Privacy Policy
anonymised daily metric totals (e.g. step count, sleep hours, mood score) may be processed by our EU-based AI
service to provide you with deeper insights. You can export or delete all your data at any time.
A. General Provisions
A1. Scope of This Privacy Policy
Thank you for your interest in our app myvyo and our website https://myvyo.ai.
The protection of your personal data (hereinafter “data”) is of great importance to us. Below, we will inform you
in detail about what data is collected when using our app, visiting our website, and using our services, as well as
how this data is processed or used, and what accompanying protective measures we have implemented both technically
and organisationally.
A2. Data Controller / Service Provider
The data controller within the meaning of the German Federal Data Protection Act (BDSG) and the European General
Data Protection Regulation (GDPR) and, at the same time, the service provider (German Digital Services Act (DDG))
is:
POLLION GmbH
Immanuelkirchstr. 14a
10405 Berlin
Germany
Managing Director: Dr. Nicolas Scharioth
Email: info@myvyo.ai
Phone: +49-30-51305057
See also our imprint: https://myvyo.ai/imprint
For questions or comments about this privacy policy, the use of your data, or data protection in general, please
contact: info@myvyo.ai
A3. Data Protection Officer
The Data Protection Officer of POLLION GmbH pursuant to BDSG and GDPR is:
Attorney Andrea Schweizer
Kanzlei Prof. Schweizer Rechtsanwaltsgesellschaft mbH
Schneckenburgerstraße 22
81675 Munich
Germany
Phone: +49-89-9280850
Email: andrea.schweizer@schweizer.eu
A4. Your Rights as a Data Subject
You have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR): You may request information about your personal data stored by
POLLION GmbH at any time, free of charge and without giving reasons. In the app, you can use the “Export All Data”
function in Settings.
- Right to Rectification (Art. 16 GDPR): You can request the correction of inaccurate or
incomplete data at any time. In the app, you can edit your manually entered data (mood, energy, notes) at any
time.
- Right to Erasure (Art. 17 GDPR): You can request the deletion of your data. In the app, you can
use the “Delete All Data” function in Settings.
- Right to Restriction of Processing (Art. 18 GDPR): You can request that your data only be stored
but no longer processed.
- Right to Data Portability (Art. 20 GDPR): You have the right to receive your data in a
structured, commonly used, and machine-readable format (JSON). Use the export function in the app settings for
this.
- Right to Object (Art. 21 GDPR): You can object to the processing of your data at any time,
insofar as the processing is based on Art. 6(1)(f) GDPR (legitimate interest).
- Right to Withdraw Consent (Art. 7(3) GDPR): You can withdraw a given consent at any time with
effect for the future. Cloud AI processing is linked to your Premium subscription; you can stop processing by
cancelling your subscription or reverting to the Free tier.
- Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with the
competent supervisory authority.
Competent supervisory authority:
Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219
10969 Berlin
Germany
A5. Communication with Us
a) Email
If you contact us by email, we will endeavour to respond to your enquiry promptly. We retain the corresponding
email correspondence for 5 years from the end of the year (or longer if legal retention obligations exist), so that
we can refer to it for subsequent enquiries.
As an email service, we use Gmail and other Google Workspace services from Google LLC based in the United States
(legal basis: Art. 6(1)(f) GDPR — legitimate interest in efficient communication). An EU adequacy decision applies
to Google LLC, so an adequate level of data protection can be assumed.
B. Data Processing in the App
B1. Data Stored Exclusively on Your Device
The following data is stored exclusively on your device and is never transmitted to our servers:
- Health data from Apple Health / Google Health Connect: Step count, sleep hours, resting heart
rate, heart rate variability (HRV), active calories, training minutes, VO2 Max, and other metrics — read with your
explicit permission via the Apple HealthKit / Google Health Connect API.
- Daily entries: Mood score (1–10), energy score (1–10), optional free-text notes.
- Daily summaries: Aggregated metric summaries generated once daily and stored in the device’s
local storage (UserDefaults / SharedPreferences).
- App settings: Notification settings, tracked metrics selection, daily targets — stored locally.
- On-device AI analysis: The app’s on-device AI engine analyses your local health data to
generate recommendations and nudges. No data leaves your device for this feature.
- Granular AI Consent: You can choose exactly which data categories are included in cloud
analysis via Settings → AI Processing. Only the categories you explicitly enable are shared.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing the core functionality of the app). For health
data, additionally your explicit consent (Art. 9(2)(a) GDPR).
B2. Cloud AI Processing (Premium Feature)
If you use a Premium subscription, a daily summary is sent to our AI proxy to provide you with
personalized deep-dive insights. This summary contains only anonymised, aggregated metric values —
for example: “8,234 steps, 7.5h sleep, Mood: 8/10, Energy: 7/10, HR: 62 bpm”.
We never send: Raw HealthKit/Health Connect sensor data, sub-daily timestamps, location data,
device identifiers, your name, or any other personally identifying information.
Usage Limits: To ensure service quality and prevent abuse, Cloud AI Insights are currently limited
to 10 requests per day per user.
Processing chain:
- Your app sends the anonymised daily summary via HTTPS (TLS 1.3) to our proxy server.
- The proxy server (hosted on Vercel, EU/US) forwards the request to Mistral AI (headquartered in
Paris, France).
- Mistral AI generates an AI analysis and returns the insight text.
- The proxy returns only the insight text to your app.
No data is stored on our proxy server. The proxy is entirely stateless.
Legal basis: Art. 6(1)(a) GDPR (your explicit consent). You can withdraw consent at any time in the app under
Settings → AI & Privacy.
B2a. User-Provided Notes (Cloud AI Processing)
When you save a free-text note in the app, you are asked to give explicit consent each time before
the note is saved. By consenting, you acknowledge that:
- Your note may be included in the daily summary sent to the Cloud AI service (see B2) for the purpose of
generating personalized insights.
- You are responsible for ensuring that the note does not contain sensitive personal data (e.g. health diagnoses,
names of third parties, financial information) that you do not wish to share with the AI service.
- Notes are processed under the same conditions as the anonymised daily summary (see B2): transmitted via HTTPS,
processed by Mistral AI, not stored on our proxy.
Legal basis: Art. 6(1)(a) GDPR (your explicit, per-use consent given at the time of saving the note).
You can withdraw future consent by simply not checking the consent box when saving new notes. Previously consented
notes that have already been processed cannot be retroactively removed from AI analysis, but no further processing
will occur.
B3. Subscription Management with RevenueCat
We use the service RevenueCat for managing premium subscriptions.
Provider:
RevenueCat, Inc.
San Francisco, CA
USA
RevenueCat receives the following data from Apple or Google:
- Anonymous user ID (automatically generated, no name or email),
- Subscription status (active, expired, cancelled),
- Product ID of the purchased subscription,
- Purchase and renewal timestamps.
RevenueCat receives no health data, mood scores, notes, or other content data from the app.
Legal basis: Art. 6(1)(b) GDPR (contract performance — provision of the premium subscription).
Privacy policy of RevenueCat: https://www.revenuecat.com/privacy
B4. Payment Processing via App Stores
Payment processing for subscriptions is handled exclusively by Apple (App Store) or Google (Play Store). POLLION
GmbH receives no payment data (credit card, IBAN, etc.) from you.
We only receive confirmation of your subscription status (active/inactive) via RevenueCat.
Legal basis: Art. 6(1)(b) GDPR (contract performance — payment processing).
- Privacy policy of Apple: https://www.apple.com/legal/privacy/
- Privacy policy of Google: https://policies.google.com/privacy
C. Data Processing on Our Website
C1. Hosting
We host our website https://myvyo.ai with a professional hosting provider. When you
visit our website, various log files, including your IP address, are automatically recorded.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable presentation of our website).
C2. Collection and Use of Your Data When Visiting the Website
For purely informational use of our website, it is generally not necessary for you to provide personal data.
Rather, in this case we only collect and use the data that your web browser automatically transmits to us:
- Date and time of the page request,
- Your device type,
- Your browser type and browser settings,
- The operating system used,
- The previously visited page (referrer URL),
- The amount of data transferred and access status,
- Your IP address (anonymised only).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technical provision and improvement of our offering).
C3. Use of Cookies
The website https://myvyo.ai uses so-called “cookies.” Cookies are small text files
that are stored either temporarily for the duration of a session (session cookies) or permanently (persistent
cookies) on your device.
Necessary Cookies (Without Consent)
The following cookies are technically necessary to provide the website to you (legal basis: Art. 6(1)(f) GDPR):
- Session cookie: To maintain your session,
- HTTPS cookie: To process encrypted communication,
- Cookie preference cookie: To store your cookie settings.
D. Disclosure of Data to Third Parties
We only share your data with third parties in the following cases:
- Mistral AI: Anonymised daily summary for AI analysis — only with your explicit consent (see
B2),
- Vercel: Proxy infrastructure for AI communication — only with your explicit consent (see B2),
- RevenueCat: Subscription management (see B3),
- Apple / Google: Payment processing (see B4),
- Google Workspace: Email communication (see A5),
- Legal obligation: When we are legally required to do so (e.g. upon requests from law
enforcement authorities).
We never sell your data to third parties.
We do not use advertising networks, analytics SDKs, or any third-party tracking services in the
app.
E. Data Retention
We store your data only as long as necessary for the respective purposes:
- On-device data: Until you use the “Delete All Data” function in Settings, or uninstall the app.
- AI proxy: No storage — the proxy is entirely stateless.
- Mistral AI: Subject to Mistral AI’s data retention policy. Anonymised inputs may be retained per their terms.
- RevenueCat: Subscription data is retained according to RevenueCat’s policies.
- Email correspondence: 5 years from the end of the year.
F. Data Security
We employ technical and organisational security measures to protect your data against accidental or intentional
manipulation, loss, destruction, or access by unauthorised persons:
- TLS encryption: All data transmissions from the app to our proxy are conducted over HTTPS (TLS
1.3).
- Bearer token authentication: The proxy validates requests with a bearer token before
processing.
- HealthKit/Health Connect sandboxing: Health data is protected by Apple’s or Google’s sandboxing
mechanisms and your device lock (passcode/biometrics).
- No server storage: Our proxy does not store any data — it only forwards.
- Data minimisation: We transmit only the minimally necessary, anonymised data to the AI service.
G. Special Notes on Health Data
Health data constitutes special categories of personal data pursuant to Art. 9 GDPR. We treat this data with the
utmost care:
- Health data is stored and processed exclusively on your device.
- The sharing of anonymised health metrics with the AI service takes place only with your explicit
consent (Art. 9(2)(a) GDPR).
- Apple HealthKit data is never used for advertising purposes, not sold to third parties, and not used outside the
app — in accordance with Apple’s HealthKit guidelines.
- myvyo is not a medical device and does not provide medical advice, diagnosis, or treatment.
H. Links to Other Websites and Services
Our website and app may contain links to websites of other providers. We have no influence on whether these
providers comply with data protection regulations. Please review the privacy policies of the linked sites
independently.
I. Age Restriction
myvyo is rated 17+ on the App Store. We do not knowingly collect data from users under 17 years of age.
J. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in the legal situation or changes to our
services. The current version is always available at https://myvyo.ai/privacy.
Data protection measures are subject to constant technical developments. For this reason, we ask you to inform
yourself about our data protection measures at regular intervals by reviewing our privacy policy.
© 2026 myvyo | POLLION GmbH | All rights reserved