Global Privacy Policy & Data Sovereignty Architecture

1. Legislative Compliance and Policy Declaration

At Aorthea Health Inc. (a Delaware corporation), protecting user data integrity and enforcing cryptographic privacy is a non-negotiable architectural requirement. Because our services govern sensitive interactions involving human health context, this Privacy Policy details the exact forensic nature of the Personally Identifiable Information (PII) we handle, our strict adherence to health data isolation, and your absolute sovereign rights.

This document enforces strict compliance with paramount global digital sovereignty and health security mandates, explicitly including the Health Insurance Portability and Accountability Act (HIPAA) security rules, the European Union General Data Protection Regulation (GDPR), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the California Consumer Privacy Act (CCPA), and global App Store privacy enforcement guidelines mandated by Apple Inc. and Google LLC.

2. Explicit Categories of Data Processed

We categorically partition and process the following datasets solely to maintain platform functionality, ensure cybersecurity, and legally fulfill commercial contracts:

• Biographical & Contact Data: Immutable first names, last names, corporate affiliations, and heavily verified primary electronic mail addresses (e.g., used for communications via care@aorthea.io).
• Health Dialogue & Telemetry (Pseudonymized): Any medical context or lifestyle telemetry shared with the Aorthea Health AI is immediately stripped of Biographical Data. It is encrypted at-rest using AES-256 and treated strictly as "special category" data under GDPR and HIPAA.
• Cryptographic & Authentication Data: Salted password hashes, session-specific JSON Web Tokens (JWT), and OAuth2 provisioning tokens. We strictly do not store plaintext passwords.
• Session Forensics: Granular IP addresses, precise geolocation (country/state level for sovereignty routing), User-Agent attributes, and interaction algorithms utilized strictly to detect DDoS and unauthorized access attempts.
• Financial Processing Data: Handled securely via tokenization. Raw Primary Account Numbers (PAN), CVVs, and expiring card timelines are securely firewalled off our active servers and handled explicitly by our PCI-DSS compliant Merchant of Records (Stripe, Lemon Squeezy, Apple, or Google).

3. International Data Transfers and Data Sovereignty

Aorthea Health Inc. deploys globally redundant, sovereign infrastructure to comply with regional health data requirements. Health data generated by users located within the European Economic Area (EEA), the UK, and Switzerland is physically hosted and processed on localized servers domiciled within Europe. US citizen data is routed to tiered HIPAA-compliant infrastructure stateside.

In edge-case scenarios where operational telemetry must cross borders, Aorthea Health Inc. strictly relies on standard contractual clauses (SCCs) endorsed by the European Commission and cryptographic abstraction (ensuring PII is never transmitted alongside health context), maintaining an equivalent level of cryptographic protection as mandated within the EU.

4. Third-Party Vendor Ecosystem and Legal Liability

We transmit minimized, mission-critical datasets to authorized sub-processors to enable hosting, communication, and economic functions:

• Financial Processors (Stripe, Lemon Squeezy, Apple, Google): For executing legally binding transactions, global dispute resolution, and automated sales/VAT tax recalculations.
• App Store Operators (Apple & Google): For executing in-app subscriptions, telemetry parsing, and managing hardware-bound cryptographic identities.

Mandatory Sub-Processor Vetting (BAAs): Aorthea Health Inc. actively enforces rigorous contractual data protection addendums (DPAs) and Business Associate Agreements (BAAs) with all vendors. We legally mandate that any authorized third-party processor operates in strict adherence to international health and cyber regulations natively governed by their regional jurisdiction.

5. Total Data Sovereignty: User Rights & Right to Erasure

Under strict enforcement of the GDPR and CCPA/CPRA, you possess the unabridged right to assert absolute control over your digital identity. You retain the absolute right to:

• The Right of Access & Portability: To demand a structured, machine-readable export of all PII housed on Morzt architectures.
• The Right to Rectification & Restriction: To immediately correct falsely reported metrics or throttle specific machine-learning algorithmic processing of your data.
• The Right to Object & "Do Not Sell" Mandate: We explicitly declare that Aorthea Health Inc. DOES NOT AND WILL NOT SELL your personal data to data brokers or advertising conglomerates. You retain the right to formally object to any telemetric processing.
• The Right to be Forgotten (Account Deletion): You may instantaneously initiate full, forensic account deletion directly from within the Aorthea Health mobile application or via the web dashboard. Upon cryptographic execution, all associated Identifiable Data is permanently wiped from our active databases within a rigid 7-day latency window, excluding specific transactional histories mandated for preservation under federal anti-money laundering (AML) and IRS tax retention statutes.

To exercise these rights, submit a formal legal request to our compliance team exclusively via hi@aorthea.io.

6. Age Verification, Minor Data Compliance & COPPA

Aorthea Health is strictly engineered for utilization by individuals possessing the legal capacity to form binding contracts (typically 18 years of age, or 13 years with rigorously verified guardian consent depending on jurisdiction). Because Aorthea Health is an advanced educational learning platform designed to help universities and instructors leverage AI for mentorship, and explicitly NOT a social network or dating app, it is governed by standard educational and enterprise COPPA protocols.

In direct adherence with 2026 overarching App Store regulatory mandates, including COPPA in the United States, Aorthea Health actively integrates with the Apple and Google Age Signal infrastructures. We deploy filtering heuristics to prevent the unauthorized collection of juvenile PII. If we confirm we have inadvertently collected data from a recognized minor void of parental authorization, we will permanently purge the data without delay. Parents may contest or inspect accounts strictly via care@aorthea.io.