App Privacy Policy
Last updated May 8, 2026
1. Our commitment to your privacy
At AVVA, we believe that understanding your body and mind is a fundamental part of taking care of yourself — and that the data you share with us to make that possible deserves the highest level of protection.
AVVA collects deeply personal information: your menstrual cycle, your mood, your sleep, your emotional regulation, your intimate experiences. We do not take that lightly. This data is yours. We process it to provide you with a service that works for you, and for no other purpose. It is never sold, never shared with advertisers, and never leaves our own infrastructure.
This Privacy Policy explains what we collect, why we collect it, how we use it, and what rights you have. We have done our best to make it clear and honest. If you have any questions, reach out to us at team@avva.health.
This Policy covers the AVVA mobile application ("Mobile Application" or "Service") and any related services (collectively, "Services"). It does not cover the AVVA website, waitlist, or newsletter, which are governed by a separate Website Privacy Policy.
This Policy is a legally binding agreement between you ("User", "you" or "your") and AVVA Health GbR ("AVVA", "we", "us" or "our"), operated at:
AVVA Health GbR
Donaustraße 44
12043 Berlin
Germany
team@avva.health
Summary of key points
- What do we collect? Your name, email address, city, health and symptom data you track in the app, conversation data, usage and interaction data, and technical diagnostics. See Section 3.
- Do we process sensitive data? Yes. Health data, cycle data, and intimacy data are special categories under GDPR and are processed only with your explicit consent. See Section 4.
- Do we share your data with third parties? No, except for limited technical infrastructure (such as the email server used for login emails), where required by law, or in the event of a business transfer. See Sections 7 and 15.
- Do we train AI models on your data? Yes. Training on user data is intrinsic to how the Service works. Your identifiable data stays on infrastructure we control; we may publish trained models and research findings derived from it. See Section 6.
- How long do we keep your data? As long as your account is active. Upon deletion, your data is removed from production systems within one month and aged out of backups within twelve months. See Section 8.
- What are your rights? Access, rectification, erasure, portability, restriction, and objection. See Section 10.
- Who can use AVVA? Users aged 18 and over only. See Section 11.
2. Definitions
"Personal Information" refers to any information that identifies or can be used to identify you as an individual. "Special category data" refers to the categories of sensitive personal data defined under Article 9 of the GDPR, including health data. "Processing" refers to any operation performed on your data, including collection, storage, use, and deletion.
3. What data we collect
When you use the Mobile Application, we collect the following categories of data:
Account data: your name, email address, and date of birth.
Location data: your city, provided by you as a text input. We also derive your approximate city-level location from your IP address at the session level for the purpose of providing location-relevant features.
Health and symptom data: information you provide about your menstrual cycle, physical symptoms, focus and executive function, mood and emotional regulation, sensory sensitivity, sleep, physical activity, cravings, and sexual health and intimacy. This is the core data that powers the Service.
Conversation data: the messages you send to AVVA, AVVA's responses, in-conversation questionnaires and follow-up prompts, and derived representations of your inputs (including embeddings used by the system to better understand and serve you). All of this is processed and stored on infrastructure under our direct control and used to provide personalized recommendations and to train the internal models described in Section 6.
Usage data: information about how you interact with the Mobile Application, including which features you use, when, and for how long.
Technical data: diagnostic information about your device and the application's behavior, used to identify and fix errors and maintain stability.
Customer support data: information you provide when you contact us for support.
4. Special category data
AVVA collects and processes data that falls under the special categories of personal data as defined by Article 9 of the GDPR. This includes health data, menstrual and reproductive health data, and data relating to your sexual health and intimacy.
We process this data solely on the basis of your explicit consent, which you provide when you create your account and begin using the tracking features of the Mobile Application. You may withdraw this consent at any time by deleting your account. You can initiate account deletion from within the Mobile Application or by emailing us at team@avva.health. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal, but will result in the deletion of your account and associated data.
This data is never used for advertising, never shared with third parties for commercial purposes, and is processed solely to provide and improve the Services and to train our internal models as described in Section 6.
5. How and why we use your data
We process your data for the following purposes and on the following legal bases:
To provide the Service — we process your account data, health data, and conversation data to deliver the core functionality of the Mobile Application, including symptom tracking, pattern recognition, and personalized recommendations. Legal basis: performance of contract (Article 6(1)(b) GDPR) for account data; explicit consent (Article 9(2)(a) GDPR) for health and sensitive data.
To personalize your experience — we process your health data, conversation data, and usage data to generate recommendations and insights tailored to your individual patterns. Legal basis: explicit consent (Article 9(2)(a) GDPR).
To improve the Service — we process usage data and technical data to understand how users interact with the Mobile Application, identify areas for improvement, and measure the effectiveness of features. Legal basis: legitimate interests (Article 6(1)(f) GDPR).
To ensure technical operation — we process crash data and performance data to maintain the stability and security of the Mobile Application. Legal basis: legitimate interests (Article 6(1)(f) GDPR).
To communicate with you — we process your email address to send you transactional communications related to your account (such as login tokens and account notifications), and where you have consented, product updates and newsletters. You can unsubscribe from marketing communications at any time using the unsubscribe link in any such email. Legal basis: performance of contract (Article 6(1)(b) GDPR) for transactional emails; consent (Article 6(1)(a) GDPR) for marketing communications.
To provide customer support — we process your account data and any information you share with us when you contact us. Legal basis: legitimate interests (Article 6(1)(f) GDPR).
To train internal AI models — we process your data to improve the accuracy and personalization of our AI systems, as described in Section 6. Legal basis: explicit consent (Article 9(2)(a) GDPR).
To comply with legal obligations — we may process your data where required by applicable law. Legal basis: legal obligation (Article 6(1)(c) GDPR).
6. AI model training
AVVA's core service is built on AI models that learn from user data to provide personalized insights. Training on user data is intrinsic to how the Service works — not an optional add-on. By using AVVA, you consent to your data being used to train these internal models. Use AVVA only if you are comfortable with this.
To improve the accuracy of predictions and recommendations over time, we process user data — including health data, conversation data, and usage data — to train and refine our internal models. This processing works by analyzing patterns in your tracked data and conversations over time, building an understanding of your individual profile that allows AVVA to provide more accurate and relevant recommendations. The goal is a system that learns your patterns specifically, not just those of an average user.
The following applies without exception:
- All model training takes place on infrastructure under our direct control within the European Union.
- Your personal data is not shared with external AI providers or third parties for training purposes.
- Training does not result in automated decisions with legal or similarly significant effects as defined under Article 22 GDPR.
Models trained from this data may be published, including model architectures, embedding spaces, model weights, and aggregate research findings. This is intrinsic to AVVA's mission of advancing research.
The legal basis for this processing is your explicit consent under Article 9(2)(a) GDPR, given at account creation. You may withdraw this consent at any time by deleting your account, either from within the Mobile Application or by emailing us at team@avva.health.
7. Disclosure of information
We do not sell, trade, or share your Personal Information with third parties for advertising or commercial purposes.
We may disclose your Personal Information only in the following circumstances:
Technical infrastructure providers: the email infrastructure used for transactional communications (such as login emails) is operated by us on a virtual server provided by Contabo GmbH (Germany) under a data processing agreement. Contabo provides the underlying compute and does not access email contents. All other data processing infrastructure is operated within the European Union on hardware provided by Glome GmbH (Berlin, Germany) under a data processing agreement; Glome GmbH does not access application data.
App distribution platforms: distribution of the Mobile Application via the Apple App Store and Google Play Store is governed by the privacy practices of those platforms, which we do not control. These platforms may collect their own data (such as install metadata and account-level information) under their own privacy policies. AVVA does not transmit user health, symptom, or conversation data to these platforms.
Legal requirements: we may disclose your information where required by law or in response to valid requests by public authorities.
Protection of rights: we may disclose information where necessary to protect the rights, property, or safety of AVVA, our users, or others, to the minimum extent required.
8. Retention of information
We retain your Personal Information for as long as your account is active. Upon receipt of a verified account deletion request, we will delete your Personal Information from production systems within one month, except where retention is required by applicable legal obligations.
Database backups are retained for up to twelve months. Deleted data may persist in backups for up to that period before being automatically aged out.
Pseudonymized data, with technical and organizational measures applied to prevent re-identification, may be retained after account deletion for the purposes of scientific research and product improvement. The legal basis for this retention is Article 9(2)(j) GDPR in conjunction with §27 BDSG.
9. Data storage and residency
All Personal Information collected through the Mobile Application is stored and processed on servers located in Germany. We do not transfer your data to third countries outside the European Economic Area (EEA). The Mobile Application can be accessed from anywhere in the world, but your data remains on EU-based infrastructure at all times.
10. Your rights under GDPR
As a resident of the European Economic Area, you have the following rights with respect to your Personal Information:
- Right of access: request a copy of the Personal Information we hold about you.
- Right to rectification: request correction of inaccurate or incomplete Personal Information.
- Right to erasure: request deletion of your Personal Information, subject to legal exceptions. You can initiate account deletion directly from within the Mobile Application.
- Right to restriction: request that we limit the processing of your Personal Information in certain circumstances.
- Right to data portability: request a copy of your Personal Information in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interests, including the right to object to direct marketing at any time.
- Right to withdraw consent: withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at team@avva.health. We will respond within one month of receipt, as required by the GDPR.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement within the European Union. In Germany, the competent supervisory authority for AVVA is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information).
11. Age requirement
The Mobile Application and Services are intended for users aged 18 and over. We do not knowingly collect Personal Information from anyone under 18. If you believe a user under 18 has created an account, please contact us at team@avva.health. We will review the matter and take appropriate action, which may include deletion of the account and all associated data.
12. Information security
We implement appropriate technical and organizational measures to protect your Personal Information. These include encrypted data transmission (HTTPS) between your device and our servers, secure generation and storage of one-time login tokens, and access controls restricting who within our team can access your data. Given the sensitive nature of the health data we process, we apply particular care to the security of our infrastructure.
No method of electronic storage or transmission is completely secure. While we take every reasonable measure to protect your data, we cannot guarantee absolute security. You are also responsible for maintaining the security of your account credentials.
13. Data breach
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware, in accordance with Article 33 GDPR. Where the breach poses a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 GDPR.
14. Automated processing
AVVA uses automated processing to analyze your tracked data and generate personalized recommendations and insights. This processing does not constitute automated decision-making as defined under Article 22 GDPR — that is, no decisions producing legal effects or similarly significant effects concerning you are made solely by automated means.
15. Business transfers
In the event of a merger, acquisition, sale of assets, or similar transaction, your Personal Information may be transferred to the acquiring entity. We will notify you by email prior to any such transfer and ensure that the receiving entity is bound by privacy protections at least equivalent to those in this Policy. Your health data will remain protected and will not be used for purposes inconsistent with this Policy without your renewed consent.
16. Changes and amendments
We reserve the right to modify this Policy at any time. When we do, we will update the date at the top of this page and notify you by email. Where changes materially affect how we process your Personal Information or require renewed consent, we will seek that consent before the changes take effect. Your continued use of the Mobile Application after notification constitutes acceptance of non-material changes.
17. Prevailing language
This Privacy Policy is published in English, which is the authoritative version. Where translations are provided, they are for convenience only. In the event of any discrepancy between a translation and the English original, the English version prevails.
18. Acceptance of this policy
By creating an account and using the Mobile Application and Services, you acknowledge that you have read and understood this Policy and agree to be bound by its terms, including your explicit consent to the processing of special category health data as described herein. If you do not agree, you must not use the Mobile Application and Services.
19. Contacting us
If you have any questions, concerns, or requests regarding this Policy or the data we hold about you, please contact us at:
AVVA Health GbR
Donaustraße 44
12043 Berlin
Germany
team@avva.health
AVVA has not appointed a Data Protection Officer. We have assessed our processing activities under Article 37 GDPR and §38 BDSG and determined that the appointment of a DPO is not currently mandatory. Users may direct any data protection inquiries to the email address above.
We will respond within the timeframes required by applicable data protection law.