Privacy Policy
Effective Date: [to be set on launch]
1. Introduction
Oivana Oy, a private limited company organised under the laws of Finland (Business ID / Y-tunnus: [Y-tunnus to be added], registered office at [Registered address — Finland]) (“Oivana”, “we”, “us”, “our”) operates the Oivana mobile application (“the App”).
This Privacy Policy explains how we collect, use, disclose, and safeguard your information, and is intended to comply with the EU General Data Protection Regulation 2016/679 (“GDPR”), the Finnish Data Protection Act (Tietosuojalaki 1050/2018), and other applicable data-protection laws. Where you are resident in another jurisdiction (for example California), additional rights described in Section 10 may also apply.
Oivana is built on a device-first architecture. Your wellness data is created, stored, and processed on your device whenever possible. Data is only transmitted to our servers when necessary to power the AI features you choose to use, and is protected by encryption at every stage.
2. Data Controller and Contact
For the purposes of the GDPR, Oivana Oy is the data controller of personal data processed through the App.
Oivana Oy
[Registered address — Finland]
Business ID (Y-tunnus): [Y-tunnus to be added]
Email: hello@oivana.com
For any questions about this Privacy Policy or to exercise your rights, please contact us using the email above.
Data Protection Officer: Because we process special-category health data, we maintain a dedicated point of contact for privacy matters at the email above. We will appoint a formal Data Protection Officer (DPO) if and when we cross the thresholds in GDPR Article 37 — [DPO contact to be added on appointment].
3. Information We Collect
3a. Account Information (required for sign-in)
When you sign in via Google, Microsoft, or LinkedIn (through AWS Cognito), we receive:
- Email address
- Full name
- Cognito subject identifier
This information is stored in AWS Cognito and is used solely for authentication and to securely link your use of AI features to your account. We do not store your password.
3b. Device Identifiers
We generate a random, anonymous installation identifier on your device. This is used to associate AI processing requests and push notification delivery with your device. It is not linked to advertising identifiers.
3c. On-Device Wellness Data
The following data is created and stored locally on your device:
- Health profile (height, weight, age, sex, body fat %, TDEE)
- Meal logs with full nutritional detail (macros, micronutrients)
- Weight and body measurement logs
- Workout logs and exercise history
- Sleep data and analysis
- Supplement and medication logs
- Chat messages with AI coach
- Custom tracker entries
- Progress photos (face and body)
- Onboarding questionnaire answers (goals, activity level, diet type, lifestyle factors, lab values, symptoms)
This data remains on your device unless you interact with features that require server-side processing (see Section 3e) or choose to enable Cloud Sync (see Section 3d).
3d. Cloud Sync Data (optional, premium feature)
If you choose to enable Cloud Sync, your full journey data is:
- Encrypted with AES-256 server-side encryption
- Stored as a single encrypted document in AWS S3
- Accessible only with your authenticated account
- Deletable at any time via the App’s Account Center or Reset Journey feature
Cloud Sync is disabled by default and requires both a premium subscription and your explicit enablement.
3e. Data Transmitted for AI-Powered Features
When you use AI-powered features (coaching, food scanning, body analysis, plan generation, wellness insights), relevant portions of your on-device data are securely transmitted to our servers for processing. Depending on the feature, this may include:
- Photos you submit for analysis (food, face, body composition)
- Health profile and plan context needed to personalise AI responses (e.g., your nutrition targets, dietary preferences, recent meals, activity data)
- Recent chat messages to maintain conversation context with your AI coach
- Onboarding answers used to generate your initial wellness plan
This data is:
- Encrypted in transit using TLS
- Encrypted at rest using AES-256
- Processed through our secure server infrastructure — your data is proxied through our own servers to the AI provider; it is never sent directly from your device to third-party AI services
- Automatically purged — uploaded files are deleted within 15 minutes; AI job records expire within 1 hour
We do not retain this data beyond what is needed to deliver your results.
3f. Health Metrics for Notifications and Insights
To provide personalised notifications and health insights, the App transmits aggregated health metrics to our servers, including:
- Resting heart rate, HRV, SpO2, and sleep data (from Apple HealthKit, Google Health Connect, or Oura Ring with your permission)
- Recent nutrition summaries for coaching notifications
This data is encrypted in transit and at rest, associated with your anonymous account identifier, and used solely to generate and deliver your personalised notifications and insights.
3g. Push Notification Data
If you enable notifications, we store:
- Expo push token
- Device platform (iOS/Android)
- Installation ID and account identifier
- Timezone (for scheduling reminders)
3h. Health Platform Data
With your explicit permission, the App reads data from:
- Apple HealthKit (iOS): steps, active energy, resting heart rate, HRV, VO2 max, SpO2, sleep analysis, workouts
- Google Health Connect (Android): equivalent health metrics
This data is read into the App on your device. Aggregated health metrics may be transmitted to our servers as described in Section 3f to power personalised notifications and insights.
3i. Oura Ring Data (optional)
If you connect your Oura Ring via OAuth, we access heart rate, sleep data, readiness scores, SpO2, and activity data. Your OAuth credentials are stored securely on your device using the platform’s secure storage (iOS Keychain / Android Keystore) and are never sent to our servers.
4. Information We Do NOT Collect
- Location data
- Contact lists
- Advertising identifiers
- Browsing history
- Data from other apps
- Financial information (payments handled by Apple App Store / Google Play Store)
- Microphone or camera data (beyond photos you explicitly capture for AI analysis)
5. How We Use Your Information
- Deliver the Service: Process AI analyses, provide personalised coaching, generate wellness plans, deliver notifications and insights
- Authentication: Verify your identity and securely link AI usage to your account
- Push Notifications: Send reminders, coaching check-ins, and alerts you’ve configured
- Service Reliability: Monitor application health and diagnose errors using privacy-respecting analytics and error monitoring tools
- Legal Compliance: Respond to legal requests and enforce our Terms
We do not use your data for advertising, marketing to third parties, profiling for advertising purposes, or training AI models.
6. Legal Basis for Processing (GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Authentication, account management, delivering core App features you have requested | Performance of a contract — GDPR Art. 6(1)(b) |
| AI features, photo analysis, Cloud Sync, integration with health platforms | Your explicit consent — GDPR Art. 6(1)(a) and Art. 9(2)(a) (special-category health data) |
| Service security, abuse prevention, error monitoring, fraud prevention | Our legitimate interests — GDPR Art. 6(1)(f) |
| Compliance with statutory obligations (e.g. tax, accounting, lawful requests) | Legal obligation — GDPR Art. 6(1)(c) |
Health data is special-category data under GDPR Article 9. We process it only on the basis of your explicit consent, which you provide when you sign in and use the relevant features. You may withdraw your consent at any time (see Section 10), without affecting the lawfulness of prior processing.
7. Third-Party Data Processors (Recipients)
We use a limited number of trusted third-party processors, each bound by a data processing agreement (Art. 28 GDPR):
| Service | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Secure cloud infrastructure (Cognito, S3, DynamoDB, Lambda) | Authentication data, encrypted backups, encrypted temporary processing data, health metrics |
| Google Gemini AI (Google Cloud) | AI analysis and coaching | Temporarily: photos, health context, and conversation context — transmitted exclusively via our secure server proxy |
| RevenueCat | Subscription management | Anonymous app user ID, subscription status only |
| Expo (Expo Application Services) | Push notification delivery | Push tokens, notification content |
| PostHog | Privacy-respecting product analytics | Pseudonymised usage events, session data with masked inputs and images |
| Sentry | Error monitoring (server-side) | Application error logs (no personal health data) |
| Social Identity Providers (Google, Microsoft, LinkedIn) | Authentication | Email, name (via OAuth 2.0 / OpenID Connect) |
| Apple App Store / Google Play Store | App distribution and payments | Purchase information (we do not receive your payment data) |
We do NOT sell, rent, or share your personal data with advertisers, data brokers, or any third parties for their own purposes.
8. Advertising
We do NOT display advertisements in the App. We do NOT sell, rent, or share your personal data with advertisers or ad networks. We do NOT use your data for targeted advertising. We do NOT use advertising identifiers.
9. Data Retention
| Data Type | Retention |
|---|---|
| On-device wellness data | Until you delete the App or use Reset Journey |
| AI uploads (photos) | Automatically deleted within 15 minutes |
| AI job records | Expire and are deleted within 1 hour |
| Onboarding sessions | Expire after 14 days |
| Health metric snapshots | Retained while your account is active; deleted on account deletion |
| Cloud Sync backups | Until you disable Cloud Sync, delete via Reset Journey, or delete your account |
| Push notification tokens | Retained while your account is active |
| Cognito account | Until you request account deletion |
| Records required by law (e.g., accounting, tax) | For the statutory retention period required by applicable Finnish/EU law |
You can delete all server-side data at any time using the “Delete Account” feature in the App.
10. Your Rights Under GDPR
If you are located in the EU/EEA, you have the following rights under the GDPR in relation to your personal data:
- Right of access (Art. 15) — obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — have inaccurate or incomplete data corrected.
- Right to erasure / “right to be forgotten” (Art. 17) — delete your personal data, subject to limited statutory exceptions.
- Right to restriction of processing (Art. 18) — restrict how we process your data in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format and transmit it to another controller. The App’s in-app export feature is designed to support this right.
- Right to object (Art. 21) — object to processing based on our legitimate interests.
- Right to withdraw consent (Art. 7) — withdraw consent at any time, without affecting the lawfulness of prior processing.
- Rights related to automated decision-making (Art. 22) — we do not make decisions about you that have legal or similarly significant effects based solely on automated processing.
To exercise any of these rights, contact us at hello@oivana.com or use the in-app data management features. We will respond within one month (extendable by two further months for complex requests, in accordance with Art. 12(3) GDPR).
Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority, in particular in your country of residence, place of work, or place of the alleged infringement.
In Finland, the supervisory authority is the Data Protection Ombudsman (Tietosuojavaltuutettu):
- Website: tietosuoja.fi
- Address: Lintulahdenkuja 4, FI-00530 Helsinki, Finland
- Postal address: PO Box 800, FI-00531 Helsinki, Finland
Additional rights for California residents (CCPA / CPRA)
If you are a California resident, you also have the right to:
- Know what personal information we collect and how we use it
- Delete personal information (subject to legal exceptions)
- Correct inaccurate personal information
- Opt-out of “sale” or “sharing” — we do NOT sell or share personal information for cross-context behavioural advertising
- Limit the use of sensitive personal information — we already limit this to providing the Service
- Non-discrimination for exercising your rights
To exercise CCPA/CPRA rights, contact us at hello@oivana.com.
11. Data Security
We implement multiple layers of security to protect your data:
- Encryption in transit: All data transmitted between your device and our servers is protected with TLS encryption.
- Encryption at rest: All server-side data is encrypted with AES-256.
- Secure authentication: OAuth 2.0 with PKCE flow; tokens stored in device secure storage (iOS Keychain / Android Keystore).
- No stored passwords: Social sign-in only — we never handle or store your password.
- Secure AI proxy: AI requests are routed through our own servers — API keys and credentials are never exposed to the client.
- Automatic data purging: Temporary uploads and processing artifacts are automatically deleted on schedule.
- API protection: Rate limiting, request throttling, and concurrency controls on all server endpoints.
- Minimal data collection: We only transmit the minimum data necessary to deliver the feature you’re using.
Personal data breaches
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Finnish Data Protection Ombudsman within 72 hours of becoming aware of it, in accordance with GDPR Article 33, and notify affected users without undue delay where required by GDPR Article 34.
12. International Data Transfers
Our infrastructure is hosted on Amazon Web Services. Depending on the service, processing may take place in AWS regions located in the European Union (where supported) or in other regions, including the United States, where some of our processors (such as Google Cloud for AI, and certain AWS managed services) operate.
For any transfer of personal data outside the EEA, we rely on appropriate safeguards under Chapter V of the GDPR, including:
- The EU Standard Contractual Clauses (SCCs) approved by the European Commission (Decision (EU) 2021/914)
- Certification under the EU–U.S. Data Privacy Framework where the recipient is so certified (e.g., AWS, Google LLC)
- Additional technical safeguards including end-to-end TLS, AES-256 encryption at rest, and short retention periods for AI processing artifacts
You may request a copy of the safeguards in place by contacting hello@oivana.com.
13. Children’s Privacy
The App is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe we have inadvertently collected such data, please contact us at hello@oivana.com and we will take steps to delete it.
14. Cookies and Tracking
- The App does not use cookies.
- This website does not use analytics cookies or tracking technologies.
- We do not engage in cross-app or cross-site tracking.
- We do not use advertising identifiers.
- Our iOS privacy manifest declares NSPrivacyTracking as false.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the App and by updating the “Effective Date” above. If a policy change requires your re-consent, you will be prompted within the App. Your continued use of the App after changes constitutes acceptance of the updated policy.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights:
Oivana Oy
[Registered address — Finland]
Business ID (Y-tunnus): [Y-tunnus to be added]
Email: hello@oivana.com
For data-protection questions in particular, please put “Privacy” in the subject line.
For EU/EEA data-protection inquiries, you may also contact your local Data Protection Authority. The Finnish supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu), tietosuoja.fi.