Privacy Policy

Effective 3 May 2026 · Operator: Lipa Health (the “Service” / “we” / “Lipa”)

Privacy at a glance
  • Anonymous-first. You can use Lipa without an account, name, or email.
  • No selling. We never sell your health data and never use it to train AI models.
  • No tracking. No cross-site pixels, no fingerprinting, no ad networks.
  • Encrypted. All data encrypted in transit and at rest. EU-based storage.
  • Yours to delete. One click in My Lipa wipes everything, including from backups within 30 days.

1. Who we are

Lipa Health (“Lipa”, “we”, “us”) operates lipa.health, my.lipa.health, and related services. This Privacy Policy describes how we collect, use, store, and protect personal information when you use the Service.

For questions or to exercise your rights, contact us at hello@lipa.health.

2. Information we collect

2.1 Anonymous use

By default, you can use Lipa without providing identifying information. We assign a randomly-generated session identifier so the conversation can persist on your device. We collect:

  • The text of your conversation with Lipa
  • Health information you voluntarily share (symptoms, medications, supplements, bloodwork values, family history, goals)
  • Files you upload (e.g., bloodwork PDFs) — see “Bloodwork files” below
  • Standard device + connection metadata: browser type, IP address, timestamps (used for security and abuse prevention only)

2.2 Identified use (after you provide email)

If you choose to save your conversation across devices, you provide an email address. We then collect:

  • Your email address
  • Account creation and last-login timestamps

2.3 Payment information

If you subscribe, our payment processor (Stripe, Inc.) collects your billing details. Lipa never sees or stores your full card number. We retain only a Stripe customer ID, subscription status, and tier.

2.4 Bloodwork files

When you upload a lab report, the file is processed in-memory by our analysis pipeline (which uses Anthropic Claude for biomarker extraction). The file itself is not retained. We keep only the extracted biomarker values, units, reference ranges, and an audit row recording that an upload occurred.

3. How we use your information

We use the information described above to:

  • Provide, operate, and improve the Service (interpreting your questions, generating responses, analyzing bloodwork)
  • Maintain conversation context across your visits
  • Process payments, manage subscriptions, and send transactional emails (magic links, receipts)
  • Prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not use your conversation data, bloodwork, or any health information to train AI models. We do not sell, rent, or share your data with advertisers, data brokers, or any third party for marketing purposes.

4. Legal basis (GDPR / EU and UK users)

If you are in the EU, EEA, UK, or Switzerland, our legal basis for processing depends on the activity:

  • Performance of a contract (Art. 6(1)(b) GDPR) — processing necessary to provide the Service you request, including health-related conversation and analysis
  • Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) — for processing of health data (special category data), where you voluntarily provide health information by using the Service
  • Legitimate interest (Art. 6(1)(f) GDPR) — for security, abuse prevention, and Service improvement that does not infringe on your rights
  • Legal obligation (Art. 6(1)(c) GDPR) — for record-keeping, tax, and regulatory compliance

By using the Service and voluntarily sharing health information, you consent to our processing of that information for the purposes described in this Policy. You may withdraw consent at any time by deleting your data (see Section 9).

5. Service providers (sub-processors)

We share data only with the third-party providers necessary to operate the Service. We do not sell or share data with any other party.

Provider          | Purpose                                     | Region
------------------|---------------------------------------------|---------------------------
Anthropic, Inc.   | AI model inference (Claude)                 | USA / EU (via AWS Bedrock)
Supabase, Inc.    | Database, authentication                    | EU (Frankfurt)
Vercel, Inc.      | Hosting, edge delivery                      | USA / Global edge
Stripe, Inc.      | Payment processing                          | USA / EU
Resend / Postmark | Transactional email (magic links, receipts) | USA / EU
OpenAI            | Text embedding for research retrieval       | USA

Each provider is bound by data processing agreements that restrict use of your data to the purposes described above. Conversation text is processed by Anthropic Claude (via AWS Bedrock for EU residents) on a zero-data-retention basis — prompts are not stored beyond the immediate processing window.

6. International data transfers

We host primary data in the European Union. Some sub-processors (notably Anthropic, Vercel, OpenAI, Stripe) operate in the United States. International transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by technical safeguards (encryption in transit and at rest, zero-data-retention for AI inference where supported).

7. Data retention

  • Conversations and bloodwork values — retained as long as your account exists. Deleted within 30 days of account deletion (including from automated backups).
  • Bloodwork PDF files — not retained. Processed in-memory and discarded after biomarker extraction.
  • Authentication logs and security events — up to 12 months for fraud prevention.
  • Payment records — retained as required by tax law (typically 7 years), via Stripe and our accounting systems.
  • Anonymous usage metrics (aggregate page views, feature adoption) — indefinitely, but contains no personally identifying information.

8. Security

We implement industry-standard security measures: encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access controls for our team, audit logging on administrative actions, and routine vulnerability monitoring on our infrastructure.

No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify affected users without undue delay (and within 72 hours, where required by GDPR Article 33).

9. Your rights

You have the following rights regarding your personal information:

  • Access — request a copy of the data we hold about you
  • Correction — ask us to correct inaccurate data
  • Deletion — ask us to erase your data (the “right to be forgotten”)
  • Restriction — ask us to limit how we use your data
  • Portability — request your data in a portable, machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — withdraw consent for processing of health data at any time

To exercise any of these rights, use the Delete everything button in My Lipa, or email hello@lipa.health. We respond within 30 days.

If you are in the EU/EEA, you also have the right to lodge a complaint with your local supervisory authority (e.g., the CNIL in France, the Garante in Italy, the Datenschutzbehörde in Austria).

10. Children

Lipa is not intended for users under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with information, contact us and we will delete it promptly.

11. Cookies and similar technologies

Lipa uses only the cookies and local storage strictly necessary to operate the Service: an authentication session cookie, your active conversation context, your saved facts, and your text-size preference. We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that profile users.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version with a new effective date and, for material changes, notify users by email or in-app notice. Your continued use of the Service after the effective date of the updated Policy constitutes acceptance of the changes.

13. Contact

Questions, requests, or complaints about this Policy or our data practices: hello@lipa.health.

For our Terms of Service, see lipa.health/terms.

Effective 3 May 2026.