
Privacy Policy

At a glance

  • What we collect: your account info, the answers you give to the wellness assessment, an optional short text label produced by the on-device face scan (e.g. "tired" — never the biometric data itself), and basic device diagnostics.
  • How we use it: to provide your personalised assessment and recommendations inside the Oliv™ app, and to respond when you contact support. We do not sell your data, do not run advertising, and do not share with third parties beyond what's required to deliver the app. Oliv is currently free to use; there are no payments.
  • Your rights: you can delete your account inside the app at any time. For any other request (access, correction, portability, withdrawing consent, complaints), email support@olivwellness.com.

1. Who we are

This Privacy Policy describes how {{LEGAL_ENTITY}} (referred to as "Oliv", "we", "us", or "our"), incorporated in the State of Wyoming, United States, with its principal place of business at {{ADDRESS}}, collects, uses, discloses, and otherwise processes your personal data.

For purposes of the UK General Data Protection Regulation ("UK GDPR") and EU General Data Protection Regulation ("EU GDPR"), {{LEGAL_ENTITY}} is the data controller of your personal data.

For purposes of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), and other applicable US state privacy laws, {{LEGAL_ENTITY}} is the business or controller of your personal information.

2. Scope of this policy

This policy applies to personal data we process in connection with:

  • the Oliv™ iOS mobile application (the "App"), distributed through the Apple App Store;
  • the marketing website at olivwellness.com (the "Site"); and
  • email correspondence with our support team at support@olivwellness.com.

It does not apply to third-party products, services, or websites we link to. When you make an in-app purchase, your payment is processed by Apple Inc. under Apple's own privacy policy.

Launch markets: at the date of this policy, the Oliv™ App is available for download from the Apple App Store in the European Union, the United Kingdom, and the United States. Marketing activity is initially focused on the European Union; the App itself is available to residents of all three regions. Sections of this policy that describe rights under specific regimes (UK GDPR, EU GDPR, CCPA/CPRA, VCDPA, Illinois BIPA, and other US state privacy laws) apply to you depending on where you reside.

3. Personal data we collect

3.1 Account & identity data

When you create an Oliv account we collect the email address you use to sign in. You may optionally provide a display name. We do not require government ID, date of birth in identifiable form, or social-media login.

3.2 Wellness assessment responses

When you complete the in-app wellness assessment, your answers are stored against your account so you can review your history and refresh the assessment over time. Some answers describe how you feel, what you eat, how you sleep, and your mood — which under UK/EU GDPR are treated as special category data concerning health (Article 9). We process this data only with your explicit consent (Article 9(2)(a)), which you give by taking the assessment.

3.3 Face scan

The face scan is an optional feature. If you choose to use it, the following describes exactly what happens to the data:

  • Processed only on your device. The camera input, the face-geometry mesh derived from it, and any biometric identifier are processed entirely on your iPhone using on-device computation. They are never transmitted to {{LEGAL_ENTITY}} or to any third party.
  • Not stored anywhere. We do not store the camera frames, the face mesh, or any biometric identifier — neither on your device after the scan ends, nor on our servers. Once the on-device processing finishes, the raw inputs are discarded.
  • What we do retain is a short descriptive label. The on-device process produces a brief plain-language summary of the observation (for example, "tired"). That descriptive label — and only that label — is sent to your account so you can see how your readings have changed over time. The label is text. It is not biometric data, contains no facial measurements, and cannot be used to identify you or anyone else.
  • Lawful basis under UK/EU GDPR. The descriptive label is information about how you are feeling, which is data concerning health within the meaning of Article 9. We process it on the basis of your explicit consent (Article 9(2)(a)), which you give by choosing to take a face scan, and which you can withdraw at any time. Because we do not transmit, store, or use the biometric identifiers themselves, we do not engage in the "processing of biometric data for the purpose of uniquely identifying a natural person".
  • Illinois (BIPA). The on-device processing involves a "scan of face geometry" and so falls within the scope of the Illinois Biometric Information Privacy Act. We collect it only with your prior written consent (which you give when you opt into the face scan), we do not disclose it, and because the biometric identifier itself is not stored — neither by us nor on your device beyond the scan — there is no retained biometric identifier to destroy. The descriptive label we retain is not a biometric identifier. See Section 8 — Your rights for the full BIPA notice.

3.4 Subscription & billing data

We do not currently collect any subscription or billing data, because Oliv™ is free to use. There are no in-app purchases at this time. If we introduce paid features in future we will update this policy in advance and obtain any consent required by law.

3.5 Device & technical data

The App collects a small amount of technical data necessary to operate: iOS version, device model and language, App version, time-zone, and anonymised crash logs. This data is used to diagnose problems and is not combined with your assessment responses for any marketing or profiling purpose.

3.6 Support correspondence

If you email support, we keep a record of the message and our response so we can follow up. Support correspondence is stored only in our inbox and is not used for any other purpose.

3.7 What we do not collect

  • We do not use cookies or web-tracking technologies on olivwellness.com.
  • We do not use third-party analytics, advertising trackers, or behavioural-advertising SDKs in the App.
  • We do not access your contacts, photo library, location, microphone, or other device sensors (other than the camera, only when you actively use the optional face scan).
  • We do not knowingly collect data from anyone under 18 (see Section 11).

4. How we use your data & lawful bases

The table below summarises why we process each category of data and the lawful basis under UK/EU GDPR. For US residents, the "purpose" column also represents our notice of "business purpose" under the CCPA/CPRA.

Data | Purpose | Lawful basis (UK/EU)
Account & identity | Create and authenticate your account; communicate essential service messages. | Performance of contract (Art. 6(1)(b))
Assessment responses | Generate your personalised assessment results and recommendations; show your history. | Explicit consent (Art. 9(2)(a)) + contract (Art. 6(1)(b))
Face-scan label | Run the on-device face scan; store the resulting short text label so you can see how your readings have changed. The biometric data itself is not stored. | Explicit consent (Art. 9(2)(a)); BIPA written consent for the on-device processing
Device & technical | Diagnose crashes, maintain stability, fix bugs. | Legitimate interests (Art. 6(1)(f)) — operating a reliable app
Support comms | Respond to your queries; keep a record so we can follow up. | Legitimate interests (Art. 6(1)(f))

We do not use your data to make solely automated decisions that produce legal or similarly significant effects on you (UK/EU GDPR Art. 22). The recommendations Oliv generates are informational suggestions, not decisions affecting your rights or access to a service.

5. Sharing & disclosure

We do not sell your personal data. We do not share your personal data for "cross-context behavioural advertising" or "targeted advertising" within the meaning of CCPA/CPRA, VCDPA, or any other US state privacy law. We do not run any advertising programme.

We share personal data with the following category of recipient, in the listed circumstance only:

Recipient | What & why
Apple Inc. | Apple distributes the App via the App Store. To do so Apple may receive device identifiers, account identifiers associated with your Apple ID, and standard App Store analytics about downloads. Oliv™ does not currently use In-App Purchase or process any payment via Apple. Apple processes the data it does receive under Apple's privacy policy.

At launch, Oliv does not use third-party analytics, hosting, payment processors, CRM tools, or marketing tools beyond Apple's. If this changes, we will update this policy and, where required, notify you and obtain fresh consent before activating any new processing.

We may also disclose personal data:

  • To comply with law — including in response to a valid legal request from a government authority of competent jurisdiction.
  • To protect rights and safety — to investigate, prevent, or take action regarding suspected illegal activity, fraud, or threats to the safety of any person.
  • In connection with a business transaction — such as a merger, financing, or sale of company assets, in which case we will use commercially reasonable efforts to notify you and require the recipient to honour the commitments in this policy.

6. International data transfers

{{LEGAL_ENTITY}} is established in the United States. If you access the App from outside the United States, your personal data will be transferred to, stored in, and processed in the United States.

Where personal data of UK or EU residents is transferred to the United States, we rely on the following safeguards under UK GDPR Article 46 and EU GDPR Chapter V: {{TRANSFER_MECHANISM}} (such as Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner's Office, as applicable, supplemented by additional technical and organisational measures).

For data transmitted via the Apple App Store, Apple is responsible for the transfer mechanism on its side; see Apple's privacy policy for detail.

You may request a copy of the relevant safeguards by emailing support@olivwellness.com.

7. How long we keep data

Category | Retention
Account & identity | For as long as your account is active. Deleted within {{DELETION_SLA}} of you closing the account.
Assessment responses & face-scan labels | For as long as your account is active. You can delete individual entries from your in-app history at any time, and all entries on account closure. The biometric identifier created by a face scan is never stored — it exists only during the on-device processing of a single scan and is discarded when the scan completes.
Device & crash logs | Up to 90 days from collection, then deleted or fully anonymised.
Support correspondence | Up to 24 months from your last message, then deleted.
Backups | Encrypted backups are rotated and purged on a {{BACKUP_PURGE_INTERVAL}} schedule.

8. Your rights

Depending on where you live, you may have some or all of the following rights in respect of personal data we hold about you. We honour these rights from every user, regardless of jurisdiction, where it is operationally possible to do so.

8.1 UK and EU residents (UK GDPR / EU GDPR)

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — ask us to delete your data; subject to limited exceptions such as legal-retention obligations.
  • Restriction — ask us to restrict processing in certain circumstances.
  • Portability — receive your data in a structured, commonly-used, machine-readable format (we provide this on request — see Section 9).
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — where processing relies on your consent (such as the optional face-scan feature), withdraw it at any time; withdrawal does not affect lawfulness of processing before withdrawal.
  • Complain to a supervisory authority — UK residents: the Information Commissioner's Office (ico.org.uk). EU residents: your national or regional data-protection authority.

8.2 California residents (CCPA/CPRA)

  • Right to know — request the categories and specific pieces of personal information we have collected about you, the sources, the business or commercial purpose for collecting, and the categories of recipients.
  • Right to delete — request deletion of personal information we have collected from you.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt out of sale/sharing — we do not sell or share your personal information for cross-context behavioural advertising. There is nothing to opt out of, but this right is yours.
  • Right to limit use of sensitive personal information — we use sensitive personal information (health information you provide through the assessment and the descriptive face-scan label) only to provide the App's features you have requested. We do not store or further use any biometric identifier. You can withdraw consent at any time, which limits our use.
  • Right to non-discrimination — we will not deny you service, charge you a different price, or provide a different level of service because you exercised a privacy right.
  • Authorised agent — you may use an authorised agent to submit a request on your behalf, with proof of authorisation.

8.3 Virginia residents (VCDPA)

  • Right to access, correct, delete, and request a copy of (port) personal data we process about you.
  • Right to opt out of targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. We do not engage in any of these.
  • Right to appeal a denial of your request. To appeal, reply to our response email with subject "VCDPA Appeal" within 60 days. We will respond within 60 days of the appeal.

8.4 Other US state residents

Residents of Colorado, Connecticut, Utah, Tennessee, Texas, Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Indiana, Minnesota, and Maryland have comprehensive privacy rights similar in substance to those of Virginia residents above. Use the same contact channel (Section 9) to exercise them. Specific rights, timelines, and appeal processes follow your state law.

8.5 Illinois residents — Biometric Information Privacy Act (BIPA) notice

Under the Illinois Biometric Information Privacy Act (740 ILCS 14):

What we collect: when you use the optional face scan, the App performs a scan of your face geometry on your device. That scan is a "biometric identifier" within the meaning of BIPA.

Purpose: to generate a brief observational reading that helps Oliv™ personalise your recommendations inside the App.

Storage and retention: the biometric identifier itself (the face scan and any geometric mesh derived from it) is never stored — neither by {{LEGAL_ENTITY}} nor on your device after the scan completes. The on-device processing produces a short descriptive label (a plain-language summary such as "tired") which is retained alongside your account so you can see how your readings have changed over time. That descriptive label is not a biometric identifier and contains no facial measurements.

Disclosure: we do not sell, lease, trade, or otherwise profit from biometric identifiers, and we do not disclose them to any third party. The biometric identifier is not disclosed because it is not retained beyond the moment of on-device processing.

Destruction: because nothing biometric is stored, there is no retained biometric identifier to destroy. The transient identifier created during the scan is discarded by the on-device process as soon as the scan completes.

Consent: by enabling the face-scan feature in the App, you provide your written consent to this on-device processing.

9. How to exercise your rights

9.1 Delete your account

You can delete your Oliv account at any time directly inside the App:

Settings → Account → Delete account

This is the only privacy right that has a self-service in-app flow. Once you confirm deletion, we remove your account, your assessment history, and any face-scan labels we hold within {{DELETION_SLA}}. (Biometric data is never stored, so there is nothing biometric to delete.) Limited records may be retained where law requires.

9.2 All other requests

For any other privacy request — access, rectification, portability, restriction, objection, withdrawing consent, or making a complaint — email support@olivwellness.com with the subject line "Privacy request". Include the email address associated with your Oliv account and a clear statement of what you would like us to do.

We will respond within:

  • 30 days for requests under UK/EU GDPR (extendable by a further 60 days for complex requests, with notice);
  • 45 days for requests under CCPA/CPRA (extendable once for another 45 days, with notice);
  • 45 days for requests under VCDPA and similar US state laws (extendable once for another 45 days, with notice).

For portability requests, we will provide your data in a structured, machine-readable format — typically JSON or CSV — delivered as a downloadable file via a secure link. There is no in-App export at launch; requests are handled manually by our team.

To protect your account we will need to verify your identity before responding to a substantive request — usually by confirming you control the email address on file.

9.3 No fee, no discrimination

Privacy requests are free. We will not deny you the App, charge you a different price, or give you a lesser experience because you exercised a privacy right.

10. Cookies & tracking

The Oliv website and App do not use cookies, advertising trackers, or third-party analytics at launch. See our Cookie & Tracking Notice for details. If this changes, we will update both this policy and the Cookie Notice, present a consent banner to UK and EU users, and notify existing users in-App.

11. Children

Oliv is intended for users aged 18 years or older. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a person under 18 without verified consent of a parent or legal guardian, we will delete that data as soon as reasonably possible. If you believe a child has provided us with personal data, please contact support@olivwellness.com.

12. Security

We use reasonable technical and organisational measures designed to protect your personal data, including:

  • encryption in transit (TLS) for all communications with our servers;
  • encryption at rest for stored data;
  • on-device processing of face-scan inputs, so camera frames, face geometry, and any biometric identifier are never transmitted to our servers and are not stored;
  • access controls limiting which personnel can view personal data; and
  • periodic review of our security practices.

No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, as required by law.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes — for example, changing the purposes for which we process your data, or adding a new category of sub-processor — we will notify you at least 30 days in advance by email and through the App. Non-material changes (typo fixes, clarifications) will be reflected by updating the "Last updated" date at the top of this policy.

14. UK & EU representatives

Because {{LEGAL_ENTITY}} is not established in the United Kingdom or the European Union, we have appointed representatives in each region under UK GDPR Article 27 and EU GDPR Article 27 respectively. UK and EU residents may contact the relevant representative directly in relation to questions about how we process their personal data.

UK Representative

{{UK_REPRESENTATIVE}}
{{UK_REP_ADDRESS}}
{{UK_REP_EMAIL}}

EU Representative

{{EU_REPRESENTATIVE}}
{{EU_REP_ADDRESS}}
{{EU_REP_EMAIL}}

15. Contact us

For any question about this Privacy Policy, our data practices, or to exercise any privacy right:

Email: support@olivwellness.com
Post: {{LEGAL_ENTITY}}, {{ADDRESS}}
Company / VAT no.: {{COMPANY_NO}}

UK and EU residents also have the right to contact our UK or EU representative directly.