Privacy Policy

Last updated: 30 May 2026

This policy describes what data we collect, why we collect it, how we store it, and what rights you have. In short: we collect the minimum necessary, encrypt health data, do not share it with advertising networks, and let you export or delete it in one click.

1. Who collects your data

The data controller is the company that develops and maintains the INVY app (hereinafter "we"). For questions related to the processing of personal data, contact us at [email protected].

2. What data we collect

Account data: email address, name or username, date of birth, sex, height, weight (the last three are optional).

Health and tracking data: biomarkers from lab results (glucose, insulin, HbA1c, lipids, HOMA index, and others), nutrition logs, activity (steps, workouts), wellbeing (mood, energy, symptoms), supplement and vitamin intake.

Technical data: device type, OS version, interface language, anonymous in-app interaction events, crash information — so we can fix issues.

3. How we use your data

To show you personalised charts and trends, build INVY AI recommendations, send notifications that you have enabled yourself, improve the product based on anonymised statistics, and fulfil our legal obligations (taxes, accounting).

We do not use your health data for advertising and do not share it with advertising networks, insurance companies, or any third parties for commercial purposes.

4. Legal basis

We process your data on the basis of your consent (for health and sensitive data), contract performance (to provide the service), legitimate interest (for security), and compliance with Ukrainian law (for accounting and tax records). You may withdraw your consent to the processing of health data at any time.

5. Where and how we store your data

All data is stored on servers in Europe (EU/EEA) with backups. Health data is end-to-end encrypted — even our team cannot see the content of your records, only aggregated statistics that are not linked to any individual. We use industry-standard security: TLS 1.3 for transmission, AES-256 for storage, regular audits, and restricted staff access.

6. How long we retain your data

Data in an active account is retained for as long as you use the service. After account deletion — up to 30 days in backups, then permanent erasure. Financial records — 3 years, as required by law. Anonymous statistics — indefinitely, as they contain no identifiers.

7. Who we share your data with

We share your data only with processors with whom we have a data processing agreement: our hosting provider (storage on EU servers), payment provider (processing payments — we do not store card numbers), email service (transactional emails), analytics services (anonymised events only, no health data).

8. Cookies and analytics

On the website we use the minimum necessary cookies — for session operation and saving preferences such as your language.

We use Microsoft Clarity to understand how visitors interact with this landing page, through anonymised heatmaps and session recordings. Clarity is configured with strict content masking, so the text you type and personal details are hidden, and no health data is collected on the website. Clarity loads only after you accept analytics via the cookie banner — if you decline, it never runs. You can change your choice at any time using the "Cookie settings" link in the footer. Microsoft processes this data as described in the Microsoft Privacy Statement.

We also use Google Analytics 4 (GA4) to measure anonymised traffic and understand which channels bring visitors. IP addresses are anonymised, and Google Signals and ad personalisation are disabled, so the data is not used to build advertising profiles. GA4 loads only after you accept analytics via the cookie banner — if you decline, it never runs. Google processes this data as described in the Google Privacy Policy.

9. Your rights

Under applicable law, you have the right to: find out what data we process about you; receive a copy in a machine-readable format; correct inaccurate data; have your data deleted ("right to be forgotten"); restrict processing; withdraw consent; and lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights.

Most of these actions can be performed in your account settings. If you are unable to do so, write to [email protected] and we will help you within 30 days.

10. How to delete your data

In the app: Settings → Account → Delete account. Data is erased from active servers immediately and from backups within 30 days. No support ticket is needed. If you want to delete only part of your data, you can do so in the history without deleting your account.

11. Children

INVY is not intended for persons under the age of 18. We do not knowingly collect data from children. If you are a parent or guardian and discover that your child has registered with us, please write to [email protected] and we will delete the account within 24 hours.

12. Changes to this policy

If we update this policy, we will notify you by email and via an in-app banner at least 14 days before the changes take effect. If the changes restrict your rights, we will ask for your consent again.

13. Contacts

Privacy: [email protected]
General enquiries: [email protected]
Legal requests: [email protected]