This document was last updated May 2026. Please review periodically for updates.

Privacy Policy

Last updated: May 2026

1. Introduction

[HEMA LLC] ("Hema," "we," "us," or "our") operates the Hema platform, a consumer health technology service that helps users understand their blood test results and generate personalized health protocols.

This Privacy Policy describes how we collect, use, and share information when you use our website and services (collectively, the "Service").

Important: Hema is NOT a HIPAA covered entity. We are a consumer application where users voluntarily input their own health data. We do not receive data directly from healthcare providers, laboratories, or health plans.

2. Information We Collect

Account Data

  • Email address (used for account authentication and transactional communications)
  • Password (cryptographically hashed — we never store passwords in plaintext)
  • Biological sex (used for sex-specific biomarker interpretation)
  • Age (used for age-appropriate reference ranges and cardiovascular risk calculations)

Health Data

  • Biomarker values that you manually enter from your blood test results
  • Health metrics you provide (height, weight, activity level)

Usage Data

  • Pages visited and features used
  • Device type and browser information
  • Analytics data collected via Vercel Analytics (if enabled)

Payment Data

All payment processing is handled by Stripe. Hema never stores, processes, or has access to your full credit card numbers. We receive only limited information from Stripe necessary to manage your subscription (such as the last four digits of your card and expiration date for display purposes).

3. How We Use Your Information

We use the information we collect to:

  • Generate AI-powered interpretations of your blood test results
  • Create your personalized 12-week health protocol
  • Display your health dashboard and track progress over time
  • Process payments via Stripe
  • Send transactional emails (account confirmation, payment receipts)
  • Improve our Service and develop new features

We do NOT sell your data to third parties.

We do NOT use your health data to train AI models. Your biomarker data is used solely to generate your personal interpretations and protocols.

4. Third-Party Services

We use the following third-party services to operate Hema:

Supabase (Database & Authentication)

Stores your account information and health data. supabase.com/privacy

Anthropic (AI Interpretation)

Powers the AI-generated interpretations and protocols. We use prompt caching to improve performance; cached content is encrypted and automatically deleted, and is not used for model training. anthropic.com/privacy

Stripe (Payments)

Processes all payment transactions. stripe.com/privacy

Vercel (Hosting)

Hosts our application and may collect analytics data. vercel.com/legal/privacy-policy

5. Data Storage & Security

  • Your data is stored in Supabase (PostgreSQL) with Row Level Security (RLS) enabled
  • All data is encrypted in transit using TLS (HTTPS)
  • All data is encrypted at rest
  • Users can only access their own data — our database policies enforce strict user isolation
  • Passwords are cryptographically hashed and never stored in plaintext

6. Data Retention

  • Account data is retained while your account is active
  • You may request deletion of your data at any time by contacting us
  • Upon account deletion, your data will be permanently removed from our systems within 30 days

7. Your Rights (California Residents — CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You may request information about what personal data we collect, use, and disclose.
  • Right to Delete: You may request that we delete your personal data, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell your personal data. If this changes, we will provide a clear opt-out mechanism.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at privacy@hema.health.

8. Children's Privacy

Our Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@hema.health, and we will promptly delete such information.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, provide additional notice (such as via email). Your continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact Information

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

Email: privacy@hema.health