HIPAA Compliance

Effective date: March 1, 2026 · Last updated: March 1, 2026

Vivy takes the privacy and security of health information seriously. This page describes how we comply with HIPAA and protect your Protected Health Information (PHI).

HIPAA Compliant · BAA Available · SOC 2-aligned · AES-256 Encryption · Firebase BAA signed

1. Overview

Vivy, Inc. ("Vivy") is committed to complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

Vivy operates as a Business Associate for covered entities that use our platform. Where applicable, we enter into a Business Associate Agreement (BAA) that defines the permissible uses and disclosures of Protected Health Information (PHI).

2. What constitutes PHI on Vivy

Protected Health Information (PHI) on Vivy may include: biomarker measurements, protocol logs, medication and supplement records, health goals, and any other individually identifiable health information you enter into the app.

PHI is stored under your authenticated user ID in Firebase Firestore and is governed by our Firestore security rules, which enforce strict user-level isolation.

3. Use and disclosure of PHI

Permitted uses. We use PHI only to provide the Vivy service — including protocol tracking, AI-powered health recommendations, and biomarker analysis — and as otherwise permitted by our BAA and HIPAA.

No sale of PHI. We do not sell, rent, or otherwise monetize PHI.

Minimum necessary. We apply the HIPAA minimum necessary standard, limiting access to PHI to what is required to perform a specific function.

Third-party AI services. We do not send raw PHI to third-party AI model providers. AI inference that may involve PHI is performed within our own Firebase Cloud Functions environment, under BAA coverage.

4. Your rights as a patient

Under HIPAA, you have the right to access your PHI, request corrections, receive an accounting of disclosures, and request restrictions on use.

To exercise any HIPAA right, contact our Privacy Officer at support@heyvivy.com. We will respond within the timeframes required by HIPAA (generally 30 days, with one possible 30-day extension).

You may also delete your account and all associated PHI at any time through the app (Settings → Account → Delete Account).

5. Breach notification

In the event of a breach of unsecured PHI, we will notify affected individuals, the Secretary of the U.S. Department of Health and Human Services (HHS), and, where applicable, the media — within the timeframes required by the HIPAA Breach Notification Rule.

We maintain an incident response plan that is reviewed and tested annually. Our team is trained to identify and escalate potential breaches immediately.

6. Business Associate Agreements

Vivy signs BAAs with covered entities that require them before any PHI is shared. We also maintain signed BAAs with our key infrastructure providers, including Google Cloud (Firebase).

To request a BAA with Vivy, or to obtain a copy of our BAA template, contact support@heyvivy.com.

7. Complaints

If you believe your HIPAA rights have been violated, you may file a complaint with our Privacy Officer at support@heyvivy.com or directly with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr.

We will not retaliate against any individual for filing a good-faith complaint.

Security safeguards

How we protect your data

Administrative safeguards

  • Designated HIPAA Security Officer
  • Workforce training on PHI handling policies
  • Access controls and minimum necessary standard
  • Business Associate Agreements (BAAs) with all relevant vendors
  • Incident response and breach notification procedures
  • Regular risk assessments and policy reviews

Physical safeguards

  • All PHI stored in Google Cloud infrastructure (Firebase), which maintains SOC 2 Type II and ISO 27001 certifications
  • No on-premises servers; no physical access to infrastructure by Vivy employees
  • Workstation access controls and device management policies for team members

Technical safeguards

  • End-to-end encryption in transit (TLS 1.3) and at rest (AES-256)
  • Firestore security rules enforce per-user data isolation
  • Firebase Authentication with secure token management
  • Audit logging of all PHI access events
  • Automatic session expiration and re-authentication requirements
  • Role-based access controls limiting internal access to PHI
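The per-user isolation described above (PHI stored under the authenticated user ID, guarded by Firestore security rules) is what a rules file enforcing it looks like. This is an added illustration, not Vivy's deployed rules; the collection layout under /users/{userId} and the subcollection names are assumed. The commented-out rule shows the common weak form (any signed-in user can read everyone's data) next to the corrected form.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Caller presented a valid Firebase Authentication token.
    function signedIn() {
      return request.auth != null;
    }

    // Caller's verified uid matches the owner segment of the document path.
    // Path-based ownership cannot be spoofed by data the client writes.
    function isOwner(userId) {
      return signedIn() && request.auth.uid == userId;
    }

    // WEAK FORM (do not deploy): "authenticated" is not "authorized".
    // Any signed-in account could read or modify every user's PHI.
    //
    // match /users/{userId}/{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // CORRECTED FORM: the authenticated uid must equal the path owner.
    // Assumed layout (hypothetical): /users/{uid}/biomarkers, /users/{uid}/protocolLogs
    match /users/{userId} {
      allow read, write: if isOwner(userId);

      // Recursive wildcard covers every subcollection under the user's document,
      // so new PHI collections inherit isolation instead of defaulting to deny.
      match /{document=**} {
        allow read, write: if isOwner(userId);
      }
    }

    // Firestore denies anything no rule allows; stated explicitly for reviewers.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

The weak form is the one to test for in a rules review: a user signed in as uid A must be denied a read of /users/B/... even though the token is valid.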

Need a Business Associate Agreement?

Covered entities requiring a BAA before using Vivy can request one at support@heyvivy.com. We typically turn these around within 3 business days.