Website Privacy Policy
Last updated May 8, 2026
1. Our commitment to your privacy
This Privacy Policy explains how AVVA collects, uses, and protects your data when you visit our website at www.avva.health. It applies only to the website and not to the AVVA mobile application, which is governed by a separate App Privacy Policy.
The website is an informational and marketing site. We do not process health data, symptom data, or any other special category data through the website. The intimate processing that AVVA is built around happens exclusively inside the mobile application.
This Policy is a legally binding agreement between you ("User", "you" or "your") and AVVA Health GbR ("AVVA", "we", "us" or "our"), operated at:
AVVA Health GbR
Donaustraße 44
12043 Berlin
Germany
team@avva.health
2. What data we collect
We collect three categories of data through the website:
Information you provide through forms: your email address and, where the form requests it, your name.
Analytics and behavioural data: if you consent via our cookie banner, we collect data about how you use the website — pages visited, time spent, interactions, and similar usage data — through Google Analytics and Twipla Session Recordings. Without your consent, this data is not collected.
Technical data: standard server log data including IP address, browser type, device information, and referrer information. This is processed by our hosting provider for security and operational purposes.
3. How and why we use your data
We process your data for the following purposes and on the following legal bases:
To deliver the waitlist and respond to signups — we process your email and name (where provided) to add you to the AVVA waitlist and to communicate with you about access to the application. Legal basis: consent (Article 6(1)(a) GDPR) and pre-contractual measures at your request (Article 6(1)(b) GDPR).
To send our newsletter — where you have opted in, we use your email address to send you newsletters about AVVA, product updates, and related content. You can unsubscribe at any time using the link at the bottom of any newsletter email. Legal basis: consent (Article 6(1)(a) GDPR).
To understand and improve the website — where you have given consent, we use analytics and session-recording tools to measure how visitors use the site, identify usability issues, and improve content. Legal basis: consent (Article 6(1)(a) GDPR) in combination with §25 TDDDG.
To operate and secure the website — server logs and standard technical data are processed to operate the site and protect against abuse. Legal basis: legitimate interests (Article 6(1)(f) GDPR).
To comply with legal obligations — we may process your data where required by applicable law. Legal basis: legal obligation (Article 6(1)(c) GDPR).
4. Disclosure of information and processors
We do not sell your data and we do not share it with third parties for advertising. The following service providers act as processors on our behalf and process data only as needed to provide their services to us:
Wix.com Ltd (Israel): our website is hosted on the Wix platform. All form submissions (waitlist, newsletter signups, contact forms) are stored on Wix's infrastructure, and our newsletter is sent through Wix's email marketing tools. Wix processes this data on our behalf under a data processing agreement. Israel has been recognised by the European Commission as providing an adequate level of data protection.
Contabo GmbH (Germany): provides email infrastructure under a data processing agreement.
Google Ireland Limited (Google Analytics): we use Google Analytics to understand how visitors use our website. Google Analytics is loaded only after you provide consent via our cookie banner. Google may transfer data to its parent company in the United States; such transfers are governed by Google's Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.
Twipla GmbH (Twipla Session Recordings): we use Twipla to record anonymised session interactions on our website (such as clicks and scrolling) in order to identify usability issues. Twipla is loaded only after you provide consent via our cookie banner.
Usercentrics GmbH (Germany): we use Usercentrics to manage your cookie consent preferences. Usercentrics processes consent records on our behalf.
Legal requirements: we may disclose information where required by law or in response to valid requests by public authorities.
Protection of rights: we may disclose information where necessary to protect the rights, property, or safety of AVVA, our users, or others, to the minimum extent required.
5. Cookies and tracking technologies
We use cookies and comparable technologies on the website. Strictly necessary cookies (such as those required for the site to function and for you to manage your consent preferences) are set automatically. All other cookies — including analytics, session recording, and any future advertising cookies — are set only with your prior consent, in accordance with §25 TDDDG.
You can review and change your cookie preferences at any time using the cookie settings link in the website footer. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
6. Retention
We retain your data only for as long as necessary for the purpose for which it was collected:
-
Waitlist data is retained until you complete signup for the application, or until you ask us to remove you from the waitlist.
-
Newsletter subscribers' email addresses are retained until you unsubscribe.
-
Analytics and session data are retained according to the retention periods configured in the respective tool (typically 14 months or less).
-
Server logs are retained for short operational and security periods by our hosting provider.
Where we are required by law to retain certain data for longer (for example, if a record forms part of accounting documentation), we will retain it for the legally required period and no longer.
7. Data storage and international transfers
Data submitted through the website is stored on infrastructure operated by our processors as described in Section 4. Where transfers to third countries occur (notably to the United States via Google), they are based on European Commission adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms.
8. Your rights under GDPR
As a resident of the European Economic Area, you have the following rights with respect to your Personal Information:
-
Right of access: request a copy of the data we hold about you.
-
Right to rectification: request correction of inaccurate or incomplete data.
-
Right to erasure: request deletion of your data, subject to legal exceptions.
-
Right to restriction: request that we limit the processing of your data in certain circumstances.
-
Right to data portability: request a copy of your data in a structured, machine-readable format.
-
Right to object: object to processing based on legitimate interests, including the right to object to direct marketing at any time.
-
Right to withdraw consent: withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at team@avva.health. We will respond within one month of receipt, as required by the GDPR.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement within the European Union. In Germany, the competent supervisory authority for AVVA is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information).
9. Use by minors
The website is not directed at children under 16. We do not knowingly collect data from children under 16 through the website. If you believe a minor has provided us with their data through one of our forms, please contact us at team@avva.health and we will delete the relevant information.
10. Information security
We rely on the technical and organisational measures provided by our processors (in particular Wix) to protect data submitted through the website. These include encrypted transmission (HTTPS) and access controls. No method of electronic storage or transmission is completely secure, and we cannot guarantee absolute security.
11. Data breach
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware, in accordance with Article 33 GDPR. Where the breach poses a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 GDPR.
12. Business transfers
In the event of a merger, acquisition, sale of assets, or similar transaction, the data we have collected through the website may be transferred to the acquiring entity. We will notify you by email prior to any such transfer and ensure that the receiving entity is bound by privacy protections at least equivalent to those in this Policy.
13. Changes and amendments
We reserve the right to modify this Policy at any time. When we do, we will update the date at the top of this page. Where changes materially affect how we process your data or require renewed consent, we will seek that consent before the changes take effect.
14. Prevailing language
This Privacy Policy is published in English, which is the authoritative version. Where translations are provided, they are for convenience only. In the event of any discrepancy between a translation and the English original, the English version prevails.
15. Contacting us
If you have any questions, concerns, or requests regarding this Policy or the data we hold about you, please contact us at:
AVVA Health GbR
Donaustraße 44
12043 Berlin
Germany
team@avva.health
AVVA has not appointed a Data Protection Officer. We have assessed our processing activities under Article 37 GDPR and §38 BDSG and determined that the appointment of a DPO is not currently mandatory. Users may direct any data protection inquiries to the email address above.
We will respond within the timeframes required by applicable data protection law.