Skip to content

Privacy Policy

How we handle the records you share with Lucy.

Effective April 26, 2026.

This Privacy Policy explains what information we collect when you use mydadshealth.com (the Site) and the Lucy companion services accessed through it (together with the Site, the Service), how we use that information, and the rights you have. We have written it in plain English wherever the law allows. The legal definitions still control where they conflict with the plain text.

1. Who we are

The Site is owned and operated by Synova Industries (the Company, we, us). The Lucy product, software, AI models, Capsule audit-chain protocol, training-provenance architecture, and related intellectual property are licensed to Synova Industries by Quantum Pipes Technologies LLC, a Wyoming limited liability company.

For the purposes of this Policy, references to we and us mean Synova Industries acting as the operator of the Service, working with Quantum Pipes Technologies LLC as our licensor and processor. You can reach us about privacy at hello@quantumpipes.com.

2. What this Policy covers

This Policy applies to mydadshealth.com, the Lucy services available through it, any applications we may publish under the Lucy or My Dad's Health name, and the related infrastructure (the Service). It does not cover third-party services you separately authorize, including your healthcare provider's patient portal or any links we provide to outside resources.

3. The current state of the Service

At the time of this Policy's effective date, the Service is in a pre-launch waitlist phase. Lucy's clinical intelligence features (records reading, literature retrieval, cited-question generation) are not yet available to the general public. The information we collect today is limited to what is described in Section 4 (Waitlist phase). When the full Service opens, the information described in Section 5 (Full-Service phase) will also apply, and we will update the effective date and notify people who have joined the waitlist.

4. What we collect today (waitlist phase)

  • Email address. When you sign up for the waitlist, we collect the email address you provide so we can contact you when Lucy opens to a first cohort of families.
  • Optional waitlist note. If you choose to tell us about your dad's situation in the optional textarea that appears after you sign up, we store that text alongside your email so Lucy can read it as her first context when she writes to you.
  • Server logs. Our hosting provider records standard server-log information (IP address, user-agent string, timestamp, requested URL) for short-term operational and security purposes. This data is retained only as long as needed for those purposes and is not used to build long-term profiles.
  • Anonymous usage analytics. If we have enabled Cloudflare Web Analytics, our hosting provider collects aggregated, cookie-free, fingerprint-free page-view information so we can see what is being read. This service does not identify you.

5. What we will collect when Lucy opens (full-Service phase)

  • Account information. Your name, your email address, and a hashed password (Argon2id; we never see your plaintext password).
  • Subscription and billing information. If you subscribe to the paid Service, our payment processor will collect the information required to charge you. We do not store your full card number; we receive only a token, the last four digits, the brand, and the expiration date, for support and reconciliation.
  • Authorization tokens. Encrypted OAuth tokens issued by your healthcare provider when you authorize Lucy to access your loved one's records via Epic SMART-on-FHIR or an equivalent standard.
  • Medical records you connect or upload. Labs, vitals, medications, conditions, clinical notes, imaging metadata, and appointments. Default storage is encrypted on your device. Optional cloud synchronization, if you choose it, is encrypted on your device before transit and operates under a signed Business Associate Agreement.
  • Your own notes and inputs. Anything you write while using the Service.
  • Capsule audit records. Every brief we deliver, every source we cite, and every access to your data is sealed in a tamper-evident Capsule chain. These records live with your account and are exportable by you.
  • Diagnostic telemetry. Aggregated, anonymized information about feature usage, error rates, and performance, used only to operate and improve the Service.

6. What we do not do, ever

  • We do not sell your personal information to anyone.
  • We do not share your personal information with advertisers or data brokers.
  • We do not use third-party advertising trackers or pixels.
  • We do not use your medical records to train any third-party generative AI model.
  • We do not use your medical records to train our own models without your explicit, informed, opt-in consent.
  • We do not knowingly collect information from anyone under eighteen years of age. The Service is not directed to children. If you believe a minor has provided information to us, contact hello@quantumpipes.com and we will delete it.

7. How we handle protected health information

When the Service handles protected health information (PHI) on your behalf, we and our licensor act as a Business Associate under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. We are not a Covered Entity ourselves. Where you are subject to HIPAA as an institution or where your healthcare provider is the source of records you connect, we will execute a Business Associate Agreement on request before any PHI is exchanged.

We implement administrative, physical, and technical safeguards that include:

  • Access controls. Only you, and caregivers you have explicitly authorized through the Service, can access records associated with your account.
  • Audit controls. Every PHI access, read, write, export, and share is recorded in the Capsule chain described above.
  • Integrity. Cryptographic hash verification (SHA3-256) is applied across the chain; any modification breaks chain integrity visibly.
  • Transmission security. AES-256-GCM encryption in transit; Ed25519 and ML-DSA-65 signatures on every Capsule (a dual classical and post-quantum signature scheme) so the chain remains verifiable even after large-scale quantum computing is practical.
  • Workforce access. Personnel with potential access to PHI receive HIPAA awareness training and are bound by written confidentiality obligations.
  • Breach response. If we discover a breach or suspected breach affecting your PHI, we will notify you and any required regulators within the timeframes required by law.

8. Where your records live, and where Lucy reads them

By default, medical records you connect or upload are stored in an encrypted local database on your device. When you ask Lucy a question, the relevant subset is read on servers configured so that nothing is retained after the request completes. No copy of your records is kept on those servers, and no content of yours is used to train any model. Optional cloud synchronization, if you turn it on, is encrypted on your device before it transits the network; the cloud cannot read your records.

9. Third parties who help us run the Service

We rely on a minimal set of third-party providers:

  • Cloudflare, Inc. Edge hosting, content delivery, denial-of-service protection, and (optionally) privacy-respecting Web Analytics. Cloudflare may briefly process IP addresses and request metadata to deliver the Site to you. Cloudflare's privacy practices are described on its own website.
  • Email delivery. When the Service is available, transactional email (waitlist confirmation, briefs, the single follow-up) is delivered through a standard transactional email provider operating under industry-standard data-processing terms.
  • Payment processing. When the paid Service is available, payments are processed through a PCI-DSS Level 1 provider. We do not see your full card number.
  • Your healthcare provider. The source of records you connect via Epic SMART-on-FHIR or an equivalent standard. Lucy receives data only with your explicit OAuth authorization and only for the purposes you specify.

We do not share your PHI with any third party other than the ones above without your explicit, per-transaction consent or a legal requirement we are bound to follow.

10. Your rights

You have the right to:

  • Access. Ask us what information we hold about you and receive a copy.
  • Export. Export your full Capsule audit trail in a machine-readable format at any time.
  • Correct. Request correction of inaccurate information.
  • Delete. Delete your account, which cascades to delete all associated records within thirty days, except where retention is required by law.
  • Revoke. Revoke any OAuth authorization at any time through the patient portal that issued it or through the Service.
  • Object and restrict. Object to or restrict certain processing, where applicable law gives you the right to do so.

Residents of jurisdictions with specific privacy frameworks have additional rights. Without limiting the rights described above, this includes:

  • California (CCPA / CPRA). The right to know, delete, correct, and opt out of the sale or sharing of personal information; the right to limit the use of sensitive personal information; and the right to be free from retaliation for exercising these rights. We do not sell or share personal information as those terms are defined under the CCPA.
  • Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), Florida (FDBR), Indiana, Iowa, Tennessee, Montana, and other US state privacy frameworks. The rights to access, correct, delete, and obtain a portable copy of your personal information; the right to opt out of targeted advertising, sale, and certain profiling; and the right to appeal a denied request.
  • European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR). The rights to access, rectification, erasure ("right to be forgotten"), restriction, portability, objection, and to lodge a complaint with your supervisory authority. Our lawful bases for processing are your consent, the performance of a contract with you, our legitimate interests in operating and securing the Service, and compliance with legal obligations.

To exercise any right, write to hello@quantumpipes.com with enough information for us to verify your identity. We will respond within the time required by applicable law and without retaliation. If you appoint an authorized agent, we may require proof of authorization before responding.

11. Retention and deletion

We retain account and waitlist information while your relationship with us is active. On account deletion, we delete associated records within thirty days, except where longer retention is required by law, regulation, the defense of legal claims, audit obligations, or another legitimate business reason. In those cases we retain only the minimum information necessary and only for the minimum time required.

12. Security

The Service uses modern cryptography throughout: Argon2id for password hashing, AES-256-GCM for symmetric encryption, SHA3-256 for hashing, Ed25519 and ML-DSA-65 for signatures, and X25519 and ML-KEM-768 for key exchange. The Capsule chain protocol that anchors our audit trail has been submitted to the National Institute of Standards and Technology.

Despite our best efforts, no method of storage or transmission is perfectly secure. You use the Service at your own risk. We recommend strong, unique passwords and two-factor authentication once it is available. If you believe you have discovered a security issue, please write to hello@quantumpipes.com.

13. International users

The Service is operated from, and its infrastructure is provisioned primarily within, the United States. If you access the Service from outside the United States, you understand that your information may be processed in the United States, where data protection laws may differ from those in your jurisdiction. Where required, we rely on Standard Contractual Clauses or other valid transfer mechanisms.

14. Cookies and similar technologies

The Site does not currently use advertising cookies or third-party trackers. We may use a small number of strictly necessary cookies or local storage entries to operate the Service (for example, to remember your draft on the waitlist form or your accessibility preferences). These do not track you across other sites.

15. Changes to this Policy

We may update this Policy from time to time. The most current version is always available at mydadshealth.com/privacy and is dated at the top. Material changes will be announced on the Site and, for registered users, by email. Your continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the updated Policy.

16. How to contact us

Privacy questions, rights requests, and security reports can be sent to hello@quantumpipes.com. We will acknowledge within a reasonable time and respond as required by applicable law.

Postal mail can be addressed to: Synova Industries, Privacy Officer, c/o Quantum Pipes Technologies LLC, in care of the registered agent of record in Wyoming, United States.