test against your own markers. The Privacy Notice describes how we handle the information you give us and the information we generate about you.

A few things we want you to know up front:

• Your bloodwork data is yours. You can see it, export it (PDF, CSV, and structured FHIR JSON), and ask us to delete it at any time.
• We do not sell your data, and we do not share your data with employers, insurance companies, public databases, or third-party advertisers. We share data only with sub-processors that operate the service on our behalf, listed transparently in §10.
• We're a wellness service, not a healthcare provider. Revora is not a Covered Entity under HIPAA. Your information is not an electronic health record. We treat your data as wellness information governed by this notice.
• Our protocol engine is deterministic; AI supports narrow tasks such as reading uploaded bloodwork, interpreting free-text medication and supplement entries, and writing explanatory prose. Our AI providers (Anthropic, Microsoft Azure OpenAI, and Google Vertex AI) operate under contracts that prohibit retaining your data beyond the API call window and prohibit using your data to train their AI models.
• You have rights under your local privacy law. US members in any state have at minimum the rights described in §15. Members in Washington, Nevada, and Connecticut have additional rights under their state's consumer health data law, described in our Consumer Health Data Privacy Notice. UK members have rights under the UK GDPR + Data Protection Act 2018, described in §23.
• You can reach us at privacy@revora.app for any privacy question, request, or complaint.

The full notice follows.

1. Who we are and what this notice covers

This Privacy Notice describes how Revora, Inc. ("Revora," "we," "us," or "our") collects, uses, shares, and protects personal information about you when you use the Revora service (the "Service"). Revora, Inc. is a Delaware C-Corporation incorporated April 14, 2026, with its principal place of business in New York.

This notice covers personal information we collect through the Revora mobile application, the Revora website, our communications with you (email, push notifications, member support), and any features or content offered by Revora in connection with the Service.

This notice does not cover the practices of companies or services we do not own or control, including third parties whose websites or services may link to or from the Revora Service. Those third parties have their own privacy notices, which you should review before sharing information with them.

This notice does not cover information we receive from or process on behalf of enterprise customers (for example, employer-sponsored wellness programs). Revora does not have enterprise customers at v1.0; if that changes, this notice will be updated to address how enterprise-routed information is handled.

2. Our privacy principles

These three principles describe how we approach your privacy. They are not the operative legal commitments — those are described throughout the rest of the notice — but they're how we think about the work.

Your bloodwork data is yours. You decide how it's used. We make it easy to see, export, and delete your information at any time. We tell you who else sees it and why.

We don't sell your data, and we don't share it with employers, insurance companies, third-party advertisers, or public databases. We share data with sub-processors only as needed to operate the service. Every sub-processor is listed by name in §10, with the data they receive and where they process it.

We collect what's needed to deliver the service. We retain your data while you have an account or until you ask us to delete it. We minimize what we send to AI providers and sub-processors so that your sensitive information doesn't cross system boundaries unnecessarily.

3. Information we collect

We collect the following categories of personal information about you:

Account information. When you create a Revora account, we collect your name, email address, date of birth (used to confirm you are 18 or older), country of residence (US or UK at v1.0 per §17), state or region (for US members, used to apply state-specific privacy laws per §24), and account credentials (password, or authentication tokens if you sign in via Google or Apple).

Bloodwork and biomarker data. When you upload bloodwork, we collect the lab readings contained in the report: biomarker names, values, units of measurement, and reference ranges; the lab provider's name; the date the test was performed; and (where included in your lab report) information that identifies the report as belonging to you (typically your name and date of birth, which we use to confirm the report belongs to your account). We retain the original PDF or image of your lab report alongside the parsed structured data.

Protocol and adherence data. We generate a personalized supplement and lifestyle protocol based on your bloodwork and other information you give us. The protocol includes specific supplements with doses, timing, and rationale; lifestyle recommendations; and a re-test cadence for the markers being targeted. We log when you mark a recommendation as taken or skipped, when you start or end a cycle, and how each cycle's markers move at re-test.

Member context. During onboarding and as you use the service, you may give us information about your goals (for example, energy, longevity, body composition), your training (sport, intensity, frequency), your current medications and supplements, your medical history (where relevant to protocol generation — for example, "I have Hashimoto's, my doctor monitors my TSH"), your fluency level with protocol practice (new to it, has tried before, or tracks closely), and other lifestyle context (sleep, stress, alcohol). We use this information to tailor recommendations, calibrate how we present your protocol, time your reminders, and warn you when a generic recommendation might not be appropriate for your situation.

Allergies, medical conditions, and family medical history. During onboarding intake, we collect three safety-screening inputs: (a) any allergies you report (for example, "no known allergies" or specific allergens), (b) any medical conditions you confirm (for example, "thyroid disease"), and (c) family medical history if you choose to share it (for example, "parent: heart disease"). Family medical history is captured with explicit semantics — known (you confirmed a specific category), no known (you confirmed no known listed family history), and absence (you skipped the question or do not know). We treat absence as data unavailable; we never treat absence as a confirmed negative. We use these inputs to screen for safety considerations before any recommendation reaches you (for example, withholding a supplement contraindicated by a reported allergy or condition) and to contextualize your protocol. Family medical history is treated as informational safety-screening context, not as a diagnosis or treatment target.

Wearable and integration data (post-MVP). If you choose to connect a third-party device or service (for example, Apple Health, Garmin, Oura) to your Revora account, we may collect the data that integration provides — typically heart rate variability, resting heart rate, sleep stages, and activity. We do not import wearable data at v1.0; this category is reserved for future capability.

Communications data. When you contact our support team or respond to a survey or feedback request, we keep a record of the conversation and the information you provide.

Inferred and derived data. We generate inferences from your bloodwork and member context — for example, a derived "responder profile" for a particular protocol class, or a derived "expected response window" for a marker change. This derived data is part of your record and is exportable along with the source data.

Automatically-collected device and usage data. When you use the Revora app or website, we automatically collect technical information about your device (operating system, app version, device model, IP address, language settings), and information about how you interact with the Service (pages or screens viewed, features used, navigation paths, error reports, crash logs).

Device identifiers for push notification delivery. When you enable push notifications, your device provides an opaque Apple Push Notification service (APNs) token that we use to route notifications to your device. This token does not identify you outside the APNs routing infrastructure and is replaced periodically by your device. The token is stored in Revora's database to route messages addressed to your account.

We do not collect genetic data at v1.0. We do not collect biometric data (facial recognition, fingerprint, voiceprint) at v1.0. We do not collect precise geolocation data at v1.0. If we add any of these data categories in the future, we'll update this notice and seek explicit consent where required.

4. How we collect information

We collect information about you in three ways:

Directly from you. When you create an account, complete onboarding, upload bloodwork, log a meal or supplement, contact support, or respond to a feedback request, you give us information directly. This is how we collect most of your personal information.

From third-party services you choose to link. If you sign in to Revora using Google Sign-In or Apple Sign-In, those providers share a limited authentication profile with us (your email, name, profile photo, and a unique sub-identifier). If you connect a wearable or integration to your Revora account in the future, that integration will share the data it provides. We never see your password or login credentials for the third-party service.

Automatically through your interactions with the Service. Standard web and mobile-app technologies (cookies, local storage, error-reporting SDKs) capture device and usage information as described in §3 and §5.

We may also create new information by inferring or generating it from data you've provided — for example, deriving a "responder profile" or generating a protocol recommendation. This derived information is part of your record.

We do not buy bloodwork or biomarker data about you from third-party data providers. We do not enrich your account with marketing data from data brokers.

5. Cookies and similar technologies

The Revora app uses minimal tracking technologies. We do not use third-party advertising cookies. We do not participate in interest-based advertising networks.

The technologies we do use:

Strictly necessary cookies and local storage — used for session management, authentication, and remembering your preferences (for example, dark mode). Disabling these will break the Service.

Product analytics and error tracking (PostHog). We use PostHog for two combined purposes: to understand how members use the app (which features are used, where members get stuck) and to capture app crash and error diagnostics so we can fix bugs. PostHog receives a small, fixed list of event names (for example, "member opened cycle review screen" or "bloodwork upload completed") tied to a hashed account identifier, along with error contexts (stack trace, browser/device metadata, app version) for app crashes. PostHog does not receive your bloodwork data, biomarker values, medication names, protocol details, or other clinical content — both event payloads and error contexts pass through a redaction layer that strips clinical-territory keys (lab markers, medications, supplements, free-text fields) and clinical-territory value patterns (biomarker units, medication names, email addresses, dates of birth) before transmission. PostHog operates from US-region infrastructure (https://us.i.posthog.com), session replay is off, broad autocapture is off, and only the explicit event list we register is sent. You can opt out of analytics in your account settings.

Global Privacy Control. Where you have configured your browser or mobile device to send a Global Privacy Control (GPC) signal, we honor that signal as an opt-out of any "sale" or "sharing" of personal information for cross-context behavioral advertising under applicable US state law. We do not currently honor "Do Not Track" signals, which are a separate and largely deprecated mechanism.

We do not use marketing cookies, advertising IDs for cross-site tracking, or third-party trackers that retarget you on other websites. If we add any cookie-based feature in the future that goes beyond strictly necessary, we'll seek your consent first where required by law (UK / EEA) and provide an opt-out mechanism.

6. How we use your information

We use your information for the following purposes:

Service delivery. We use your bloodwork, biomarker data, member context, allergies / medical conditions / family medical history, and protocol/adherence data to generate your personalized supplement and lifestyle protocol; to screen each recommendation for safety considerations (allergies, contraindications, member-reported conditions, family-history signals) before it reaches you; to display your data, recommendations, and explanations in the Revora app; to coordinate your re-test cadence; to remember your preferences as you navigate the Service; and to provide member support when you contact us.

Audit-logged interpretations. Every time the Revora protocol engine generates a recommendation, explanation, or interpretation, we keep an internal audit record of the inputs (bloodwork snapshot, member context, protocol rule version), the outputs (the recommendation and supporting reasoning), and the model version that produced it. This lets us reconstruct, years from now, why a specific recommendation was made — useful for member transparency, advisor review, and regulatory inquiries. Members can request export of their audit record at any time per §16.

Service improvement. We use aggregated and de-identified data — data with directly-identifying fields removed — to understand how the Service is being used at the population level, where members get stuck, which protocols are responding well, and where we can improve. Aggregated data does not identify any individual member.

Communications. We use your contact information to send you service-related communications: account confirmations, password resets, lab-report processing notifications, cycle reminders, re-test reminders, and similar transactional communications. We may also send you product updates and feature announcements; you can opt out of non-transactional communications at any time per §15.

Compliance and protection. We use your information to comply with applicable law; respond to lawful subpoenas, court orders, or regulatory inquiries; protect our rights, your rights, and the rights of others; investigate fraud or abuse; and enforce our Terms of Service.

Aggregated and de-identified analytics. As described above, we may create aggregated and de-identified data from your information for internal product analytics and research. We do not sell aggregated data, and we do not share aggregated data with third parties for commercial purposes. If we do that in the future, we'll update this notice and seek consent where required.

7. Lawful basis for processing (UK members and EEA / Switzerland members)

If you are located in the United Kingdom, the European Economic Area, or Switzerland at the time we collect or process your personal information, the laws that apply require us to identify the legal basis on which we rely. Below is the legal basis for each category of processing under the UK GDPR + Data Protection Act 2018.

Service delivery, account management, payment processing, member support. Legal basis: performance of a contract (UK GDPR Article 6(1)(b)). When you create an account, you enter into a contract with us, and the processing described in §6 (Service Delivery) is necessary to perform that contract.

Bloodwork data, biomarker data, member health-related context, and any other processing that constitutes special category data under UK GDPR Article 9. Legal basis: your explicit consent (UK GDPR Article 9(2)(a) + Article 6(1)(a)). Bloodwork and biomarker data is health data and is therefore "special category" data under Article 9. We process this data only with your explicit consent, captured separately from your acceptance of our Terms of Service. You can withdraw your consent at any time, in which case we will stop new processing of your special-category data; processing already done while consent was active remains valid.

Service improvement using aggregated and de-identified data. Legal basis: legitimate interests (UK GDPR Article 6(1)(f)). Our legitimate interest is improving the Service. We have weighed this interest against your privacy rights and concluded the interest is not overridden where the data has been aggregated or de-identified.

Marketing communications. Legal basis: your consent (UK GDPR Article 6(1)(a)). You can withdraw consent at any time per §15.

Compliance with legal obligations. Legal basis: legal obligation (UK GDPR Article 6(1)(c)) where the processing is necessary to comply with applicable law.

Solely automated decision-making. Revora's protocol recommendations are produced by deterministic rule-based protocol logic. AI/LLM technology may support narrow tasks such as bloodwork parsing, free-text medication and supplement interpretation, and plain-language explanatory prose. We consider these recommendations to be informational and supportive of your own decision-making — you remain in control of whether to follow a protocol recommendation. We do not consider Revora to make decisions about you that produce legal effects or similarly significant effects within the meaning of UK GDPR Article 22. You always retain the right to ask for a human review of any recommendation you find concerning, by emailing privacy@revora.app.

UK and EEA members can exercise the additional rights described in §23.

8. AI and large language model (LLM) processing

Revora uses AI/LLM technology in narrow, auxiliary roles. The protocol engine itself is deterministic: it applies versioned rules to your bloodwork and context to assemble your protocol. AI/LLM technology may support bloodwork parsing, free-text medication and supplement interpretation, and plain-language explanatory prose around the deterministic rule output.

AI providers we use. We send AI-support requests to AI APIs operated by Anthropic, PBC (via Amazon Web Services Bedrock), Microsoft Corporation (via Azure OpenAI Service), and Google LLC (via Google Vertex AI). The specific provider used for a given request depends on the request type and our routing logic at the time. All three providers are listed in our sub-processor list in §10 (Tier 1).

Zero-retention contractual commitment. Each of these providers is contractually committed to not retaining your data beyond the API call window — they process the request, return the response, and do not store the inputs after the call completes. They are also contractually committed to not using your data to train their AI models. These commitments are part of the enterprise API agreements we have signed with each provider; we re-verify the commitments annually.

Data minimization at the API call boundary. We do not send your name, email address, phone number, or other directly-identifying values to AI providers. Where we need to associate context across a multi-turn AI request, we use an internal pseudonymous identifier rather than your account email or name. We send only the bloodwork values and member context necessary for the specific AI-support task — for example, parsing a lab report, interpreting a free-text medication entry, or writing explanatory prose around deterministic rule output. That context is sufficient for the support task but is not by itself enough to identify you to the AI provider.

US-region API endpoints only. All three AI providers are configured to use their US-region API endpoints exclusively. Your data is not routed through non-US AI infrastructure. If we add additional AI providers or change region configuration in the future, we will update this notice and the sub-processor list.

Audit log on AI-assisted content. Per §6 (Service Delivery), AI-assisted explanatory content is logged with the input snapshot, the model identifier, and the response. You can request export of your audit record at any time. This means if an AI-assisted explanation seems wrong to you years from now, we can reconstruct what was generated and why.

A note on what to share with AI features. As we add member-facing AI features in the Service (for example, conversational protocol questions), we ask you not to provide identifying information to the AI feature directly — for example, do not type your full name, address, or phone number into a conversational AI prompt. The Service's normal behind-the-scenes AI usage, where AI supports parsing, free-text interpretation, or explanatory prose around deterministic protocol logic, is governed by the data-minimization commitments described above.

9. How we share your information

We share your information with the following categories of recipients:

Sub-processors that operate the Service. Sub-processors are third-party companies that handle parts of the service on our behalf — for example, our cloud database and storage provider, our AI providers, and our product analytics + error tracking provider. Every sub-processor is listed by name in §10 with the data they receive and where they process it. Sub-processors handle your data only as we instruct, are bound by signed Data Processing Agreements, and are required to delete your data when we ask.

Affiliates. As of the effective date of this notice, Revora has no corporate affiliates. If we form or are acquired by an affiliated entity in the future, we will update this notice to describe how data may flow within the corporate group.

Legal and law enforcement. We may share your information when we believe in good faith that disclosure is required to comply with applicable law, a valid court order, subpoena, search warrant, or other legally valid request, or where necessary to protect our rights, your rights, or the rights of others, or to prevent fraud or abuse. We will scrutinize every law enforcement request and require valid legal process. Where we are not legally prohibited from doing so, we will provide you advance notice before disclosing your information in response to a legal process.

Business transfers. If Revora is involved in a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, your information may be transferred to the acquirer or successor entity. In any such transfer, this Privacy Notice will continue to apply to your data unless and until the acquirer adopts a different notice and provides you advance notice of the change (with an option to delete your account before the change takes effect).

Service providers acting on our behalf. This is the same category as sub-processors above, framed for legal purposes. Every service provider we use that handles your personal information is listed in §10.

We share your bloodwork and biomarker data, your protocol and adherence data, and your member context only with the sub-processors necessary to deliver the Service. We do not share these data categories with affiliates, business partners, advertisers, or any third party for their independent marketing or commercial use.

10. Sub-processors

Revora classifies sub-processors into three tiers based on what role they play. The full framework is documented in our internal architecture decision record ADR-0024 §24.5.1. This member-facing summary captures the practical effect.

We have signed Data Processing Agreements with every sub-processor that handles your data. These agreements require them to process your data only as we instruct, to keep it secure, and to delete it when we ask.

10.1 Tier 1 — Storage sub-processors

These sub-processors store your data on our behalf in United States-based data centers.

10.2 Tier 2 — Ephemeral transport sub-processors

These sub-processors briefly transmit data for delivery (push notifications, transactional email) but do not persist your data beyond the delivery window. They are exempt from the strict United States data residency requirement that applies to Tier 1, because the data sent to them is minimized at the source: no specific lab biomarker readings, no diagnoses, no prescription details, no member-identifying values cross the boundary in a form that would let the sub-processor reconstruct your clinical state.

We require these sub-processors to satisfy four conditions: (1) no raw directly-identifying fields in the transport payload, (2) hashed identifiers only when message routing requires it, (3) generic message content with no specific clinical readings or diagnoses, (4) the Revora app remains the source-of-truth for any clinical detail.

Resend Inc. operates in both Tier 1 (inbound bloodwork email processing, with bloodwork data in payload) and Tier 2 (outbound transactional email, with generic message content only) — one legal entity, two distinct services, two distinct DPA scopes.

10.3 Tier 3 — Authorization sub-processors

These sub-processors handle authentication when you choose to sign in to Revora using a third-party identity (Google Sign-In or Apple Sign-In). They see only the OAuth profile data needed for sign-in (your email, name, profile photo, account identifier) and authentication metadata (when you signed in). They never receive your bloodwork data, biomarker values, protocol details, or any health information.

These sub-processors are accessed through our primary backend (Supabase Auth) acting as the OAuth broker. We require these sub-processors to satisfy four conditions: (1) only the OAuth scopes Revora actively requests cross the boundary, (2) the sub-processor carries current ISO 27001 + SOC 2 Type II certifications, (3) authentication metadata cross-border processing is acceptable under UK adequacy + US Standard Contractual Clauses framework, (4) you always have an alternative sign-in path (email + password) that doesn't route through any third-party authentication provider.

Note: Apple Inc. appears in two tiers — Tier 2 (push notifications) and Tier 3 (Apple Sign-In). This reflects two distinct services from the same legal entity, with different data categories handled in each role.

Member alternative authentication path: Members who prefer not to use Google Sign-In or Apple Sign-In can authenticate with email + password directly through Supabase Auth. This path does not route any data through a Tier 3 sub-processor. The choice between authentication methods is presented at signup and can be changed in account settings.

10.4 Member rights regarding sub-processors

You have the following rights regarding our use of sub-processors:

• Notice of changes. We will update this list when we add, remove, or change sub-processors. The current list is always available at the link in our privacy notice (typically Settings → Privacy → Sub-processors).
• Right to object. You can object to specific sub-processors at any time by contacting us at privacy@revora.app. We will explain the role each sub-processor plays and what alternatives may be available; some sub-processors are essential to operating the Service (for example, our primary database) and cannot be removed without ending your membership.
• Right to data export before changes. Before any material change to our sub-processor list that would affect how your data is processed, you can request a full export of your data per §16.
• Right to deletion. You can request deletion of your data at any time per §20. Deletion requests propagate to sub-processors per our Data Processing Agreements.

10.5 How we update this list

We commit to updating this sub-processor list when we add a new sub-processor (regardless of tier); when we remove or replace a sub-processor; when a sub-processor's role, data categories, or region materially changes; or when a Tier 2 or Tier 3 sub-processor's actual behavior diverges from the conditions documented above (in which case the sub-processor is removed pending re-classification).

For Tier 1 sub-processor changes, we will provide at least 30 days' notice before the change takes effect, allowing you time to object or export your data.

For Tier 2 and Tier 3 sub-processor changes, we will provide notice but the time window may be shorter if the change is required for service continuity (for example, if a vendor terminates their service).

We re-verify Tier 2 and Tier 3 sub-processor compliance with their tier conditions at least annually.

11. Who we do NOT share with

Some categories of recipient are common in privacy notices but do not apply to Revora. We list them here so the absence is on the record:

• We do not share your bloodwork data, biomarker data, protocol or adherence data, or member context with employers, insurance companies, or any party offering insurance, benefits, or employment.
• We do not share your data with public databases or research databases.
• We do not share your data with third-party advertisers, data brokers, or marketing data co-ops.
• We do not share your data with healthcare providers, clinical practices, or hospital systems — though you can choose to share your own data with your healthcare provider yourself by exporting it from the app per §16.
• We do not release individual-level personal information to law enforcement without a valid court order, subpoena, search warrant, or other legally valid request, except where required by law to protect against imminent threats to safety. We will scrutinize every law enforcement request and, where not legally prohibited, will provide you advance notice before disclosure.
• We do not sell your data, in the ordinary sense of the word or in the broader senses defined by some US state laws.

If a request to share your data with any of the above categories would arise in the future — for example, a hypothetical employer-sponsored wellness benefit you opt into — we would obtain your separate, explicit, opt-in consent before any sharing.

12. Data security

We take security seriously. Our current security posture includes:

Encryption. All your data is encrypted at rest using AES-256 (or stronger), and encrypted in transit using TLS 1.3 (or stronger). This applies to data stored in our primary database, in object storage (lab report PDFs and images), and in transit between your device and our servers.

Access control. Internal access to member data is restricted to authorized Revora personnel with a documented business need. Multi-factor authentication is required for all internal access. Access events are logged.

Audit and event logs on protocol interpretations. Revora's protocol engine writes structured records when it generates a recommendation, explanation, or interpretation. For deterministic stack-assembly events, we capture the input snapshot, the active rule firings, the rationale, the output composition, the cycle context, and the rule and methodology version with a timestamp. For LLM-assisted narrative paths (such as "why this is in your protocol" explanations and outcome-cycle narratives), we capture the input hash, the prompt template version, the model identifier, the output, and the timestamp. These logs enable both member transparency (you can ask why a specific recommendation was made) and internal review (we can investigate any anomaly in protocol behavior). We are completing coverage of every recommendation-generation surface as part of our v1.x audit hardening; legacy generation paths and pointer-threading between successive events are rolling out incrementally. Audit and event logs are retained for the life of your account and, after account closure, for an additional period required by applicable law and prudent legal-claim defense (typically up to 7 years from the date of the recommendation, consistent with the longest applicable state statute of limitations).

Append-only event log on member-mutable clinical data. Changes to your bloodwork records, biomarker confirmations, consent decisions, item-state transitions (whether you're following a protocol item), and protocol assembly are written to an append-only event log that preserves the history of your record. Some current-state tables — for example, the table that holds your latest biomarker readings — are derived projections of the event log rather than separately tombstoned records; the event log remains the source of truth and we can reconstruct your full history from it. We are completing coverage of medication, supplement, and condition mutations through the same append-only pattern as part of our v1.x audit hardening. Soft-deletes are first-class on raw lab documents and consent decisions; when you remove an item from your account, it is marked deleted but retained until you request hard purge per §20.

Sub-processor security. Every sub-processor that handles your data is bound by a Data Processing Agreement that requires equivalent or stronger security controls. We re-verify sub-processor security posture at least annually.

Network and platform security. We use Cloudflare for content delivery and DDoS protection, Supabase for primary data hosting in US-region data centers, and standard cloud-provider security controls (private networking, security groups, audit logging on infrastructure access).

No security control is failsafe. While we work hard to protect your information, no security measure provides absolute guarantees, and we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at privacy@revora.app.

13. Data retention

We retain your information while you have an active Revora account. Revora is built on the premise that your bloodwork and protocol history is most valuable longitudinally — biomarker trends across years tell a story that point-in-time readings cannot. Indefinite retention while your account is active reflects this design.

Specifically:

• Account information, bloodwork data, biomarker data, protocol history, adherence data, and member context are retained while your account is active. You can export this data at any time per §16, and you can request deletion at any time per §20.
• Audit and event logs on protocol interpretations are retained alongside your record while your account is active. These logs are part of your data and are exportable per §16.
• Communications data (support tickets, feedback, email exchanges) is retained while your account is active and for a reasonable period after account closure for record-keeping and legal-claim defense.
• Aggregated and de-identified data derived from your information may be retained indefinitely after your account is closed, in aggregated and de-identified form only — it does not identify you individually.
• Limited transactional records (for example, billing history, payment receipts) may be retained for accounting, tax, and audit purposes for the period required by applicable law (typically 7 years for US tax records).

Account closure and deletion. When you request account deletion, your account is immediately locked and your data is marked for purge. You are signed out of all sessions, and most internal Revora systems treat your account as closed. You have 30 days to cancel the deletion — sign back in within that window and your account is restored. After 30 days elapse without cancellation, your data is permanently purged via our automated daily cascade. The cascade deletes all biological data (bloodwork, biomarker history, protocol records, adherence logs), the audit and event logs tied to your account (the dual-table audit trail described in §12), the raw lab PDF files held in our private Supabase Storage bucket (per §10), your member-context attributes (medications, supplements, allergies, conditions, family medical history), and your communications and session records. The cascade is irreversible after the window elapses. During the 30-day window, you can still export your data — we keep the data export feature reachable so that the right to portability (UK GDPR Article 20) and the right to erasure (UK GDPR Article 17) work alongside each other rather than against each other. The only records that survive the purge are the limited transactional records and aggregated/de-identified data described above, plus a small PHI-free audit row that proves the deletion happened (the row does not contain your name, member identifier, or any health data after the cascade runs). See §20 for the full account-closure flow, including the affirmative-consent gate and how cancellation works.

14. Wellness service positioning — not a healthcare provider

This section is important enough that we want to be explicit about it.

Revora is a wellness service. We are not a healthcare provider, not a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and not a Business Associate of any Covered Entity. The personal information you provide to us — including bloodwork data, biomarker readings, supplement protocols, and adherence logs — is not intended to be, and shall not be deemed to be, an electronic health record (EHR), an electronic medical record (EMR), or a Personal Health Record (PHR) for any purpose, including without limitation HIPAA compliance, state medical-record law compliance, or any future regulatory framework that may apply to clinical-grade health-record systems.

Your data is yours. You can use it however you like, including sharing it with your own healthcare provider, but Revora is not the source of clinical-grade medical-record handling. Recommendations from the Revora protocol engine are general wellness recommendations and are not medical advice, diagnosis, or treatment. They are not a substitute for professional medical advice from a qualified healthcare provider. If a Revora recommendation conflicts with what your doctor has told you, follow your doctor's advice. If your bloodwork shows a result that may require medical attention (for example, a value far outside the typical reference range), the app will tell you and direct you to consult your healthcare provider; Revora does not assign clinical diagnoses.

We treat your information as a wellness service governed by this Privacy Notice and our Terms of Service. If we ever change this positioning — for example, if we partner with a healthcare provider in a way that would make us a Business Associate, or if we add a clinical-tier service — we will update this notice with at least 30 days' advance notice, give you the opportunity to delete your account before the change takes effect, and where required obtain your separate explicit consent.

15. Your privacy rights

Depending on where you live, you have certain rights regarding your personal information. The rights below are available to all Revora members; additional rights specific to UK / EEA / Switzerland members are described in §23, and additional rights specific to US state residents are described in §24 and in our companion Consumer Health Data Privacy Notice (for Washington, Nevada, and Connecticut residents).

Right to access. You can ask for a copy of the personal information we hold about you. You can self-serve this by exporting your data from the app per §16, or by emailing privacy@revora.app.

Right to correction. You can ask us to correct inaccurate personal information. Most account information is editable directly in the app (Settings → Account). For information that is not directly editable, email privacy@revora.app.

Right to deletion. You can ask us to delete your personal information. Account closure is available in the app (Settings → Account → Close Account). You can also email privacy@revora.app. See §20 for the full deletion process and exceptions.

Right to portability. You can ask for a copy of your personal information in a portable, machine-readable format. Revora provides this through the export feature described in §16 (PDF, CSV, FHIR JSON).

Right to withdraw consent. Where we process your information based on your consent (most notably, special-category bloodwork and biomarker data per §7), you can withdraw your consent at any time by emailing privacy@revora.app or using the consent controls in account settings. Withdrawing consent stops new processing of that data category; processing already done while consent was active remains valid.

Right to opt out of marketing communications. You can opt out of marketing emails at any time using the "unsubscribe" link in any marketing email, or by changing your preferences in account settings. You will continue to receive transactional service communications (account confirmations, security alerts, lab-report processing notifications, cycle reminders).

Right to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising. Revora does not "sell" or "share" personal information for cross-context behavioral advertising under any US state law. If you are configured to send Global Privacy Control signals from your browser or mobile device, we honor those signals as a matter of course.

Right to object. Where we process your information on the basis of legitimate interests (most notably, aggregated and de-identified service improvement per §6), you can object to that processing by emailing privacy@revora.app.

Right not to be discriminated against. We do not deny service, charge differently, or provide lesser quality of service based on your exercise of any privacy right.

Right to non-automated review. Where automated decision-making produces effects that concern you, you can request human review. As described in §7, we do not consider Revora's protocol recommendations to constitute solely automated decision-making with legal or similarly significant effect, but we will still review on request.

Right to appeal. If we deny a request you've made under these rights, you have the right to appeal that denial. We will explain the basis of any denial and the process for appeal in our response.

How to exercise these rights. Email privacy@revora.app with a description of the request. We may need to verify your identity before processing a request. Identity verification typically involves confirming information already on file with us (your account email, recent activity, or similar). We will confirm receipt of your request within 10 business days, and we will respond substantively within 30 days of receipt. Complex requests may be extended once for an additional 30 days, with notice to you within the original 30-day window. (Note: our 30-day response commitment is faster than the 45-day statutory window applicable under CCPA / CPRA, MHMDA, Nevada SB-370, and CTDPA; we adopt the shorter window as a member-favorable standard.)

We do not charge a fee for processing privacy rights requests, except where a request is excessive, repetitive, or manifestly unfounded under applicable law. If we determine a fee applies, we will tell you why and provide a cost estimate before completing the request.

16. Data export and portability

You can export your full Revora data at any time, in three formats, free of charge:

PDF — a human-readable summary of your bloodwork history, current and past protocols, biomarker trends, and adherence logs. The version most members print or share with a healthcare provider.

CSV — a structured, spreadsheet-friendly export of your data: one row per biomarker reading, one row per protocol recommendation, one row per adherence event. For members who want to self-analyze or import into other tools.

FHIR JSON — a structured, machine-readable export aligned with the HL7 FHIR (Fast Healthcare Interoperability Resources) standard. For any system that accepts FHIR — future provider integrations, future personal-health-record platforms, or Apple Health / Google Health Connect (where supported). Note that Revora's FHIR-aligned naming is for interoperability; it does not make Revora a clinical-grade health record per §14.

Export is always your full data. There is no truncation, no paywall, and no preference for the data we'd like you to keep visible. Data export is initiated in the app (Settings → Privacy → Export My Data) or by emailing privacy@revora.app.

If you are a UK / EEA / Switzerland member exercising your right to data portability under UK GDPR Article 20, the FHIR JSON format satisfies the structured-machine-readable-portable-format requirement.

17. International data transfers

Revora is a US-based company, and all member data is stored in United States data centers at v1.0. Specifically:

• Our primary database (Supabase) is hosted in the US (us-east-1 region).
• Our AI providers (Anthropic via AWS Bedrock, Microsoft Azure OpenAI, Google Vertex AI) operate from US-region API endpoints exclusively.
• Our other Tier 1 storage sub-processors (PostHog, Cloudflare, Apple TestFlight) operate from US regions.
• Our Tier 2 ephemeral transport sub-processors (APNs, transactional email) may operate from global infrastructure but receive only data-minimized, generic-content payloads as described in §10.2.
• Our Tier 3 authentication sub-processors (Google Sign-In, Apple Sign-In) may operate from global infrastructure but receive only OAuth profile and authentication-metadata data as described in §10.3.

For UK members: transferring your personal information from the UK to the US is permitted under the UK GDPR + Data Protection Act 2018 framework based on (a) your explicit consent for special-category bloodwork and biomarker data (UK GDPR Article 9(2)(a)), (b) Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office for general personal data, and (c) the UK adequacy decision recognizing the United States as providing an adequate level of data protection where relevant. We monitor UK regulatory developments — including potential changes to the UK adequacy framework — and will update this notice if cross-border transfer mechanisms change.

Trans-Atlantic Data Privacy Framework. As of the effective date of this notice, transfers from the UK to the US can rely on a combination of SCCs, the UK extension of the EU-US Data Privacy Framework, and your explicit consent for special-category data. We will update this section if the regulatory framework changes.

If you are concerned about international transfers — for example, you would prefer not to have your data transferred to the United States at all — you can choose not to use the Revora Service. If you have already used the Service and want to delete your data, you can do so per §20.

18. Children and minors

The Revora Service is intended for adults aged 18 or older. We do not knowingly collect personal information from anyone under 18. During account creation, we ask for your date of birth and block account creation for anyone who reports being under 18.

If we learn we have inadvertently collected information from someone under 18, we will delete that information promptly. If you are a parent or guardian and believe your child has provided us personal information, please email privacy@revora.app immediately so we can delete the information.

We do not direct any marketing or content toward minors. We do not have any features designed for minors.

19. Geographic scope and OFAC-sanctioned jurisdictions

The Revora Service is currently offered to residents of the United States and the United Kingdom only. If you are a resident of any other country, please do not use the Service. We will update this notice and our registration process if we expand to additional jurisdictions in the future.

We do not provide the Service to residents of OFAC-sanctioned jurisdictions, including Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, Luhansk, Zaporizhzhia, and Kherson regions of Ukraine. Account creation from these jurisdictions is blocked. If you become a resident of an OFAC-sanctioned jurisdiction after creating your account, please notify us at privacy@revora.app so we can ensure compliance with applicable sanctions law.

20. Account closure and data deletion

You can close your Revora account at any time. Closure is a deliberate, member-initiated action that triggers a 30-day cancellable window followed by an irreversible automated cascade purge. The flow:

Initiating closure. Account closure is available in the app (Settings → Account → Close Account). Because the consequences are irreversible after the 30-day window, the closure surface requires an explicit-affirmative gate: you type DELETE MY ACCOUNT to confirm, and the destructive button enables briefly after the phrase matches. The session you use to initiate must be reasonably fresh (≤30 minutes). You can also email privacy@revora.app to request closure.

Lockout and the 30-day cancellation window. As soon as your closure request is confirmed, your account is immediately locked. All your sessions are invalidated and you are signed out everywhere. You can sign back in to the cancel screen during the 30-day window; signing in and cancelling restores your account to active state. During the window, the only authenticated app surfaces that work are the cancel screen, the logout flow, and the data export feature — Revora keeps export reachable so that your right to portability (UK GDPR Article 20) works alongside your right to erasure (UK GDPR Article 17). Member-facing surfaces that operate via signed links (for example, coach-action links delivered by email) are also locked behind the same purge-pending guard while the window is open.

Automated cascade purge. After 30 days elapse without cancellation, a daily scheduled job runs the irreversible cascade. The cascade deletes:

• Your profile and member context (account row, member profile, member context attributes — medications, supplements, allergies, conditions, family medical history).
• Your bloodwork (lab documents, biomarker readings, parse jobs, marker state) and the raw lab PDF files stored in our private Supabase Storage bucket (per §10.1).
• Your protocol and adherence records (protocol cycles, item state, item state history, adherence logs, daily check-ins, pending triggers, safety events, outcome assessments).
• Your audit and event logs (the dual-table audit trail described in §12) tied to your account.
• Your communications and session records (sessions, reminder events, push tokens, coach-action assignments, support summaries).

What survives the purge. A small, PHI-free deletion-event audit record survives in our internal DSAR-request tracker. After the cascade runs, that record carries no member identifier — only the fact that an erasure happened and when. We retain this so we can prove the deletion took place if a regulator asks; it contains none of your personal or health data.

Limited transactional records (billing receipts, payment-processor identifiers, any identity-verification artifacts) may be retained by our payment processor for accounting, tax, and audit purposes for the period required by applicable law (typically up to 7 years for US tax records). These records do not contain your bloodwork, biomarker, or protocol data.

Aggregated and de-identified data derived from your information that does not identify you individually may be retained after the cascade runs.

Cross-references. This flow implements UK GDPR Article 17 (right to erasure) + Article 12(6) (identity verification by authenticated session, supplemented by an affirmative-consent gate) + Article 20 (data portability, accessible during the cancellation window) + CCPA §1798.105 + Washington MHMDA RCW 19.373 deletion rights.

If you have legal questions about retention exceptions or want to request specific clarification on what is retained, email privacy@revora.app.

21. Other sites and services

The Revora Service may contain links to third-party websites, services, or content (for example, links to scientific papers cited in your protocol explanation, or links to a sub-processor's privacy notice). These links are not endorsements of, or representations that we are affiliated with, the linked third parties. We do not control third-party websites or services, and we are not responsible for their privacy practices.

When you follow a link from the Revora Service to a third-party website or service, that third party's privacy notice governs how they handle your information. We encourage you to read the privacy notice of every third-party service you interact with.

If you choose to integrate a third-party service with your Revora account in the future (for example, connecting a wearable), the integration will share data between Revora and the third-party service per the integration's specific terms, and you will see and consent to the specific data being shared.

22. Changes to this Privacy Notice

We may update this Privacy Notice from time to time. The "Last Updated" date at the top reflects when we last changed it.

Material changes. If we make changes that materially affect how we collect, use, or share your personal information, we will notify you by email and through an in-app notification at least 30 days before the change takes effect. Material changes include (but are not limited to): adding a new category of personal information we collect; adding a new purpose for which we use information; adding a new sub-processor that handles bloodwork or biomarker data (Tier 1); changing our data residency posture; expanding our geographic scope to a new jurisdiction; changing this notice's positioning under §14 (wellness service vs. healthcare provider).

Non-material changes. Smaller updates — clarifications, corrections, formatting changes, the addition of a Tier 2 or Tier 3 sub-processor, or other non-material edits — may be made without advance notice. The "Last Updated" date will reflect the change.

Versioning. This notice is versioned. Past versions are available on request from privacy@revora.app. The current version is shown at the top.

Your continued use of the Service after a change indicates your acknowledgment of the updated Privacy Notice. If you disagree with a material change, you can close your account before the change takes effect per §20.

23. UK + EEA + Switzerland Privacy Notice

This section provides additional information for members located in the United Kingdom, the European Economic Area, or Switzerland at the time we collect or process your personal information. This section supplements the rest of the Privacy Notice.

23.1 Controller

Revora, Inc. is the controller of your personal information for the purposes of UK GDPR + Data Protection Act 2018 + EU GDPR (where applicable) + Swiss FADP. Our contact information is below in §25.

23.2 UK Article 27 Representative

As of the effective date of this notice, Revora is in invited alpha. We rely on the UK GDPR Article 3(2)(b) non-targeting argument: Revora does not target the UK market at alpha — UK members opt in via direct invitation, not via UK-targeted marketing. Under this framing, the UK Article 27 Representative requirement does not strictly apply.

We will engage a UK Article 27 Representative when our cohort scale, marketing scope, or other factors trigger the need. Triggers include: 10 or more UK members onboarded; UK-targeted marketing activated; UK member ratio crossing 5% of total cohort; or six months after alpha launch (whichever comes first). When we engage a UK Representative, we will update this section with their name, address, and contact email.

If you are a UK member and have a privacy question that you would have directed to a UK Representative, please contact us at privacy@revora.app. We will respond within the same 30-day window we apply to all members.

23.3 Lawful basis for processing

See §7 for the legal basis we rely on for each category of processing under UK GDPR + EU GDPR + Swiss FADP.

23.4 Your data subject rights

In addition to the rights in §15, UK / EEA / Switzerland members have the following rights under UK GDPR (or the equivalent under EU GDPR + Swiss FADP):

• Right of access (UK GDPR Article 15) — see §15.
• Right to rectification (UK GDPR Article 16) — see §15.
• Right to erasure (UK GDPR Article 17) — see §15 + §20.
• Right to restriction of processing (UK GDPR Article 18) — you can ask us to limit the use of your information in certain circumstances, for example while a dispute over accuracy is being resolved.
• Right to data portability (UK GDPR Article 20) — see §16.
• Right to object (UK GDPR Article 21) — see §15.
• Right to withdraw consent (UK GDPR Article 7(3)) — see §15.
• Right not to be subject to solely automated decision-making (UK GDPR Article 22) — see §7. We do not consider Revora's protocol recommendations to constitute solely automated decision-making with legal or similarly significant effect.
• Right to lodge a complaint with a supervisory authority. UK members can lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk. EEA members can lodge a complaint with the supervisory authority in the EEA member state of their habitual residence, place of work, or place of alleged infringement.

23.5 International data transfers

As described in §17, your information is transferred to the United States to be processed by Revora and our US-based sub-processors. We rely on a combination of (a) your explicit consent for special-category data, (b) Standard Contractual Clauses approved by the UK ICO, and (c) the UK adequacy framework (where applicable) for the transfer. You can request a copy of the SCCs we have signed with our sub-processors by emailing privacy@revora.app.

23.6 Data Protection Impact Assessment (DPIA)

As of the effective date of this notice, Revora has not yet completed a formal Data Protection Impact Assessment under UK GDPR Article 35. Revora's alpha cohort scale is below the threshold at which a DPIA is mandatory, but we recognize that processing of special-category bloodwork and biomarker data on the scale we anticipate at closed-beta will trigger the DPIA requirement. We will complete a DPIA before closed-beta launch and will update this notice at that time.

23.7 Data Protection Officer

As of the effective date of this notice, Revora has not appointed a Data Protection Officer. UK / EEA / Swiss law requires a DPO when the controller's core activities consist of large-scale processing of special-category data. At alpha cohort scale, Revora's processing is not "large-scale" within the meaning of UK GDPR Article 37. We will appoint a DPO when the threshold is reached, expected at or before closed-beta launch.

For data protection inquiries in the meantime, please contact privacy@revora.app.

24. US State Privacy Rights — Notice at Collection

This section provides additional information for residents of US states with applicable consumer privacy laws. This section supplements the rest of the Privacy Notice.

If you are a resident of California, Colorado, Connecticut, Nevada, Texas, Utah, Virginia, or any other US state with a consumer privacy law that applies to Revora at the time we collect or process your personal information, you have the rights described below.

If you are a resident of Washington, Nevada, or Connecticut, you have additional rights under your state's consumer health data law. Those rights are described in our companion Consumer Health Data Privacy Notice, which is a separate and distinct document linked from this notice and from our website.

24.1 Your rights

• Right to know what personal information we collect, use, disclose, and share.
• Right to access a copy of the personal information we maintain about you.
• Right to correct inaccurate personal information we maintain about you.
• Right to delete the personal information we have collected from you, subject to legal and operational exceptions described in §20.
• Right to data portability in a portable and (where technically feasible) readily-usable format. Revora satisfies this through the export described in §16 (PDF, CSV, FHIR JSON).
• Right to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising. Revora does not "sell" or "share" personal information for cross-context behavioral advertising; this right is not currently exercisable in a way that changes anything for you, but we still honor Global Privacy Control signals as a matter of course.
• Right to limit use and disclosure of sensitive personal information. Revora's use of sensitive personal information (including consumer health data, biometric information where applicable, and any other categories defined as sensitive under your state's law) is limited to what is necessary to provide the Service and the purposes described in this Privacy Notice. We do not use sensitive personal information for cross-context behavioral advertising or to build profiles about you outside the current Service interaction.
• Right not to receive discriminatory treatment for exercising your privacy rights.
• Right to appeal a denial of a privacy-rights request.

24.2 Personal information categories — Notice at Collection

The table below summarizes the categories of personal information we collect, the business or commercial purposes for which we collect each category, and the categories of recipients we may disclose each category to. The table is provided to satisfy the Notice at Collection requirements under California (CCPA / CPRA) and similar requirements in other states.

We do not "sell" any of the above categories of personal information, in the ordinary sense or in the broader sense defined by California (CCPA / CPRA) or other state laws.

We do not "share" for cross-context behavioral advertising any of the above categories.

24.3 Right to opt out and Global Privacy Control

Although Revora does not currently sell or share personal information for cross-context behavioral advertising, we honor Global Privacy Control (GPC) signals as a matter of course. If you have configured your browser or mobile device to send GPC signals, no action on your part is needed — we already treat the signal as an opt-out. If you would like an explicit confirmation of opt-out status for your account, email privacy@revora.app.

24.4 California "Shine the Light" disclosure

California Civil Code § 1798.83 ("Shine the Light") permits California residents to request information regarding our disclosure of personal information to third parties for those third parties' direct marketing purposes. Revora does not disclose personal information to third parties for those third parties' direct marketing purposes.

24.5 California Right to Limit Use of Sensitive Personal Information

If you are a California resident, you have the right under CCPA / CPRA to direct us to limit our use of your sensitive personal information to those purposes that are necessary to provide the Service or as otherwise permitted by law. We already limit our use of sensitive personal information to those purposes — we do not use sensitive personal information for cross-context behavioral advertising or to build profiles outside the Service. To affirmatively exercise this right, email privacy@revora.app.

24.6 How to exercise these rights

Email privacy@revora.app with a description of the request. We may need to verify your identity before processing the request. Verification typically involves confirming information already on file (your account email, recent activity, or similar). We will respond within 30 days; complex requests may be extended once for an additional 30 days, with notice within the original 30-day window.

You may also designate an authorized agent to submit a request on your behalf. We may require verification of the agent's authorization (a signed permission form or power of attorney) and may also separately verify your identity to confirm the agent's authority.

24.7 Right to appeal

If we deny a request you've made under your state's privacy law, you have the right to appeal that denial. We will explain the basis of any denial and the appeal process in our response. If you remain dissatisfied after an appeal, you may file a complaint with your state Attorney General. Contact information for state AGs:

• California: https://oag.ca.gov/contact
• Colorado: (720) 508-6000 or https://coag.gov
• Connecticut: (860) 808-5420 or https://portal.ct.gov/AG
• Nevada: (702) 486-3132
• Texas: (800) 252-8011 or https://www.texasattorneygeneral.gov
• Utah: (801) 366-0260 or https://attorneygeneral.utah.gov
• Virginia: (800) 552-9963 or https://www.oag.state.va.us
• Washington: (800) 551-4636 or https://www.atg.wa.gov

25. How to contact us

For any privacy question, request, or concern — including exercising the rights described in this Privacy Notice — please contact us:

Email: privacy@revora.app

Mail: Revora, Inc. Attn: Privacy Contact [Mailing address — TBD; updates with corporate office]

Privacy Contact: As of the effective date of this notice, the named Privacy Contact for Revora is filled by the Revora founding team via the privacy@revora.app mailbox. Privacy-rights requests, complaints, sub-processor objections, and counsel inquiries are routed through this address. We will update this section if we appoint a named individual Privacy Contact or Data Protection Officer.

We respond to all privacy inquiries within 30 days. If your inquiry is complex, we may extend the response time once by an additional 30 days, with notice within the original 30-day window.

If you are unsatisfied with our response, you have the right to appeal (see §15 for general appeal rights, §23.4 for UK / EEA appeal rights to the ICO or relevant supervisory authority, and §24.7 for US state-by-state Attorney General complaint contact information).

26. Versioning and changelog

Past versions of this notice are available on request from privacy@revora.app.

Companion documents (member-visible)

• Consumer Health Data Privacy Notice — applies to residents of Washington, Nevada, and Connecticut. Required by Washington's My Health My Data Act, Nevada SB-370, and Connecticut Data Privacy Act. Linked here per the "separate and distinct link" requirement.

Companion documents (internal — not member-visible)

• ADR-0024 §24.5.1 — internal sub-processor tier framework decision (technical reference for engineering + Cowork)
• ADR-0024 §24.1–§24.5 — compliance floor (US + UK Tier 1)
• ADR-0023 — geography scope
• ADR-0021 — data longevity, FHIR-aligned schema, append-only event log, audit log, member data export, PHR-language blocklist
• CLEARANCE-apns-data-residency-2026-05-04 — internal clearance memo establishing the APNs Tier 2 case
• compliance-research-2026-04-18 — US + UK Tier 1 regulatory research
• DPA tracker — internal log of executed Data Processing Agreements (lives in /Projects--Revora/DPA-TRACKER.md when authored)
• Sub-processor onboarding checklist — internal operational doc covering DPA execution + region verification + privacy notice update sequence

Pre-publication checklist (for v1.0 launch)

Before this Privacy Notice ships member-visible (alpha cohort signup or earlier as standalone disclosure linked from the consent gate):

• [ ] Inbound bloodwork email vendor locked + DPA signed + region verified — fills Tier 1 placeholder (T-NEXT-inbound-email-vendor-lock)
• [ ] Outbound transactional email vendor locked + DPA signed + Tier 2 conditions verified — fills Tier 2 placeholder (T-NEXT-outbound-email-vendor-lock)
• [ ] All other Tier 1 sub-processor DPAs signed (Supabase, Anthropic, Microsoft, Google Cloud, PostHog, Cloudflare, Google Workspace, Resend) — verify per compliance-research-2026-04-18.md §8 + amendment doc 2026-05-26 (PostHog DPA signed 2026-05-27 per tracker-allowlist.json)
• [ ] Apple Developer Program License Agreement covers APNs + Apple Sign-In — accepted at Apple Developer enrollment
• [ ] Google Cloud DPA + ISO 27001 + SOC 2 Type II certifications verified — confirm on signup
• [ ] Effective date stamped at top
• [ ] Mailing address filled in §25
• [ ] Privacy Contact named or confirmed as role-based at §25
• [ ] Specialist healthcare-marketing counsel review per ADR-0024 §24.6 CLO Queue Item 3 routing — pre-public-launch (alpha can ship pre-counsel-review with Cowork + CLO sign-off per ADR-0024 line 169)
• [ ] Privacy notice URL published + linked from consent gate + Settings → Privacy
• [ ] Member-visible verification: read this notice as a non-Revora-context reader; confirm it's plain-language enough for a smart-generalist member to understand
• [ ] Brand-guardian voice review — privacy notices use formal-legal register, NOT Revora's voice register; confirm vocabulary discipline per ADR-0021 §21.5.1 holds throughout
• [ ] Cross-reference verified — ADR-0024 §24.5.1 link works; per-vendor privacy notice links work; contact email reachable; companion CHD notice link works
• [ ] Companion Consumer Health Data Privacy Notice live at the same time + linked separately from website homepage per MHMDA "separate and distinct link" requirement

Drafted by Lane C (Cowork) per CLO + brand-guardian skills, 2026-05-06. Supersedes the standalone PRIVACY-NOTICE-FRAGMENT-sub-processors-v1.0.md for member-facing purposes; the fragment remains as the technical/governance reference document. Phase 3 of privacy notice authoring per HANDOFF-privacy-notice-next-session-2026-05-05.md — DRAFT v1.0 ready for Chris review and counsel-review routing per ADR-0024 §24.6.

Return to Revora