Privacy Policy

Effective date: March 16, 2026  ·  Last updated: March 16, 2026

Plain English Summary

Cordio is a cardiovascular health app. We collect your health data (like cholesterol and blood pressure) to calculate your heart risk score. We never sell your data. We never share it with advertisers. Everything is encrypted. You can delete your data at any time.

1. Who We Are

Cordio ("we", "us", "our") is a cardiovascular health application that provides personalised heart age and cardiovascular risk assessments using the Framingham Heart Study 2008 model. We are operated by Cordio Health and can be reached at privacy@cordio.app.

This Privacy Policy applies to our mobile application (Cordio for iOS and Android) and our website at cordio.app.

2. Important Disclaimer

Cordio is not a medical device and does not provide medical advice, diagnoses, or treatment. The risk scores and heart age calculations provided by Cordio are for educational and informational purposes only. Always consult a qualified healthcare professional for medical advice.

3. Data We Collect

We collect the following categories of data when you use Cordio:

Account Data

  • Email address
  • Full name (optional)
  • Phone number (optional)
  • Date of birth
  • Password (stored as a cryptographic hash — we cannot read it)

Health and Biometric Data

  • Sex assigned at birth
  • Height and weight
  • Ethnicity (used for QRISK3-based risk adjustments)
  • Country of residence
  • Blood test results you upload or enter manually, including: LDL cholesterol, HDL cholesterol, total cholesterol, triglycerides, HbA1c (blood sugar), Apolipoprotein B (ApoB), high-sensitivity C-reactive protein (hsCRP), Lipoprotein(a) (Lp(a))
  • Blood pressure readings (systolic)
  • Coronary artery calcium (CAC) score if provided
  • Medical history: diabetes diagnosis, blood pressure medication, prior cardiovascular events, family history of early heart disease
  • Lifestyle information: smoking status, alcohol consumption, physical activity level, sleep hours, stress level
  • Cardiac test results if entered: ECG, echocardiogram, stress test, Holter monitor results

Uploaded Files

  • PDF lab reports you upload for automated biomarker extraction
  • These files are processed to extract health values and are stored encrypted on our servers

Usage Data

  • App interaction data (which screens you view, features you use)
  • Device type, operating system version, app version
  • Push notification token (to send health alerts)
  • IP address (used for security purposes, not profiling)
  • Crash reports and error logs

4. How We Use Your Data

We use your data exclusively to provide and improve the Cordio service:

  • Risk calculation: Your health data is used to calculate your 10-year cardiovascular risk score and heart age using the Framingham Heart Study 2008 model
  • Personalised recommendations: Your profile data generates a personalised action plan and risk driver analysis
  • Doctor's reports: Your data is formatted into a PDF report you can share with your doctor
  • Progress tracking: Historical data is used to show your heart age trend over time
  • Pattern detection: We analyse your biomarker history to detect clinically significant patterns and alert you to changes
  • Push notifications: We send health-related alerts and reminders based on your preferences
  • Customer support: If you contact us, we use your account data to assist you
  • App improvement: Anonymised, aggregated usage data helps us improve the app

We never use your health data for advertising, profiling for third parties, or any purpose other than providing Cordio's health assessment services.

5. AI Features and Data Processing

Cordio uses artificial intelligence to generate personalised action plans and risk explanations. The AI system processes your health data on our secure servers. Specifically:

  • Your biomarker values and risk profile may be sent to Anthropic's Claude API to generate personalised health recommendations
  • Only the minimum necessary health data is sent; no direct identifiers (name, email, phone number, or other contact details) are included in AI processing requests
  • Anthropic's data processing is governed by their privacy policy and our data processing agreement
  • PDF lab report processing uses our own secure servers — your documents are not sent to third-party AI services

6. Data Sharing and Third Parties

We share your data only in the following limited circumstances:

  • Amazon Web Services (AWS): Our infrastructure provider. All data is stored on AWS servers with encryption at rest and in transit. We have a HIPAA Business Associate Agreement (BAA) with AWS
  • Anthropic: Our AI provider for generating health recommendations (receives health data with direct identifiers removed; see Section 5)
  • Legal requirements: We may disclose data if required by law, court order, or to protect the safety of users or others
  • Business transfer: If Cordio is acquired or merges with another company, your data may be transferred. We will notify you before this happens

We do not sell, rent, or trade your personal data to any third party, ever.

7. Data Security

We take the security of your health data seriously:

  • All data is encrypted in transit using TLS 1.2 or higher
  • All data is encrypted at rest using AES-256
  • Uploaded lab reports are stored in encrypted S3 buckets with no public access
  • Passwords are hashed using bcrypt and are never stored in plain text
  • Access to production databases is restricted to essential personnel only
  • We conduct regular security reviews of our infrastructure

No system is 100% secure. If we become aware of a data breach that affects your personal health data, we will notify you within 72 hours of becoming aware of it, and in any case within the time limits applicable law requires.

8. Your Rights

You have the following rights regarding your data:

  • Access: You can request a copy of all data we hold about you by emailing privacy@cordio.app
  • Correction: You can update your health profile and personal information directly in the app at any time
  • Deletion: You can delete your account and all associated data from the app (Profile → Account → Delete my data). We permanently delete all your data within 30 days of this request; backup copies are purged within 90 days (see Section 9)
  • Data portability: You can request an export of your data in a machine-readable format
  • Objection: You can opt out of non-essential data processing (such as app analytics) in the app settings
  • Notification preferences: You can control all push notifications from the app's notification settings

For US users (HIPAA and state privacy laws): Cordio treats all health information in accordance with HIPAA guidelines. You have the right to request restrictions on how your protected health information is used and disclosed.

For Indian users (DPDPA 2023): Cordio complies with the Digital Personal Data Protection Act 2023. You have the right to access, correct, and erase your personal data. You may nominate a person to exercise your rights on your behalf in the event of death or incapacity.

9. Data Retention

We retain your data for as long as your account is active. Specifically:

  • Account data: retained until you delete your account
  • Health and biomarker data: retained until you delete your account or delete specific lab reports
  • Uploaded PDF reports: retained until you delete them or your account
  • Aggregated, anonymised analytics: retained indefinitely (cannot be linked back to you)
  • After account deletion: all personal data is permanently purged within 30 days. Backup copies are purged within 90 days

10. Children's Privacy

Cordio is not intended for users under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that a child under 18 has provided us with personal data, we will delete it immediately. If you believe a child has registered, please contact us at privacy@cordio.app.

11. International Data Transfers

Cordio is operated from servers located in the United States (AWS us-east-1). If you are accessing Cordio from India or another country, your data may be transferred to and processed in the United States. By using Cordio, you consent to this transfer. We ensure appropriate safeguards are in place for such transfers in accordance with applicable data protection laws.

12. Cookies and Tracking

The Cordio mobile app does not use cookies. Our website (cordio.app) uses only essential cookies required for the site to function. We do not use advertising cookies, tracking pixels, or third-party analytics on our website.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via push notification and email at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent version.

Your continued use of Cordio after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: privacy@cordio.app

We will respond to all data requests within 30 days.