Privacy Policy

Plain language summary: Evora Health collects personal information to power your devices, run the Evora App, process your orders, and communicate with you. We do not sell your data. We never share your health or biometric data with insurers, employers, medical aids, or advertisers. You can export, correct, or delete your data at any time from within the App or by emailing admin@evorahealth.co.za.

1. Who We Are (Responsible Party)

For the purposes of POPIA, the Responsible Party is:

Evora Health
Trading as: Evora Health
Registered Office: The Colab, 194 Bancor Avenue, WestPark Lane, Menlyn Maine, Pretoria, 0081
Country: Republic of South Africa
Email: admin@evorahealth.co.za
WhatsApp: 082 233 3529

The Information Officer responsible for POPIA compliance may be contacted at the above email address.

2. Scope of This Policy

This Privacy Policy applies to:

The Evora Health website at www.evorahealth.co.za and the member portal at app.evorahealth.co.za.
The Evora App (iOS and Android), including all in-app features such as health tracking, AI insights, cycle tracking, device connectivity, and subscriptions.
Evora Health hardware products: the The Evora Bio Band, The Evora Bio Pod, and LED Bio Mask.
All communications between you and Evora Health, including email, WhatsApp, and in-app messaging.

By creating an Evora account, downloading the Evora App, purchasing a product, or using any Evora service, you acknowledge that you have read and understood this Privacy Policy.

3. Information We Collect

3.1 Information You Provide Directly

Account information: Name, email address, date of birth (to verify you are 18 or older), password (stored as a hash - never in plain text).
Profile information: Sex assigned at birth, gender identity (optional), height, weight (initial entry), Fitzpatrick skin tone (for LED mask calibration and SpO2 accuracy).
Order and delivery information: Delivery address, order history, payment reference numbers.
Health self-reports (entered voluntarily by you): Mood, energy level, daily symptoms, menstrual cycle dates, cycle length, phase, flow intensity, contraception type, pregnancy status, perimenopause status, body measurements (up to 11 measurement zones: waist, hips, bust, thighs, calves, upper arms, neck, shoulders, chest, wrist, forearm).
Emergency contacts: Name and mobile number of relatives you designate as emergency contacts. Emergency contact data is used only for escalated emergency SMS alerts and is never used for any other purpose.
Communications: Any messages you send us via email, WhatsApp, in-app support, or any contact form.
Reseller applications: Business details, identity documentation, and banking information provided during a reseller application.

3.2 Data Collected from Your Devices

When you pair and use Evora hardware, the following measurements are collected via Bluetooth Low Energy (BLE 5.0) and processed in the App:

The Evora Bio Band: Heart rate (resting and continuous), heart rate variability (HRV - RMSSD), blood oxygen saturation (SpO2), skin temperature, step count and distance, calories burned (estimated), sleep stages (Light, Deep, REM, Awake) and sleep score, Evora Wellness Score (a proprietary composite wellness indicator), and raw PPG waveform data for analysis.
The Evora Bio Pod: Body weight, BMI (calculated), estimated body fat percentage, estimated muscle mass, estimated bone density, estimated body water percentage, and visceral fat index. All measurements are taken by bioelectrical impedance analysis (BIA) and optical weigh-in sensors.
LED Bio Mask: Session date and time, session duration (capped at 10 minutes by hardware timer), LED zones activated, and cumulative session count. No biometric data is transmitted by the Mask itself.

3.3 Data Collected Automatically

Device and app metadata: Device model, operating system version, App version, unique device identifier (used for pairing and push notifications).
Usage analytics: Screens viewed, features used, session duration, tap events (anonymised). Collected via Firebase Analytics.
Crash and error reports: Stack traces, device state at crash time. Collected via Firebase Crashlytics (no personally identifiable health data is included in crash reports).
Website data: IP address, browser type, pages visited, time on site. Collected via cookies and analytics tools on www.evorahealth.co.za.

3.4 Data from Third-Party Health Platforms (with Your Consent)

If you connect the Evora App to Apple Health (HealthKit) on iOS or Google Health Connect on Android, we may read and/or write the following data types, based only on the permissions you grant:

Steps, active energy, resting heart rate, heart rate variability, sleep analysis, body weight, body mass index, oxygen saturation.
Menstrual cycle data (read/write) where you grant explicit permission.

Data imported from Apple Health or Google Health Connect is processed solely to enrich your Evora dashboard and AI insights. We do not share it with any third party.

3.5 Optional Progress Photos

The Evora App includes an optional photo journal feature. If you use it, photos are stored locally on your device only and are never uploaded to Evora Health servers. Evora Health has no access to your progress photos.

4. Special Personal Information

POPIA affords heightened protection to certain categories of personal information, referred to as special personal information. Several categories of data collected by the Evora App fall within this definition, including:

Health information (biometric measurements, HRV, SpO2, sleep, body composition).
Reproductive health data (menstrual cycle, pregnancy status, perimenopause status, contraception type).
ECG/electrocardiogram waveform data (where supported by device and collected by the Evora Bio Band).
Body measurements and physical characteristics.

How we protect your special personal information: We collect special personal information only with your explicit, informed consent, obtained during App onboarding. This data is encrypted in transit (TLS 1.3) and at rest (AES-256). It is never shared with third parties for commercial purposes. It is never sold. It is never used for insurance underwriting, employment screening, or medical aid assessment. It is never shared with government entities except where required by a binding South African court order.

You may withdraw consent to the processing of any special personal information category at any time via App Settings > Privacy > Manage Data, or by contacting us at admin@evorahealth.co.za. Withdrawal of consent for core health data will limit the functionality of the App and AI insights but will not affect data already lawfully processed.

5. How We Use Your Information

Purpose	Data Used	Basis
Provide App features and health dashboards	All health and biometric data from your devices and self-reports	Consent / Contract
Generate AI-powered wellness insights (after 14-day learning period)	Longitudinal health data, cycle data, sleep, HRV, mood logs	Consent
Calculate your Evora Wellness Score and Evora BioAge	Biometric, sleep, HRV, body composition data	Consent
Send emergency SMS alerts to your designated contacts	Emergency contact numbers, optional GPS location	Consent (explicit, at time of setup)
Process and fulfil product orders	Name, delivery address, order details	Contract
Manage your subscription (Free / Premium)	Account ID, subscription tier, purchase tokens (via RevenueCat)	Contract
Send transactional notifications (order updates, subscription renewals)	Email address, push notification token	Contract
Send wellness newsletters and product updates	Email address	Consent (opt-in; revocable)
Improve product accuracy and App features	Anonymised, aggregated usage and biometric data	Legitimate interest
Detect and prevent fraud and unauthorised access	Account metadata, device identifiers, login events	Legitimate interest / Legal obligation
Comply with South African legal obligations (e.g. tax records)	Order and payment records	Legal obligation
Manage reseller relationships	Business and identity information (resellers only)	Contract / Consent

We will not use your personal information for purposes other than those listed above without obtaining your prior, explicit consent.

6. Legal Basis for Processing (POPIA)

Under POPIA, we process personal information on one or more of the following grounds:

Consent: You give us explicit consent at onboarding for health and biometric data, cycle tracking, AI personalisation, emergency contact storage, and optional integrations. You may withdraw consent at any time.
Performance of a contract: Processing necessary to deliver your product order, manage your subscription, or operate the App services you have subscribed to.
Legitimate interest: Fraud prevention, App stability, aggregated analytics to improve product accuracy - provided such interests are not overridden by your rights and freedoms.
Legal obligation: Where South African law requires us to retain or disclose records (e.g. Consumer Protection Act transaction records, SARS tax records).

7. AI-Powered Insights and Automated Processing

The Evora App uses the Anthropic Claude API to generate personalised health insights, trend summaries, and wellness recommendations after a mandatory 14-day data learning period. During this period, the App collects baseline data from your devices and self-reports before AI personalisation is activated.

For the purpose of generating insights, a structured summary of your health data (not your raw data in full) is transmitted to the Anthropic Claude API. This summary is assembled and processed on our secure Firebase Cloud Functions backend (region: europe-west1) before being sent to the Anthropic API. Anthropic processes this data solely as a data processor acting on our instructions and is contractually prohibited from using your data to train their models or for any purpose other than generating your insight.

AI-generated insights are wellness motivational content only and do not constitute medical advice, diagnosis, or treatment. The Evora BioAge metric is a wellness engagement indicator and is not a clinical measure of biological age. AI insights are not used to make any automated decisions that have legal or similarly significant effects on you.

8. Sharing Your Information

Evora Health does not sell, rent, or trade your personal information to any third party.

We do not share your health or biometric data with:

Insurance companies or medical aids.
Employers or government agencies (except as required by a binding court order).
Advertisers or data brokers.
Any third party for commercial profiling or targeting.

We share your personal information only with the following service providers, strictly limited to what they need to perform their function:

Provider	Purpose	Data Shared
Google Firebase	Authentication, Cloud Firestore database, Cloud Functions, Analytics, Crashlytics	Account data, health data (encrypted), usage events, crash metadata
Anthropic (Claude API)	Generating AI wellness insights on your behalf	Structured health summary (no name, email, or direct identifiers)
RevenueCat	Subscription and in-app purchase management (Apple IAP, Google Play Billing, PayFast)	App User ID, subscription status, purchase receipts
PayFast	Payment processing for web orders and ZAR subscription payments	Order amount, order reference. No card data touches our servers.
Avolvia	Transactional and marketing email delivery	Email address, name, communication preferences
Courier/logistics providers	Order delivery	Name, delivery address, phone number
Apple (HealthKit)	Data sync with Apple Health (only if you grant permission)	Health data types you approve in iOS permission dialog
Google (Health Connect)	Data sync with Google Health Connect (only if you grant permission)	Health data types you approve in Android permission dialog

Each provider is contractually required to process your data only for the purpose specified and to maintain appropriate security standards.

We may disclose personal information if required to do so by a binding court order from a South African court of competent jurisdiction. We will notify you as permitted by law if such a disclosure is required.

9. Third-Party Integrations

9.1 Apple Health (HealthKit)

On iOS, you may grant the Evora App permission to read from and write to Apple Health. Permissions are requested individually and you may revoke them at any time via iPhone Settings > Privacy & Security > Health > Evora. Evora Health does not use HealthKit data for advertising or share it with third parties.

9.2 Google Health Connect

On Android, you may grant the Evora App permission to read from and write to Google Health Connect. Permissions are requested individually and may be revoked at any time via Android Settings > Apps > Health Connect > App Permissions > Evora. Evora Health does not use Health Connect data for advertising or share it with third parties.

9.3 Apple App Store and Google Play Store

Premium subscriptions purchased on iOS are processed by Apple and subject to Apple's Privacy Policy. Subscriptions purchased on Android are processed by Google and subject to Google's Privacy Policy. Evora Health receives a subscription token confirming your entitlement; we do not receive your payment card details.

9.4 RevenueCat

RevenueCat manages cross-platform subscription entitlements. It links your App User ID to your subscription status. RevenueCat does not receive your health or biometric data. See RevenueCat's privacy policy at revenuecat.com/privacy.

10. Transborder Data Flows (POPIA Section 72)

POPIA Section 72 requires us to inform you when your personal information is transferred to a country outside South Africa.

The following transfers occur:

Firebase Cloud Firestore and Cloud Functions are hosted in the europe-west1 (Belgium) Google Cloud region. Belgium is an EU member state and subject to the General Data Protection Regulation (GDPR), which the Information Regulator of South Africa has recognised as providing an adequate level of protection. Google provides Standard Contractual Clauses (SCCs) as a transfer safeguard.
Anthropic Claude API is operated from the United States. Your de-identified health summary is transmitted to Anthropic's API endpoints in the US solely for the purpose of generating your AI insight. Anthropic provides appropriate contractual safeguards.
RevenueCat is operated from the United States. Only your subscription status token (not health data) is shared. RevenueCat maintains standard contractual protections.

By using the Evora App and accepting this Privacy Policy, you consent to these transborder transfers as necessary to provide the services you have requested.

11. Family Mode and Shared Devices

The Evora App supports a Family Mode allowing up to 5 user profiles under one Evora account. Each family member's data is maintained in strict isolation:

Each family member's health and biometric data is accessible only to that member when they are logged in under their own profile.
The Family Account holder (primary account owner) can view a limited household wellness summary showing aggregate trend data only - they cannot access the detailed biometric data or health logs of individual family members without that member's active consent.
AI insights generated for each profile are private to that profile.
Family members may remove themselves from a Family account at any time from within the App.

When sharing a physical device (e.g. the Evora Bio Pod), each family member's weigh-in is matched to their profile via the App's active profile selection and is not visible to other family members.

12. Discreet Mode

The Evora App includes a Discreet Mode that replaces app content with a neutral neutral screen, suppresses all push notifications, and hides the app's icon in recent apps (where supported by the operating system). Discreet Mode does not pause data collection from paired devices and does not affect how your data is stored on our servers. It is a display-only privacy feature designed for use in shared physical environments.

Discreet Mode can be activated from the App home screen or via a configurable shake gesture.

13. Cookies, Analytics and Crash Reporting

13.1 Website Cookies

Our website uses cookies and similar technologies to ensure the website functions correctly (essential cookies), analyse traffic and user behaviour (analytics cookies), and remember your cart and preferences (functional cookies). You may control cookies through your browser settings. Disabling non-essential cookies will not affect your ability to browse the website.

13.2 App Analytics - Firebase Analytics

We use Firebase Analytics (Google) to understand how users interact with the App - which screens are visited, which features are used, and where users drop off. Event data is anonymised before transmission and is not linked to your name or email address. You may opt out of analytics collection via App Settings > Privacy > Analytics.

13.3 Crash Reporting - Firebase Crashlytics

We use Firebase Crashlytics to detect, prioritise, and fix App crashes. Crash reports include device model, OS version, App version, and a stack trace of the crash event. No personally identifiable health or biometric data is included in crash reports. You may opt out via App Settings > Privacy > Crash Reporting.

14. Data Storage and Security

All Evora App data is stored in Google Firebase Cloud Firestore, hosted in the europe-west1 (Belgium) region. Data is encrypted in transit using TLS 1.3 and encrypted at rest using AES-256 encryption managed by Google Cloud.

Additional security measures include:

Firebase Security Rules enforce per-user data access - no user can access another user's records.
Firebase Authentication with email/password (hashed) and optional third-party sign-in (Google, Apple).
Cloud Functions validate all incoming requests server-side before writing to Firestore.
No health or biometric data is stored in app logs or crash reports.
Emergency contact data is stored in an encrypted sub-collection accessible only during an active emergency event.

Despite these measures, no system is completely immune to breach. If you believe your account has been compromised, contact us immediately at admin@evorahealth.co.za so we may take appropriate action.

Evora Health will notify affected users and the Information Regulator of South Africa within the timeframes required by POPIA in the event of a data breach that poses a risk to you.

15. Data Retention

We retain your personal information for as long as necessary to provide our services and meet our legal obligations. Specific retention periods are:

Data Category	Retention Period	Basis
Account profile information	Duration of active account + 30 days after deletion request	Contract
Daily health and biometric data (Band, Pod readings, self-reports)	Duration of active account; exportable and deletable at any time	Consent
App event logs (anonymised activity log)	36 months (3 years) rolling	Legitimate interest (product improvement)
Order and payment records	5 years from transaction date	Legal obligation (SARS / CPA)
Emergency contact records	Until you remove the contact or delete your account	Consent
Crash and analytics logs	90 days rolling (Firebase default)	Legitimate interest
Deleted account data	Purged within 30 days of confirmed deletion request	POPIA compliance

When data is no longer required, it is securely deleted or irreversibly anonymised.

16. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights. Many of these rights can be exercised directly within the Evora App under Settings > Privacy > Manage Data.

Right of Access

Request a copy of the personal information we hold about you. In-app: export your full data history as a CSV file from Settings > Privacy.

Right to Correction

Request correction of inaccurate or incomplete personal information. Most profile data can be edited directly in the App.

Right to Deletion

Request deletion of your account and all associated data. In-app: Settings > Privacy > Delete Account. Deletion is processed within 30 days.

Right to Object

Object to the processing of your personal information for direct marketing or analytics. You may unsubscribe from emails at any time via the link in any email.

Right to Withdraw Consent

Withdraw consent to any specific processing activity without affecting prior lawful processing. Withdrawal for health data may limit certain App features.

Right to Data Portability

Export your health and biometric data in CSV format at any time from the App. This is available on both Free and Premium plans.

Right to Complain

Lodge a complaint with the Information Regulator of South Africa if you believe your rights have been violated.

Right Not to Be Subject to Automated Decisions

AI insights are for informational and motivational purposes only. No automated decision with legal or significant practical effect is made about you.

To exercise any right not available in the App, email admin@evorahealth.co.za with the subject line "POPIA Data Request". We will acknowledge your request within 5 business days and respond fully within 30 days.

You may also lodge a complaint with the Information Regulator of South Africa:
Website: www.justice.gov.za/inforeg
Email: complaints.IR@justice.gov.za

17. Children's Privacy

The Evora App and all Evora Health products and services are intended for users aged 18 years and older. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that a user under 18 has created an account or provided us with personal information, we will take immediate steps to suspend the account and delete the associated data.

If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at admin@evorahealth.co.za.

18. Third-Party Links

Our website and App may contain links to third-party websites and services (for example PayFast, Apple, Google, social media platforms). We are not responsible for the privacy practices of those websites and encourage you to review their respective privacy policies before providing any personal information.

19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the features of the Evora App. The updated version will be posted on this page with a revised effective date at the top. For material changes, we will notify registered users via email and via an in-app notification at least 14 days before the change takes effect. Continued use of the App after the effective date constitutes acceptance of the revised policy.

20. Contact and Complaints

For any privacy-related queries, data access requests, consent withdrawals, or complaints:

Information Officer, Evora Health
Email: admin@evorahealth.co.za
WhatsApp: 082 233 3529
Address: The Colab, 194 Bancor Avenue, WestPark Lane, Menlyn Maine, Pretoria, 0081
Country: Republic of South Africa

We are committed to resolving all privacy concerns promptly, fairly, and in accordance with POPIA.

Table of Contents