Back to Home

Privacy Policy

Last Updated: June 30, 2026

HIPAA Best Practices GDPR Compliant PH DPA RA 10173 PCI-DSS

1. Introduction

Welcome to MEDVANE.

MEDVANE is a cloud-based healthcare management platform operated by INVOVANE COMPANY.

This Privacy Policy describes how INVOVANE COMPANY collects, uses, and discloses information when you use our services at medvane.net.

By using MEDVANE, you agree to this Privacy Policy and our Terms and Conditions.

2. Defined Terms

The term "SERVICE" refers to the medvane.net website, which is owned and maintained by INVOVANE COMPANY.

PERSONAL DATA refers to information on a living human who can be identified based on the information (or from those and other information either in our possession or likely to come into our possession).

USAGE DATA is data that is gathered automatically as a result of the use of the Service or as a result of the Service infrastructure itself (for example, the duration of a page visit).

COOKIES are small files that your device stores (computer or mobile device).

DATA CONTROLLER is a natural or legal person who, alone or jointly or in concert with other persons, determines the purposes and manner in which personal data are or will be processed. We are the Data Controller of your data for this Privacy Policy.

DATA PROCESSORS (OR SERVICE PROVIDERS) refers to any natural or legal person who processes data on the Data Controller's behalf. We may employ the services of a variety of Service Providers to more efficiently process your data.

DATA SUBJECT is any living individual who is the subject of Personal Data.

THE USER is the entity that makes use of our Service. The User is the Data Subject, the individual who is the subject of Personal Data.

3. Information We Collect

We collect a variety of different types of information to provide and improve our Service, including:

  • Account information — name, email address, phone number, and password when you register.
  • Patient health data — medical history, vital signs, diagnoses, prescriptions, lab tests, procedures, and insurance information entered by healthcare providers using the Service.
  • Appointment data — scheduling details, telemedicine meeting links, appointment notes, and status.
  • Usage data — IP address, browser type and version, pages visited, timestamps, device identifiers, and other diagnostic data.
  • Location data — approximate country and region derived from your IP address, used for pricing and currency determination.
  • Device fingerprint — a browser-derived identifier used exclusively to protect your account against unauthorized sessions (see Section 12).
  • Payment information — processed via PayPal; we do not store full card numbers on our servers.
  • Blockchain hashes — cryptographic SHA-256 hashes of appointment records written to the Polygon network (see Section 13). No raw PHI is written to the blockchain.
  • Audit trail data — every create, update, and delete action performed in your account, logged with timestamp, IP address, and user agent.

4. Data Types Collected

Personal Data

During your use of our Service, we may request that you provide us with personally identifiable information that can be used to contact or identify you. Among the types of personally identifiable information that may be collected are, but are not limited to:

  • Electronic mail address
  • First and last name
  • Contact telephone number
  • Country, state, province, ZIP/postal code, and city
  • Cookies and other tracking technologies

Protected Health Information (PHI)

As a healthcare management platform, MEDVANE processes Protected Health Information entered by healthcare providers on behalf of their patients. This may include: patient demographics, medical history, vital signs, diagnoses, prescriptions, lab results, procedures, insurance records, and appointment notes.

All PHI fields are encrypted at rest using AES-256-GCM authenticated encryption. Encryption keys are derived using PBKDF2-SHA512 with 100,000 iterations and are rotated on a 90-day cycle. No PHI is transmitted to external AI services — see Section 19 for details on our AI Assistant architecture.

Usage Data

We may collect information sent by your browser whenever you visit our Service or access it via any device. This Usage Data may comprise the Internet Protocol address (IP address) of your computer, browser type and version, pages of our Service that you visit, time and date of your visit, time spent on those pages, unique device identifiers, and other diagnostic data.

Location Data

We use your IP address to determine your approximate country and region. This is used solely to display the correct pricing currency and to comply with regional data protection requirements. We use IPWHO.org (a public geolocation service) for this purpose. No precise GPS location is collected.

Cookie Data

We track user behavior on our Service using cookies and similar tracking technologies. Cookies are small data files that may contain an anonymous unique identifier. You may configure your browser to refuse all cookies or to notify you when a cookie is transmitted. However, if you disable certain cookies, you may be unable to use certain features of our Service.

Cookies we utilize include:

  • Session Cookies: Required to operate our Service.
  • Preference Cookies: Store your preferences and settings (e.g., "Remember Me").
  • Security Cookies: Used for account security and HIPAA compliance audit trails.
  • Analytics Cookies: Anonymous usage data to improve the Service (opt-in).
  • Marketing Cookies: Used to display relevant advertisements (opt-in).

Additional Information

Additionally, during account registration, we may collect the following: date of birth, country of residence, telephone number, and professional credentials where voluntarily provided. Healthcare providers may also input patient data including age, date of birth, contact information, insurance information, and detailed medical records. All such information is processed solely for the purpose of operating the healthcare management features of the Service.

5. Data Utilization

INVOVANE COMPANY collects and uses data for the following purposes:

  • To provide and maintain our Service;
  • To keep you informed of changes to our Service;
  • To enable you to interact with interactive parts of our Service;
  • To offer client support;
  • To conduct analysis or collect valuable information to improve our Service;
  • To track how our Service is used;
  • To identify, avoid, and resolve technical problems;
  • To accomplish any other purpose for which it was provided;
  • To fulfill our duties and enforce our rights under any contracts entered with you, including billing and collection;
  • To send you notices regarding your account and/or subscription, such as expiration and renewal notices;
  • To send you news, special offers, and general information about other goods and services that we offer, unless you have opted out;
  • In any other manner that we may specify when you submit the information;
  • With your consent, for any other purpose.

6. Data Retention

We will retain your data for as long as necessary to fulfill the purposes outlined in this Privacy Policy. We will retain and use your data as necessary to comply with our legal duties, resolve disputes, and enforce our legal agreements and policies.

Audit Logs: All PHI access events, authentication events, and data modification events are retained for a minimum of 7 years (2,555 days) in compliance with HIPAA requirements. Audit logs cannot be deleted by users and are available for compliance audits.

Patient Records: Patient health data is retained for as long as the healthcare provider's account remains active, and for a reasonable period thereafter to allow for data export requests. Upon verified account deletion, patient data is permanently removed within 30 days, except where retention is required by applicable law.

Blockchain Hashes: Cryptographic hashes of appointment records written to the Polygon blockchain are immutable and cannot be deleted or modified. These hashes contain no personally identifiable information or PHI — only cryptographic fingerprints used to verify data integrity.

Usage Data is normally stored for a shorter period, unless this data is required to increase the security or operation of our Service, or where we are legally compelled to retain it for a longer period.

7. Data Transfer

Your information, including Personal Data, may be transferred to and retained on computers located outside of your state, province, country, or other governmental jurisdiction, where data protection regulations may differ.

If you are located outside the Philippines and prefer to give us your data, please be aware that we transfer and process data, including Personal Data, in the Philippines. Our primary database infrastructure is hosted by Supabase, which operates secure cloud infrastructure.

Your agreement with this Privacy Policy, followed by the submission of such information, constitutes your consent to that transfer.

INVOVANE COMPANY will take all reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy, and no transfer of your Personal Data to an organization or country will occur unless adequate controls are in place.

8. Data Disclosure

We may disclose personal information that we collect or that you supply in the following circumstances:

Law Enforcement Disclosure

We may be required to disclose your Personal Data in some circumstances, such as where compelled by law or in response to authorized requests by public authorities.

Business Transaction

Your Personal Data may be transferred if we or our subsidiaries are involved in a merger, acquisition, or asset sale.

Additional Circumstances

  • To our subsidiaries and affiliates;
  • To contractors, service providers, and other third-party service providers who assist us in conducting our business;
  • To accomplish the purpose for which it was provided;
  • For any other purpose that we disclose to you when you supply us with the information;
  • In all other instances, with your approval;
  • If we believe disclosure is required or appropriate to protect the Company's, our customers', or others' rights, property, or safety.

9. Data Security

We implement multiple layers of security to protect your data:

  • Encryption at rest: All Protected Health Information (PHI) fields are encrypted using AES-256-GCM authenticated encryption with randomly generated initialization vectors per record.
  • Key management: Encryption keys are derived using PBKDF2-SHA512 with 100,000 iterations. Keys are rotated on a 90-day cycle.
  • Encryption in transit: All data transmitted between your browser and our servers is protected using HTTPS/TLS.
  • Access control: Row-Level Security (RLS) enforced at the database level ensures each provider can only access their own data.
  • Authentication security: Failed login attempts are tracked, accounts are locked after repeated failures, and CAPTCHA verification is required on login and registration.
  • Rate limiting: API endpoints are rate-limited to prevent abuse and DDoS attacks.
  • Session security: Sessions are bound to your device fingerprint and expire automatically after a period of inactivity.
  • Audit logging: All access to PHI is logged with timestamp, user ID, IP address, and user agent. Logs are retained for 7 years.

While we make every effort to protect your data using commercially reasonable measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee perfect security.

10. Third-Party Service Providers

We engage the following third-party service providers to operate the Service. Each provider has access only to the data necessary to perform their function and is contractually bound to protect it:

ProviderPurposeData Shared
SupabaseDatabase hosting & authenticationAll user, patient, and appointment data (encrypted at rest)
PayPalPayment processing & subscription billingSubscription plan, billing amounts, payment status
Brevo (Sendinblue)Appointment reminder & confirmation emailsPatient email address, appointment date/time, clinic name
SendGridFallback email deliverySame as Brevo (used only when Brevo is unavailable)
OpenAIGeneral healthcare knowledge queries via AI AssistantNo PHI — only non-identifiable healthcare questions. See Section 19.
Cloudflare TurnstileCAPTCHA / bot protection on login & registrationIP address, browser signals for bot detection
Google Tag ManagerAnalytics event managementPage views, user events (no PHI)
Google Analytics 4Usage analyticsAnonymous page views, session data, conversion events
Google AdsAdvertising conversion trackingSignup, trial start, and purchase conversion events
Facebook (Meta) PixelAdvertising & remarketingPage views, registration, purchase events (no PHI)
FingerprintJSSession security / anomaly detectionBrowser-derived device fingerprint (see Section 12)
IPWHO.orgIP geolocation for currency/pricingUser IP address
Upstash RedisAPI rate limitingIP address and request count (temporary, no PHI)
Polygon NetworkImmutable blockchain audit hashingSHA-256 hashes only — no raw personal data (see Section 13)

These third parties have access to your Personal Data only to carry out their duties on our behalf and are bound to keep it confidential and not to disclose or use it for any other purpose.

11. Analytics & Advertising

We use analytics and advertising services to understand how the Service is used and to improve our marketing. No Protected Health Information (PHI) is ever shared with analytics or advertising providers.

Google Analytics 4 & Google Tag Manager

We use Google Analytics 4 (GA4), managed through Google Tag Manager (GTM), to collect anonymous data on page views, user sessions, and interaction events. This data helps us understand how users navigate the Service. Google Analytics is subject to Google's Privacy Policy. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

Google Ads

We use Google Ads conversion tracking to measure the effectiveness of our advertising campaigns. When you sign up, start a trial, or purchase a subscription, a conversion event may be reported to Google. No personal health information is included in these events.

Facebook (Meta) Pixel

We use the Facebook Pixel to track conversions from Facebook ads and to build audiences for remarketing. Events tracked include page views, registrations, and purchases. PHI is never included. You can manage your Facebook ad preferences through the Facebook Ad Preferences page.

Analytics and marketing cookies require your consent and can be disabled through our Cookie Consent banner at any time. Disabling these cookies does not affect your use of the core Service.

12. Device Fingerprinting

MEDVANE uses FingerprintJS, an open-source browser fingerprinting library, exclusively for account security purposes. A device fingerprint is a hash derived from browser and device attributes (such as browser type, installed fonts, screen resolution, and timezone) that can identify a specific device without storing cookies.

We use device fingerprints solely to:

  • Detect unusual login activity (e.g., a session being accessed from an unrecognized device);
  • Bind sessions to the device that initiated them as a security measure;
  • Identify and block automated attacks or credential stuffing attempts.

Device fingerprints are never used for advertising targeting, cross-site tracking, or sold to third parties. The fingerprint is stored in association with your session record and is discarded when your session ends.

13. Blockchain Data Processing

MEDVANE uses the Polygon (MATIC) blockchain network to create immutable audit records of appointment data. When an appointment is marked as completed, a SHA-256 cryptographic hash of the appointment record is generated and written to the Polygon blockchain.

What is hashed (not stored on-chain): Patient demographics, appointment details, vital signs, procedures, lab tests, diagnoses, prescriptions, insurance, and payment records.

What is written to the blockchain: Only the SHA-256 hash — a mathematical fingerprint with no personally identifiable information. It is computationally infeasible to reconstruct the original data from a hash.

Important: Blockchain transactions are permanent and irreversible. Once a hash is written to the Polygon network, it cannot be deleted or modified. This is by design for HIPAA audit trail immutability requirements. However, because no raw data is on-chain, a data deletion request will be fulfilled by deleting the source data in our database — the on-chain hash will remain but becomes meaningless without the source data.

Blockchain hashing is an optional feature. If you prefer to disable it for your account, please contact us at support@medvane.net.

14. Your Rights Under the General Data Protection Regulation (GDPR)

If you live in the European Union (EU) or the European Economic Area (EEA), you have certain data protection rights under the GDPR.

We will make commercially reasonable efforts to ensure that your Personal Data is accurate, complete, and up to date. If you would like to know what Personal Data we possess on you and request that it be deleted from our systems, please contact us via email at support@medvane.net.

You have the following data protection rights:

  • Right of access: Request access to, update, or deletion of the information we maintain about you.
  • Right of rectification: Request correction of inaccurate or incomplete information.
  • Right to object: Object to the way your Personal Data is being used by us.
  • Right to restriction: Request a restriction on how your personal information is processed.
  • Right to data portability: Obtain a copy of your Personal Data in a structured, machine-readable format.
  • Right to withdraw consent: Withdraw your consent at any time for processing based on consent.

Please be aware that we may require verification of your identity before responding to such requests. You have the right to lodge a complaint with a Data Protection Authority regarding how we collect and use your Personal Data.

15. California Online Privacy Protection Act (CalOPPA)

CalOPPA is the nation's first state law requiring commercial websites and online services to disclose a privacy policy. In accordance with CalOPPA:

  • Users can visit our site anonymously;
  • Our Privacy Policy link includes the word "Privacy" and is accessible from our website's home page;
  • Any modifications to our Privacy Policy will be communicated via this Privacy Policy page;
  • Users may update their personal information at any time by emailing us at support@medvane.net.

Do Not Track (DNT) Signals:

When a "Do Not Track" browser feature is enabled, we respect Do Not Track signals and do not plant cookies or employ advertising tracking. You can enable or disable Do Not Track by accessing your web browser's Preferences or Settings page.

16. California Consumer Privacy Act (CCPA) Rights

If you live in California, you have the right to request information about the data we collect about you, to have it deleted, and to have it not sold. To exercise your data protection rights, you may contact us at support@medvane.net with any of the following requests:

1. Right to Know — You may request that we disclose:

  • The categories of personal information we have collected about you;
  • The sources from which we collect your personal information;
  • The business or commercial purpose for which your personal information is collected or sold;
  • The types of third parties with whom we disclose personal information;
  • The specific pieces of personal information we have collected about you.

2. Right to Delete — You may request that we erase all personal information about you that we hold as of the date of your request.

3. Right to Opt-Out of Sale — We do not sell or rent your personally identifiable information to third parties for any purpose. We will never sell your personal information for financial gain.

We will never discriminate against you for exercising your rights. To exercise your CCPA rights, send your request to support@medvane.net.

17. Philippines Data Privacy Act (Republic Act No. 10173)

As a company headquartered in the Philippines, INVOVANE COMPANY is subject to and compliant with the Data Privacy Act of 2012 (RA 10173) and the regulations of the National Privacy Commission (NPC).

Data Subject Rights Under RA 10173

  • Right to be Informed: You have the right to be informed whether personal data about you will be, are being, or have been collected and processed.
  • Right to Access: You have the right to have access to your own personal data and to object to its processing.
  • Right to Object: You have the right to object to the processing of your personal data, including processing for direct marketing.
  • Right to Erasure or Blocking: You have the right to suspend, withdraw, or order the blocking, removal, or destruction of your personal data from our filing system.
  • Right to Damages: You have the right to claim compensation if you have suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data.
  • Right to File a Complaint: You have the right to file a complaint before the National Privacy Commission if you feel your data privacy rights have been violated.
  • Right to Data Portability: You have the right to obtain your personal data in an electronic or structured format that is commonly used and allows for further use.
  • Right to Rectification: You have the right to dispute the inaccuracy or error in your personal data and have us correct it immediately.

Lawful Basis for Processing

We process your personal data only on the following lawful bases: (a) your consent, (b) the fulfillment of a contract with you, (c) compliance with our legal obligations, (d) the protection of your vital interests, or (e) legitimate interests of INVOVANE COMPANY that do not override your privacy rights.

Data Breach Notification

In the event of a personal data breach that may give rise to a real risk of serious harm, we will notify the National Privacy Commission (NPC) within 72 hours of discovery. Affected data subjects will be notified promptly, in a manner that allows them to take necessary precautions.

Data Protection Officer (DPO)

For privacy-related inquiries under RA 10173, please contact our Data Protection Officer at:

  • Email: privacy@medvane.net
  • Support: support@medvane.net

You may also contact the National Privacy Commission (NPC) at complaints@privacy.gov.ph or visit www.privacy.gov.ph for more information about your rights.

18. HIPAA Best Practices and Healthcare Data Protection

MEDVANE is designed with HIPAA best practices to protect healthcare data. US-based covered entities requiring a formal Business Associate Agreement (BAA) should contact us at privacy@medvane.net before processing PHI through the Service.

Security Safeguards Implemented

MEDVANE implements the following safeguards aligned with HIPAA best practices:

  • Appropriate administrative, physical, and technical safeguards to protect electronic health information (ePHI);
  • PHI is used and disclosed only for the purposes described in this Privacy Policy and with appropriate authorization;
  • Security incidents and breaches are reported to affected users promptly upon discovery;
  • Audit trail data is made available upon lawful request for compliance review;
  • Upon account deletion, PHI is returned to the account holder or securely destroyed within 30 days.

Patient Rights Under HIPAA

When using MEDVANE, patients whose records are managed through the platform have rights including:

  • Right to access their PHI;
  • Right to request restrictions on use and disclosure;
  • Right to request amendments to their PHI;
  • Right to an accounting of disclosures;
  • Right to file complaints regarding privacy practices.

Technical Safeguards

  • Administrative: Access management, workforce access controls, security monitoring;
  • Physical: Hosted on secure cloud infrastructure with controlled physical access;
  • Technical: AES-256-GCM field-level encryption, audit controls, integrity controls, person or entity authentication, TLS transmission security.

Breach Notification

In the event of a confirmed breach of unsecured healthcare data, we will notify affected users and, where applicable, the relevant covered entity within 60 days of discovery.

HITECH Act Alignment

MEDVANE is designed in alignment with HITECH Act enhanced privacy and security provisions, including:

  • Breach notification procedures;
  • Audit controls and access logging for all PHI access;
  • Minimum necessary data access policies.

For US-based covered entities: If your organization requires a signed Business Associate Agreement (BAA) before using MEDVANE, please contact us at privacy@medvane.net prior to entering any patient data into the Service.

19. AI Assistant and Data Processing

Overview

MEDVANE's AI Assistant feature (available in the Premium Plan) is designed with a privacy-first architecture to ensure that Protected Health Information (PHI) and sensitive patient data are never transmitted to external third-party AI services.

How Our AI Assistant Works

MEDVANE's AI Assistant uses a dual-processing architecture:

1. Local Database Processing (PHI-Containing Queries)

  • Patient-specific queries are processed entirely within our secure local database;
  • No patient-specific information leaves our secure infrastructure;
  • Queries such as "Show me patient John Doe's appointments" are handled locally.

2. External AI Processing (General Knowledge Only — OpenAI)

  • Only general healthcare knowledge questions are processed by OpenAI;
  • Examples: "What are the symptoms of diabetes?" or "How to manage a medical practice?";
  • No PHI, patient names, medical record numbers, or identifiable information is ever sent to OpenAI.

PHI Detection and Protection System

  • Automatically scans all user queries before processing;
  • Detects and blocks sensitive information including: patient names, medical record numbers, dates of birth, contact information, addresses, and medical conditions with personal identifiers;
  • Sanitizes conversation history to remove any PHI before external processing;
  • Returns a privacy protection message if PHI is detected in queries intended for external processing.

Third-Party AI Service

  • OpenAI processes only non-PHI, general healthcare questions;
  • We do not have a Business Associate Agreement (BAA) with OpenAI, as we do not transmit PHI to their services;
  • OpenAI's data processing is governed by their own privacy policy and terms of service.

Data Retention for AI Conversations

  • Local database query results are not stored separately; they reference existing patient records;
  • General knowledge conversation history may be retained for service improvement;
  • Users can delete their conversation history at any time through the AI Assistant interface;
  • Upon account deletion, all AI conversation history is permanently removed.

20. Children's Privacy

Children under the age of 18 are not permitted to use our Services directly. We do not knowingly collect personally identifying information from children under the age of 18. Please inform us if you become aware that a child has provided us with Personal Data. If we learn that we have obtained Personal Data from children without parental consent, we will immediately delete the information from our servers.

Note: Healthcare providers may enter patient records for minors as part of their clinical practice. Such records are processed as PHI under the healthcare provider's responsibility and HIPAA authorization.

21. Modifications to This Privacy Policy

Our Privacy Policy may be updated from time to time. We will notify you of any changes by posting the revised version on this page.

Prior to the modification becoming effective, we will notify you through email and/or a conspicuous notice on our Service, and we will revise the "Last Updated" date at the top of this Privacy Policy.

We recommend that you review this Privacy Policy periodically for modifications. Changes to this Privacy Policy become effective upon their publication on this page.

22. How to Contact Us

Please contact us via email at support@medvane.net if you have any questions regarding this Privacy Policy.

HIPAA Privacy Officer

For HIPAA-related privacy concerns or to exercise your rights under HIPAA:

  • Email: privacy@medvane.net
  • Support: support@medvane.net

Philippines Data Protection Officer

For inquiries under the Philippines Data Privacy Act (RA 10173):

  • Email: privacy@medvane.net
  • National Privacy Commission: complaints@privacy.gov.ph

© 2026 MEDVANE — INVOVANE COMPANY. All rights reserved.