Privacy Policy
Effective Date: May 5, 2026
Last Updated: May 5, 2026
Note: This policy covers a platform that handles patient health information. Cenvar Health strongly recommends that clinic operators have this policy reviewed by a qualified healthcare attorney or compliance specialist, particularly regarding HIPAA obligations, BAA requirements, and applicable data retention rules.
1. Introduction
Cenvar Health ("Cenvar," "we," "us," or "our") operates a secure, web-based clinic management platform ("the Platform") designed for licensed healthcare clinics and their authorized staff. This Privacy Policy explains what information we collect, how we use and protect it, and your rights with respect to that information.
By accessing or using the Platform, you agree to the practices described in this policy. If you do not agree, do not use the Platform.
2. Who This Policy Applies To
This policy applies to:
- Clinic staff users — nurses, managers, clinic admins, and other authorized personnel who access the Platform through their clinic's account
- Clinic administrators — individuals responsible for managing clinic accounts and user access
- Patient data — information about patients entered into the Platform by authorized clinic staff
The Platform is operated as a business-to-business (B2B) service. Patients do not directly access the Platform. Patient information is entered and managed by clinic staff on behalf of their clinic.
3. Information We Collect
3.1 Clinic Staff Account Information
When a clinic admin creates a user account, we collect:
- Full name
- Email address
- Assigned role (e.g., nurse, manager, clinic admin)
- Account creation date and activity timestamps
- Authentication method (email/password or Google sign-in)
3.2 Patient Records
Clinic staff enter patient information into the Platform as part of their clinical workflow. This may include:
- Patient name
- Date of birth
- Internal chart ID
- Phone number (optional)
- Email address (optional)
- Clinical notes (optional)
3.3 Visit and Clinical Records
When a visit is logged, the Platform collects and stores:
- Visit date and type
- The name of the administering clinician
- Compounds and lot numbers used
- Dosage amounts, units, and administration routes
- Patient reactions or observations
- Visit status (draft, finalized, archived)
- Inventory outcomes upon archiving
3.4 Inventory Records
The Platform stores compound and inventory data, including:
- Compound names, manufacturers, and product codes
- Lot numbers, quantities, expiration dates, and supplier information
- Cost data associated with compounds and inventory lots
- Inventory transaction history (receipts, usage, adjustments, discards)
3.5 Audit Log Data
The Platform automatically records a log entry for every action taken within the system, including:
- The action performed (e.g., visit created, record edited, user added)
- The staff member who performed the action
- The date and time of the action
- The record affected
Audit logs cannot be edited or deleted and are retained as a permanent compliance record.
3.6 Technical and Usage Data
We may collect standard technical data when you access the Platform, including:
- Browser type and version
- Device type and operating system
- IP address
- Session activity and timestamps
4. How We Use This Information
We use the information collected solely to:
- Operate and deliver the Platform to your clinic
- Enable authorized clinic staff to log visits, manage inventory, and maintain patient records
- Maintain audit logs for compliance and operational accountability
- Authenticate users and manage account access
- Send account-related communications, including staff invitation emails
- Investigate and resolve errors or technical issues
- Improve the reliability, security, and functionality of the Platform
We do not sell, rent, or share your data with third parties for marketing or advertising purposes.
5. Data Storage and Infrastructure
The Platform is built on Google Firebase, including Firebase Authentication and Cloud Firestore (Google Cloud). All data is stored and processed within Google's infrastructure.
By using the Platform, you acknowledge that your data is stored within Google Cloud's systems, subject to Google's security and compliance standards. Information about Google Cloud's data protection practices is available at cloud.google.com/security.
All data is scoped to the individual clinic account. Clinic staff can only access data belonging to their own clinic. Platform administrators may access data across clinics for the purpose of system oversight and support.
6. Authentication
Users may authenticate using:
- Email and password — passwords are managed through Firebase Authentication and are subject to minimum complexity requirements enforced by the Platform
- Google OAuth — if a user chooses to sign in with Google, authentication is handled by Google's identity services
We do not store plain-text passwords. Staff accounts are created by clinic admins and activated through an invite link sent to the staff member's email address.
7. Healthcare Data and HIPAA
The Platform is designed for use by licensed healthcare clinics and may be used to store and process Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA).
Clinics using the Platform to store PHI are responsible for ensuring their use of the Platform complies with applicable HIPAA obligations. Cenvar Health may enter into a Business Associate Agreement (BAA) with covered entities and business associates as required by law.
If your clinic requires a BAA, please contact us at support@cenvarhealth.com.
8. Data Security
We take the security of your data seriously. Security measures include:
- Role-based access controls that limit each user to the data and functions their role permits
- Firebase Authentication with enforced password complexity requirements
- All data transmitted between users and the Platform is encrypted in transit via HTTPS
- Audit logging of all actions within the Platform, providing a tamper-proof record of every change
- Clinic-scoped data architecture that prevents users from accessing data belonging to other clinics
No system can guarantee absolute security. If you believe your account or the Platform has been compromised, contact us immediately at support@cenvarhealth.com.
9. Data Retention
We retain data for as long as your clinic's account is active or as needed to provide the Platform. Audit logs are retained as a permanent compliance record and are not subject to routine deletion.
If you wish to request deletion of your clinic's data, contact us at support@cenvarhealth.com. Note that certain records may be subject to retention obligations under applicable law, including healthcare regulations, and may not be eligible for deletion upon request.
10. User Rights
Authorized clinic users and clinic administrators may:
- Request access to the data associated with their account
- Request correction of inaccurate account information
- Request deactivation of their user account by contacting their clinic admin
Patients whose information has been entered into the Platform by clinic staff should contact their clinic directly to exercise rights over their health records. Cenvar Health processes patient data on behalf of the clinic and does not independently control patient records.
11. Cookies and Local Storage
The Platform may use browser cookies or local storage to maintain user sessions and authentication state. These are functional and required for the Platform to operate. We do not use tracking cookies or third-party advertising cookies.
12. Third-Party Services
The Platform relies on the following third-party services:
- Google Firebase — authentication, database, and cloud infrastructure
- Google OAuth — optional user sign-in method
These services are governed by their own privacy policies and terms of service. We are not responsible for the data practices of third-party providers.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. Continued use of the Platform after any update constitutes acceptance of the revised policy.
We encourage clinic admins to review this policy periodically.
14. Contact
If you have questions about this Privacy Policy or how your data is handled, please contact us:
Cenvar Health
Email: support@cenvarhealth.com
This Privacy Policy was last updated on May 5, 2026.
