Privacy Policy
Last updated: March 2026
Data Controller
EVA Health S.L., headquartered in Madrid, Spain, is the data controller responsible for your personal data. You can reach us at hello@evahealth.es.
What We Collect
Account information: Name, email address, and authentication credentials when you create an account.
Health biomarker data: Blood test results, biomarker values, and calculated health metrics. This is classified as special category data under GDPR Article 9 and is only processed with your explicit consent.
Wearable data: If you connect a wearable device, we receive heart rate variability, sleep data, resting heart rate, recovery scores, and activity metrics.
Usage analytics: We use Plausible Analytics, which is privacy-friendly and does not use cookies or track individual users. We collect aggregate page views and traffic sources only.
Legal Basis for Processing
Explicit consent (GDPR Article 9(2)(a)): Required before we process any health or biomarker data. You provide this consent during signup and can withdraw it at any time.
Contract performance (GDPR Article 6(1)(b)): Processing necessary to provide your subscription service, deliver results, and manage your account.
Legitimate interest (GDPR Article 6(1)(f)): Aggregate, anonymised analytics to improve our service. No personal data is involved in this processing.
Health Data Consent
Your health data is special category data under GDPR. We will never process your biomarker results, wearable data, or any health-related information without your explicit, informed consent. This consent is collected separately during account creation and can be withdrawn at any time through your account settings or by contacting us.
How We Store Your Data
All data is stored on Supabase infrastructure within the European Union, encrypted at rest and in transit. We do not transfer your health data outside the EU.
Third-Party Processors
We work with the following processors, all bound by data processing agreements:
- Supabase — Database and authentication (EU region)
- Stripe — Payment processing (PCI DSS compliant, does not receive health data)
- Anthropic — AI-powered health analysis (processes biomarker data to generate insights, under strict data processing agreement)
- Resend — Transactional emails (receives email addresses only)
- Plausible Analytics — Privacy-friendly web analytics (no personal data, no cookies)
- Sentry — Error monitoring (no health data is sent to Sentry)
Data Retention
Active accounts: Your data is retained for as long as your account is active.
After deletion: Account data is permanently deleted within 30 days of account deletion. Health data is deleted immediately upon request.
Legal obligations: We may retain certain data as required by Spanish tax and commercial law.
Your Rights
Under GDPR, you have the right to:
- Access — Request a copy of all personal data we hold about you
- Rectification — Correct any inaccurate personal data
- Erasure — Request deletion of your personal data
- Portability — Receive your data in a structured, machine-readable format
- Withdraw consent — Withdraw your consent for health data processing at any time
- Object — Object to processing based on legitimate interest
- Lodge a complaint — File a complaint with the Agencia Española de Protección de Datos (AEPD), the Spanish Data Protection Authority, at www.aepd.es
To exercise any of these rights, contact us at hello@evahealth.es.
Contact
For any privacy-related questions or to exercise your rights:
EVA Health S.L.
Madrid, Spain
hello@evahealth.es