Aeva Health Privacy Policy

Last Updated: August 21, 2025

Introduction

This Privacy Policy explains how Aeva Health Ltd ("we," "us," or "our") handles your personal data when you use our website ("Website"), mobile application ("Aeva App"), and digital platform services (the Website and Aeva App together, the "Aeva Digital Platform").

Important Notice

  • You must be 18 years or older to use our Services
  • By accessing or using our Services, you are agreeing to this Privacy Policy
  • If you do not agree with this Privacy Policy, please do not use our Services
  • This policy should be read alongside our Terms and Conditions and Cookie Policy

Contact our Data Protection Officer at:

1. Who We Are

Aeva Health Ltd is registered in England and Wales (Company No. 15462448) with a registered office at 71-75 Shelton Street, London WC2H 9JQ, UK. We are registered with the Information Commissioner's Office under registration number 00018109281.

2. Types of Personal Data We Collect

2.1 Health and Medical Information

  • Health tracking and symptom monitoring information
  • Personalised health insights and recommendations  
  • Wellness assessments and questionnaire responses
  • AI health assistant (AiEva) interactions and generated health plans
  • Virtual consultation records and practitioner session notes
  • Practitioner-generated health and wellness plans
  • Medical history and current symptoms (where provided)
  • Test results and medical reports (uploaded by users, optional)
  • Treatment plans and health goals
  • Progress tracking and outcome measurements
  • Medication and supplement information (optional)
  • Gender and pronoun preferences (optional)
  • Emergency contact details (optional)
  • Profile Picture (optional)
  • Detailed care needs information
  • Records of practitioner meetings and recommendations
  • Practitioner session recordings (only if practitioner and user consent at each session)

2.2 Account Information

  • Name and contact details
  • Date of birth
  • Login credentials
  • Profile preferences

2.3 Technical Information

  • Device identifiers
  • IP address
  • Browser type
  • Operating system
  • Usage patterns

2.4 Disclosed Agent Role and Data Handling

For our practitioner services, Aeva Health acts as a disclosed agent for independent practitioners.

This means:

  • We collect payments on behalf of practitioners and retain a service fee
  • We issue invoices on behalf of practitioners that clearly identify them as the service provider

When facilitating practitioner services, we share the following information with practitioners:

  • User name
  • Health profile overview (overview of current health challenges, any diagnoses, objectives, previous treatments) - this is the same profile overview that our users have access to themselves

This limited information is shared so that practitioners can focus on providing solutions during sessions rather than collecting background information. All interaction between users and practitioners takes place within our secure Aeva Digital Platform, including scheduling, messaging, and video consultations.

Practitioners are integrated into our Aeva Digital Platform to provide a centralised, seamless experience for users. While we facilitate the connection between users and practitioners, the practitioners are responsible and liable for the professional services they provide.

When service issues arise, we may share relevant information with practitioners to ensure fair resolution and maintain service quality. This sharing is limited to information necessary for addressing specific service concerns.

2.5 Service Quality and Support Data

We collect information to maintain service quality and provide support, including:

  • Technical issue reports and error screenshots
  • Session attendance and timing records
  • Service feedback and quality assessments
  • Support communications and resolution records

3. Third-Party Service Providers

We use the following service providers to deliver our Services:

3.1 Infrastructure

  • Digital Ocean: Cloud hosting services
  • MongoDB: Database management
  • Firebase: Application services

Data Transfer Mechanism

All international data transfers comply with UK GDPR and are made under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs). Data is primarily transferred to:

  • United States (Digital Ocean, MongoDB, Firebase)
  • International locations (Cal.com)

3.2 Communications

  • Active Campaign: Email marketing
  • Postmark: Transactional emails

3.3 Scheduling

  • Cal.com: Appointment scheduling

3.4 Analytics and AI

Analytics Tools:

  • Google Analytics (website performance)
  • Mouseflow (user experience analytics)

AI Services:

  • AiEva: Our proprietary AI health assistant built on customised GPT technology

Each service provider processes data in accordance with their own privacy policies and our data processing agreements.

Important Note: Our AI assistant (AiEva) is designed with privacy-by-design principles. No personal or sensitive health data is shared with external AI providers. All health-related processing occurs within our secure UK infrastructure.

4. How We Use Your Information

4.1 Core Services

  • Providing subscription services directly (AI health assistant, health tracking)
  • Facilitating practitioner services as a disclosed agent
  • Managing your account
  • Processing appointments
  • Maintaining service quality and resolving user concerns
  • Processing support requests and technical issues

4.2 AI and Machine Learning

With your explicit consent, we use anonymised health data to:

  • Train and improve AiEva
  • Develop personalised health insights
  • Enhance prediction accuracy
  • Improve service quality

Legitimate Interests Include:

Service Delivery:

  • Match users with wellness practitioners
  • Personalise Aeva Digital Platform experience
  • Manage bookings and communications

Aeva Digital Platform Improvement:

  • Enhance user experience through analytics
  • Improve practitioner matching
  • Develop health/wellness tools

Safety & Quality:

  • Verify practitioner credentials
  • Monitor service quality
  • Prevent Aeva Digital Platform misuse

Service Quality & Support:

  • Resolve service issues between users and practitioners
  • Maintain Aeva Digital Platform performance and reliability
  • Ensure professional service standards
  • Process support requests efficiently

Benefits Outweigh Risks Because:

  • Minimised data collection
  • User maintains data control
  • Strong security measures
  • Clear opt-out options
  • Transparent data usage
  • Continuous focus on user privacy

4.3 Google Workspace API Usage

Our application offers an optional integration with Google Calendar, which is governed by the following policies:

4.3.1 Limited Use

Our use of Google Workspace APIs strictly complies with Google's Limited Use Requirements. We explicitly do not use data from these APIs to develop, improve, or train generalised or non-personalised AI/ML models.

4.3.2 One-Way Integration

Our Google Calendar integration only pushes health recommendations and activities from our application to users' calendars. We do not read, collect, store, or process any existing calendar data from users' Google Calendars.

4.3.3 No Transfer to Third Parties

We do not transfer any Google Calendar data to third-party AI tools or services. The calendar integration is solely used to help users view their health recommendations in their preferred calendar system.

4.3.4 Separation from AI Services

While our application uses AI for personalised health recommendations (via AiEva), this functionality operates independently from our Google Calendar integration. No Google user data is ever used to train our AI systems.

4.3.5 Optional Feature

The Google Calendar integration is entirely optional and can be enabled or disabled by users at any time through their account settings.

4.4 Where We Get Personal Information From

  • Directly from you
  • Suppliers and service providers

5. Data Storage and Security

5.1 Storage Location

  • Primary data storage: UK-based MongoDB cluster
  • Encrypted backup storage: UK jurisdiction only

5.2 Security Measures

  • End-to-end encryption
  • Regular security audits
  • Access controls
  • Continuous monitoring
  • Incident response procedures

5.3 Duty of Confidentiality

We are subject to a common law duty of confidentiality. We may share information when:

  • You provide explicit consent
  • Legal requirement exists
  • Public interest overrides confidentiality
  • Specific regulatory requirements are met
  • With practitioners to facilitate services (as described in Section 2.4)

6. Your Rights

Under UK GDPR, you have comprehensive data protection rights:

Response Timeframe: We will respond to your request within one month.

Detailed Rights Include:

  • Access: Request copies of your personal information
  • Rectification: Correct or update inaccurate information
  • Erasure: Request deletion of your data
  • Restrict Processing: Limit how we use your information
  • Object to Processing: Challenge our use of your data
  • Data Portability: Request data transfer
  • Withdraw Consent: Remove permission for data processing at any time

6.1 Service-Related Data Processing

During active service issues or support cases, certain data processing may continue to:

  • Resolve service concerns fairly
  • Maintain accurate service records
  • Comply with professional service obligations

We will inform you if this affects your data deletion rights and provide expected resolution timeframes.

7. Data Retention

We retain your data for:

  • Active accounts: Duration of service
  • Deleted accounts: 90 days post-deletion
  • Medical records: 8 years (as required by UK law)
  • Chat logs: 2 years
  • Support and service records: 3 years (service improvement and legal requirements)
  • Technical issue reports: 2 years (Aeva Digital Platform improvement)
  • Practitioner verification documents: Duration of practitioner engagement + 2 years
  • Safeguarding incident reports: 7 years (regulatory compliance)

8. Changes to This Policy

We will notify you of material changes via:

  • Email notification
  • In-app alerts
  • Website notices

9. Contact Us

For privacy-related inquiries:

Additional Complaint Routes: Information Commissioner's Office (ICO)