Last updated: May 8, 2026
For a plain-language summary of what we can and cannot read about you, see our Transparency page.
søvei ("we," "our," or "us") is committed to protecting your privacy and the security of your personal health information. This Privacy Policy explains how we collect, use, store, and protect your data when you use our health and fitness tracking application.
We understand that health data is among the most sensitive personal information, and we have designed our systems with privacy as a core principle. Your health data belongs to you, not us.
Our Privacy Promise: We will never sell your personal health information. We only share data with third parties when absolutely necessary to provide our services, and we anonymize your data before any AI processing. You have complete control over your data and can export or delete it at any time.
To provide our health tracking services, we collect the following categories of data with your explicit consent:
You can choose not to provide certain data, but some features may be limited without it.
søvei does not sell, rent, or trade your personal health information to third parties. Period.
While we require certain health data to provide our services (nutrition tracking, workout logging, lab results analysis, medication reminders), we have no intention of monetizing this data through sales to advertisers, data brokers, research institutions, or any other third parties.
If our business model ever changes to include any form of data monetization or sharing beyond what is currently described in this policy, we commit to:
Under California law (CCPA/CPRA): We confirm that we have not sold personal information of California consumers in the preceding 12 months and do not intend to do so.
We apply enhanced privacy protections to lab result data. This data is among the most sensitive health information, and we treat it with the highest level of care.
When you upload a lab report PDF or take a photo of your results, the file is processed entirely on your device (in your web browser or mobile app). The original PDF or image is never uploaded to or stored on our servers. We use client-side technology to extract text from the document without transmitting the file itself.
Before any extracted text leaves your device, we automatically remove personally identifiable information (PII) including:
We only store the extracted biomarker values (e.g., "Total Cholesterol: 180 mg/dL") after you review and approve them. These values are associated with your anonymous account identifier but contain no identifying information from the original lab report.
Stored lab data includes: marker name, numeric value, unit of measurement, reference range, and test date. We do not store: the original PDF, patient name, doctor name, lab name, or any other identifying information.
To extract structured data from lab reports, we use artificial intelligence services. The AI only receives de-identified text containing lab values—it never sees your name, date of birth, or any other personal identifiers. The AI cannot determine whose lab results it is processing. See the "AI Processing & Anonymization" section for more details on how we protect your data during AI analysis.
Your lab results are never shared with third parties except for the de-identified AI processing described above. We do not share your lab data with:
Medication data is highly sensitive information that could affect insurance coverage, employment, or personal relationships if disclosed. We apply special protections to this data.
When medication data is included in AI-powered features such as health insights or program generation, medication names and dosages may be shared with AI providers to ensure accurate recommendations and safety checks (e.g., exercise contraindications). Your medication data is associated only with an anonymous identifier — AI providers cannot determine your identity.
Your medication information is never shared with:
We use RxNorm, maintained by the U.S. National Library of Medicine, for medication identification. This is a one-way lookup—no personal data is sent to RxNorm; we only retrieve standardized medication information.
søvei uses artificial intelligence to provide features like meal plan generation, workout programming, lab results analysis, and health insights. We take extensive measures to protect your privacy when using AI services.
We currently use AI services from:
Both providers may be used interchangeably for any AI-powered feature. The specific provider used for a given request may vary based on availability and performance.
These providers have committed to not training their models on data submitted through their APIs. Your health data is used only to generate responses for you, not to improve their general AI models.
Before any data is sent to AI providers, we strip all personally identifiable information. The following is never sent to AI providers:
To provide accurate, personalized health recommendations, certain health metrics are shared with AI providers. These are essential for calculating nutritional needs, generating safe workout programs, and interpreting lab results:
This health data is associated only with an anonymous identifier and cannot be linked back to your identity by AI providers.
AI providers cannot determine:
Throughout our system, your health data is associated with an anonymous identifier (UUID), not your email address or name. This means even our internal systems do not directly link your personal identity to your health records in most operations.
Any analytics we perform on user data for product improvement use aggregated, de-identified data that cannot be traced back to individual users. For example, we might analyze "average protein intake across users in their 30s" but never "what John Smith ate for lunch."
We use third-party services to provide our functionality. We carefully select partners who maintain high privacy and security standards. Here is a complete list of services that may process your data:
Two paths exist. Managed AI (default for paid tiers) routes through providers we have a contract with — your de-identified data only goes to xAI or Anthropic. Bring-Your-Own-Key (BYOK) lets you supply your own API key for any supported provider; in that mode the request goes from your browser directly to the provider you chose, under their terms — we are not in the request path and have no record of what was sent.
Note: We do not use any third-party advertising, tracking, or analytics services that would share your data with advertisers.
We implement comprehensive security measures to protect your health data:
You have comprehensive rights over your health data. We have built tools directly into søvei to help you exercise these rights:
You can view all data we store about you at any time through the app. Navigate to Settings → Your Data to see a complete overview of your stored information.
You can export your data in standard formats (JSON, CSV) at any time. Your export includes:
You can correct or update any inaccurate data directly in the app. If you need assistance, contact us at privacy@sovei.me.
Two deletion paths exist and they behave differently — please choose carefully.
Per-category deletion (Settings → Your Data → delete a specific category, e.g. Sleep, Workouts, Cycle): the rows are immediately hidden from the app and enter a 30-day soft-deletion recovery window. You can restore them at any point in those 30 days from Settings → Privacy. After 30 days they are permanently and irreversibly purged.
Full-account deletion (Settings → Your Data → Delete Account): this is immediate and irreversible. There is no 30-day recovery window. Your account row, every health-data table tied to your account, and your authentication record are removed in one transaction the moment you confirm. We cannot recover the account afterwards. If you may want your data back later, export it first (Settings → Your Data → Export).
In both cases:
You can opt out of:
You can request that we restrict processing of your data while you verify its accuracy or while we assess a deletion request.
Most rights can be exercised directly in the app under Settings → Your Data. For any requests that cannot be completed in-app, or if you need assistance, contact us at privacy@sovei.me. We will respond within 30 days.
We retain your health data for as long as your account is active. This allows you to track trends over months and years. If you delete your account, the data is removed immediately (see §9 above for the difference between per-category and full-account deletion). The exceptions are limited records we are required by law to retain — primarily audit metadata and payment records — described below.
When you delete a category of health data (e.g. all your sleep logs), the rows enter a 30-day soft-deletion recovery window. During this window:
Deleting your entire account (Settings → Your Data → Delete Account) is immediate and irreversible. There is no 30-day recovery window for full-account deletion. Export your data first if you may want it later.
While your account is active, all health data is retained indefinitely unless you choose to delete specific entries. You control what data to keep and what to remove.
If your account is inactive for 36 months (no logins), we will send you a notification email before taking any action. If you do not respond or log in within 30 days of the notification, we may delete your account and associated data to protect your privacy.
The following table summarizes how long different categories of data are retained:
| Data Category | Retention Policy |
|---|---|
| Health data (nutrition, workouts, sleep, body metrics, cycle, medications, supplements, injuries) | Retained while account is active; 30-day recovery period after deletion, then permanently deleted |
| Lab results | Retained while account is active; 30-day recovery period after deletion, then permanently deleted. Anonymized copies may be retained up to 6 years per healthcare compliance requirements |
| AI conversations | 30-day recovery period after deletion, then permanently deleted |
| Audit logs (PHI access, consent records) | 6 years (legal compliance; metadata only, no health data) |
| Payment records | 7 years (financial compliance) |
| Edge function logs | 90 days |
| Threat detection logs | 180 days after resolution |
| Backups | Purged from backup systems within 90 days of deletion |
Legal Hold: If required by legal proceedings, relevant data may be preserved beyond the retention periods listed above.
To comply with healthcare data protection best practices, we maintain audit logs that record when protected health information (PHI) is accessed. These audit logs are retained for 6 years after the access event, even if you delete your account. Audit logs contain only metadata (timestamps, action types, user identifier hashes) and do not contain the actual health data that was accessed.
Records of your privacy consent choices (when you granted or withdrew consent for specific data processing) are retained for 6 years for legal compliance purposes. This helps us demonstrate that we obtained proper consent for data processing.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
California "Shine the Light" Law: We do not share personal information with third parties for their direct marketing purposes.
If you are a Washington resident, you have additional rights under the Washington My Health My Data Act:
If you are a resident of Virginia, Colorado, or Connecticut, you have similar rights under your state's privacy laws, including the right to access, correct, delete, and obtain a copy of your personal data, as well as the right to opt out of targeted advertising (which we do not conduct).
Nevada residents have the right to opt out of the sale of personal information. As stated above, we do not sell personal information. If you wish to be added to our internal "do not sell" list, contact privacy@sovei.me.
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
søvei is based in the United States. If you are accessing our service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States.
For users in the European Economic Area (EEA), we rely on the following mechanisms for international data transfers:
Our data processors (Supabase, Stripe, AI providers) also maintain appropriate safeguards for international data transfers.
søvei is a consumer health application and is not a covered entity under HIPAA (Health Insurance Portability and Accountability Act). HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses—not to consumer health apps like ours.
However, we voluntarily adopt many HIPAA-aligned practices to protect your health information, including:
If you receive lab results through a healthcare provider, their handling of that information is subject to HIPAA. Our handling of data you voluntarily provide to us is governed by this Privacy Policy and applicable consumer privacy laws.
As a provider of personal health records, we are subject to the FTC's Health Breach Notification Rule. In the event of a data breach involving your health information, we will notify you and the FTC as required by law. See the "Data Breach Notification" section below for more details.
søvei is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13, in compliance with the Children's Online Privacy Protection Act (COPPA).
Users between 13 and 16 years of age in the European Union may require parental consent under GDPR. If you are in this age group, please ensure you have parental permission before using søvei.
If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at privacy@sovei.me and we will:
In the unlikely event of a data breach affecting your personal health information, we will:
Breach notifications will include:
We may update this Privacy Policy from time to time. When we make changes:
We encourage you to review this policy periodically. Your continued use of søvei after changes take effect constitutes acceptance of the revised policy.
A history of previous versions of this Privacy Policy is available upon request.
If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about our data practices, please contact us at:
Privacy Inquiries:
Email: privacy@sovei.me
Data Protection Officer:
Email: dpo@sovei.me
Email is the canonical channel for privacy inquiries. We'll publish a physical mailing address once incorporation is complete; until then, privacy@sovei.me is the route on record.
We aim to respond to all privacy inquiries within 30 days. For requests involving your data rights (access, deletion, correction), we will acknowledge receipt within 10 business days and complete your request within the timeframe required by applicable law.
Summary:At søvei, we believe your health data belongs to you. We collect only what's necessary to provide our services, we never sell your data, and we go above and beyond to protect your privacy. You can access, export, or delete your data at any time. If you have any questions, we're here to help.