Privacy Policy

Effective June 1, 2026

Your privacy is foundational to everything we build. Surna Care, Inc. ("Surna Care", "we", "us", or "our") is committed to handling your personal and health information with the highest standards of care. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

1. Who We Are

Surna Care is operated by Surna Care, Inc., a healthcare technology company incorporated in Delaware and headquartered in Cambridge, Massachusetts. We build digital tools to support people through IVF, pregnancy, postpartum recovery, and early parenting.

For privacy inquiries, contact our Privacy Team at privacy@surnacare.com or our Data Protection Officer at dpo@surnacare.com.

2. Scope of This Policy

This Policy applies to all information collected through the Surna Care web application, mobile applications, and any related services (collectively, the "Service"). It does not apply to third-party services or websites that may be linked from our Service.

By using the Service you consent to the practices described in this Policy. If you do not agree, please do not use the Service.

3. Information We Collect

We collect information in the following categories:

Account and identity information

Name, email address, password (stored as a bcrypt hash), the date your account was created, and, if you choose to provide it, a profile photo.

Health and reproductive profile data

Information you enter to personalize your experience, including your reproductive stage, delivery date, baby's birth date and measurements, feeding method, delivery type, pre-existing health conditions, medications, and physical measurements (height, weight). This data constitutes Protected Health Information (PHI) under HIPAA.

Mood and wellness data

Mood check-ins, journal entries, EPDS (Edinburgh Postnatal Depression Scale) assessment responses and scores, PHQ-9 responses and scores, and self-care activity logs. This data is PHI.

Baby tracking data

Feeding logs (type, duration, amount), sleep logs, diaper logs, and growth measurements associated with your baby profile. This data is PHI.

AI companion conversation data

Messages you send to the Sura AI companion and AI-generated responses. These conversations are stored server-side and are not accessible to other users or administrators. This data is PHI.

Community content

Posts, replies, and reactions you submit to The Village community. Anonymous posts store your real identity server-side (visible only to platform administrators for moderation) but display without attribution to other users.

Behavioral signals

Anonymized feature usage events (which features you open and when, by local hour of day) collected for our Silent Support passive monitoring system. No content or PHI is stored in these events — only feature identifiers and timestamps.

Device and usage data

IP address, browser type and version, operating system, pages visited, time spent on features, and error logs. We collect this data to operate and improve the Service and to diagnose technical issues.

Push notification tokens

Firebase Cloud Messaging registration tokens associated with your device, used solely to deliver push notifications you have opted into.

4. How We Use Your Information

We use the information we collect to:

  • Create and manage your account and authenticate your identity.
  • Personalize your experience — including AI-generated summaries, wellness recommendations, and care reminders — based on your health profile and activity.
  • Operate the Silent Support passive monitoring system to detect potential changes in wellbeing and surface timely check-in reminders.
  • Generate the PPD (postpartum depression) composite risk score, which is displayed to you privately and is not shared with third parties.
  • Send transactional emails (OTP verification, partner invitations, reminders).
  • Deliver in-app and push notifications for community activity, partner events, and care reminders.
  • Provide partner access to the limited data modules you explicitly authorize.
  • Comply with legal obligations and enforce our Terms of Service.
  • Analyze aggregate, de-identified usage patterns to improve the Service. We do not use identifiable PHI for product analytics.
  • Investigate and prevent fraud, abuse, and security incidents.

We do not use your health information to build advertising profiles. We do not sell personal information.

5. HIPAA and Protected Health Information

Surna Care is designed to operate in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act, to the extent applicable to our service category.

Health information you enter — including mood data, assessment scores, journal entries, baby data, AI conversations, and reproductive profile details — is treated as Protected Health Information (PHI). We apply the following safeguards:

  • Minimum necessary access: Your PHI is accessible only to you and, where explicitly authorized, your designated partner. Platform administrators have access only to account-level operational data (name, email, account status) — never your clinical data.
  • Encryption in transit and at rest: All data is transmitted over TLS 1.2+. PHI stored in our PostgreSQL databases on Microsoft Azure is encrypted at rest using AES-256.
  • Audit logging: Access to PHI tables is logged and monitored. Unauthorized access attempts trigger alerts.
  • Business Associate Agreements: We maintain BAAs with all sub-processors that may handle PHI, including Microsoft Azure and our AI providers.
  • No PHI in analytics: Behavioral analytics use de-identified, aggregated data only. Individual PHI is never sent to third-party analytics or monitoring services.

If you believe your PHI has been improperly disclosed, please contact us immediately at privacy@surnacare.com. You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint.

6. How We Share Your Information

We do not sell, rent, or trade your personal information or PHI. We share information only in the following limited circumstances:

With your designated partner (with your consent)

If you invite a support person, they may view the data modules you explicitly authorize through the partner consent flow. You may revoke access at any time.

With service providers (sub-processors)

We share limited data with trusted vendors who process it on our behalf under strict contractual obligations:

  • Microsoft Azure — cloud infrastructure and database hosting
  • Google (Gemini API) — AI companion responses; we send only the context required to generate a response and do not permit training on your data
  • Resend — transactional email delivery (OTP codes, partner invitations)
  • Firebase (Google) — push notification delivery

For legal compliance

We may disclose information if required to do so by law, court order, or governmental authority, or where we believe disclosure is necessary to protect the safety of any person or to prevent illegal activity.

Business transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as a business asset. We will provide notice before your PHI is transferred and becomes subject to a different privacy policy.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service, maintain your session, and remember your preferences. We do not use third-party advertising cookies.

  • Session cookies: Required for authentication. Deleted when you close your browser.
  • Persistent cookies: Store your theme preference (dark/light) and session tokens. Expire after your session timeout period.
  • Web storage: localStorage is used to persist UI preferences (theme). The only other use of browser storage is a temporary password stash in sessionStorage during the OTP verification flow, which is cleared immediately after sign-in.

Most browsers allow you to control cookies through settings. Disabling cookies may prevent you from logging in or using core features of the Service.

8. Data Retention

We retain your personal information and PHI for as long as your account is active or as needed to provide the Service. We also retain data as necessary to comply with legal obligations, resolve disputes, and enforce agreements.

When you close your account, we will de-identify or delete your PHI within 90 days, except where we are required to retain it by law (for example, for HIPAA record-keeping requirements). Aggregated, de-identified data derived from your usage may be retained indefinitely.

Community posts and replies may remain visible after account closure if other users have interacted with them; upon request, we will either anonymize or delete them.

9. Data Security

We implement and maintain technical, administrative, and physical safeguards designed to protect your information against unauthorized access, use, alteration, and destruction. These safeguards include:

  • TLS 1.2+ encryption for all data in transit.
  • AES-256 encryption for PHI stored at rest on Azure PostgreSQL.
  • Bcrypt password hashing (12 rounds) — we never store plaintext passwords.
  • Role-based access control: platform employees access only the data needed for their role.
  • Regular security reviews and penetration testing.
  • Anomaly detection and audit logging on PHI access.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly to security@surnacare.com.

10. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct inaccurate or incomplete information.
  • Deletion: Request deletion of your account and personal data, subject to legal retention requirements.
  • Portability: Request an export of your health data in a machine-readable format.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@surnacare.com. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

You may also access and update most of your information directly through your account settings.

11. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@surnacare.com and we will delete that information promptly.

Baby tracking data (feeding, sleep, diapers, growth) relates to an infant associated with an adult account holder. We do not create profiles for infants or use infant data for any purpose other than providing the baby tracker feature to the adult account holder.

12. International Data Transfers

Surna Care is based in the United States and the Service is currently available only to U.S. residents. Your information is stored and processed on servers located in the United States (Microsoft Azure West US 2 region).

If you access the Service from outside the United States, you acknowledge that your information will be transferred to and processed in the United States, where privacy laws may differ from those in your country.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • The right to know what personal information we collect, use, disclose, and sell.
  • The right to delete personal information we have collected, subject to exceptions.
  • The right to opt out of the sale or sharing of personal information. We do not sell or share personal information as defined under CCPA/CPRA.
  • The right to correct inaccurate personal information.
  • The right to limit the use and disclosure of sensitive personal information. Health information qualifies as sensitive personal information under CPRA; we use it only to provide the Service.
  • The right not to be discriminated against for exercising your privacy rights.

To submit a CCPA/CPRA request, contact us at privacy@surnacare.com with "California Privacy Request" in the subject line. We will respond within the statutory timeframe.

We do not sell personal information and we do not share it for cross-context behavioral advertising.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and notify you by email or through a prominent in-app notice at least 14 days before the changes take effect.

We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the changes.

15. Contact Us and Data Protection Officer

For privacy questions, data rights requests, or to report a concern, please contact:

Privacy Team

Surna Care, Inc.

50 Cambridgepark Dr. Unit 502, Cambridge, MA 02140

privacy@surnacare.com

Data Protection Officer

For HIPAA-related inquiries and data rights requests.

dpo@surnacare.com

To file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights regarding HIPAA, visit hhs.gov/hipaa/filing-a-complaint.

Questions about your data?

Our Privacy Team is here to help. Reach out at privacy@surnacare.com.