Privacy Policy

Account information. When you create a Vivy account, we collect your email address, display name, and authentication credentials managed by Firebase Authentication.

Health and protocol data. You voluntarily enter protocol details, dosage logs, biomarker measurements, and check-in data. This data is stored in Firestore under your authenticated user ID and is never sold.

Usage data. We collect anonymized, aggregated analytics about feature usage (screen views, session duration, tap events) using Firebase Analytics. No individual health events are included in analytics payloads.

Device information. Device model, operating system version, app version, and crash logs are collected through Firebase Crashlytics to improve stability.

Communications. If you contact us by email, we retain that correspondence to resolve your inquiry.

Service delivery. Your health and protocol data is used exclusively to provide the Vivy app experience — logging, tracking, AI-powered recommendations, and biomarker insights.

AI personalization. Our AI health agent uses your stack and logged data to surface contextual recommendations. This processing happens server-side in our Firebase Cloud Functions environment. Your raw data is never sent to third-party AI providers — only anonymized, aggregated signals are used for model improvement.

We do not train third-party AI models on your health data. We do not send your personal health data, protocol logs, biomarkers, or any other data that could identify you to outside AI companies to be used as training material for their foundation models. When Vivy's own AI needs to improve — for example, to get better at suggesting relevant content — we train only on aggregated or de-identified data. That means the data has been stripped of direct identifiers (like your name, email, and user ID) and combined with data from many other users so that no single person can be picked back out. If this ever changes in the future, we will update this policy, notify you in the app, and give you a chance to opt out before the new use takes effect.

Safety and compliance. We may use your data to detect safety-relevant interactions or flag patterns that could represent a risk, as part of our health safety commitment.

Communication. With your consent, we may send product updates, protocol reminders, and educational content. You can opt out at any time.

Disclosure. Vivy operates a set of branded accounts — collectively referred to as the "Vivy Team" — that post educational content, commentary, and replies inside the Vivy community and on external platforms (including X, LinkedIn, Instagram, Threads, and TikTok). Some or all content from these accounts is generated or assisted by artificial intelligence under human editorial review.

Where this is surfaced. Each Vivy Team profile carries a clear notice on its profile page, and a full directory of AI-assisted accounts is maintained at heyvivy.com/community/ai-companions. This disclosure is provided in accordance with California SB 1001 (bot disclosure), FTC Section 5 (deceptive practices guidance), and equivalent transparency obligations in other jurisdictions.

What these accounts may collect. If you reply to, DM, or otherwise interact with a Vivy Team account, your message content, username, and timestamp are processed so we can generate a response and improve safety filtering. This data is treated under the same protections as the rest of your account data.

Your choice. You are never required to interact with a Vivy Team account to use Vivy. You may block, mute, or ignore any such account at any time.

No impersonation of real people. Vivy Team personas do not represent real individuals, do not claim medical credentials they do not hold, and do not make individualized medical claims.

We do not sell your data. Full stop.

Service providers. We work with Firebase (Google Cloud) as our infrastructure provider. Data processed by Firebase is governed by Google's data processing terms and by a signed Business Associate Agreement (BAA) with Google Cloud for HIPAA-covered data handling, effective April 20, 2026.

Legal requirements. We may disclose information if required by law, court order, or to protect the rights, property, or safety of Vivy, our users, or the public.

Business transfers. In the event of a merger or acquisition, user data may be transferred as part of that transaction. You will be notified in advance.

We retain your account and health data for as long as your account is active. You may request deletion of your account and all associated data at any time through the app (Settings → Account → Delete Account) or by emailing support@heyvivy.com.

Deleted data is purged from our primary databases within 30 days and from backups within 90 days.

AI companion conversation logs. Messages exchanged with Vivy Team (AI-assisted) accounts — including replies, DMs, and community interactions — are retained for up to 90 days for safety review, abuse detection, and quality improvement, then automatically purged. Before any internal review, these logs are passed through an automated PII scrubber that redacts email addresses, phone numbers, physical addresses, and other direct identifiers.

Active-account, post-deletion, and moderation retention. While your account is active, we keep the personal health data you've entered so the app can show it back to you and generate your insights. If you delete your account, we remove your personal health data from our primary databases within thirty (30) days. De-identified, aggregated data — data that can no longer be linked back to you — may be kept indefinitely for product analytics and to improve Vivy's own models. Separately, posts or comments that have been flagged for moderation review are retained for up to ninety (90) days after the flag is resolved, so our moderation team can audit decisions, handle appeals, and detect patterns of abuse. After 90 days, flagged content is purged unless it is subject to a legal hold.

Audit and compliance logs. HIPAA-relevant audit entries are retained in a hot tier for 180 days and archived to a cold tier for six (6) years as required by 45 CFR §164.316(b)(2).

All data is encrypted in transit (TLS 1.3) and at rest (AES-256 via Google Cloud). Firestore security rules enforce user-level read/write isolation — no user can access another user's data.

We maintain a SOC 2-aligned security program and conduct regular security reviews. Our Firebase project operates under a signed Business Associate Agreement (BAA) with Google Cloud for HIPAA-covered data handling, effective April 20, 2026.

Access. You can export all your data from Settings → Account → Export Data.

Correction. You can edit any data you've entered through the app.

Deletion. You can delete your account and all associated data at any time.

Portability. Exported data is provided in JSON format.

California residents (CCPA). You have the right to know what personal information we collect, to opt out of the sale of personal information (we don't sell it), and to non-discrimination for exercising your rights.

EEA/UK residents (GDPR). You have the right to access, rectification, erasure, restriction of processing, data portability, and to object to processing. To exercise any right, contact support@heyvivy.com.

Vivy is not intended for users under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a minor has provided personal information, we will delete it promptly.

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top and notify you via in-app notification for material changes. Continued use of the app after changes constitutes acceptance of the updated policy.

For privacy inquiries, data requests, or to exercise your rights, contact our Privacy Team at support@heyvivy.com.