Privacy Policy

We believe in transparency. Here's exactly how we handle your data.

Last updated: May 6, 2026

Aevio Health is a conversational AI agent for personal longevity. Your vault — meals, training, supplements, biometrics, documents — is the product. We treat it that way: encrypted at rest, never sold, never used to train models, exportable at any time.

Information we collect

The data we hold falls into three categories.

What you provide directly:

  • Account email and authentication metadata
  • Meals, foods, and nutritional logs you record
  • Training sessions, sets, and body composition you log
  • Supplement protocols, doses, and cycling rules
  • Documents you upload (e.g. blood panels, DEXA, microbiome)
  • Profile and goal targets (weight, BMR/TDEE, IF window)
  • Waitlist email if you subscribe to product updates

What we receive from connected wearables (only with your consent):

  • Biometric data from wearables you explicitly connect (recovery, HRV, RHR, sleep stages, day strain, workouts)
  • Health and activity data from any other device or service you authorize via OAuth

What we collect automatically:

  • Minimal server logs (IP, user agent, timestamps) for security and abuse prevention
  • Error reports scrubbed of personal payload
  • Strictly necessary cookies for authentication sessions

How we use your information

Every byte we hold serves the conversation. We do not profile you for advertising. We do not enrich your data with third-party datasets. We use your data to:

  • Power the conversational agent's replies with full context
  • Sync biometric data from connected wearables
  • Compute macro and energy budgets from logged meals
  • Persist your vault across devices and sessions
  • Detect anomalies and protect the account from abuse
  • Send transactional and product-update emails (waitlist only when you opt in)

Who we share it with

We share data only with infrastructure providers that are strictly necessary to operate the service, and only the minimum each one needs.

  • Our managed database, authentication, and storage provider — EU region
  • Our application hosting and edge-runtime provider
  • Our AI model provider, which generates the agent's replies (see note below)
  • Wearable and health-tracking services you explicitly connect via OAuth
  • Our error-monitoring service, optional and disabled by default
  • Our transactional and waitlist email provider, when applicable
  • Authorities, only if compelled by valid legal process

About our AI model provider:

When you converse with Aevio Health, the relevant slice of context (your recent meals, today's biometrics, the specific question) is sent to our AI model provider to generate a reply. Per our provider's commercial terms, your inputs and outputs are not used to train their models. We do not transmit your full vault — only the context needed for the current turn.

Health and biometric data

Biometric and health-related data (recovery, HRV, sleep, body composition, blood panels) are sensitive categories under GDPR Article 9. We process them only on the basis of your explicit consent. They are stored encrypted at rest, accessible only to you, and never sold or shared with insurers, employers, advertisers, or data brokers.

Aevio Health is not a medical device and its replies are not medical advice. See our Terms of Service for the full disclaimer.

Data retention

We retain your vault for as long as your account is active. If you delete your account, we permanently remove your personal data, vault entries, uploaded documents, and OAuth tokens within 30 days, except where retention is required by law. Anonymized server logs may be kept for up to 90 days for security purposes.

Your rights

Under GDPR and equivalent regulations, you have the following rights over your personal data. We honor each of them at no cost.

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Data portability (JSON or CSV export)
  • Withdrawal of consent
  • Objection to processing
  • Lodging a complaint with your supervisory authority

Security

OAuth tokens are encrypted at rest with AES-256-GCM. All connections use TLS 1.3. The database enforces row-level security so that no row is ever visible across user boundaries. Refresh tokens rotate on every use. Secrets live only in our hosting provider's encrypted env store. See our Security Policy for the full picture.

Changes to this policy

We may update this Privacy Policy as the product evolves or as regulation changes. We will post the updated version on this page and revise the "Last updated" date. Material changes will also be communicated by email if you have an account.

Contact us

For privacy questions, data subject requests, or anything related to this policy, write to privacy@aevio.health.