Version 5.0 │ April 2026

IMPORTANT NOTICE: INTERPRETIVE HEALTH’S MOBILE APPLICATION AND SITE (“Nucora”) IS A GENERAL WELLNESS AND FITNESS TOOL. Nucora is designed solely to support general health, fitness, and wellness. Nucora is not a medical device. Nucora, including its Artificial Intelligence (AI) features, does not provide medical advice, diagnosis, cure, mitigation, treatment, monitoring, or prevention of any disease. If you have a medical emergency, call 911 immediately.

1. Introduction

Interpretive Health, LLC (“We,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal and health information (“User Data”) when you use the Nucora mobile application and website. User Data includes personal information such as name, email, health history, wellness goals, diet information, and other personal health information.

Nucora is intended for use only by individuals 18 years of age or older. Nucora is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us immediately at support@nucora.ai and we will delete that information.

2. Definitions and Scope

To ensure clarity and compliance with the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the California AI Transparency Act (SB 942), we use the following definitions:

“Consumer Health Data (CHD)” means personal information linked or reasonably linkable to you that identifies your past, present, or future physical or mental health status, including data derived from non-health sources if used to infer health status.

“Generative AI System” means the artificial intelligence models used to create Nucora’s Health Blueprint, Podcast, and AI analysis features. These systems generate content based on your inputted data.

“Transient Data” means data ingested from third-party APIs that is cached temporarily for processing and deleted within contractual timeframes after analysis is complete.

“Epigenetic Data” means data regarding biological age derived from blood-based DNA methylation analysis, distinct from raw genomic sequence data.

“AI-Generated Content” means any report, podcast, analysis, or output produced by Nucora’s AI systems based on your inputted data, as required to be disclosed under the California AI Transparency Act (SB 942).

3. Data We Collect

We collect the following categories of User Data:

a. Personal Information

  • Name, email address, and mailing address
  • Date of birth, height, weight, and sex (used for reference-range calculations)
  • Ethnicity (optional, collected for analytics context)

b. Personal Health and Medical Information

  • Health history and wellness goals
  • Family medical history
  • Personal diet and nutrition information
  • DEXA body composition scan results
  • Blood and urine biomarkers
  • Gut microbiome test results
  • Blood-based DNA methylation and biological age data

c. Data from Connected Third-Party Platforms

When you choose to connect third-party platforms to Nucora (see Section 4 of the Terms of Use for the full list), we receive data from those platforms via their APIs. The data we receive depends on the platform you connect and may include:

  • Apple Health: Activity, workout, sleep, heart rate, and other health metrics you choose to share
  • Garmin Connect: Activity, sleep, heart rate, stress, body composition, and other wellness metrics
  • Cronometer: Food logs, nutrition data, and dietary intake information
  • Hevy: Weight training logs, exercise history, and workout data
  • Viome: Gut microbiome test results and related recommendations
  • BodySpec: DEXA body composition scan data
  • Function Health: Blood and urine biomarker results
  • Blueprint Speed of Aging: Blood-based biological age and DNA methylation data
  • TinyHealth: Gut microbiome test results

Each of these platforms has its own privacy policy that governs how they collect and handle your data. We encourage you to review the privacy policies of any platforms you connect to Nucora. Once data reaches Nucora, this Privacy Policy governs how we use and protect it.

Please note – a third-party platform may be located outside of the United States and your data may be transmitted outside of the United States. The laws and regulations of the country of the third-party platform govern the privacy of your data located in that country.

We do not sell data received from any connected third-party platform.

d. Usage Data

  • Interactions with AI-powered features (analysis, podcast, Health Blueprint)
  • Supplement and diet logs
  • User data summaries generated for your use
  • Site interactions and app activity

e. Device and Technical Data

  • Mobile device identifier (IDFV on iOS, ANDROID_ID on Android)
  • Device model, manufacturer, operating system, and version
  • IP address and general geographic location derived from IP

f. Epigenetic Data

  • DNA methylation patterns and biological age data as defined in Section 2

g. Transient Data

  • Certain data from connected third-party platforms (described in Section 3c above) is cached temporarily during computational processing and deleted after your requested analysis is complete. Data transmitted to OpenAI for AI analysis is subject to zero data retention and is not stored by OpenAI after processing.

4. How We Use Your Data

We use your User Data for the following purposes:

  • To provide AI-generated health analysis, personalized podcasts, and Health Blueprint reports based on your inputted data
  • To operate and improve the Nucora platform, including identifying and resolving software errors, improving computational accuracy, and improving the quality of reports, podcasts, and other outputs
  • To communicate with you about updates, notifications, and service-related matters
  • To generate educational supplements and data summaries for your personal use
  • To comply with applicable laws, including CCPA, CPRA, and other applicable state and federal laws
  • To detect and prevent fraud, unauthorized access, and other illegal activity
  • To enforce our Terms of Use and protect our legal rights
  • To conduct general business analysis using aggregated, non-personally-identifiable information

Platform improvement. We use your data to improve Nucora’s platform quality. This includes identifying and resolving bugs in our computational systems, improving the accuracy of our mathematical and analytical algorithms, and improving the quality of reports, podcasts, and other outputs we generate for you. This is internal product improvement, not AI model training. Your data is not used to train any third-party AI models, and Interpretive Health, LLC does not train its own AI models on your data. When your data is used for platform improvement purposes, access is limited to authorized personnel on a need-to-know basis.

5. Data Processing Architecture

a. How Your Data Is Processed

Your User Data is stored on Nucora’s cloud infrastructure, hosted by Amazon Web Services (AWS) in the United States. Data is encrypted at rest using AES-256 encryption via AWS Key Management Service (KMS) or server-side encryption (SSE-S3). Data in transit is protected using TLS 1.2 or higher.

Nucora uses proprietary algorithms and artificial intelligence to analyze your data and generate your requested reports, podcasts, and other outputs. As part of this process, your data is transmitted to OpenAI and Google Cloud AI services for AI-powered analysis and content generation. OpenAI operates under a zero-data-retention agreement — your data is not stored by OpenAI after processing is complete and is not used to train OpenAI’s models. Only HIPAA-eligible API endpoints are used for AI data transmission. Google Cloud AI services operate under a data processing addendum and HIPAA business associate agreement with enterprise-grade data protections; Google does not use your data to train its AI models.

b. Third-Party Data Ingestion

When you connect a third-party data source (such as Garmin Connect or Cronometer), data flows from that platform to Nucora’s servers via the platform’s API. Nucora does not share your data back to those platforms except as necessary to maintain the integration connection. Each third-party platform is an independent data controller responsible for its own data handling practices.

6. AI Transparency Disclosures (California SB 942)

In compliance with the California AI Transparency Act (SB 942), we make the following disclosures:

a. AI-Generated Content

Nucora produces AI-generated reports, podcasts, and analyses. All outputs produced by Nucora’s AI systems are generated based exclusively on data you provide and contain both visible labels and technical provenance signals. These outputs are for educational and informational purposes only and do not constitute medical advice. AI-generated outputs are not a substitute for the services of properly trained and licensed healthcare professionals.

b. How to Identify AI-Generated Content

All Nucora reports, podcast episodes, and analyses are AI-generated. Each output includes a disclosure statement identifying it as AI-generated content. Podcast episodes include an audible disclaimer at the beginning of each episode.

For questions about how Nucora’s AI systems work or how AI-generated content was produced, contact us at support@nucora.ai.

7. Data Security and Privacy Standards

a. Regulatory Status

Interpretive Health, LLC is not a HIPAA Covered Entity, and Nucora is not subject to the HIPAA Privacy Rule or Security Rule. However, we recognize that the health and wellness data you entrust to us deserves strong protection regardless of regulatory classification. We have adopted security and privacy practices consistent with HIPAA standards and contractually require our service providers to do the same.

b. Security Measures

We implement the following security measures to protect your User Data:

  • Encryption at rest: User data is encrypted at rest using AES-256 encryption via AWS Key Management Service (KMS) or server-side encryption (SSE-S3)
  • Encryption in transit: Data in transit is protected using TLS 1.2 or higher
  • Infrastructure security: We implement AWS security measures including Virtual Private Cloud (VPC), subnets, Network Access Control Lists (ACLs), and monitoring via CloudTrail and CloudWatch
  • Access controls: Access to your data is limited to authorized employees, contractors, and service providers who need it to perform their functions, on a need-to-know basis
  • Vendor security requirements: All service providers that process your health and wellness data operate under agreements that require security safeguards consistent with or exceeding HIPAA standards, including Amazon Web Services (cloud infrastructure), OpenAI (AI analysis, under zero-data-retention with HIPAA-eligible endpoints), Google Cloud AI services (AI content generation, under data processing addendum and HIPAA business associate agreement), Google Workspace (support communications), and Cronometer (food and nutrition log data, under HIPAA business associate agreement)

c. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities after becoming aware of the breach, in accordance with applicable laws. Notification will be provided via your registered email address or in-app notification. Because we rely on third-party service providers for certain infrastructure and processing functions, the time required to detect and investigate a breach may vary depending on when our service providers notify us.

d. Your Responsibility

You are responsible for maintaining the confidentiality of your login credentials. We are not liable for unauthorized account access resulting from your failure to protect your credentials. USERS ASSUME ALL RESPONSIBILITY FOR ANY LOSS OF PRIVACY OR OTHER HARM RESULTING FROM THEIR VOLUNTARY DISCLOSURE OF PERSONALLY IDENTIFYING INFORMATION.

8. Sharing Your Information

We do not sell your personal information. We may share your User Data in the following limited circumstances:

a. Third-Party Service Providers

We share data with authorized service providers who perform services on our behalf, including:

  • OpenAI — AI analysis and report generation (under zero-data-retention agreement using HIPAA-eligible endpoints only; OpenAI does not retain or train on your data)
  • Google Cloud AI services — AI content generation (under data processing addendum and HIPAA business associate agreement; Google does not use your data to train its AI models)
  • Amazon Web Services (AWS) — Cloud infrastructure and data storage (under HIPAA business associate agreement with encryption and audit requirements)
  • Google Workspace — Support email communications (under HIPAA business associate agreement)
  • Cronometer — Food and nutrition log data integration (under HIPAA business associate agreement)

These providers are contractually prohibited from using your data for any purpose other than providing services to us or as required by law.

b. Aggregated and De-Identified Data

We may share aggregated, de-identified information that cannot reasonably identify you with third parties, including advisors and investors, for general business analysis and platform development.

We may disclose User Data when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, prevent fraud, or protect the safety of our users or the public.

d. Business Transfers

In the event of a merger, acquisition, or sale of assets, your User Data may be transferred to the successor organization. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

We may share your information for other purposes with your explicit consent.

9. Data Retention

We retain your User Data for as long as your account is active or as needed to provide services. Specifically:

  • Active account data is retained for the duration of your account
  • After account deletion, we retain data for up to 12 months to prevent fraud, and resolve disputes or for as long as necessary to fulfill legal, contractual, or legitimate business purposes.
  • Transient data from third-party integrations is deleted within 30 days of processing
  • Data transmitted to OpenAI for AI analysis is not retained by OpenAI after processing is complete (zero data retention)
  • Backup copies may be retained for up to 90 days after deletion from active systems
  • We may retain certain data longer if required by applicable law or for legitimate business purposes such as fraud investigation

10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your User Data:

a. California Residents (CCPA/CPRA)

California residents have the following rights:

  • Right to Know: You may request information about the categories and specific pieces of personal information we collect, use, and disclose.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions permitted by law.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information, including health data, to purposes necessary to provide the services you requested.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

b. Residents of Other States

Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, and others) may have similar rights to access, delete, correct, and opt out of certain uses of their personal data under applicable state law. Contact us at the information in Section 13 to submit a request; we will respond in accordance with the law applicable to your location.

c. How to Exercise Your Rights

To exercise any of these rights, contact us at support@nucora.ai or through your account settings. We will respond to verified requests within 45 days. We may extend this period by an additional 45 days where necessary, in which case we will notify you of the extension within the initial 45-day period. We may need to verify your identity before processing your request.

11. Mobile Device and Analytics

  • Device Identifiers: We collect a standard mobile device identifier (IDFV on iOS, ANDROID_ID on Android) to secure your account and manage device sessions.
  • Location: We do not access or track precise location information from your mobile device. We may determine general geographic location from your IP address.
  • Push Notifications: We send push notifications for service-related matters if you opt in. You may disable these in your device settings.
  • Mobile Analytics: We use analytics software to understand app functionality and usage patterns. Analytics data is aggregated and not linked to your personally identifying information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the app and by email to your registered address. The date of the most recent revision appears at the top of this document. Continued use of Nucora after changes constitutes acceptance of the updated policy.

13. Contact

For questions about this Privacy Policy, to exercise your privacy rights, or to submit a data deletion request:

Interpretive Health, LLC

2108 N St, Ste N, Sacramento, CA 95816

Email: support@nucora.ai

Nucora.ai provides a contact form for submitting privacy rights requests.

Effective Date: 2026-05-10 │ © 2026 Interpretive Health, LLC

Initialize Beta Test