Legal

Privacy Policy

Your privacy matters. This policy explains how N1 Precision collects, uses, and protects your data.

Effective April 2026

At a Glance

  • We collect your Google account info and the health data you enter
  • Your data is used solely to power the service — never sold or shared for marketing
  • Stored in encrypted cloud infrastructure — HIPAA safeguards in progress
  • Caregivers and clinicians see only the data categories you choose to share — biography is never visible to delegated users
  • You can export all of your data anytime — nothing leaves your account unless you choose to share it
  • You can delete your account and all data anytime from Settings
  • No tracking cookies — authentication cookies only
  • AI features use Claude and Nova through AWS Bedrock under our AWS Business Associate Agreement — no data sold, your data never used to train external AI foundation models, biography and raw birth date never sent. Aggregate patterns from user data are used internally to improve our detectors; that is an inherent operational function of the service.
  • Caregiver accounts only — children never interact with the service

Parent questions, plain answers

You don’t need to know what HIPAA stands for to trust an app with your child’s seizure data. Here are the questions caregivers actually ask us, in plain English. The long legal version is in the sections below if you want the details.

Is my child’s information safe here?
Yes. Everything you log is stored encrypted in a cloud database that only you can access with your login. The servers are in the U.S. and use the same kind of security a hospital system would use — even though we’re a personal tracking app, not a hospital.

Can anyone see my child’s name?
No one outside of you. Seizure logs, medications, labs — none of them are stored with your name or your child’s name. Inside our database, everything is tied to a random account number, not a person. The only places a name could appear are (a) your login profile, which only you see, and (b) the biography page, where you can write your own notes. That biography text stays in our database and is never sent to anyone or anything, including the AI.

Can my doctor see this data?
Only if you deliberately share it with them. We don’t push your data anywhere. You can print reports to bring to an appointment, and you can send a secure confirmation link if you want your neurologist to verify a diagnosis in the app — but nothing leaves your account unless you make it happen.

What does the AI see when I ask it a question?
The AI sees things like “age 12, female, Dravet syndrome, 24 kg, took these medications, had these seizures on these days.” It does not see any names, your email, your address, your date of birth, or anything you typed into the biography field. Those are blocked in two different places in our code so they can’t accidentally slip through. Everything runs through AWS Bedrock (Claude and Nova) under our AWS Business Associate Agreement, and Bedrock does not use your data to train any foundation model.

Do you sell my data?
No. Never. We don’t run ads, we don’t sell lists, and we don’t share your data with marketers or data brokers. Not now, not later.

If I delete my account, is it really gone?
Yes. Anything identifying (your login, email, profile, biography notes) is permanently deleted right away. If you want the underlying health records fully erased too, just ask us — contact info is at the bottom of this page.

Wait — is this HIPAA compliant?
The honest answer: HIPAA technically doesn’t apply to you tracking your own child’s data in a personal app. HIPAA is a rulebook for hospitals, insurance companies, and clinicians. When you type your own information into a journaling app, those rules don’t kick in. We still follow the same safeguards HIPAA would require — encryption, access controls, audit logs — because we think your data deserves that level of protection even when the law doesn’t require it.

What about genetic info — SCN1A, mutations?
We do not store genetic data of any kind. No variants, no mutation reports, no sequencing results. That kind of information belongs in a proper genetic registry under its own rules, not in a seizure-tracking app. Please don’t enter it anywhere in the app, even in the biography field.

I still have questions. Who do I ask?
Jump to the Contact section below and email us directly. We answer personally — no ticket system, no bot.

01

Information We Collect

When you sign in with Google or email, we receive your name, email address, and a unique account identifier. We do not access your Google password. All health data you enter — including seizure logs, medications, daily events, and other records — is stored in our database and associated with your account.

Sensitive Identifying Fields

Out of all the data N1 Precision stores, only two fields on your profile are potentially identifying, and both are handled with strict rules:

  • Date of birth. We store only the month and year of your birth (the day is always set to the first of the month); the full date of birth is never stored. Month resolution is enough for growth-percentile and age-band calculations, which use age in months. This value never leaves our server as a raw date. When data flows to AI features, only your age in whole years is sent. When you export your data, only your birth year is included in de-identified exports — matching the U.S. HIPAA “Safe Harbor” de-identification standard.
  • Biography / medical history field. The biography field on your profile is free text and may contain names or other identifying details that you choose to enter. For that reason, it is never transmitted outside our database under any circumstance. It is not sent to the AI, not included in exports, and not shared with caregivers or clinicians through delegated access. It exists solely to help you keep personal notes on the biography page.

Beyond these two fields, clinical records (seizures, medications, labs, daily events, etc.) are referenced only by a random internal account identifier — never by your name, email, phone number, address, or any other direct identifier.

02

How We Use Your Data

Your data is used solely to provide the N1 Precision service. This includes displaying your dashboard, generating charts and analytics, and storing your records so you can access them across sessions. We do not sell, rent, or share your personal data with third parties for marketing purposes.

03

Data Storage & Security

Your data is stored in a cloud-hosted MongoDB database with encryption at rest and in transit. We use industry-standard practices to protect your information, including encrypted connections (HTTPS/TLS), authentication on all API endpoints, audit logging for clinical data access, and scoped access so that each user can only view and modify their own records. N1 Precision Insights is a personal health-tracking tool and is not itself a HIPAA-covered entity, but we voluntarily apply HIPAA-equivalent administrative, technical, and physical safeguards and are establishing Business Associate Agreements with our infrastructure providers in preparation for future clinical and research use cases.

05

Delegated & Caregiver Access

N1 Precision allows you to grant caregivers and clinicians access to your (or your child’s) clinical data through the Data Sharing settings. Access is scoped: you choose exactly which data categories (seizure logs, medications, daily events, lab results, etc.) each person can see. You can revoke access at any time from Settings.

  • All delegated access is logged in an audit trail — you can see who accessed which data and when.
  • Delegated users see only the clinical data categories you have shared. The biography field is never visible to delegated users under any circumstance.
  • AI-powered features require separate consent for delegated access. Our AI calls route through AWS Bedrock, which is covered by a Business Associate Agreement with Veda-Tegrity LLC. Even with that BAA in place, when a clinician or caregiver accesses a patient’s shared data, the patient’s explicit permission is required before AI processing runs on their behalf. Until that permission is granted, AI features are disabled for that patient’s data.
  • Access can be revoked at any time from Settings > Data Sharing. Revocation takes effect immediately.

07

Cookies & Authentication

We use cookies and local storage strictly for authentication and session management. We do not use tracking cookies or third-party analytics services that monitor your behavior across other websites.

08

Account Deletion & Data Retention

Your data is retained as long as your account is active. You can close your account at any time from Settings > Security. Account deletion follows a two-phase process:

Phase 1 — Immediate Deletion

Account credentials, email address, biography, profile name, and all personally identifiable information are permanently deleted immediately upon account closure. This action is irreversible.

Phase 2 — Retained 6 Years

De-identified clinical records (seizure logs, medications, daily events, lab results) are soft-deleted and retained for 6 years per healthcare records retention best practices. These records are referenced only by an anonymous identifier — your identity has been removed in Phase 1. After 6 years, retained records are permanently purged.

You can request immediate full erasure of all data (including de-identified records) by contacting hello@n1precision.com. We will comply within 30 days.

09

Third-Party Services & Vendors

N1 Precision relies on the following third-party services (subprocessors) to operate. Each vendor has its own privacy policy governing how they handle data.

Vendor | Purpose | Data Accessed | Location
Amazon Web Services (AWS) | Hosting, compute, authentication (Cognito), email (SES), storage | All application data | us-east-1
MongoDB Atlas | Database | All clinical and account data | AWS us-east-1
AWS Bedrock (Claude + Nova) | AI-powered pattern analysis and chat. All AI runs inside AWS Bedrock under our AWS BAA. Your data is never used to train any foundation model. | Sanitized clinical data (age in years only, no raw birthDate, no biography, no names). BAA-covered. Delegated access additionally requires explicit AI consent. | AWS us-east-1
Upstash (Redis) | Caching layer | Cache keys with user IDs, no clinical data stored persistently | US

10

AI Processing Boundaries

N1 Precision includes optional AI-powered analysis features. All AI calls route through AWS Bedrock, which hosts Anthropic’s Claude models and Amazon Nova inside an AWS HIPAA-eligible environment. We do not call any consumer AI API directly.

BAA Status — covered

Amazon Web Services has a Business Associate Agreement (BAA) with Veda-Tegrity LLC that covers AWS Bedrock. This means every Claude and Nova invocation we make happens inside a HIPAA-compliant processing boundary. AWS is contractually bound by the BAA to handle PHI in accordance with HIPAA Privacy and Security Rules.

Your data is never used to train external AI foundation models such as Claude or Nova. Per AWS Bedrock policy and the Bedrock terms under which Anthropic and Amazon make their foundation models available, customer prompts and completions are not used to train or improve any AWS or third-party foundation model. Your inputs are not stored by Bedrock beyond the processing of your request and are not reviewed by human operators.

How we improve our detection pipeline

Separate from the external AI training question above: N1 Precision uses aggregate statistical patterns across the user base to tune and validate our detection pipeline — calibrating detector thresholds, validating detector outputs against real-world signals, and developing new detectors. This is an inherent part of the service we provide. Storing, processing, analyzing, and continuously improving the detectors that run on your data costs real money; aggregate pattern use inside our BAA-covered infrastructure is how we operate and improve the product you are using. By using N1 Precision, you agree to this operational use of aggregate patterns.

What this is not: it is not machine learning in the foundation-model sense. Our detectors are deterministic statistical code, not trained neural networks. Your individual records never leave N1’s AWS BAA-covered infrastructure and never cross patient boundaries through this process. Only aggregate statistical properties inform the code that ships back to all users.

What the AI Receives

When you initiate an AI request, a sanitized summary is sent to Bedrock. The summary includes your age in whole years (never the full birth date), gender, diagnoses, current body weight, aggregated seizure statistics, medication names and dosages, and structured clinical notes — identified only by an anonymous internal account identifier, never by name, email, phone, or address. Even though Bedrock operates under a BAA, we apply this minimization as defense-in-depth.

The biography / medical history field is NEVER sent to any AI model. Your full date of birth is also never sent; only your age in years. These exclusions are enforced at two layers: the code that builds the AI context never adds them, and a server-side sanitizer strips them again before anything is transmitted, as a second line of defense.

Delegated Access

When you share your data with a caregiver or clinician through delegated access, AI features on that shared data require your explicit AI processing consent. Without consent, AI features are completely disabled for that data. This consent is separate from the general Data Sharing grant and can be revoked at any time from Settings.

Data Retention by Bedrock

Per AWS Bedrock policy, the prompts we submit and the completions we receive are not used to train or improve any AWS or third-party foundation model, are not retained by Bedrock beyond the processing of the request, and are not reviewed by human operators. AI features are entirely opt-in — no data flows to Bedrock unless you explicitly initiate an analysis.

All AI-generated outputs are informational only and do not constitute medical advice, diagnosis, or treatment recommendations. You should always consult your healthcare provider before making decisions based on AI-generated summaries.

11

Children's Privacy

N1 Precision is designed for use by adults (18+) only — specifically caregivers and patients who manage their own health tracking. Children do not create accounts or interact with the service directly. When a parent or guardian uses N1 Precision to track health data on behalf of a minor, the parent or guardian is the "user" and retains full control over all data entered.

We do not knowingly collect personal information directly from children under 13. If we learn that a child under 13 has created an account without parental consent, we will promptly delete that account and all associated data.

For questions regarding children's data or to exercise COPPA rights, please contact us through the information provided in the Contact section below.

12

Data Subject Rights & Minor's Data Transition

The data subject (the individual whose health data is tracked) has the right to assume control of their data upon reaching the age of majority (18). To request an account ownership transition, contact us through the application to initiate the verification and transfer process.

Parents and guardians can export all data at any time via Settings > Export. Data is available in JSON and Excel formats. You may also request complete deletion of all data at any time through the account deletion feature in Settings.

Until a transition is completed, the parent or guardian who created the account retains full control over all data and account settings.

13

Changes to This Policy

We may update this privacy policy from time to time. Any changes will be reflected on this page. Continued use of the application after changes are posted constitutes acceptance of the updated policy.

14

Contact

If you have questions about this privacy policy, children’s data, COPPA compliance, or wish to request data deletion or account transition, please contact us:

  • Privacy Officer: John Greer — hello@n1precision.com
  • Compliance Officer: Judith Greer
  • Legal entity: Veda-Tegrity LLC (Delaware)

We answer personally — no ticket system, no bot.