← Salve Security Methodology Transparency Privacy Consumer Health Data

Transparency

Last updated: May 2026

Salve exists so you can hold your own health picture in one place. That only works if you know exactly where your data goes. This page is the plain-language version. The binding details are in the Privacy Policy and the Consumer Health Data Privacy Policy.

Who processes your data, and only for what

Supabase hosts the database that stores your records and Sage chat history.
Vercel hosts the app and the serverless API relays.
Google Gemini and/or Anthropic Claude power AI features, only with your consent, with only the profile and current chat the feature needs sent per request.
Wearable APIs (Oura, Fitbit, Dexcom, Withings, Whoop) and the Terra aggregator, only if you connect a device.
Stripe handles subscription billing. No health data is sent to Stripe.
Sentry receives crash reports with request bodies dropped and health fields scrubbed.
Open-Meteo and Google's pollen and places APIs receive a location only, never health information, for the weather and location features.

What Salve never does

We do not sell your data. Ever. We never even ask for that consent.
We do not share your data for advertising, and we do not profile you for advertising.
We do not use third-party analytics, ad trackers, or cross-site identifiers. Product analytics is self-hosted in your own database as a fixed allowlist of event names with no properties and no health content.
We do not buy health data or obtain it from data brokers.
We do not place geofences around healthcare facilities.

The AI training distinction, stated plainly

Per Google's published terms, free-tier Gemini requests can be used to improve Google's products and models. Per Anthropic's published terms, premium Claude requests are not used to train their models. Your profile text is pseudonymized by default before it is sent. Pseudonymization lowers exposure but is not a zero-retention guarantee, and we do not claim one. If you want the no-training path, that is the premium tier.

What kind of service this is, legally

Salve is a personal health record app that you control, not a healthcare provider, health plan, or clearinghouse, so it is not a HIPAA covered entity. The rules that do apply include the FTC Health Breach Notification Rule, the FTC Act's prohibition on unfair or deceptive practices (our policies have to be accurate and followed), and state consumer-health-data laws such as Washington's My Health My Data Act and California's CMIA. None of this is legal advice.

The controls you have, yourself

See everything: all your data is visible in the app, and exportable (optionally encrypted) from Settings.
Correct anything: edit any record.
Delete: erase all data, or permanently delete your account, which cascades across every table and cancels billing.
Withdraw consent: turn AI and device sharing off at any time in Settings under Data, Your data rights.
Anything you cannot do yourself: email salveapp@proton.me and we respond within 45 days, with no retaliation for exercising a right.

Security covers how the data is protected. Methodology covers how Sage reasons and the guardrails on it. The Consumer Health Data Privacy Policy is the binding consumer-health-data document.