How we collect, use, and protect your information
Morava Care LLC ("Morava," "we," "us," or "our") operates a mobile application and website (moravacare.com) designed to help SoonerCare, Medicaid, and uninsured patients in Oklahoma find and connect with healthcare providers. Morava is a healthcare technology platform — we are not a healthcare provider, medical practice, or insurance company.
This Privacy Policy applies to the Morava mobile app, the provider dashboard at dashboard.moravacare.com, and all related services (collectively, the "Service"). It governs how we collect, use, share, and protect your personal information, including Protected Health Information ("PHI") where applicable.
This Privacy Policy is incorporated by reference into our Terms of Service. In the event of a conflict between this Privacy Policy and our Terms of Service regarding the treatment of personal data or PHI, this Privacy Policy controls. For healthcare providers with whom we have executed a Business Associate Agreement ("BAA"), that BAA governs our handling of PHI on your behalf.
Questions? Contact us at support@moravacare.com or (432) 803-0136.
| Data Element | Why We Collect It | HIPAA Category |
|---|---|---|
| First and last name | Account personalization; shared with providers at booking | PHI when linked to appointment |
| Email address | Account creation, verification, notifications, password reset | Personal Information |
| Birth year | COPPA age verification only (13+) — no other purpose | Personal Information |
| Insurance type | Filter providers who accept your coverage | PHI when linked to appointment |
| Insurance plan name | Show relevant providers; saved to profile for convenience | PHI when linked to appointment |
| Appointment details | Date, time, provider, reason for visit — to manage bookings | PHI |
| Health profile (optional) | Shared with booked providers to support appointment preparation | PHI |
| Location (optional) | GPS or city/ZIP to find nearby providers; not stored permanently | Personal Information |
| Profile photo (optional) | Account personalization only; not shared with providers | Personal Information |
We do not collect: Social Security Numbers, Medicaid ID numbers, or government-issued ID numbers · Medical records, diagnoses, prescriptions, or treatment histories · Payment or financial account information · Phone contacts, camera, or microphone data (unless you explicitly grant permission for a specific feature) · Precise GPS coordinates stored to a database (location is used in-session only, not persisted) · Biometric data of any kind.
The Morava mobile app does not use third-party advertising cookies or tracking pixels. The web dashboard at dashboard.moravacare.com may use session cookies and local storage strictly necessary for authentication and functionality. We do not use cookies for behavioral advertising or cross-site tracking. We do not participate in any advertising networks or data exchanges.
We use the information we collect only for the following purposes:
We do not use your information for advertising — ever. We do not sell, rent, trade, license, or share your personal information or PHI with any third party for marketing or advertising purposes. Morava does not display advertisements and has no plans to do so. This is a founding principle of Morava and will not change.
Consistent with HIPAA's minimum necessary standard (45 CFR § 164.502(b)), Morava limits its use and disclosure of PHI to the minimum amount necessary to accomplish the intended purpose. We do not access, process, or transmit more PHI than is required for the specific function being performed.
Where we use data for analytics, product improvement, or research, we apply de-identification methods consistent with 45 CFR § 164.514(b) to ensure that individuals cannot reasonably be identified. De-identified data is not subject to HIPAA restrictions and may be used to improve the Service.
We share your information only in the following limited circumstances:
When you request an appointment, the provider receives your name, contact information, and the health profile details you authorized for sharing. This disclosure is made solely to facilitate your appointment. Providers are independent covered entities subject to their own HIPAA privacy obligations.
| Service Provider | Purpose | Data Shared | BAA Status |
|---|---|---|---|
| Google Firebase (Firestore, Auth, Hosting) | Database, authentication, cloud hosting | All user data including PHI | BAA executed |
| Google Maps API | Provider location display, geocoding | Location coordinates only (no PHI) | Not required |
| Sentry | Crash monitoring and error reporting | PII-scrubbed, anonymized error reports | BAA signed May 2026 |
| Twilio | SMS appointment notifications | No PHI transmitted until BAA executed | BAA PENDING — SMS paused |
| Expo / EAS | App builds and over-the-air updates | No personal data | Not required |
All service providers who process PHI on our behalf are required to execute a Business Associate Agreement with Morava before handling any PHI. We contractually require all service providers to: (a) use PHI only as necessary to provide the contracted services; (b) implement appropriate safeguards to protect PHI; and (c) report any breach or security incident to Morava without unreasonable delay.
We may disclose information: (a) when required to do so by a valid legal process, such as a court order, subpoena, or government demand; (b) to comply with applicable federal or state law; or (c) to protect the rights, property, or safety of Morava, our users, or the public. To the extent permitted by law, we will notify you of any such compelled disclosure unless prohibited by court order or applicable law.
If Morava is involved in a merger, acquisition, bankruptcy, or sale of all or substantially all of its assets, your information may be transferred as part of that transaction. We will provide notice of any such transfer and the opportunity for you to delete your account. Any successor entity will be required to honor this Privacy Policy or obtain your consent before materially changing how your PHI is used. PHI transferred in a business transaction remains subject to HIPAA obligations.
In any other circumstance not described above, we will share your information only with your explicit, informed consent.
We never sell your data. No exceptions. No future carve-outs. This is a founding principle of Morava. We will not sell, rent, trade, or otherwise monetize your personal information or PHI. This commitment applies regardless of any future changes to our business model.
Your data is stored on Google Firebase (Firestore and Firebase Authentication), a secure cloud platform operated by Google LLC under a HIPAA Business Associate Agreement with Morava. All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
Morava maintains a comprehensive information security program aligned with HIPAA's Security Rule (45 CFR Part 164, Subpart C), including:
Morava conducts periodic risk assessments of its systems, infrastructure, and processes that involve PHI, consistent with HIPAA Security Rule requirements (45 CFR § 164.308(a)(1)). Identified risks are tracked and mitigated according to documented remediation plans.
We use Sentry for crash monitoring under a signed BAA (executed May 2026). Before any error data is transmitted to Sentry, the app automatically strips all PII fields including names, emails, phone numbers, insurance information, and appointment details. Stack traces are truncated in production to prevent data leakage through file paths.
Despite these measures, no electronic transmission or storage system is 100% secure. You use the Service at your own risk. You are responsible for maintaining the security of your account credentials and notifying us immediately of any suspected unauthorized access at support@moravacare.com.
Morava is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn we have inadvertently collected such information, we will delete it within 72 hours.
Morava requires all users to provide their birth year during account creation. If a user indicates they are under 13, account creation is blocked and they are directed to contact us with a parent or guardian.
Birth year is collected solely for COPPA age verification. It is stored in your user record but is never used for profiling, analytics segmentation, advertising, or any purpose other than verifying that you are 13 or older.
For users aged 13 to 17: A parent or legal guardian may contact us at support@moravacare.com to: (a) review the minor's account information; (b) request correction of inaccurate data; or (c) request deletion of the minor's account and all associated data. We will respond to such requests within 72 hours.
If you believe a child under 13 has created an account or submitted personal information, please contact us immediately at support@moravacare.com. We will delete the account and all associated data within 72 hours of verification.
To the extent Morava holds PHI on behalf of a covered entity healthcare provider, you may have the following rights, which must be exercised through the applicable provider:
You can deny location permission at any time in your device settings. Location access is optional and is never required to use the core features of the Service. When location is used, it is processed in-session only and is not stored to a database.
Morava's analytics are collected internally and are never shared with advertising networks, data brokers, or any third party. There is no behavioral advertising opt-out required because we do not engage in behavioral advertising.
To exercise any of the rights described above, contact us at support@moravacare.com, (432) 803-0136, or Morava Care LLC, 14556 N Pennsylvania Ave, Building B Apt 305, Oklahoma City, OK 73134. We will respond to all privacy rights requests within 30 days. For requests involving children's data, we respond within 72 hours. We may need to verify your identity before processing certain requests to protect against unauthorized access.
In addition to your HIPAA rights, Oklahoma residents may have rights under the Oklahoma Health Records Act (63 O.S. § 1-501 et seq.) and the Oklahoma Consumer Privacy Act ("OCPA"), where applicable. These may include:
To exercise any Oklahoma-specific rights, contact us at support@moravacare.com. We will direct your request appropriately and cooperate with applicable regulatory authorities.
| Data Type | Retention Period | Basis |
|---|---|---|
| Account information | Until account deletion + 30 days | Service operation |
| Appointment records | 12 months from appointment date | Operational need |
| Health profile (PHI) | Until account deletion or withdrawal of consent | HIPAA; user consent |
| Audit logs | 6 years from creation | HIPAA (45 CFR § 164.530(j)) |
| Analytics events | 24 months (aggregated, anonymized) | Product improvement |
| Crash reports (Sentry) | 90 days | Sentry default; PII-free |
| Server/security logs | 90 days | Security monitoring |
| Location data | Not stored — in-session use only | Privacy by design |
| Birth year | Until account deletion | COPPA compliance |
| BAA-required records | 6 years from creation or last effective date | HIPAA (45 CFR § 164.530(j)) |
When you delete your account, all personal data is removed from active systems within 30 days. Audit logs are retained for the required 6-year period in a form that may be anonymized where feasible. Backups containing your data are purged on a rolling 90-day cycle following deletion.
Morava maintains comprehensive safeguards to protect your information. In the event of a data security incident involving your Protected Health Information (PHI), Morava will comply with HIPAA's Breach Notification Rule (45 CFR §§ 164.400–164.414):
We will provide notification by email (to the address associated with your account) or, if email is unavailable, by prominent notice on moravacare.com and in the app.
Report a Suspected Security Incident. If you believe your account or health information may have been compromised, contact us immediately at support@moravacare.com or (432) 803-0136. You may also report a HIPAA violation to HHS OCR at www.hhs.gov/ocr or 1-800-368-1019.
Morava's founding member voucher program tracks the total number of signups using an atomic counter. If you are among the first 100 users to create an account, your user record is flagged with voucherEligible: true. This flag:
Voucher eligibility data is treated as personal information under this Privacy Policy and is deleted when you delete your account.
The Service may contain links to third-party websites, applications, or services, including provider websites, telehealth platforms, and health information resources. Morava does not control, endorse, or assume responsibility for third-party privacy practices or content.
We recommend reviewing the privacy policy of any third-party site or service before submitting personal or health information. Your interactions with third-party services are governed by their own terms and privacy policies, not this Privacy Policy.
Your data is stored and processed in the United States on Google Firebase infrastructure. Morava does not transfer personal data or PHI to servers outside the United States. If you access the Service from outside the United States, you acknowledge that your information will be transferred to and processed in the U.S., where privacy laws may differ from those in your jurisdiction.
Some web browsers transmit "Do Not Track" signals to websites. Because Morava does not engage in behavioral tracking or cross-site advertising, Do Not Track signals do not materially change how we operate. We do not track your activity across third-party websites.
We may update this Privacy Policy as Morava grows and adds new features. The version number and effective date at the top of this page reflect the most recent revision.
For material changes — changes that significantly affect your rights or how we use your data — we will: (a) notify you by email to the address associated with your account at least 14 days before the change takes effect, and (b) display a prominent in-app notice. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
If we make changes that affect how we handle PHI, we will provide notice as required by HIPAA and applicable law, which may include obtaining your updated authorization or acknowledgment. We will not materially change our use or disclosure of your PHI without your prior consent where required by HIPAA.
For privacy questions, requests, complaints, or concerns about this Privacy Policy or how we handle your data, contact us:
We respond to all privacy requests within 30 days. For matters involving children's data or suspected breaches, we respond within 72 hours.
For HIPAA concerns or to file a HIPAA complaint, you may also contact the U.S. Department of Health and Human Services, Office for Civil Rights (OCR): www.hhs.gov/ocr · 1-800-368-1019 (toll-free) or 1-800-537-7697 (TDD) · Centralized Case Management Operations, 200 Independence Avenue, S.W., Room 509F, HHH Bldg., Washington, D.C. 20201.