Aeva Health Privacy Policy

Last Updated: April 24, 2025

Introduction

This Privacy Policy explains how Aeva Health Ltd ("we," "us," or "our") handles your personal data when you use our website, web application, Health Tracking Hub, AI health services, and virtual consultations (collectively, the "Services").

Important Notice

  • You must be 18 years or older to use our Services
  • By accessing or using our Services, you are agreeing to this Privacy Policy
  • If you do not agree with this Privacy Policy, please do not use our Services
  • This policy should be read alongside our Terms and Conditions and Cookie Policy

Contact our Data Protection Officer at:

1. Who We Are

Aeva Health Ltd is registered in England and Wales (Company No. 15462448) with a registered office at 71-75 Shelton Street, London WC2H 9JQ, UK. We are registered with the Information Commissioner's Office under registration number 00018109281.

2. Types of Personal Data We Collect

2.1 Health and Medical Information

  • Medical history and symptoms
  • Treatment plans and outcomes
  • Wellness and lifestyle information
  • AI health assistant (AiEva) interactions
  • Virtual consultation records
  • Practitioner notes and recommendations
  • Gender
  • Pronoun preferences (Optional)
  • Emergency contact details (Optional)
  • Profile Picture (Optional)
  • Detailed care needs information
  • Comprehensive test results (psychological evaluations, scans, blood tests, x-rays)
  • Detailed records of meetings and decisions
  • Call recordings (only if practitioner and user consent at each session)

2.2 Account Information

  • Name and contact details
  • Date of birth
  • Login credentials
  • Profile preferences

2.3 Technical Information

  • Device identifiers
  • IP address
  • Browser type
  • Operating system
  • Usage patterns

2.4 Disclosed Agent Role and Data Handling

For our practitioner services, Aeva Health acts as a disclosed agent for independent practitioners.

This means:

  • We collect payments on behalf of practitioners and retain a service fee
  • We issue invoices on behalf of practitioners that clearly identify them as the service provider

When facilitating practitioner services, we share the following information with practitioners:

  • User name
  • Health profile overview (overview of current health challenges, any diagnoses, objectives, previous treatments) - this is the same profile overview that our users have access to themselves

This limited information is shared so that practitioners can focus on providing solutions during sessions rather than collecting background information. All interaction between users and practitioners takes place within our secure platform, including scheduling, messaging, and video consultations.

Practitioners are integrated into our platform to provide a centralised, seamless experience for users. While we facilitate the connection between users and practitioners, the practitioners are responsible and liable for the professional services they provide.

3. Third-Party Service Providers

We use the following service providers to deliver our Services:

3.1 Infrastructure

  • Digital Ocean: Cloud hosting services
  • MongoDB: Database management
  • Firebase: Application services

Data Transfer Mechanism

All international data transfers comply with UK GDPR using the Addendum to EU Standard Contractual Clauses (SCCs). Data is primarily transferred to:

  • United States (Digital Ocean, MongoDB, Firebase)
  • International locations (Cal.com)

3.2 Communications

  • Active Campaign: Email marketing
  • Postmark: Transactional emails

3.3 Scheduling

  • Cal.com: Appointment scheduling

3.4 Analytics and AI

  • Google Analytics: Website analytics
  • AiEva: Our proprietary AI health assistant built on customised GPT technology

Important Note: Our AI assistant (AiEva) is designed with privacy-by-design principles. No personal or sensitive health data is shared with external AI providers. All health-related processing occurs within our secure UK infrastructure.

Each service provider processes data in accordance with their own privacy policies and our data processing agreements.

4. How We Use Your Information

4.1 Core Services

  • Providing subscription services directly (AI health assistant, health tracking)
  • Facilitating practitioner services as a disclosed agent
  • Managing your account
  • Processing appointments

4.2 AI and Machine Learning

With your explicit consent, we use anonymised health data to:

  • Train and improve AiEva
  • Develop personalised health insights
  • Enhance prediction accuracy
  • Improve service quality

Legitimate Interests Include:

Service Delivery:

  • Match users with wellness practitioners
  • Personalise platform experience
  • Manage bookings and communications

Platform Improvement:

  • Enhance user experience through analytics
  • Improve practitioner matching
  • Develop health/wellness tools

Safety & Quality:

  • Verify practitioner credentials
  • Monitor service quality
  • Prevent platform misuse

Benefits Outweigh Risks Because:

  • Minimised data collection
  • User maintains data control
  • Strong security measures
  • Clear opt-out options
  • Transparent data usage
  • Continuous focus on user privacy

4.3 Google Workspace API Usage

Our application offers an optional integration with Google Calendar, which is governed by the following policies:

4.3.1 Limited Use

Our use of Google Workspace APIs strictly complies with Google's Limited Use Requirements. We explicitly do not use data from these APIs to develop, improve, or train generalised or non-personalised AI/ML models.

4.3.2 One-Way Integration

Our Google Calendar integration only pushes health recommendations and activities from our application to users' calendars. We do not read, collect, store, or process any existing calendar data from users' Google Calendars.

4.3.3 No Transfer to Third Parties

We do not transfer any Google Calendar data to third-party AI tools or services. The calendar integration is solely used to help users view their health recommendations in their preferred calendar system.

4.3.4 Separation from AI Services

While our application uses AI for personalised health recommendations (via AiEva), this functionality operates independently from our Google Calendar integration. No Google user data is ever used to train our AI systems.

4.3.5 Optional Feature

The Google Calendar integration is entirely optional and can be enabled or disabled by users at any time through their account settings.

4.4 Where We Get Personal Information From

  • Directly from you
  • Suppliers and service providers

5. Data Storage and Security

5.1 Storage Location

  • Primary data storage: UK-based MongoDB cluster
  • Encrypted backup storage: UK jurisdiction only

5.2 Security Measures

  • End-to-end encryption
  • Regular security audits
  • Access controls
  • Continuous monitoring
  • Incident response procedures

5.3 Duty of Confidentiality

We are subject to a common law duty of confidentiality. We may share information when:

  • You provide explicit consent
  • Legal requirement exists
  • Public interest overrides confidentiality
  • Specific regulatory requirements are met
  • With practitioners to facilitate services (as described in Section 2.4)

6. Your Rights

Under UK GDPR, you have comprehensive data protection rights:

Response Timeframe: We will respond to your request within one month.

Detailed Rights Include:

  • Access: Request copies of your personal information
  • Rectification: Correct or update inaccurate information
  • Erasure: Request deletion of your data
  • Restrict Processing: Limit how we use your information
  • Object to Processing: Challenge our use of your data
  • Data Portability: Request data transfer
  • Withdraw Consent: Remove permission for data processing at any time

7. Data Retention

We retain your data for:

  • Active accounts: Duration of service
  • Deleted accounts: 90 days post-deletion
  • Medical records: 8 years (as required by UK law)
  • Chat logs: 2 years

8. Changes to This Policy

We will notify you of material changes via:

  • Email notification
  • In-app alerts
  • Website notices

9. Contact Us

For privacy-related inquiries:

Additional Complaint Routes: Information Commissioner's Office (ICO)