Last Updated: June 30, 2026
Welcome to MEDVANE.
MEDVANE is a cloud-based healthcare management platform operated by INVOVANE COMPANY.
This Privacy Policy describes how INVOVANE COMPANY collects, uses, and discloses information when you use our services at medvane.net.
By using MEDVANE, you agree to this Privacy Policy and our Terms and Conditions.
The term "SERVICE" refers to the medvane.net website, which is owned and maintained by INVOVANE COMPANY.
PERSONAL DATA refers to information on a living human who can be identified based on the information (or from those and other information either in our possession or likely to come into our possession).
USAGE DATA is data that is gathered automatically as a result of the use of the Service or as a result of the Service infrastructure itself (for example, the duration of a page visit).
COOKIES are small files that your device stores (computer or mobile device).
DATA CONTROLLER is a natural or legal person who, alone or jointly or in concert with other persons, determines the purposes and manner in which personal data are or will be processed. We are the Data Controller of your data for this Privacy Policy.
DATA PROCESSORS (OR SERVICE PROVIDERS) refers to any natural or legal person who processes data on the Data Controller's behalf. We may employ the services of a variety of Service Providers to more efficiently process your data.
DATA SUBJECT is any living individual who is the subject of Personal Data.
THE USER is the entity that makes use of our Service. The User is the Data Subject, the individual who is the subject of Personal Data.
We collect a variety of different types of information to provide and improve our Service, including:
During your use of our Service, we may request that you provide us with personally identifiable information that can be used to contact or identify you. Among the types of personally identifiable information that may be collected are, but are not limited to:
As a healthcare management platform, MEDVANE processes Protected Health Information entered by healthcare providers on behalf of their patients. This may include: patient demographics, medical history, vital signs, diagnoses, prescriptions, lab results, procedures, insurance records, and appointment notes.
All PHI fields are encrypted at rest using AES-256-GCM authenticated encryption. Encryption keys are derived using PBKDF2-SHA512 with 100,000 iterations and are rotated on a 90-day cycle. No PHI is transmitted to external AI services — see Section 19 for details on our AI Assistant architecture.
We may collect information sent by your browser whenever you visit our Service or access it via any device. This Usage Data may comprise the Internet Protocol address (IP address) of your computer, browser type and version, pages of our Service that you visit, time and date of your visit, time spent on those pages, unique device identifiers, and other diagnostic data.
We use your IP address to determine your approximate country and region. This is used solely to display the correct pricing currency and to comply with regional data protection requirements. We use IPWHO.org (a public geolocation service) for this purpose. No precise GPS location is collected.
We track user behavior on our Service using cookies and similar tracking technologies. Cookies are small data files that may contain an anonymous unique identifier. You may configure your browser to refuse all cookies or to notify you when a cookie is transmitted. However, if you disable certain cookies, you may be unable to use certain features of our Service.
Cookies we utilize include:
Additionally, during account registration, we may collect the following: date of birth, country of residence, telephone number, and professional credentials where voluntarily provided. Healthcare providers may also input patient data including age, date of birth, contact information, insurance information, and detailed medical records. All such information is processed solely for the purpose of operating the healthcare management features of the Service.
INVOVANE COMPANY collects and uses data for the following purposes:
We will retain your data for as long as necessary to fulfill the purposes outlined in this Privacy Policy. We will retain and use your data as necessary to comply with our legal duties, resolve disputes, and enforce our legal agreements and policies.
Audit Logs: All PHI access events, authentication events, and data modification events are retained for a minimum of 7 years (2,555 days) in compliance with HIPAA requirements. Audit logs cannot be deleted by users and are available for compliance audits.
Patient Records: Patient health data is retained for as long as the healthcare provider's account remains active, and for a reasonable period thereafter to allow for data export requests. Upon verified account deletion, patient data is permanently removed within 30 days, except where retention is required by applicable law.
Blockchain Hashes: Cryptographic hashes of appointment records written to the Polygon blockchain are immutable and cannot be deleted or modified. These hashes contain no personally identifiable information or PHI — only cryptographic fingerprints used to verify data integrity.
Usage Data is normally stored for a shorter period, unless this data is required to increase the security or operation of our Service, or where we are legally compelled to retain it for a longer period.
Your information, including Personal Data, may be transferred to and retained on computers located outside of your state, province, country, or other governmental jurisdiction, where data protection regulations may differ.
If you are located outside the Philippines and prefer to give us your data, please be aware that we transfer and process data, including Personal Data, in the Philippines. Our primary database infrastructure is hosted by Supabase, which operates secure cloud infrastructure.
Your agreement with this Privacy Policy, followed by the submission of such information, constitutes your consent to that transfer.
INVOVANE COMPANY will take all reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy, and no transfer of your Personal Data to an organization or country will occur unless adequate controls are in place.
We may disclose personal information that we collect or that you supply in the following circumstances:
We may be required to disclose your Personal Data in some circumstances, such as where compelled by law or in response to authorized requests by public authorities.
Your Personal Data may be transferred if we or our subsidiaries are involved in a merger, acquisition, or asset sale.
We implement multiple layers of security to protect your data:
While we make every effort to protect your data using commercially reasonable measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee perfect security.
We engage the following third-party service providers to operate the Service. Each provider has access only to the data necessary to perform their function and is contractually bound to protect it:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting & authentication | All user, patient, and appointment data (encrypted at rest) |
| PayPal | Payment processing & subscription billing | Subscription plan, billing amounts, payment status |
| Brevo (Sendinblue) | Appointment reminder & confirmation emails | Patient email address, appointment date/time, clinic name |
| SendGrid | Fallback email delivery | Same as Brevo (used only when Brevo is unavailable) |
| OpenAI | General healthcare knowledge queries via AI Assistant | No PHI — only non-identifiable healthcare questions. See Section 19. |
| Cloudflare Turnstile | CAPTCHA / bot protection on login & registration | IP address, browser signals for bot detection |
| Google Tag Manager | Analytics event management | Page views, user events (no PHI) |
| Google Analytics 4 | Usage analytics | Anonymous page views, session data, conversion events |
| Google Ads | Advertising conversion tracking | Signup, trial start, and purchase conversion events |
| Facebook (Meta) Pixel | Advertising & remarketing | Page views, registration, purchase events (no PHI) |
| FingerprintJS | Session security / anomaly detection | Browser-derived device fingerprint (see Section 12) |
| IPWHO.org | IP geolocation for currency/pricing | User IP address |
| Upstash Redis | API rate limiting | IP address and request count (temporary, no PHI) |
| Polygon Network | Immutable blockchain audit hashing | SHA-256 hashes only — no raw personal data (see Section 13) |
These third parties have access to your Personal Data only to carry out their duties on our behalf and are bound to keep it confidential and not to disclose or use it for any other purpose.
We use analytics and advertising services to understand how the Service is used and to improve our marketing. No Protected Health Information (PHI) is ever shared with analytics or advertising providers.
We use Google Analytics 4 (GA4), managed through Google Tag Manager (GTM), to collect anonymous data on page views, user sessions, and interaction events. This data helps us understand how users navigate the Service. Google Analytics is subject to Google's Privacy Policy. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
We use Google Ads conversion tracking to measure the effectiveness of our advertising campaigns. When you sign up, start a trial, or purchase a subscription, a conversion event may be reported to Google. No personal health information is included in these events.
We use the Facebook Pixel to track conversions from Facebook ads and to build audiences for remarketing. Events tracked include page views, registrations, and purchases. PHI is never included. You can manage your Facebook ad preferences through the Facebook Ad Preferences page.
Analytics and marketing cookies require your consent and can be disabled through our Cookie Consent banner at any time. Disabling these cookies does not affect your use of the core Service.
MEDVANE uses FingerprintJS, an open-source browser fingerprinting library, exclusively for account security purposes. A device fingerprint is a hash derived from browser and device attributes (such as browser type, installed fonts, screen resolution, and timezone) that can identify a specific device without storing cookies.
We use device fingerprints solely to:
Device fingerprints are never used for advertising targeting, cross-site tracking, or sold to third parties. The fingerprint is stored in association with your session record and is discarded when your session ends.
MEDVANE uses the Polygon (MATIC) blockchain network to create immutable audit records of appointment data. When an appointment is marked as completed, a SHA-256 cryptographic hash of the appointment record is generated and written to the Polygon blockchain.
What is hashed (not stored on-chain): Patient demographics, appointment details, vital signs, procedures, lab tests, diagnoses, prescriptions, insurance, and payment records.
What is written to the blockchain: Only the SHA-256 hash — a mathematical fingerprint with no personally identifiable information. It is computationally infeasible to reconstruct the original data from a hash.
Important: Blockchain transactions are permanent and irreversible. Once a hash is written to the Polygon network, it cannot be deleted or modified. This is by design for HIPAA audit trail immutability requirements. However, because no raw data is on-chain, a data deletion request will be fulfilled by deleting the source data in our database — the on-chain hash will remain but becomes meaningless without the source data.
Blockchain hashing is an optional feature. If you prefer to disable it for your account, please contact us at support@medvane.net.
If you live in the European Union (EU) or the European Economic Area (EEA), you have certain data protection rights under the GDPR.
We will make commercially reasonable efforts to ensure that your Personal Data is accurate, complete, and up to date. If you would like to know what Personal Data we possess on you and request that it be deleted from our systems, please contact us via email at support@medvane.net.
You have the following data protection rights:
Please be aware that we may require verification of your identity before responding to such requests. You have the right to lodge a complaint with a Data Protection Authority regarding how we collect and use your Personal Data.
CalOPPA is the nation's first state law requiring commercial websites and online services to disclose a privacy policy. In accordance with CalOPPA:
Do Not Track (DNT) Signals:
When a "Do Not Track" browser feature is enabled, we respect Do Not Track signals and do not plant cookies or employ advertising tracking. You can enable or disable Do Not Track by accessing your web browser's Preferences or Settings page.
If you live in California, you have the right to request information about the data we collect about you, to have it deleted, and to have it not sold. To exercise your data protection rights, you may contact us at support@medvane.net with any of the following requests:
1. Right to Know — You may request that we disclose:
2. Right to Delete — You may request that we erase all personal information about you that we hold as of the date of your request.
3. Right to Opt-Out of Sale — We do not sell or rent your personally identifiable information to third parties for any purpose. We will never sell your personal information for financial gain.
We will never discriminate against you for exercising your rights. To exercise your CCPA rights, send your request to support@medvane.net.
As a company headquartered in the Philippines, INVOVANE COMPANY is subject to and compliant with the Data Privacy Act of 2012 (RA 10173) and the regulations of the National Privacy Commission (NPC).
We process your personal data only on the following lawful bases: (a) your consent, (b) the fulfillment of a contract with you, (c) compliance with our legal obligations, (d) the protection of your vital interests, or (e) legitimate interests of INVOVANE COMPANY that do not override your privacy rights.
In the event of a personal data breach that may give rise to a real risk of serious harm, we will notify the National Privacy Commission (NPC) within 72 hours of discovery. Affected data subjects will be notified promptly, in a manner that allows them to take necessary precautions.
For privacy-related inquiries under RA 10173, please contact our Data Protection Officer at:
You may also contact the National Privacy Commission (NPC) at complaints@privacy.gov.ph or visit www.privacy.gov.ph for more information about your rights.
MEDVANE is designed with HIPAA best practices to protect healthcare data. US-based covered entities requiring a formal Business Associate Agreement (BAA) should contact us at privacy@medvane.net before processing PHI through the Service.
MEDVANE implements the following safeguards aligned with HIPAA best practices:
When using MEDVANE, patients whose records are managed through the platform have rights including:
In the event of a confirmed breach of unsecured healthcare data, we will notify affected users and, where applicable, the relevant covered entity within 60 days of discovery.
MEDVANE is designed in alignment with HITECH Act enhanced privacy and security provisions, including:
For US-based covered entities: If your organization requires a signed Business Associate Agreement (BAA) before using MEDVANE, please contact us at privacy@medvane.net prior to entering any patient data into the Service.
MEDVANE's AI Assistant feature (available in the Premium Plan) is designed with a privacy-first architecture to ensure that Protected Health Information (PHI) and sensitive patient data are never transmitted to external third-party AI services.
MEDVANE's AI Assistant uses a dual-processing architecture:
Children under the age of 18 are not permitted to use our Services directly. We do not knowingly collect personally identifying information from children under the age of 18. Please inform us if you become aware that a child has provided us with Personal Data. If we learn that we have obtained Personal Data from children without parental consent, we will immediately delete the information from our servers.
Note: Healthcare providers may enter patient records for minors as part of their clinical practice. Such records are processed as PHI under the healthcare provider's responsibility and HIPAA authorization.
Our Privacy Policy may be updated from time to time. We will notify you of any changes by posting the revised version on this page.
Prior to the modification becoming effective, we will notify you through email and/or a conspicuous notice on our Service, and we will revise the "Last Updated" date at the top of this Privacy Policy.
We recommend that you review this Privacy Policy periodically for modifications. Changes to this Privacy Policy become effective upon their publication on this page.
Please contact us via email at support@medvane.net if you have any questions regarding this Privacy Policy.
For HIPAA-related privacy concerns or to exercise your rights under HIPAA:
For inquiries under the Philippines Data Privacy Act (RA 10173):
© 2026 MEDVANE — INVOVANE COMPANY. All rights reserved.