Salve stores the health information you enter: medications, conditions, vitals, appointments, lab results, journal entries, and related records. We also store your email address for authentication.
If you use Sage (the AI chat), your saved conversation history is stored in Salve's database and tied to your account so you can revisit past chats. If you connect a wearable device (Oura, Fitbit, Dexcom, Withings, or Whoop), the health metrics synced from that device are also stored in Salve's database under your account.
Salve also records a small amount of product-usage telemetry (short event names like "medications section opened" or "journal entry added") so the developer can see which features are actually helping. These events are written to Salve's Supabase database, are limited to short allowlisted event names, and never include your medical content. Usage events are automatically purged after 180 days. No tracking cookies, advertising IDs, or cross-site identifiers are used.
Your data is stored in a Supabase PostgreSQL database with Row Level Security, which scopes normal in-app reads and writes to your authenticated account. Data cached on your device is encrypted with AES-GCM using a key derived from your session token.
Salve currently uses email-based sign-in through Supabase, including magic links and one-time email codes. Salve does not currently use phone or SMS authentication.
Additional account-security measures such as in-app multi-factor authentication may be added over time, but they should be considered available only when explicitly offered inside the app.
When you use AI-powered features (Sage chat, health insights, news), your health profile is sent to Google's Gemini API (free tier) or Anthropic's Claude API (premium tier) for processing. This requires your explicit consent, which you can grant or revoke at any time in Settings.
Salve stores your Sage chat history in Salve's database under your account so you can revisit past conversations. Free accounts retain up to 5 saved conversations; premium accounts have unlimited history. You can delete individual conversations at any time. Per request, Salve sends the active chat context needed for the feature you are using rather than your entire saved chat archive.
To improve personalization, Sage may extract key context from your conversations (for example, preferences or patterns you mention) and store it in your profile. This data stays in your own database and is included when you export or delete your data.
Each AI provider processes the data it receives according to its own usage policy. Salve's serverless functions act as a relay between the app and the AI provider. Salve's app code does not intentionally persist raw AI request payloads outside the chat and memory features you choose to save, but infrastructure and provider logging are governed by those third parties' own policies.
We do not sell, rent, or share your personal health data with third parties for marketing or advertising purposes. Data is transmitted to the following services only when needed to run the app or a feature you choose to use:
You have the right to:
Salve is intended for users 13 years of age or older. If you are under 13, do not create an account. Users between 13 and 18 should have parent or guardian involvement. We do not knowingly collect data from children under 13.
Salve is a personal health management tool for individual consumers. It is not a healthcare provider, health plan, or healthcare clearinghouse, and is therefore not a HIPAA-covered entity and is not subject to HIPAA regulations. This is standard for consumer health apps where you voluntarily enter and manage your own health information. We still apply serious data-protection practices (Row Level Security, at-rest encryption for on-device cache, HTTPS in transit, scoped secrets, scrubbed error reporting), but the legal protections specific to HIPAA do not apply.
Questions, privacy requests, or bug reports? Email salveapp@proton.me.