Medivault is a personal health record service operated by Novus Digital Initiative (“we”, “us”, “our”). We are committed to protecting your personal data in accordance with applicable data protection laws, including Singapore’s Personal Data Protection Act 2012 (“PDPA”) and other internationally recognised data protection principles.
Data Protection Contact:
Email: hello@novusdigi.com
We will acknowledge requests within 24 hours and respond within 10 business days.
We collect the minimum data necessary to operate the service.
| Category | Examples | Purpose | Basis |
|---|---|---|---|
| Account data | Email, hashed password, ID number | Authentication and identity verification | Consent |
| Health records | Documents, lab results, medications, vitals | Providing the personal health record service | Consent |
| Profile data | Name, date of birth, gender, height, weight | Personalising the experience | Consent |
| AI interaction data | Document text sent for analysis, chat messages | AI-powered extraction and health Q&A | Explicit consent (separate AI toggle) |
| Push notification tokens | Browser push endpoint | Medication reminders | Consent (browser permission) |
Medivault is built on a zero-knowledge architecture. All health records, documents, medications, lab results, and vitals are encrypted on your device before being transmitted, using:
Encrypted data is stored on infrastructure hosted in Singapore (ap-southeast-1), operated by Supabase, Inc. Singapore is subject to the Personal Data Protection Act 2012 (PDPA), one of Asia’s strongest data protection frameworks.
We engage the following sub-processors to deliver the service.
Supabase, Inc.
Role: Cloud database and file storage. Processes encrypted ciphertext only — Supabase cannot read your plaintext health data.
Location: Singapore (ap-southeast-1)
AI Processing Provider — only when AI features are enabled
Role: AI document analysis and health Q&A. When you enable AI features, plaintext content of your documents is transmitted to our AI provider’s servers for processing.
Data retention: We enforce zero data retention on all AI API calls — our AI provider does not retain your data for model training after each request completes.
Location: United States
We do not sell your data. We do not use your health records for advertising. We do not share your data with any party beyond the sub-processors listed above.
Processing purpose: Automated extraction of medical information from documents you upload; AI-powered Q&A about your own health records.
Categories of data: Plaintext content of uploaded medical documents, including health information, names, dates, and clinical values visible in the document.
Retention: Documents are processed transiently. Zero data retention is enforced — data is not stored by our AI provider after each API call.
Basis: Your explicit consent, given via the AI toggle in onboarding or Settings.
Withdrawing consent: Toggle AI off in Settings at any time. No further documents will be sent for AI processing.
Your encrypted data is stored in Singapore. AI processing occurs in the United States. When we transfer data across borders, we ensure adequate safeguards are in place, including contractual protections with our sub-processors. We apply the principle of data minimisation — only the minimum necessary data is transferred for each operation.
Regardless of where you are located, you have the following rights over your personal data:
Access: You can view all your health records within the app at any time. Your data is decrypted locally on your device.
Correction: You can edit any record, medication, vital, or profile field directly in the app.
Erasure / Right to be Forgotten: You can delete your entire account and all associated data from Settings → Delete Account. Deletion is permanent and cascading — all database records and stored files are removed.
Withdraw consent: You can withdraw AI consent at any time via Settings. You can delete your account at any time.
Complaints: Contact us at hello@novusdigi.com. You may also lodge a complaint with your local data protection authority.
In the event of a personal data breach that is likely to result in significant harm, we will notify affected users and relevant authorities within 72 hours of becoming aware, in accordance with PDPA obligations. Because all health data is encrypted with keys only you hold, a breach of our servers would expose ciphertext only.
Medivault is not intended for use by persons under 18. We do not knowingly collect personal data from minors. If you believe a minor’s data has been submitted, contact hello@novusdigi.com and we will delete it promptly.
We will notify you of material changes by email or in-app notification at least 30 days before they take effect. Continued use after the effective date constitutes acceptance of the updated policy.
This policy is governed by the laws of Singapore, including the Personal Data Protection Act 2012. Where you are located in a jurisdiction with its own data protection requirements, we comply with those requirements to the extent they apply to our service.
Data Protection contact / complaints:
hello@novusdigi.com
We acknowledge within 24 hours and respond within 10 business days.