Privacy Policy
This Privacy Policy explains how Bevita ("Bevita", "we", "us") collects, uses, stores, and protects your personal information when you use the Bevita mobile app and related services. Bevita is operated by Leonid Iakovlev (sole proprietor), Tbilisi, Georgia.
We take your privacy seriously, especially because health data is among the most sensitive categories of personal information.
1. Information We Collect
A. Information you provide directly
- Account information: email address, optional name
- Profile data: age, biological sex, weight, height, chronic conditions, medications, lifestyle factors
- Onboarding quiz responses
- Lab results you upload (photos, PDFs, manually entered values)
- Symptom logs (location, type, intensity, duration)
- Notes and journal entries
- Subscription information (payments are processed by the App Store / Google Play — we do not store payment card details)
B. Information collected automatically
- Device information: device type, OS version, app version, language, timezone
- Usage data: features used, screens viewed, session duration (anonymized analytics)
- Crash reports
- Push notification tokens
C. Information we DO NOT collect
- Precise location (we use only timezone)
- Your contacts or full photo library (only the specific photos you choose to upload)
- Microphone or camera access, except when you explicitly use the upload feature
- Browsing history outside the app
- Social media accounts
2. How We Use Your Information
We use your data to:
- Provide the core service: extract data from your lab results, generate analyses, send personalized reminders
- Improve our service (anonymized) and, only with your explicit consent, the AI features
- Communicate with you about the service (password resets, important updates)
- Process subscriptions
- Detect and prevent abuse, fraud, and security incidents
- Comply with legal obligations
We do NOT: sell or share your data with advertisers, build advertising profiles, train third-party AI models on your data without consent, or share your data with employers, insurers, or healthcare payers.
3. Legal Basis (GDPR)
For users in the EU/EEA, we process your data based on contract performance (to provide the service), legitimate interest (fraud prevention, service improvement), legal obligation (tax, regulatory compliance), and — for health-related data (special categories under Article 9) — your explicit consent, which you provide during onboarding and may withdraw at any time.
4. Data Sharing & Third-Party Processors
We share data only with third-party processors that help us run the service, each under a data processing agreement:
- Cloud database & file storage (EU region)
- AI providers used to extract biomarkers from uploaded lab documents and to generate health analysis, all accessed through the OpenRouter gateway (openrouter.ai):
- OpenRouter (USA) — routing gateway that forwards requests to the AI models below
- Google Gemini, via OpenRouter (USA) — extraction and visual analysis of lab documents
- DeepSeek, via OpenRouter — narrative health summaries and in-app chat answers
- Subscription management
- App Store / Google Play for payment processing
- Push notification delivery
- Anonymized usage analytics and crash reporting
Cross-border transfers: some processors are located outside the EU/EEA. For such transfers we rely on appropriate safeguards (e.g. the EU-U.S. Data Privacy Framework and Standard Contractual Clauses where applicable) and, for AI processing of health data, on your explicit consent. You may opt out of AI processing, but this disables core features (lab extraction, analysis).
5. Data Security
- Transport encryption (TLS) for all data transmission
- Encryption at rest for biomarker values
- Row-level security in our database
- Signed, short-lived URLs for file storage
- Audit logging of data access
In case of a data breach affecting your data, we will notify affected users and authorities as required by applicable law (within 72 hours under GDPR Article 33).
6. AI Processing of Your Data
When you upload a lab result, the image is stored in our EU-based storage, sent to a third-party AI provider for biomarker extraction, returned as structured data, and stored encrypted at rest. Our AI providers do not train models on your data per their stated terms; transient processing is required to perform the extraction. If you withdraw consent for AI processing, we stop processing new uploads with AI, can delete previously extracted data on request, and continue offering manual entry.
7. Data Retention
- Account and profile: while your account is active, plus 30 days after deletion
- Lab results and analyses: while your account is active, plus 30 days
- Anonymous usage analytics: up to 26 months
- Crash logs: up to 90 days
- Records we must keep for legal/accounting reasons: as required by law
After account deletion, we anonymize remaining data within 30 days. Aggregated, anonymized statistics may be retained.
8. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or object to the processing of your data; to data portability; and to withdraw consent at any time. EU/EEA users have these rights under the GDPR; California users have rights under the CCPA, including to know, delete, and opt out of any "sale" of data (we do not sell data).
To exercise any right, email bevitahealthapp@gmail.com or use the in-app data export and deletion tools (Settings → Privacy). We respond within the timeframes required by law (30 days under GDPR; 45 days under CCPA).
9. Children's Privacy
Bevita is not intended for users under 18. We do not knowingly collect data from children under 18. If you believe a minor has created an account, contact us at bevitahealthapp@gmail.com and we will delete the data.
10. Sharing with Healthcare Providers
You can choose to share your data with a healthcare provider via PDF export, which you control. We do not share your data with any healthcare provider without your explicit action.
11. Account Deletion
To delete your account: Settings → Account → Delete Account, then confirm. All data is queued for deletion within 30 days. You can also email bevitahealthapp@gmail.com to request deletion.
12. Changes to This Policy
We may update this policy. Material changes will be communicated in-app and/or by email, and you may be asked to re-accept the policy where required.
13. Contact
Bevita — operated by Leonid Iakovlev, Tbilisi, Georgia.
Privacy & data requests: bevitahealthapp@gmail.com