Savva Privacy Policy

Last updated: September 19, 2025

Vircode, Inc. (“Savva,” “we,” “us”) respects your privacy. This Privacy Policy explains what information we collect, why we collect it, how we use and share it, how long we keep it, and the choices and rights you have.

Savva operates various websites (including those located at www.savva.ai) for communicating with the public regarding our company and the Savva app‑based health and fitness platform (the “Platform”). The Platform allows you to connect the Platform’s mobile app running on your device to (i) a health and fitness application (such as Apple Health or Google Fit) also running on your device and/or (ii) one or more Electronic Health Record (“EHR”) systems of your healthcare providers. Data from these sources (“Health Data”) is used by the Platform to provide you with organizational features and insights regarding the data. To increase the privacy of your data, you must actively opt into each connection, and any connected Health Data remains on your device. The Platform was intentionally designed such that there is no need for the Health Data to be sent to Savva for the normal operation of the Platform. You get the benefit of Health and Fitness insights about your data right on your device and you are in control of your Health Data. The only time that your Health Data may be sent to Savva is if you actively opt into an advanced feature that expressly requires such a transmission or you make a support request that inherently requires transmission of a segment of data to resolve the particular support query. In either case, you will be fully aware of what Health Data is leaving your device. Our various websites never collect or process your Health Data.

Specific details are provided below in this Policy. If you do not agree with this Policy, please do not use the Platform or our websites.

1) Who We Are & What This Policy Covers

Controller / Data fiduciary: Vircode, Inc. (Savva).
What’s covered by this Policy: Our mobile apps, our websites, your Health Data, other data processed by Savva (e.g., user input form data collected via our websites, messages, etc.).
Contact: support@savva.ai • 4581 WESTON RD, PMB#141, WESTON, FL 33331
Note (Health Data default): Health Data you choose to connect (Apple Health, Google Fit, EHR) is processed on your device by default. Savva’s servers do not receive or store that content unless you explicitly transmit it to Savva (e.g., a support request), opt into an advanced feature that requires such transfer, or opt-in for cloud AI inference

2) Our Data Map & Notice at Collection

Savva collects and processes the following categories of data:

Data Category	Examples of What We Collect	Purposes of Use	To Which Vendor Processors Do We Disclose Such Data¹
Personal Identifiers	App instance ID; device registration ID (unique to your device, not linked to name or email); IP address; user agent; device model/OS; time zone/locale; coarse location (from IP); push notification tokens (if enabled)	Provide & secure the service; diagnostics; fraud/security; legal compliance; send push notifications for subscribed features	Hosting & infrastructure; security/monitoring; support tools
Internet and Network Activity	Pages/screens viewed; event/diagnostic telemetry	Functionality, performance, debugging; aggregate analytics	Hosting & infrastructure; analytics tooling; error monitoring
Geolocation (general)	Country/region inferred from IP	Localization; fraud/security	Hosting & infrastructure; security/monitoring
Non‑Health Data User Content & Communications	Customer support messages sent by you to us; forms you submit (neither include Health Data unless you actively attach it)²	Customer support; service notices	Support tooling; ticketing
Sensitive Personal Information (Health Data)	Apple Health, Google Fit and/or EHR Health Data you choose to connect	Deliver requested features; on‑device insights; no advertising/profiling based on Health Data	If you opt in to cloud‑based AI inference: your selected third‑party AI provider (see §12); hosting/support processors under DPA
Cloud AI Inference (optional)	Fitness and medical records you choose to send for AI analysis; usage/billing logs	Provide AI‑powered insights via third‑party inference providers you select; billing	Your selected AI inference provider only

Data Category	Retention
Personal Identifiers	IP & diagnostics logs: ~30 days; security logs: ≤12 months; metadata related to your giving consent is retained indefinitely for compliance purposes
Internet and Network Activity	Diagnostics data: ~30 days; aggregated analytics ≤13 months
Geolocation (general)	IP logs: ~30 days
Non‑Health Data User Content & Communications	As needed for support and legal/compliance requirements
Sensitive Personal Information (Health Data)	We do not store or have access to Health Data; it is kept on your device. You can remove the app from your device at any time.

¹ Disclosures to vendor processors occur as necessary to the functioning of the Platform or our websites and such disclosure is limited to that purpose. We do not sell or share data with third parties.
² Currently, the main features related to Health Data do not have data disclosed to vendor processors since such data remains on your device. If you attach Health Data to a support request or user submission form, such data may be disclosed to support tooling and ticketing vendors. If we offer any feature that will involve the transfer of your Health Data from your device to Savva we will do so only with specific opt‑in consent from you (in such a case, such data may be disclosed to hosting/support processors solely for the purpose of delivering the feature and under appropriate contractual data processing agreements).

General Notes

We do not sell or share your data with third parties.
Health Data: your Health Data is on your device and never used for advertising, profiling, or sale. You can withdraw consent to processing your Health Data in Settings.
We process your Health Data based on your providing opt‑in explicit consent. We process other data based on your consent, legitimate interests, and contract. Where we rely on legitimate interests, our interests are service security, fraud prevention, diagnostics, and product performance. We balance these against your interests and rights.
Notice at Collection (for California and other states where required): This Privacy Policy is provided to you at the time of/before the collection of data. The tables above give the categories, purposes, and retention periods for the categories of data processed. We do not sell/share the data referenced in these tables.
Non‑essential SDKs/cookies: Our websites do not utilize cookies. We will only use non‑essential SDKs after you provide consent. Our websites utilize Global Privacy Control (GPC) where required.

3) Where We Get Data

From you/your devices via our apps/web (including OS‑level health APIs you permit). For example, when you connect to an EHR of your health provider, data is transferred from the EHR to your mobile device. When you connect our mobile app to a health/fitness app (Google Fit/Apple Health) on your device, we utilize information from those apps in our mobile app on your device.
Non‑Health Data User Content & communications you send us (forms, uploads, messages).
Automatic app/web signals (diagnostics, performance).
Service providers acting on our instructions (e.g., hosting, error reporting).
For data we do not collect directly from you, typical sources are: OS and device providers (e.g., Apple/Google) for health API permissions, authentication and support tools, hosting/monitoring providers, and app stores.

4) Sharing & Third Parties

We disclose Personal Information as set forth and the tables above and with the following conditions.

As set out in the tables above, we disclose certain data to our Vendor Service providers/processors who are bound by written contracts to use your data only for our instructions, with equivalent or stronger controls; they must flow down obligations to any of their sub‑processors.
Same‑liability commitment: Where the law permits, we hold service providers (and their sub‑processors) to the same level of protection and responsibility that applies to us, and we remain responsible for their on‑our‑behalf processing.
Corporate transactions: Custody of your Personal Information may be transferred as part of a merger, acquisition, financing, reorganization, bankruptcy, or sale of the assets of Vircode, Inc. The recipient must honor this Policy or give you new, legally required choices before any different use. In the case of a corporate transfer, you will be informed of such a transfer of ownership and will always have the right to delete the mobile app from your mobile device (thereby removing consent to processing your Health Data stored on your device) or to continue use under the new ownership. Additionally, you may have other rights with respect to your data (e.g., those discussed in Section 7 below).
We may disclose your Personal Information to anyone to whom you explicitly direct us to disclose it (e.g., you export a report to a clinician).
When legally permitted we may disclose your Personal Information for legal and/or safety reasons (to comply with the law or protect users, our company, or others).
We do not sell or share Personal Information for cross‑context behavioral advertising. Health Data is never used for advertising.

5) International Transfers

Your data may be processed in the United States or other countries where we/our service providers operate.
Your Health Data is maintained on your device by default: This design minimizes cross‑border transfers of sensitive health data. Wherever your device is located, that is where your Health Data is located.
We require our providers and their sub‑processors to flow‑down equal safeguards to those in this Privacy Policy and require them to support your rights, regardless of their location.
You can request a copy/summary of our transfer safeguards by emailing support@savva.ai (commercial terms may be redacted).

6) Data Retention

IP/diagnostics logs: ~30 days
Security logs: ≤12 months
Aggregated analytics: ≤13 months
Consent metadata: maintained indefinitely
Health/EHR data: controlled on your device; not stored or processed on our servers (unless you explicitly and actively attach it to a communication to us and/or provide us opt‑in consent for a cloud‑based feature that utilizes your Health Data). You can delete the Savva mobile app at any time.

We delete or de‑identify data in our possession when it is no longer needed.

7) Your Rights & Controls

Where the law applies (e.g., EU/UK GDPR; CA/CO/CT/DE/FL/IA/IN/KY/MD/MN/MT/NE/NH/NJ/OR/RI/TN/TX/UT/VA), you may have some or all of the following rights related to your data:

Access / Know (get a copy)
Correct inaccuracies
Delete personal data¹
Portability (receive in usable format)²
Restrict / Object to certain processing (GDPR)
Opt‑out of targeted advertising, sale, and certain profiling³; we don’t sell/share or do impactful profiling
Withdraw consent (for health/sensitive data and non‑essential SDKs) at any time⁴
Appeal a decision we make on your request

¹ You can request that we delete 100% of the data that we have in our possession. We will comply with such request. However, because your Health Data is stored on your mobile device, you must also delete the mobile app from your device. Upon such a request to delete your data, your “account” with us will be deleted within forty‑five (45) days.
² With respect to your Health Data, the only copy utilized by the Platform is located on your mobile device and is already in a portable format usable by you.
³ We do not sell or share your data or do impactful profiling.
⁴ With respect to your Health Data, you can withdraw consent at any time by deleting the mobile app. We do not currently use non‑essential SDKs with our mobile app or website. If we do in the future, you will be provided a functionality to withdraw your consent.

The Platform does not make automated decisions with legal or similarly significant effects: We do not make decisions about you based solely on automated processing (including profiling) that produce legal or similarly significant effects (Art. 22 GDPR).

How to exercise your rights: Email support@savva.ai (or use any in‑app/web form we provide). We reserve the right to confirm your request using information sufficient to verify your (or your agent’s) identity where applicable and/or required by law.

Timing: We respond within legal timelines (e.g., 45 days, extendable once if reasonably necessary; appeals answered within 60 days or sooner if required).

Regulators: GDPR users can also complain to a local Data Protection Authority; we’ll share links on request. You also have the right to lodge a complaint with your EU/EEA Data Protection Authority or the UK Information Commissioner’s Office (ICO).

Important Note: Our mobile application requires health and EHR data access for basic functionality; removing your consent to Savva to store and process data within the application on your device will require deletion of the application itself.

8) Cookies, “Do Not Track,” and Global Privacy Control

Cookies: We don’t currently use cookies. If we introduce them on our website, we’ll ask for consent where required and provide controls. For our mobile app, we use device‑local identifiers (e.g., tokens/keys) to remember settings on your device.
Do Not Track (DNT): No industry standard exists; we don’t respond to DNT. Learn more at allaboutdnt.com.
GPC / Universal Opt‑Out Mechanisms: We do not currently use cookies on our websites and do not utilize targeted advertising. However, if and where required (e.g., Colorado), we honor recognized UOOMs including Global Privacy Control (GPC) to effect your opt‑out choices.

9) Security

We use administrative, technical, and physical safeguards appropriate to the data we process (encryption in transit/at rest, least‑privilege access, monitoring). No system is 100% secure. If a security incident affects you, we’ll notify you and regulators as required by law.

You acknowledge that your Health Data that is utilized by the Platform is maintained on your mobile device. Beyond Savva’s measures taken in design of its mobile app (e.g., encrypting your data stored on your device), Savva cannot control the physical security of your mobile device. You are solely responsible for your mobile device and to whom you give access (including giving access to the Savva mobile app).

10) Children

Our Platform is not intended for individuals under 18. If you think a child gave us information, contact support@savva.ai so we can delete it.

11) Consumer Health Data Specifics

We collect Consumer Health Data (CHD) (i.e., your Health Data) only when you opt in (e.g., using Apple Health/Google Fit and/or EHR data connections/imports to the Platform).
We do not sell your CHD.
If a feature requires CHD to leave your device, we’ll request explicit consent to collect and a separate explicit consent to disclose to our processors (hosting/support).
The Platform does not utilize geofencing around health‑care facilities.
You may access/delete CHD and withdraw consent anytime in Settings.

12) Third‑Party Integrations

If you connect a third-party system (e.g. EHR), your data with that system is governed by their privacy policy. When authentication routes through Savva, we do not receive your FHIR resources unless you explicitly direct us to (e.g., export/share).

Cloud-Based AI Inference (Optional Feature)

If you opt in to cloud-based AI inference, your fitness and medical records will be sent to the third-party AI inference provider you select in the app. Available providers are: OpenAI, Google Cloud, Alibaba Cloud, Moonshot AI, Anthropic, Mistral AI, and x.ai. Your data will only be sent to the provider you choose. Our server facilitates this transfer but does not save your chat history or medical information. We do save and log usage on our server for billing purposes. Each provider’s processing of your data is governed by their respective privacy policy.

13) Changes to this Policy

We may update this Policy. If changes are material, we’ll let you know as the law requires. Using the Platform after changes take effect means you accept the updated Policy.

14) Contact us

Questions or requests: support@savva.ai
Address: 4581 WESTON RD, PMB#141, WESTON, FL 33331