Aeva Health Privacy Policy
Last Updated: June 24, 2026
Aeva Health Ltd (we, us, our, Aeva Health) is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it. It applies to your use of the Aeva Health website (aevahealth.com), the Aeva web application, and the Aeva mobile applications for iOS and Android. Together, these form the Aeva Digital Platform or our Services.
1. Introduction
This Privacy Policy supersedes and replaces all previous versions of our Privacy Policy. Any previous version is no longer applicable.
You must be 18 years or older to use our Services. By accessing or using the Aeva Digital Platform you confirm that you have read and understood this Privacy Policy.
Our commitment: Health data shared with Aeva Health is treated as special category data under Article 9 UK GDPR. We process it only with your explicit consent, only for the purposes you have agreed to, and only for as long as you choose to use Aeva. We never sell user data.
This Privacy Policy should be read alongside our Terms and Conditions and our Cookie Policy.
2. Who we are
Aeva Health Ltd is a private limited company registered in England and Wales (company number 15462448) with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. We are registered as a data controller with the UK Information Commissioner's Office (ICO) under registration number 00018109281.
Aeva Health does not provide medical services or medical diagnoses. Our services are designed to complement, not replace, professional medical care.
This remains the case now that Aeva is registered as a medical device. Aeva is registered with the Medicines and Healthcare products Regulatory Agency (MHRA) as a Class 1 Software as a Medical Device under the Medical Devices Regulations 2002 (UK MDR 2002), MHRA reference number 38746. The classification reflects that our software provides health information and highlights patterns and observations in your data to support your understanding of your health. It is informational and non-diagnostic: it does not diagnose, treat, or monitor any condition, and it does not mean we provide medical services or medical diagnoses. Because Aeva is a registered medical device, we are subject to additional regulatory obligations including post-market surveillance, vigilance reporting, and technical file maintenance. This Privacy Policy reflects those obligations where they affect how we process your personal data.
Always seek the advice of a qualified healthcare professional for questions about your health. The Aeva Digital Platform is not intended for use in emergencies. If you are experiencing a medical or mental health emergency, please call 999 or contact NHS 111.
Our Data Protection Representative can be contacted at:
- Email: privacy@aevahealth.com
- Address: 71-75 Shelton Street, London WC2H 9JQ, UK
You may contact our Data Protection Representative with any enquiries relating to the protection of your data under this Privacy Policy.
3. Lead Supervisory Authority
The Lead Supervisory Authority overseeing Aeva Health’s activities in the United Kingdom is:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Phone: +44 (0) 303 123 1113, Email: casework@ico.org.uk. Website: https://ico.org.uk.
4. How to contact us
If you have any questions, concerns, or complaints about how we handle your personal data, you can reach us at:
- Privacy queries, rights requests, data concerns: privacy@aevahealth.com
- Service complaints and general support: support@aevahealth.com
- Safeguarding and medical device safety: safeguarding@aevahealth.com
- Billing and payments: billing@aevahealth.com
- General enquiries: hello@aevahealth.com
You have the right to lodge a complaint with the Information Commissioner's Office at any time. The ICO can be contacted at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, telephone 0303 123 1113, or via ico.org.uk/make-a-complaint.
5. Where we store your data
The personal data that we collect from you is stored in the United Kingdom on Amazon Web Services infrastructure (specifically the AWS eu-west-2 region, London) operated by Amazon Web Services EMEA SARL, a company incorporated under the laws of Luxembourg, with registered office at 38 Avenue John F. Kennedy, L-1855 Luxembourg. Where any data is processed outside this location by our sub-processors (for example, vector embeddings in Pinecone, food photo analysis in Spoonacular), the relevant safeguards and transfer mechanisms are set out in Section 15. Each sub-processor is listed in Section 14.2.
6. Personal data we collect
We only collect the personal data we deem necessary to provide and improve our Services. We have grouped the categories below for clarity. The lawful basis on which we process each category is set out in Section 8.
6.1 Identity and contact information
- Name
- Email address
- Postal address (only where you order a physical product, such as a functional testing kit, available at public launch)
- Age confirmation (you confirm at signup that you are 18 or over). We do not collect your date of birth
- Profile photo (optional)
- Gender
- Pronoun preferences (optional)
6.2 Account and login data
- User ID assigned by us
- Login credentials (password is stored in a hashed, irreversible form)
- Profile preferences and account settings
- Consent records (what you consented to, when, and the version of the consent you saw)
6.3 Health data
Health data is special category data under Article 9 UK GDPR. We process it on the basis of your explicit consent. This category includes:
Information you provide:
- Information you provide about your symptoms, conditions, and health goals across our six health pillars: hormones, sleep, gut health, movement, stress, and mental wellbeing
- Menstrual cycle and fertility-related information
- Chronic health conditions and diagnoses you choose to share
- Medication and supplement information (where you choose to share)
- Journal entries and notes you log in the app
- Symptom photos you choose to upload
- Food photos you upload for nutritional analysis
- Outputs of our pattern recognition feature (correlations and confidence indicators observed from your logged symptom, lifestyle, journal and connected-device data). Uploaded test results, lab reports and medical documents are stored for your reference and for sharing with practitioners only.
Information we generate for you from your data:
- Daily insights and pillar scores generated for you across the six pillars
- Your My Health Summary (a weekly PDF we generate for you)
- Outputs of our pattern recognition feature (correlations and confidence indicators observed from the data above)
6.4 Wearable and connected health app data
Through our integration partner Sahha you can connect a range of wearables and connected health apps to the Aeva Digital Platform. Examples include Apple Health, Google Health Connect, Apple Watch, Garmin, Oura, Fitbit, Whoop, Withings, Polar, and Strava. The exact list of supported devices and apps may change over time and is shown to you in the app.
The data we collect through Sahha may include:
- Sleep data (duration, sleep stages, sleep quality)
- Heart-related data (heart rate, resting heart rate, heart rate variability)
- Activity data (steps, workouts, calories, distance)
- Body data (weight, body composition, where logged)
- Other physical signals provided by your device or app
- Menstrual cycle data, where your connected app or device supports cycle tracking (this may include data sourced from Apple Health, Strava, or other connected sources, where available)
Where your connected source supports it, with your consent we may also import historical data from before you connected to the Aeva Digital Platform, so that pattern recognition has more context to work with. You control which sources you connect and which data categories you allow Aeva to ingest. You can disconnect at any time.
6.5 Conversations with Eva
Eva is our AI health coach, presented as part of Aeva. When you interact with Eva we process the messages you send and the responses Eva generates. Eva runs on AWS Bedrock under our enterprise terms with Amazon Web Services. AWS does not retain your conversations and does not use them to train AWS or third-party models.
We strip identifying details from your messages before they are processed by AWS Bedrock. Please be mindful of what personal information you share with Eva. There is no need to share details like your full address, bank details, or national insurance number for the service to work.
6.6 Practitioner and Super Team data
When you book a session with one of our independent practitioners, or are matched to a Super Team (a fixed trio of practitioners working with you), we process:
- Booking details (date, time, practitioner, service type)
- In-app messages between you and the practitioner(s), including group chat with all three Super Team practitioners
- Documents you choose to share with a practitioner (see Section 6.9)
- Session attendance and punctuality records
- Practitioner notes recorded in the platform after a session
6.7 Functional testing data
Where you choose to purchase a functional testing service through the Aeva Digital Platform (available at public launch), we process information related to the test, including the postal address for kit fulfilment and the results returned by our testing partner. The specific testing partner is identified in Section 8.
6.8 Payment data
We do not store your full card details. Payments are processed by our payment providers (Stripe and, where you use it, Klarna and Revolut Pay). Where you purchase a subscription through the Apple App Store or Google Play Store, payment is processed by Apple or Google under their terms; Aeva Health is not responsible. We receive only transaction-level information (amount, date, payment method type, success or failure) but not your card number or full payment details.
6.9 Documents and content you upload
You may upload documents (such as lab results or medical records) to your account. You control whether to share an uploaded document with a specific practitioner. You may revoke the storage and processing of such data at any time. Documents you upload are stored within our infrastructure and are not shared with third parties beyond what is necessary to provide our Services (such as our hosting providers).
6.10 Technical and device data
- Device identifiers
- Device model and operating system version
- App version
- IP address
- Browser type (when you use the web app)
- Time zone and language settings
- Crash and performance data, where you have not opted out
6.11 Usage and analytics data
We use Mixpanel for product analytics. Mixpanel receives an anonymous distinct identifier and event data only (for example, that a user logged a symptom, opened a screen, or completed an onboarding step). Mixpanel does not receive the underlying health data values themselves. Mixpanel helps us understand which features are used and how to improve the product.
6.12 Support and quality data
Where you contact us for support, or where we handle a service issue, we record correspondence, technical issue reports, screenshots you share with us, and service feedback.
7. How we collect your personal data
We collect personal data in three ways:
Directly from you, when you create an account, complete the signup quiz, log information, upload a document, chat with Eva, book a session, contact support, or otherwise interact with the Aeva Digital Platform.
Automatically, when you use the Aeva Digital Platform we collect technical and usage data as described in Sections 6.10 and 6.11.
From third parties, where you connect a wearable device through Sahha, the wearable provider sends data to us through Sahha. Where you purchase a subscription through the Apple App Store or Google Play Store, those platforms send us transaction-level information.
8. How we use your personal data and our lawful bases
Under UK GDPR we must have a lawful basis under Article 6 for everything we do with your personal data. Where we process health data (special category data) we need an additional basis under Article 9. The table below sets out every purpose for which we process your personal data, the categories of data involved, the Article 6 basis, and (where relevant) the Article 9 basis.
Create and manage your account and provide access to the Aeva Digital Platform
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): n/a
Provide Eva, our AI health coach
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a)
Observe correlations across your data (pattern recognition) and surface them to you with confidence indicators
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a)
Generate your weekly My Health Summary PDF
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a)
Surface daily insights and pillar scores to you
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a)
Personalise the content library (articles, recipes, and educational material) to your profile
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a)
Store medical documents, lab results, and other health records you upload to your profile
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a)
Facilitate practitioner bookings, expert chats, and discovery calls as a disclosed agent
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a)
Operate the Super Team feature (fixed trio of practitioners and shared in-app messaging)
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a)
Share documents you designate to a specific practitioner
- Article 6 basis: Consent: Art 6(1)(a)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a)
Ingest and process wearable data through Sahha
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a)
Analyse food photos through Spoonacular
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a)
Provide functional testing services and process results
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a)
Process payments and prevent payment fraud
- Article 6 basis: Performance of Contract: Art 6(1)(b); legitimate interest: Art 6(1)(f) (fraud)
- Article 9 basis (for health data): n/a
Operate the Credits system (earn, purchase, gift, redeem)
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): n/a
Operate the Refer and Earn programme
- Article 6 basis: Performance of Contract: Art 6(1)(b)
- Article 9 basis (for health data): n/a
Safety and safeguarding review of Eva conversations and other user data
- Article 6 basis: Vital interests: Art 6(1)(d); legal obligation: Art 6(1)(c)
- Article 9 basis (for health data): Vital interests: Art 9(2)(c); substantial public interest: Art 9(2)(g)
Quality review of Eva conversations (excluding safety/safeguarding) and AI improvement
- Article 6 basis: Consent: Art 6(1)(a), opt-in, default OFF
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a), opt-in, default OFF
Aggregated and anonymised internal analytics to improve the Service
- Article 6 basis: Legitimate interest: Art 6(1)(f)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a) where data is identifiable; not required where data is genuinely anonymised
Customer support, service quality, and issue resolution
- Article 6 basis: Performance of Contract: Art 6(1)(b); legitimate interest: Art 6(1)(f)
- Article 9 basis (for health data): Explicit consent: Art 9(2)(a) where health data is involved
Marketing communications (newsletter, educational content)
- Article 6 basis: Consent: Art 6(1)(a); legitimate interest: Art 6(1)(f) where you are an existing customer (soft opt-in)
- Article 9 basis (for health data): n/a
Crash reporting and performance monitoring
- Article 6 basis: Legitimate interest: Art 6(1)(f)
- Article 9 basis (for health data): n/a
Legal and tax compliance, regulatory cooperation
- Article 6 basis: Legal obligation: Art 6(1)(c)
- Article 9 basis (for health data): Substantial public interest: Art 9(2)(g) where health data is involved
8.1 More about consent
Where we rely on consent, it must be specific, informed, freely given, and unambiguous. You may withdraw your consent at any time. Withdrawing consent does not affect any processing we lawfully completed before you notified us of the withdrawal.
We capture the following consents separately, none of which are bundled with your acceptance of this Privacy Policy or our Terms and Conditions:
Processing of health data (Article 9 explicit consent)
- Default state: Asked before health data is first collected (no default)
- Where you manage it: Account settings → Privacy
AI model improvement and training
- Default state: OFF
- Where you manage it: Account settings → Privacy
Quality review of Eva conversations (non-safety)
- Default state: OFF
- Where you manage it: Account settings → Privacy
Marketing communications
- Default state: OFF
- Where you manage it: Account settings → Communications
Research participation (optional, see Section 8.2)
- Default state: OFF
- Where you manage it: Account settings → Privacy
Sharing a specific document with a specific practitioner
- Default state: Off until you choose to share
- Where you manage it: Document menu within the Aeva Digital Platform
8.2 Research participation
Aeva Health undertakes research to improve understanding of how the Aeva Digital Platform supports women's health across the six pillars. Where you have opted in to research participation at signup or in your account settings, we may include genuinely anonymised data derived from your use of the platform in our research. Where findings are published from research your data has contributed to, we will make those findings available to participants. You may withdraw from research participation at any time. Withdrawal stops your data being included in future research; it does not affect research already completed.
8.3 Automated decision-making
Eva and our pattern recognition feature produce outputs that are generated automatically from your data. They include practitioner matching suggestions and correlation insights with confidence indicators. These outputs are designed to support your understanding of your health, not to make legal or similarly significant decisions about you. You always choose whether to act on a suggestion, including whether to book a recommended practitioner. You can ask us for an explanation of any output, and you can ask us to review or stop any output you disagree with by emailing privacy@aevahealth.com.
As a registered Class 1 medical device, Aeva is required to ensure that automated outputs inform rather than replace your or a healthcare professional's judgement. The pattern recognition feature surfaces correlational insights only; it does not diagnose, predict, or treat any condition. Confidence indicators reflect statistical correlation strength within your own logged and connected-device data, not clinical probability.
9. Your rights as Data Subject
The UK GDPR affords you specific rights as a UK Data Subject. These rights are summarised below. To assert any of these listed rights, you may contact the Data Protection Representative designated by Aeva Health under Section 2 above. For purposes of this Section 9 and Section 10, ‘personal data’ shall include all data relating to the Data Subject, including personal health data.
Right of Confirmation: Each Data Subject shall have the right to obtain from Aeva Health as data controller the confirmation as to whether or not any personal data concerning him or her are being processed.
Right of Access: Each Data Subject has the right to obtain from Aeva Health as the data controller free information about the Data Subject’s personal data stored at any time, as well as a copy of this information. Your rights as a Data Subject include obtaining information as to whether your personal data are transferred to a third country or to an international organisation. In such instances, you have the right to be informed of the appropriate safeguards relating to the transfer.
Right to Rectification: Each Data Subject has the right to obtain from Aeva Health (as data controller) the rectification of inaccurate personal data concerning the Data Subject, without undue delay. Taking into account the purposes of the processing, the Data Subject has the right to have incomplete personal information completed, including by means of providing a supplementary statement, if necessary.
Right to Erasure (Right to be Forgotten): Each Data Subject has the right to obtain from Aeva Health, without undue delay, the erasure of the Data Subject’s personal data. Aeva Health, as data controller, has the obligation to erase such data without undue delay where one of the statutory grounds applies, as long as the processing is not necessary.
Right of Restriction of Processing: Each Data Subject has the right to obtain from Aeva Health as data controller a restriction of processing where a statutory reason applies.
Right to Data Portability: Each Data Subject has the right to receive the personal data concerning him or her that has been provided to Aeva Health in a structured, commonly used and machine-readable format.
Right to Object: Each Data Subject has the right to object at any time to the processing of personal data concerning him or her on grounds relating to their particular situation.
Automated individual decision-making, including profiling: Each Data Subject has the right to not be subject to a decision based solely on automated processing, including profiling.
Right to Withdraw Consent: Where consent forms the legal basis for the processing of the Data Subject’s personal data, the Data Subject has the right to withdraw their consent to such processing at any time. Data Subjects can withdraw consent by logging into their User Account, clicking the “Privacy” link in the menu, and then updating the privacy settings as required. Data Subjects may also contact the Data Subject Representative listed above in Section 2 to withdraw consent to the processing of their personal data.
Right to Complain to the Supervisory Authority: Each Data Subject has the right to complain to the relevant Supervisory Authority about the processing of their personal data by a data controller, as well as the methods and actions of a data controller in the processing of their personal data. The Lead Supervisory Authority overseeing Aeva Health Ltd’s activities in the United Kingdom is the Information Commissioner’s Office, as detailed in Section 3 above.
10. The Legal Basis for the Processing of Personal Data
The legal basis for the processing of your personal data shall be where:
- as Data Subject you have provided us with consent to the processing of your personal data for one or more specific reasons;
- processing of your personal data is necessary for the performance of a contract to which you are a party or in order to take such steps at your request, prior to entering into a contract;
- processing is necessary for compliance with legal obligations to which Aeva Health as a data controller is subject;
- processing is necessary in order to protect the vital interests of you as Data Subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Aeva Health as the data controller; and
- processing is necessary for the purposes of the legitimate interests pursued by Aeva Health as the data controller or by a third party, except in such circumstances where the interests of such processing are overridden by the interests or fundamental rights and freedoms of you as Data Subject which require protection of personal data.
11. Legitimate Interests Pursued by Aeva Health
Where the processing of your personal data is based on our legitimate interest, it is to carry out our business in favour of the well-being of all our employees, shareholders and our company as a whole.
12. How we protect your personal data
We use industry-standard technical and organisational measures appropriate to the risk. These include:
- Encryption of personal data in transit and at rest
- Role-based access controls within Aeva Health: staff and contractors only access personal data when needed to perform their role
- Logging of access to personal data
- Regular review of security and access permissions
- Penetration testing and security review on a defined cycle
- A documented incident response and breach notification process
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms we will notify the ICO within 72 hours of becoming aware, and we will inform you without undue delay where the risk to you is high.
As a registered Class 1 medical device, we maintain a cybersecurity programme appropriate to its regulated status, including ongoing software vulnerability management, secure software development practices, and post-market surveillance for cybersecurity issues affecting the Aeva Digital Platform.
13. Children
The Aeva Digital Platform is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we hold personal data about a person under 18 we will delete it. If you are the parent or guardian of someone you believe is using our Services contrary to this restriction, please contact privacy@aevahealth.com.
14. Who we share your personal data with
We share your personal data only where necessary to provide the Services or where we are legally required to. We do not sell your personal data.
14.1 Practitioners and Super Teams
Where you book a session or are matched to a Super Team, we share with the practitioner(s):
- Your name
- Your weekly My Health Summary and any health information you choose to share with that practitioner
- Any documents you have specifically chosen to share with that practitioner
- Booking details and in-app messages you exchange with them
Practitioners on the Aeva Digital Platform are independent professionals. They are responsible for their own professional services. When you book with a practitioner, you accept their terms of service, which follow a standard form provided by Aeva and presented in the practitioner's name. They are bound by professional confidentiality, by the data protection terms in our agreement with them, and by UK GDPR as independent data controllers for the services they provide to you. Practitioners can also share their session notes and reports back with you in the Aeva Expert Reports folder, in the documents section of your health profile.
14.2 Our service providers (sub-processors)
We use the following service providers to deliver the Aeva Digital Platform. Each is bound by a data processing agreement or equivalent processor terms with us that address the requirements of Article 28 UK GDPR. Where we are in the process of formalising an updated agreement with a provider, we operate under their published processor terms until that agreement is signed. Each processes your personal data only on our documented instructions.
Amazon Web Services (AWS)
- Country / region: United Kingdom
- Purpose: Cloud infrastructure, AI processing (AWS Bedrock for Eva and pattern recognition, both in eu-west-2, London, UK), automated PII redaction via AWS Comprehend (applied to Eva prompts, pattern recognition inputs, and uploaded documents before they are processed by an LLM, and to redact Eva's responses before they are stored), self-hosted Langfuse observability running within this environment (trace data remains inside our AWS account and is not shared with any third party), Amazon CloudWatch (model invocation logging, 90-day retention), Amazon S3 (document and image storage)
- Privacy policy: https://aws.amazon.com/privacy/
MongoDB Atlas
- Country / region: United Kingdom
- Purpose: Primary database hosting (UK)
- Privacy policy: https://www.mongodb.com/legal/privacy-policy
Firebase (Google)
- Country / region: Belgium (EU)
- Purpose: Push notifications, in-app messaging between users and practitioners, Firebase Crashlytics (crash and error reporting)
- Privacy policy: https://policies.google.com/privacy
Pinecone
- Country / region: Ireland (EU)
- Purpose: Vector database for AI features and embeddings
- Privacy policy: https://www.pinecone.io/privacy/
Sahha
- Country / region: United States (AWS us-east-1)
- Purpose: Wearable and connected health app data integration (Apple Health, Google Health Connect, Garmin, Oura, Fitbit, Whoop, Withings, Polar, Samsung Health, Strava, and others)
- Privacy policy: https://sahha.ai/privacy
Spoonacular
- Country / region: United States
- Purpose: Food photo nutritional analysis
- Privacy policy: https://spoonacular.com/food-api/terms
Google (Gemini Flash)
- Country / region: EU
- Purpose: Document parsing (uploaded medical records, lab results)
- Privacy policy: https://policies.google.com/privacy
OpenAI
- Country / region: EU
- Purpose: Vector embeddings (OpenAI text-embedding-3-small model, 1,536 dimensions) for the Aeva content library; embedding of user queries for retrieval-augmented generation; generation of short content for pillar pop-ups
- Privacy policy: https://openai.com/policies/privacy-policy/
Stripe
- Country / region: Ireland (EU)
- Purpose: Web subscription payment processing and in-app payment processing for expert sessions, Super Team sessions, and Aeva Credits
- Privacy policy: https://stripe.com/privacy
Apple (App Store, In-App Purchase, sign-in)
- Country / region: United Kingdom
- Purpose: iOS distribution, in-app subscription billing via Apple In-App Purchase, and user sign-in where you use Apple sign-in
- Privacy policy: https://www.apple.com/legal/privacy/en-ww/
Google (Play Store, Play Billing, Google sign-in)
- Country / region: United Kingdom
- Purpose: Android distribution, in-app subscription billing via Google Play Billing, and user sign-in where you use Google sign-in
- Privacy policy: https://policies.google.com/privacy
Klarna
- Country / region: Sweden (EU)
- Purpose: Buy Now, Pay Later (optional)
- Privacy policy: https://www.klarna.com/uk/privacy-policy/
Revolut Pay
- Country / region: EU
- Purpose: Digital wallet (optional)
- Privacy policy: https://www.revolut.com/privacy-policy/
Mixpanel
- Country / region: Netherlands (EU)
- Purpose: Product analytics. Event metadata only (screens viewed, actions taken). No health data values transmitted as event properties.
- Privacy policy: https://mixpanel.com/legal/privacy-policy/
ActiveCampaign
- Country / region: EU
- Purpose: Marketing emails
- Privacy policy: https://www.activecampaign.com/legal/privacy-policy
Postmark
- Country / region: United States
- Purpose: Transactional emails (account, billing, security)
- Privacy policy: https://postmarkapp.com/privacy-policy
Google Workspace
- Country / region: EU
- Purpose: Aeva internal email and document handling
- Privacy policy: https://policies.google.com/privacy
Google Calendar
- Country / region: EU
- Purpose: Optional one-way calendar sync. Where you choose to connect your Google Calendar, we send booked session details to your calendar so they appear in your personal schedule. We do not read events back from your calendar into the Aeva Digital Platform.
- Privacy policy: https://policies.google.com/privacy
Cal.com
- Country / region: United States
- Purpose: Scheduling and booking infrastructure for practitioner sessions
- Privacy policy: https://cal.com/privacy
14.3 Others we may share with
- Professional advisers (lawyers, accountants, regulatory advisers) bound by confidentiality
- Authorities, regulators, or courts where we are legally required to share
- A buyer or successor in the event of a corporate transaction (sale, merger, or restructuring), subject to confidentiality protections
- The Medicines and Healthcare products Regulatory Agency (MHRA) where we are required to share information under UK MDR 2002 (for example, in connection with a serious incident report). We will only share the personal data strictly necessary to comply with our regulatory obligations.
- Anyone you direct us to share with
15. International data transfers
Where we transfer your personal data outside the United Kingdom we use one of the safeguards permitted by UK GDPR:
- Transfers within the European Economic Area rely on the UK-EU adequacy decision
- Transfers to the United States rely on the EU-US Data Privacy Framework (UK extension), the UK International Data Transfer Agreement (UK IDTA), or the UK Addendum to the EU Standard Contractual Clauses, depending on the provider
- Where the country of a provider is marked as TBC in Section 14, the relevant transfer mechanism will be confirmed before that provider goes live
We carry out a Transfer Impact Assessment for each provider that processes personal data outside the United Kingdom, where required.
16. How long we keep your personal data
We keep your personal data only for as long as we need it to provide the Services, comply with our legal obligations, or protect our legal rights.
Active account data (identity, account, health data, Eva conversations, wearable data, pattern recognition outputs)
- Retention period: Duration of your account, plus 7 years from account closure
CloudWatch logs of Eva conversations (Bedrock model invocation logging)
- Retention period: 90 days from log creation, with automatic deletion thereafter. Safety-flagged conversations are archived separately with restricted access.
Documents and uploaded content
- Retention period: Duration of your account, plus 7 years from account closure
Payment and financial records
- Retention period: 7 years (UK tax minimum is 6 years; aligned to 7)
Customer support correspondence
- Retention period: 7 years
Marketing consent records (and withdrawal)
- Retention period: 7 years from the date of consent or withdrawal
Crash and performance data
- Retention period: 13 months
Practitioner verification documents
- Retention period: Duration of practitioner engagement, plus 7 years
If you ask us to delete your data we will action your request within 30 days, subject to any legal or regulatory obligation to retain specific records. We will tell you if a request cannot be fully actioned and why.
17. Cookies and similar technologies
Our website uses cookies and similar technologies. See our Cookie Policy for the full list and how to manage your preferences. The mobile app does not use cookies, but uses similar device identifiers and SDKs as described in Sections 6.10 and 6.11.
18. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Where a change is material we will notify you in advance by email and through an in-app notification. The current version is identified at the top of this document. Previous versions are no longer applicable.
19. Marketing communications
We send marketing communications only where you have opted in, or where you are an existing customer and we are sending you information about similar Services and you have not opted out. Every marketing email contains an unsubscribe link. You can also opt out at any time by emailing privacy@aevahealth.com or by updating your account settings.
20. App Store and Play Store
Where you download the Aeva app from the Apple App Store or Google Play Store, those platforms collect information directly under their own privacy policies (which we do not control). This includes information about your device, your Apple ID or Google Account where you sign in, and details of any in-app purchases. Please refer to Apple's and Google's privacy policies for more information.




