Aeva Health Privacy Policy
Last Updated: April 24, 2025
Introduction
This Privacy Policy explains how Aeva Health Ltd ("we," "us," or "our") handles your personal data when you use our website, web application, Health Tracking Hub, AI health services, and virtual consultations (collectively, the "Services").
Important Notice
- You must be 18 years or older to use our Services
- By accessing or using our Services, you are agreeing to this Privacy Policy
- If you do not agree with this Privacy Policy, please do not use our Services
- This policy should be read alongside our Terms and Conditions and Cookie Policy
Contact our Data Protection Officer at:
- Email: privacy@aevahealth.com
- Address: 71-75 Shelton Street, London WC2H 9JQ, UK
1. Who We Are
Aeva Health Ltd is registered in England and Wales (Company No. 15462448) with a registered office at 71-75 Shelton Street, London WC2H 9JQ, UK. We are registered with the Information Commissioner's Office under registration number 00018109281.
2. Types of Personal Data We Collect
2.1 Health and Medical Information
- Medical history and symptoms
- Treatment plans and outcomes
- Wellness and lifestyle information
- AI health assistant (AiEva) interactions
- Virtual consultation records
- Practitioner notes and recommendations
- Gender
- Pronoun preferences (Optional)
- Emergency contact details (Optional)
- Profile picture (Optional)
- Detailed care needs information
- Comprehensive test results (psychological evaluations, scans, blood tests, x-rays)
- Detailed records of meetings and decisions
- Call recordings (only if practitioner and user consent at each session)
2.2 Account Information
- Name and contact details
- Date of birth
- Login credentials
- Profile preferences
2.3 Technical Information
- Device identifiers
- IP address
- Browser type
- Operating system
- Usage patterns
2.4 Disclosed Agent Role and Data Handling
For our practitioner services, Aeva Health acts as a disclosed agent for independent practitioners.
This means:
- We collect payments on behalf of practitioners and retain a service fee
- We issue invoices on behalf of practitioners that clearly identify them as the service provider
When facilitating practitioner services, we share the following information with practitioners:
- User name
- Health profile overview (overview of current health challenges, any diagnoses, objectives, previous treatments) - this is the same profile overview that our users have access to themselves
This limited information is shared so that practitioners can focus on providing solutions during sessions rather than collecting background information. All interaction between users and practitioners takes place within our secure platform, including scheduling, messaging, and video consultations.
Practitioners are integrated into our platform to provide a centralised, seamless experience for users. While we facilitate the connection between users and practitioners, the practitioners are responsible and liable for the professional services they provide.
3. Third-Party Service Providers
We use the following service providers to deliver our Services:
3.1 Infrastructure
- DigitalOcean: Cloud hosting services
- MongoDB: Database management
- Firebase: Application services
Data Transfer Mechanism
All international data transfers comply with UK GDPR using the Addendum to EU Standard Contractual Clauses (SCCs). Data is primarily transferred to:
- United States (DigitalOcean, MongoDB, Firebase)
- International locations (Cal.com)
3.2 Communications
- ActiveCampaign: Email marketing
- Postmark: Transactional emails
3.3 Scheduling
- Cal.com: Appointment scheduling
3.4 Analytics and AI
- Google Analytics: Website analytics
- AiEva: Our proprietary AI health assistant built on customised GPT technology
Important Note: Our AI assistant (AiEva) is designed with privacy-by-design principles. No personal or sensitive health data is shared with external AI providers. All health-related processing occurs within our secure UK infrastructure.
Each service provider processes data in accordance with their own privacy policies and our data processing agreements.
4. How We Use Your Information
4.1 Core Services
- Providing subscription services directly (AI health assistant, health tracking)
- Facilitating practitioner services as a disclosed agent
- Managing your account
- Processing appointments
4.2 AI and Machine Learning
With your explicit consent, we use anonymised health data to:
- Train and improve AiEva
- Develop personalised health insights
- Enhance prediction accuracy
- Improve service quality
Legitimate Interests Include:
Service Delivery:
- Match users with wellness practitioners
- Personalise platform experience
- Manage bookings and communications
Platform Improvement:
- Enhance user experience through analytics
- Improve practitioner matching
- Develop health/wellness tools
Safety & Quality:
- Verify practitioner credentials
- Monitor service quality
- Prevent platform misuse
Benefits Outweigh Risks Because:
- Minimised data collection
- User maintains data control
- Strong security measures
- Clear opt-out options
- Transparent data usage
- Continuous focus on user privacy
4.3 Google Workspace API Usage
Our application offers an optional integration with Google Calendar, which is governed by the following policies:
4.3.1 Limited Use
Our use of Google Workspace APIs strictly complies with Google's Limited Use Requirements. We explicitly do not use data from these APIs to develop, improve, or train generalised or non-personalised AI/ML models.
4.3.2 One-Way Integration
Our Google Calendar integration only pushes health recommendations and activities from our application to users' calendars. We do not read, collect, store, or process any existing calendar data from users' Google Calendars.
4.3.3 No Transfer to Third Parties
We do not transfer any Google Calendar data to third-party AI tools or services. The calendar integration is solely used to help users view their health recommendations in their preferred calendar system.
4.3.4 Separation from AI Services
While our application uses AI for personalised health recommendations (via AiEva), this functionality operates independently from our Google Calendar integration. No Google user data is ever used to train our AI systems.
4.3.5 Optional Feature
The Google Calendar integration is entirely optional and can be enabled or disabled by users at any time through their account settings.
4.4 Where We Get Personal Information From
- Directly from you
- Suppliers and service providers
5. Data Storage and Security
5.1 Storage Location
- Primary data storage: UK-based MongoDB cluster
- Encrypted backup storage: UK jurisdiction only
5.2 Security Measures
- End-to-end encryption
- Regular security audits
- Access controls
- Continuous monitoring
- Incident response procedures
5.3 Duty of Confidentiality
We are subject to a common law duty of confidentiality. We may share information when:
- You provide explicit consent
- A legal requirement exists
- Public interest overrides confidentiality
- Specific regulatory requirements are met
- With practitioners to facilitate services (as described in Section 2.4)
6. Your Rights
Under UK GDPR, you have comprehensive data protection rights:
Response Timeframe: We will respond to your request within one month.
Detailed Rights Include:
- Access: Request copies of your personal information
- Rectification: Correct or update inaccurate information
- Erasure: Request deletion of your data
- Restrict Processing: Limit how we use your information
- Object to Processing: Challenge our use of your data
- Data Portability: Request data transfer
- Withdraw Consent: Remove permission for data processing at any time
7. Data Retention
We retain your data for:
- Active accounts: Duration of service
- Deleted accounts: 90 days post-deletion
- Medical records: 8 years (as required by UK law)
- Chat logs: 2 years
8. Changes to This Policy
We will notify you of material changes via:
- Email notification
- In-app alerts
- Website notices
9. Contact Us
For privacy-related inquiries:
- Data Protection Officer: privacy@aevahealth.com
- Technical Support: support@aevahealth.com
- Address: 71-75 Shelton Street, London WC2H 9JQ, UK
Additional Complaint Routes: Information Commissioner's Office (ICO)
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Helpline: 0303 123 1113
- Website: https://www.ico.org.uk/make-a-complaint