Ava Longevity
Privacy Policy
Effective 18 April 2026 · Version 2026-04-18
Your privacy matters. This policy explains what data Ava Longevity collects, how we use it, the third parties we share it with, and the control you have over it under the EU General Data Protection Regulation (GDPR).
Special-category health data (GDPR Article 9)
- Ava processes data concerning your health: menstrual cycle, hormonal symptoms, blood marker values (if you upload a lab report) and responses to our lifestyle questionnaire. Under GDPR Article 9, this is “special-category data” and requires your explicit consent.
- During onboarding we ask for an explicit, affirmative opt-in. You can withdraw consent at any time from the Profile screen, by deleting your account, or by emailing support@avalongevity.com.
- We keep an audit trail of your consent (when you gave it, which version of this policy, and the IP/user-agent at the moment of consent) for up to 3 years, as required to prove lawful processing.
- Ava is a wellness platform and does not diagnose, treat or prevent any disease. The Lifestyle Biological Age and Longevity Score are lifestyle indicators, not medical measurements.
What we collect
- Your email address when you create an account.
- Your age, height, weight and body measurements (optional).
- Your cycle data: last period date, cycle length, regularity, reproductive stage and contraception (optional).
- Your lifestyle data: wake and bed times, diet, exercise, caffeine, alcohol and supplements.
- Your answers to the Ava lifestyle questionnaire and the scores we calculate from them.
- Meal photos or descriptions you voluntarily submit for analysis.
- Blood lab reports you voluntarily upload; we extract the numeric values using AI vision and discard the original image within 24 hours.
- Daily check-ins, protocol completions, mood and symptom logs you choose to record.
- If connected, wearable data from WHOOP (recovery, HRV, sleep) and calendar availability from Google or iCal.
How we use your data
- We use your profile, cycle and diagnostic information to generate your personalised Ava protocol.
- We compute your Lifestyle Biological Age, Longevity Score and system scores from your answers.
- We generate cycle-aware recipes and meal analyses tailored to you.
- We use your data only to deliver and improve the Ava experience.
How we store and process it
- Your data is stored on secure, GDPR-compliant cloud infrastructure (Supabase, EU region where available).
- Personalised content is generated with the help of large language models (OpenAI). Only the minimum context needed for each response is shared. Under OpenAI’s API terms, prompts submitted via the API are not used to train their models.
- All traffic between the app and our services is encrypted in transit (HTTPS / TLS 1.2+).
- All data is encrypted at rest on our servers.
- Access is limited to the authenticated account that owns the data. Engineering access to production data is restricted to a named list of administrators and logged.
Sub-processors we use
- Supabase (EU/US) — database, authentication and storage for your profile, logs and uploads.
- Vercel (US) — hosting of the web application and privacy-friendly product analytics.
- OpenAI (US) — language-model responses, meal photo analysis and blood lab OCR. Processed under OpenAI’s API data processing terms; data is not used to train their models.
- SendBlue (US) — delivery of iMessage and SMS nudges. Only your phone number and the message body are shared.
- Twilio (US) — fallback SMS delivery in countries where iMessage is not available.
- WHOOP (US) — optional wearable integration. Only activated if you explicitly connect your WHOOP account.
- Google Calendar / Apple iCal — optional calendar availability. Only activated if you explicitly connect.
- Stripe (US/EU) — payment processing if you subscribe to a paid plan. We never see or store your full card details.
International data transfers
- Several of our sub-processors are located outside the European Economic Area, mainly in the United States.
- These transfers are covered by the European Commission’s Standard Contractual Clauses (SCCs, 2021/914) signed with each vendor, together with supplementary technical measures (encryption in transit and at rest, pseudonymisation where possible).
- We rely on the EU-US Data Privacy Framework where a vendor is certified under it.
- A Data Transfer Impact Assessment (DTIA) is maintained on file and can be shared with regulators on request.
How long we keep your data
- Account data (profile, cycle, lifestyle answers, daily logs): for as long as your account is active.
- Blood lab report images: deleted within 24 hours of upload; only the extracted numeric values are retained.
- Consent audit trail: up to 3 years after you withdraw consent or delete your account, as required to prove lawful processing.
- Encrypted backups: purged within 30 days of account deletion.
- Billing records: retained for the period required by applicable tax law (typically up to 10 years in the EU).
We do not sell your data
- We do not sell, rent or trade your personal data.
- We do not share your data with advertisers.
- We do not track you across other apps or websites.
Your GDPR rights
- Access: request a copy of the data we hold about you.
- Correction: update inaccurate data directly in the app or by writing to us.
- Deletion: request the full deletion of your account and associated data at any time.
- Portability: receive your data in a structured, machine-readable format.
- Objection: ask us to limit or stop specific processing.
How to delete your data
- Open the app, go to the Profile screen and tap “Delete my account”. You will be asked to type DELETE to confirm.
- Alternatively, email support@avalongevity.com from your registered email address and request account deletion.
- We remove your profile, cycle data, lifestyle answers, scores, meal logs, daily logs, wearable data and connected-account tokens from our live systems immediately.
- Encrypted backups are purged within 30 days.
- A minimal record of your deletion request and consent withdrawal is retained for up to 3 years to demonstrate compliance with GDPR, and cannot be linked back to your identity.
Data controller and contact
- The controller of your personal data is Ava Longevity.
- For any privacy question, data subject request, or to contact our data protection point-of-contact, email support@avalongevity.com.
- You have the right to lodge a complaint with your local data protection authority if you believe your rights have been infringed.
Children
- Ava Longevity is designed for adult women aged 18 and older.
- We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we will close it.
Changes to this policy
- We may update this policy to reflect product or legal changes.
- Material changes will be communicated in the app before they take effect.
By using Ava Longevity, you confirm that you have read and understood this Privacy Policy.