Last updated: September 22, 2025

Privacy Policy

Welcome to EdenVault ("EdenVault", "we", "us", "our"). We are committed to protecting your privacy and handling your data transparently and securely. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use EdenVault’s mobile and web applications, services, and websites (collectively, the "Services").

Note: This policy is designed to align with the EU General Data Protection Regulation (GDPR) and adopts safeguards consistent with the U.S. HIPAA Security Rule where applicable. EdenVault may act as a Business Associate when we provide services to HIPAA-covered entities; otherwise, HIPAA may not apply to consumer use of the app. This document does not constitute legal advice.

1. Who We Are (Data Controller / Business Associate)

For users in the EEA/UK, EdenVault is the data controller for personal data processed via the Services unless stated otherwise. Where we process Protected Health Information (PHI) on behalf of a HIPAA-covered entity, we do so as a Business Associate under a Business Associate Agreement (BAA).

Contact: contact@edenvault.co

2. Information We Collect

2.1 You provide

Account data (name, email, password).
Profile data (age range, height, weight – optional).
Support communications and feedback.
Consent choices and privacy preferences.

2.2 Collected from devices/sources you connect

Health metrics: daily steps, heart rate, blood pressure (where devices/apps permit).
Device/app metadata: app version, device model, OS, diagnostic logs.
Approximate location (if you enable it) for regional rewards and fraud prevention.

We collect health data only with your explicit consent and only from sources you authorize (e.g., HealthKit, Google Fit, connected wearables). You may withdraw consent at any time from your settings; withdrawal will not affect prior lawful processing.

3. How We Use Your Information (Purposes & Legal Bases)

Provide and operate the Services (lawful bases: performance of a contract; legitimate interests).
Measure activity and award points and rewards (consent for health metrics; performance of a contract).
Personalize in-app experience (consent/legitimate interests).
Communicate with you about security, updates, and support (legitimate interests/legal obligation).
Research and product improvement using aggregated or de-identified data (legitimate interests).
Compliance, security, and fraud prevention (legal obligation/legitimate interests).

4. Sharing and Disclosure

Vetted processors (sub‑processors) for hosting, analytics, and support under data processing agreements.
Rewards partners to fulfill redemptions and offers you choose. We share only the minimum necessary information.
Legal and safety where required by law or to protect rights, safety, or the integrity of the Services.
Business transfers in connection with a merger, acquisition, or asset sale, subject to this Policy.

We do not sell your personal data.

5. International Data Transfers

If we transfer your personal data outside your jurisdiction, we use appropriate safeguards such as EU Standard Contractual Clauses (SCCs) and implement technical and organizational measures to protect your data.

6. Data Retention

We retain personal data only as long as necessary for the purposes described above, to comply with legal obligations, resolve disputes, and enforce our agreements. You can request deletion at any time (see Rights below).

7. Security

We apply safeguards consistent with industry standards and HIPAA Security Rule principles, including encryption in transit and at rest, access controls, audit logging, least-privilege, and regular security assessments. No method of transmission or storage is 100% secure.

8. Your Rights

Depending on your location, you may have rights to:

Access, correct, or delete your data.
Port your data to another service.
Object to or restrict processing.
Withdraw consent (for health metrics and marketing) at any time.
Lodge a complaint with your supervisory authority (e.g., in the EEA/UK).

Submit requests by emailing contact@edenvault.co.

9. Children’s Privacy

The Services are not directed to children under 13 (or the minimum age required by your jurisdiction). We do not knowingly collect personal data from children without appropriate consent.

10. Third-Party Services & SDKs

Third-party integrations you choose to connect (e.g., Apple Health, Google Fit, wearables, rewards partners) are governed by their own policies. Please review those policies before enabling integrations.

11. Changes to This Policy

We may update this Policy from time to time. We will notify you of material changes via in‑app notice or email and update the "Last updated" date above.