Privacy Policy – NOWA

Your fertility journey is personal, and so is your privacy. At Nowa, protecting your personal data is a top priority. This policy explains how we collect, use, and protect your data in accordance with the GDPR and the French Data Protection Act. Where applicable (e.g., use of our AI models via OpenAI), we comply with HIPAA requirements through a Business Associate Agreement (BAA).

1. Who are we?

NOWA.CARE — A simplified joint stock company with a sole shareholder (SASU)

• SIREN: 990 265 647
• RCS: Evry
• Share capital: 1,000,000 €
• Registered office: ZA Courtaboeuf, 7 avenue de Laponie, 91940 Les Ulis, France
• President: Figonia Holding
• DPO: Hugo Manoukian – dpo@nowa.care
• Contact: support@nowa.care

This legal information comes from official registers (INSEE, BODACC, RCS) and is kept up to date on Pappers.

2. What data do we collect?

a. Data you provide to us

• Account information: first name, last name, email, password.
• Medical data: age, gender, medical history, test results, treatments, sexual activity, hygiene and lifestyle, etc.
• Imported documents: analyses, reports, prescriptions.
• App input: mood, treatments, notes, daily tracking.
• Billing: name, country, postal code; payment via Stripe (Nowa does not keep your card numbers).

b. Data collected automatically

• Technical data: IP, device type, OS, language, timestamp.
• Use of the app and website.
• Cookies and trackers (see Cookies section).

c. Data received from third parties (with authorization)

• Partner healthcare professionals (with your consent).
• Connected services (Apple HealthKit, Google Fit, etc.).

3. Purposes and legal bases

4. AI, OCR and anonymization

Your medical documents can be analyzed by AI models (e.g. OpenAI) after systematic anonymization (removal of direct identifiers). This processing is used to structure information and populate your Evolving Fertility Plan, with human oversight. No medical decisions are made in a fully automated manner.

Nowa has entered into a Business Associate Agreement (BAA) with OpenAI. Data flows outside the EU are governed by Standard Contractual Clauses (SCCs) from the European Commission. You can request a human review of any automated interpretation.

5. Sharing your data

We do not sell or rent your data. Sharing is limited and contractually governed:

• Hosting: OVHcloud (France), HDS certified.
• AI: OpenAI (HIPAA BAA, SCCs for international transfers).
• Payments: Stripe (PCI-DSS certified; Nowa does not store cards).
• Analytics & marketing: PostHog (product), Google Analytics 4 & Google Tag Manager, Meta Pixel, Pinterest Tag.
• Emailing: Brevo (Sendinblue).
• Communities: WhatsApp (subscribed groups, public channel; voluntary registration).
• Health partners: doctors, clinics, laboratories only with your explicit consent.
• Authorities: when required by law.

The service providers are subject to GDPR and/or adequate guarantees (CCT, BCR, BAA). Personal data is primarily hosted within the European Union.

6. Retention periods

7. Your rights

You can exercise your rights at any time: access, rectification, deletion, opposition, portability, withdrawal of consent. To do this, write to support@nowa.care. We will respond within 30 days.

You can also contact the CNIL.

8. Security

• HDS certified hosting (OVHcloud, France).
• TLS 1.3 encryption in transit, AES-256 at rest.
• Strict access controls, MFA, logging, and audits.
• Data anonymization before external AI processing.

9. Data of minors

The application is reserved for individuals aged 18 and over. If a minor uses it without parental authorization, we will delete the data concerned.

10. International transfers

The data is hosted in the EU. Necessary transfers (e.g., AI processing) are governed by Standard Contractual Clauses and, for OpenAI, by a HIPAA BAA, ensuring an adequate level of protection.

11. Cookies & trackers

A banner allows you to manage your preferences. The following categories may be used:

• Technical (mandatory): website/app functionality.
• Functional: interface preferences.
• Analytics: PostHog (product), GA4 (website/app).
• Marketing: Meta Pixel, Pinterest Tag (measurement & retargeting).

The placement of non-essential trackers is subject to your consent. You can withdraw it at any time.

12. Communities and channels

We offer community spaces:

• Private subscriber group (WhatsApp): exchanges between members, doctors/experts; access depends on subscription status.
• Public channel (WhatsApp): information and content, without individual support or presence of doctors.

Your registration is voluntary. Your messages may be visible to other members. You can leave the group or request the deletion of your data.

13. Studies and research

Certain strictly anonymized data may be used for analyses or research projects, alone or with approved healthcare partners. No identifying information is transmitted.

14. Updates

This policy may evolve. In the event of a substantial change, we will inform you by email or in the app. The current version remains accessible on our site.

15. Summary