Nucora Master Privacy Policy
Updated 1/7/2026
Preamble: The Intelligence Layer for Personal Health
Interpretive Health, LLC ("Nucora," "we," "us," or "our") operates the Nucora mobile application and platform (the "Service"). Our mission is to transform your fragmented biometric data into coherent, interpreted, actionable insights. We operate on the fundamental principle that your health data is your property, and its privacy is a prerequisite for its utility.
IMPORTANT NOTICE: NUCORA IS A GENERAL WELLNESS TOOL
Nucora is designed solely to support general health, fitness, and wellness. It is not a medical device. The Service, including its Artificial Intelligence (AI) features, does not provide medical advice, diagnosis, cure, mitigation, treatment, or prevention of any disease. The "Analyst" agents within Nucora provide informational insights based on your data. If you have a medical emergency, call 911 immediately.
Article 1: Definitions and Scope
To ensure clarity and compliance with the Washington My Health My Data Act (MHMDA), the California Consumer Privacy Act (CCPA), and the California AI Transparency Act (SB 942), we use the following definitions:
● "Consumer Health Data" (CHD): Personal information that is linked or reasonably linkable to you and identifies your past, present, or future physical or mental health status. This includes data derived from non-health sources (e.g., shopping habits) if used to infer health status.
● "Truth Substrate": The internal, encrypted database of Computable Primitives (e.g., "7-day Sleep Consistency Score") derived from your connected devices. This serves as the verified "source of truth" for our AI analysis.
● "Generative AI System": The artificial intelligence models (including the "Analyst" and "Critic" agents) used to create the "Health Blueprint," "Chat with My Data," and "Podcast" features.
● "Transient Data": Data ingested from third-party APIs that is cached temporarily for processing and strictly deleted within contractual timeframes.
● "Epigenetic Data": Data regarding DNA methylation patterns or biological age (e.g., "Speed of Aging"), distinct from raw genomic sequence data.
Article 2: The Data We Collect (Inputs)
We adhere to a strict Data Minimization standard. We ingest only the structured data necessary to generate your Health Blueprint. We do not collect free-text medical histories to prevent the accidental ingestion of acute pathological data.
2.1 Information You Provide Directly (Structured Entry)
You may provide information regarding your wellness goals and status. These inputs are restricted to structured categories:
● Account Information: Name, email address, password (hashed), and date of birth (Nucora is strictly 18+).
● Structured Wellness Profile:
○ Activity Class: Self-reported activity level (1-10 scale).
○ Wellness Goals: Selections limited to general wellness (e.g., "Improve Sleep Quality," "Optimize Nutrition").
○ Chronic Condition Management: You may select specific conditions where lifestyle intervention is a standard of care: Type 2 Diabetes, Hypertension, High Cholesterol, Obesity, and Generalized Anxiety.
○ Medications: You may log wellness-related medication classes (e.g., Statins, Metformin) for adherence tracking.
2.2 Data Ingested from Connected Devices (API Integrations)
By authorizing connections to third-party services, you permit us to ingest the following structured data into your Truth Substrate:
● Activity & Performance: Steps, cadence, power output, VO2 Max estimates (Source: Garmin, Apple Health).
● Sleep & Recovery: Sleep duration, staging (Deep/REM/Light), Nocturnal HRV, Resting Heart Rate (Source: Garmin, Apple Health).
● Metabolic & Nutrition: Macronutrient logs, micronutrient intake, glycemic variability (Source: Cronometer, CGM data).
● Strength & Load: Resistance training logs, volume, and intensity (Source: Hevy).
2.3 Epigenetic and Biomarker Data
You may upload PDF reports (e.g., Function Health, Quest) or connect lab integrations.
● Epigenetic Markers: We collect methylation-based metrics such as "DunedinPACE" or "Biological Age" to track the efficacy of your wellness interventions.
● Exclusion: We do not collect or store raw whole-genome sequencing (WGS) data (e.g., FASTQ/BAM files).
2.4 Reproductive Health Context (Optional)
You may optionally grant Nucora access to reproductive health data (e.g., menstrual cycle tracking) via Apple Health or Garmin.
● Purpose: This data is processed solely to contextualize sleep and performance metrics (e.g., correlating luteal phase with HRV trends).
● Opt-In: This collection is strictly optional and requires affirmative enablement of "Cycle Context" in Settings.
Article 3: Data Retention and Storage Architecture
Our data retention policy is designed to balance longitudinal analysis with strict adherence to third-party API agreements.
3.1 The Persistent Truth Substrate
We retain Computable Primitives (e.g., "Weekly Average Resting Heart Rate") derived from Apple Health, Garmin, and Lab Reports. This derived data is encrypted and stored to facilitate long-term trend analysis (e.g., "Year-over-Year improvements"). This data is retained until you request account deletion.
Article 4: How We Use Your Data (Processing)
We process your data solely for the following "General Wellness" purposes:
1. Health Blueprint Generation: Synthesizing disparate data streams into a coherent narrative of your current wellness state.
2. AI-Driven Analysis: Using Generative AI to identify trends (e.g., "Your Deep Sleep correlates with lower HRV") and generate summaries.
3. Service Improvement: Debugging and optimizing the accuracy of our deterministic algorithms.
Prohibited Uses:
● We do not use your data for cross-context behavioral advertising.
● We do not sell your Consumer Health Data.
● We do not use your data to train third-party public AI models (e.g., we do not allow OpenAI to use your data to train Chat GPT).
Article 5: Artificial Intelligence & Transparency (SB 942 & SB 243)
Nucora utilizes Generative AI to provide "Companion" features. We are committed to compliance with the California AI Transparency Act (SB 942) and Senate Bill 243.
5.1 Disclosure of Artificial Nature
When using "Chat with My Data" or listening to the AI generated content you are interacting with an Artificial Intelligence system, not a human being. The voices in the app are synthetic avatars.
● Manifest Disclosure: All AI-generated text and audio interfaces will display a "Clear and Conspicuous" notice stating: "AI-Generated Content. Check for Accuracy."
● Latent Disclosure (C2PA Watermarking): In compliance with SB 942, all AI-generated audio files downloadable from the Service contain embedded C2PA-compliant metadata. This digital watermark certifies the content's origin as synthetic media produced by Interpretive Health, LLC, ensuring provenance and authenticity.
5.2 Safety and Crisis Intervention (SB 243)
We have implemented Automated Crisis Detection Protocols in accordance with California SB 243.
● Crisis Routing: If our system detects inputs indicating suicidal ideation or self-harm, the AI is programmed to suspend the "Wellness" conversation and immediately provide a "Crisis Resource" card containing contact information for the 988 Suicide & Crisis Lifeline.
5.3 Limitations of AI (The Trust Layer)
Our architecture employs a "Trust Layer" to validate AI claims against your Truth Substrate. However, AI can make errors ("hallucinations"). You should verify all specific numerical data against your original lab reports. The AI cannot diagnose disease.
Article 6: Data Sharing and Service Providers
We do not sell your data. We share data only with the following categories of processors under strict Business Associate Agreements (BAAs) or Data Processing Addendums (DPAs):
● Cloud Infrastructure: Amazon Web Services (AWS) for secure, HIPAA-compliant hosting.
● AI Processing: OpenAI (Enterprise Tier) for data analysis.
○ Zero Data Retention (ZDR): Our agreement with OpenAI mandates a "Zero Data Retention" policy. Your data is processed in-memory for the duration of the request and is never stored or used to train OpenAI's models.
● Software Engineering: Technology Rivers, LLC. Authorized engineers may access system logs for maintenance and security purposes, strictly bound by confidentiality and HIPAA-compliant data handling standards.
Article 7: Data Security
We employ a "Defense in Depth" security strategy:
● Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
● Access Control: We utilize Role-Based Access Control (RBAC) to limit internal access to the minimum necessary.
● Anonymization: Wherever possible, data processed for internal analytics is de-identified.
Article 8: Location Data and Geofencing
● Geofencing Prohibition: In compliance with MHMDA, we explicitly prohibit the implementation of any geofence around any entity that provides in-person health care services (e.g., hospitals, clinics, reproductive health centers) for the purposes of identifying consumers or sending notifications.
Article 9: Your Rights (Deletion and Access)
9.1 The Right to Delete
You may request the deletion of your account and all associated data at any time via the "Settings" menu in the App.
● Active Data: Upon request, your account is immediately deactivated, and personal data is purged from our active databases.
● Backup Cycle: Residual encrypted copies of data may remain in our disaster recovery backups for up to 30 days before being strictly overwritten. This data is "put beyond use" and is not accessible for any processing.
9.2 Right to Correct
You have the right to correct inaccuracies in your data. Since your Verified Health Record is ingested from third parties (e.g., Garmin), you may need to correct the data at the source (e.g., inside the Garmin Connect app) for the change to reflect in Nucora.
Article 10: Children’s Privacy
Nucora is not intended for use by persons under the age of 18. We do not knowingly collect data from minors. If we become aware that a user is under 18, we will immediately delete their account and data.
Article 11: Changes to This Policy
We may update this policy to reflect changes in law or technology. Material changes will be communicated via email or an in-app notification.
Article 12: State-Specific Disclosures
● California Residents: See our "Notice at Collection" regarding your CCPA rights in the app settings.
● Washington & Nevada Residents: Please review the Consumer Health Data Privacy Policy Supplement below.
Consumer Health Data Privacy Policy Supplement (MHMDA)
Note: To comply with MHMDA Section 4, this document is hosted on a separate URL and linked independently from the Master Privacy Policy.
Title: Nucora Consumer Health Data Privacy Policy
Effective Date: January 7, 2026
This Consumer Health Data Privacy Policy ("Supplement") applies to "Consumer Health Data" as defined by the Washington My Health My Data Act (MHMDA) and the Nevada Consumer Health Data Privacy Law. It supplements the Nucora Master Privacy Policy.
1. Categories of Consumer Health Data We Collect
We collect the following categories of Consumer Health Data:
● Individual Health Conditions: Information regarding chronic conditions you voluntarily select (e.g., Diabetes, Hypertension) for wellness tracking.
● Bodily Functions and Vital Signs: Data regarding sleep stages, heart rate, heart rate variability, respiratory rate, and metabolic markers.
● Epigenetic Data: Methylation-based biological age metrics (e.g., DunedinPACE scores).
● Surgeries or Procedures: Information found in uploaded medical history documents.
● Reproductive or Sexual Health Data (Optional): Information regarding menstrual cycles or ovulation, strictly limited to users who affirmatively opt-in to "Cycle Context" features.
● Use of Medication: Information regarding wellness-related medication adherence (e.g., "Statins") which you voluntarily log.
● Social and Psychological Interventions: Data regarding your self-reported mood or stress states.
● Inferred Health Data: Insights derived from your activity and sleep data that may indicate a health trend.
We DO NOT collect:
● Gender-affirming care information.
● Biometric data for the purpose of unique identification (e.g., facial recognition).
● Raw genomic sequence data (DNA).
2. Sources of Consumer Health Data
We collect this data from:
● You directly: via manual entry of structured conditions and goals.
● Your connected devices: via API integrations with Garmin, Apple Health, Hevy, and Cronometer.
● Your uploaded documents: via PDF lab reports (e.g., Quest Diagnostics, Function Health, DEXA body scans).
3. Purposes of Collection
We collect and use this data strictly to provide the Nucora Service you requested:
● To generate your "Health Blueprint" and "Computable Primitives."
● To provide AI-driven wellness insights and summaries.
● To track your progress toward your stated wellness goals.
We do not use Consumer Health Data for marketing, advertising, or commercial sale.
4. Sharing of Consumer Health Data
We do not "share" your Consumer Health Data as defined by the MHMDA (which includes disclosure for commercial benefit). We disclose data only to the following "Processors" necessary to provide the service:
● Cloud Hosting: Amazon Web Services.
● AI Analysis: OpenAI (under strict "Zero Data Retention" and non-training agreements).
● Development: Technology Rivers, LLC (for maintenance and security).
We require all processors to contractually agree to process your data only on our behalf and for no other purpose.
5. Your MHMDA Rights
Under Washington law, you have the right to:
● Confirm whether we are collecting, sharing, or selling your Consumer Health Data.
● Access your Consumer Health Data, including a list of all third parties with whom we have shared it.
● Withdraw Consent for our collection and sharing of your data.
● Delete your Consumer Health Data.
6. How to Exercise Your Rights
To exercise these rights, please email privacy@interpretivehealth.com with the subject line "MHMDA Request" or use the "Delete My Data" feature in the Nucora App settings. We will respond to authenticated requests within 45 days.