PRIVACY POLICY
Last updated: April 22, 2026
This Privacy Policy describes how Savo Health, Inc. ("Company," "we," "us," or "our") collects, uses, and shares information about you when you use our website savohealth.app and the Mile 22 platform (collectively, the "Services").
If you have questions or concerns about this Privacy Policy, please contact us at support@savohealth.app.
1. What Information We Collect
2. How We Use Your Information
3. When and With Whom We Share Your Information
4. Cookies and Tracking Technologies
5. How Long We Keep Your Information
6. How We Keep Your Information Safe
7. Information from Minors
8. Your Privacy Rights
9. Do-Not-Track Features
10. US State Privacy Rights
11. Healthcare Data and HIPAA
12. Updates to This Policy
13. Contact Us
1. WHAT INFORMATION WE COLLECT
Information you provide to us
We collect personal information that you voluntarily provide to us when you register on the Services, make a purchase, or contact us. The personal information we collect may include:
- Full name
- Email address
- Phone number
- Organization name
- Job title or role
- Account credentials (username and password)
- Plan type and subscription information
- Payment information (processed and stored by Stripe — we do not store card data directly)
- Training institution and professional credentials
- Any other information you choose to provide during registration or onboarding
Information collected automatically
When you visit, use, or navigate the Services, we automatically collect certain information. This information does not reveal your specific identity but may include:
- Device and browser information (browser type, operating system, device identifiers)
- IP address and approximate location (city/state level)
- Usage data (pages visited, features used, time spent on pages, referring URLs)
- Log and diagnostic data
This information is primarily needed to maintain the security and operation of the Services and for internal analytics and reporting purposes.
Information from program operations
Delivery partners who use Mile 22 to manage diabetes prevention programs may enter program-related data including participant enrollment records, session attendance, cohort information, and program outcomes. During the beta testing period, users are expressly prohibited from entering real protected health information (PHI) into the platform. Program data entered by delivery partners remains the property of those delivery partners.
2. HOW WE USE YOUR INFORMATION
We use personal information collected via our Services for a variety of business purposes, including:
- To create and manage your account
- To process payments and fulfill subscriptions
- To deliver and improve the Services
- To send you administrative information, such as account confirmations, verification codes, and updates
- To respond to your inquiries and provide customer support
- To send marketing and promotional communications (you may opt out at any time)
- To enforce our Terms of Service and other legal agreements
- To comply with legal obligations
- To protect the safety and security of our Services and users
- To analyze usage patterns and improve platform functionality
We may use aggregated, anonymized, or de-identified data — which cannot reasonably be used to identify you — for product improvement, research, and reporting purposes.
3. WHEN AND WITH WHOM WE SHARE YOUR INFORMATION
We disclose personal information in specific situations. We do not sell your personal information. We may share data with the following categories of third parties:
Service providers
We share your information with third-party service providers who perform services on our behalf and require access to your information to carry out that work. These include:
- Amazon Web Services (AWS) — cloud infrastructure, database hosting, and email delivery. We have executed a Business Associate Agreement (BAA) with AWS. AWS processes data in accordance with their Privacy Policy.
- Amazon SES (Simple Email Service) — transactional email delivery (verification codes, account notifications). Covered under the AWS BAA.
- Stripe, Inc. — payment processing. Stripe processes payment data in accordance with their Privacy Policy. We have accepted Stripe's Data Processing Agreement.
Legal obligations
We may disclose your information where we are legally required to do so to comply with applicable law, governmental requests, judicial proceedings, court orders, or legal processes.
Business transfers
We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
With your consent
We may disclose your personal information for any other purpose with your consent.
4. COOKIES AND TRACKING TECHNOLOGIES
We may use cookies and similar tracking technologies (like web beacons) to access or store information. Cookies are small files stored on your device. We use them for the following purposes:
- Essential cookies: Required for the Services to function. These include session authentication cookies managed by Amazon Cognito.
- Preference cookies: Remember your settings and preferences, such as dismissing the beta testing notice.
- Analytics cookies: Help us understand how users interact with the Services so we can improve them.
You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Services from functioning correctly. For more information, see our Cookie Policy.
5. HOW LONG WE KEEP YOUR INFORMATION
We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by law.
When you terminate your account, we will retain your data for up to 12 months after account termination, after which it will be permanently deleted unless we are required by law to retain it longer. You may request an export of your data within 30 days of account termination by contacting us at support@savohealth.app.
Note: When the platform is cleared for use with protected health information (PHI), certain audit logs and records may be retained for up to 6 years in compliance with HIPAA requirements. This Privacy Policy will be updated to reflect those requirements prior to any PHI being entered into the system.
6. HOW WE KEEP YOUR INFORMATION SAFE
We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. Our security infrastructure includes:
- Encryption in transit (TLS 1.2+) for all data transmitted to and from the Services
- Encryption at rest using AWS Key Management Service (KMS) for all stored data
- Access controls and authentication managed by Amazon Cognito
- Audit logging via AWS CloudTrail
- Threat detection via AWS GuardDuty
- Network isolation via Amazon VPC (Virtual Private Cloud)
- HIPAA-compliant infrastructure with an executed Business Associate Agreement with AWS
However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure.
7. INFORMATION FROM MINORS
We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 years old. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data.
8. YOUR PRIVACY RIGHTS
Depending on where you are located, you may have the following rights regarding your personal information:
- Right to access: You can request a copy of the personal information we hold about you.
- Right to correction: You can request that we correct inaccurate or incomplete personal information.
- Right to deletion: You can request that we delete your personal information, subject to certain exceptions.
- Right to portability: You can request that we provide your personal information in a structured, machine-readable format.
- Right to opt out of marketing: You can opt out of receiving marketing communications from us at any time by clicking the "unsubscribe" link in any email or contacting us directly.
To exercise any of these rights, please contact us at support@savohealth.app. We will respond to your request within 30 days.
9. DO-NOT-TRACK FEATURES
Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference. At this time, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.
10. US STATE PRIVACY RIGHTS
Residents of certain US states have specific privacy rights under applicable state laws, including California (CCPA/CPRA), Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPSA). This Privacy Policy is designed to comply with the privacy laws of all US states.
Regardless of your state of residence, we provide all users with the privacy rights described in Section 8 of this Privacy Policy. If you are a California resident and have additional questions about your rights, please contact us at support@savohealth.app.
We do not sell personal information as defined under any applicable US state privacy law. We do not use personal information for targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects.
11. HEALTHCARE DATA AND HIPAA
Beta testing period: During the beta testing period, users are expressly prohibited from entering protected health information (PHI) as defined by HIPAA into the platform. Beta users have been notified of this restriction and have agreed to use fictional data only.
Post-beta: When the platform is cleared for PHI use following the conclusion of the beta testing period, this Privacy Policy will be supplemented by a full HIPAA Notice of Privacy Practices, which will be provided to all covered entities and their business associates prior to any PHI being entered into the system.
Health coaches, delivery partners, and network hub organizations using Mile 22 are independently responsible for their own HIPAA compliance obligations, including maintaining their own privacy practices, training their staff, and executing any required Business Associate Agreements with their participants and partner organizations.
Savo Health Inc. will execute Business Associate Agreements with covered entities upon request. Please contact support@savohealth.app to request a BAA.
Data collected through Mile 22 related to program delivery — including participant enrollment, session attendance, weight loss progress, and program outcomes — is used solely for the purpose of program management, CDC reporting, and platform improvement. This data is never sold to third parties.
12. UPDATES TO THIS POLICY
We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last updated" date and the updated version will be effective as soon as it is accessible. If we make material changes to this Privacy Policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Policy frequently to stay informed about how we are protecting your information.
13. CONTACT US
If you have questions or comments about this Privacy Policy, you may contact us at:
If you are a California resident and have concerns about our privacy practices, you may also contact the California Office of the Attorney General at oag.ca.gov/privacy.