Privacy Policy

Version 2.0 · Last updated: April 2026

1. Data Controller

The data controller for the nevu app and this website is Nevu Health Ltd, a company registered in England and Wales.

  • Companies House number: 17155137
  • ICO registration: C1909486
  • Registered address: Dunleavy House, Dunleavy Dr, Cardiff CF11 0SN
  • Contact: [email protected]

2. What Data We Collect and Why

2.1 Account Data

Name, email address, gender, height, weight, and goals. Collected during onboarding to personalise your coaching experience. Lawful basis: contract performance.

2.2 Health Data (Special Category)

Weight logs, food logs, medication type, dose schedule, injection sites, symptoms, body measurements, and sleep data from Health Connect. This data powers dose-cycle coaching and health insights. Lawful basis: explicit consent (collected via our 3-box consent flow during onboarding).

2.3 AI Coaching Conversations

Messages exchanged with Kyra (AI coach) are processed to provide coaching responses. Conversations are stored to provide continuity. Lawful basis: consent and legitimate interest in providing the service.

2.4 Waitlist Data

Email address, medication type, duration on medication, and phone type. Collected for product launch notifications. Lawful basis: consent.

2.5 Feedback Data

Name (optional), email, description, screen, and severity. Used to improve the product. Lawful basis: legitimate interest.

2.6 Usage Analytics (Optional)

Anonymous usage patterns to improve the app. Only collected if you consent during onboarding. We use PostHog (EU-hosted). Lawful basis: consent.

3. How Data Is Stored

All data is stored on Supabase (EU-hosted, eu-west-2 region) with encryption at rest and in transit. Row Level Security (RLS) is enabled on all database tables, meaning each user can only access their own data.

Progress photos are stored on-device only and are never uploaded to our servers.

4. Third-Party Processors

We share data with the following processors, all under appropriate data processing agreements:

  • Supabase (EU) — Database hosting and authentication
  • RevenueCat — Subscription management (email and subscription ID only)
  • PostHog (EU) — Anonymous usage analytics (if consented)
  • Sentry — Error reporting (anonymised crash data)
  • Google Gemini — AI coaching responses (messages processed in real time, not stored by Google for training)
  • FatSecret — Food database lookups (search queries only, no personal data)
  • Formspree — Waitlist and feedback form notifications (email and form data)

5. Data Retention

  • Active accounts: Data retained for the lifetime of the account
  • Deleted accounts: All data permanently deleted within 30 days
  • Waitlist data: Retained until app launch, then deleted or converted to account data with consent
  • Feedback data: Retained for 24 months
  • Analytics data: Anonymised after 12 months

6. Your Rights

Under the UK GDPR, you have the right to:

  • Access — Request a copy of all data we hold about you
  • Rectification — Correct any inaccurate data
  • Erasure — Request complete deletion of your account and all data
  • Portability — Receive your data in a machine-readable format (JSON export available in-app)
  • Objection — Object to processing based on legitimate interest
  • Restrict processing — Request temporary restriction of data processing
  • Withdraw consent — Withdraw consent at any time without affecting the lawfulness of prior processing

To exercise any of these rights, email [email protected]. We will respond within 30 days.

7. Cookies

This website uses only essential cookies required for basic functionality. We do not use tracking cookies, advertising cookies, or third-party analytics cookies on this website.

  • Essential cookies: Cookie consent preference (localStorage). Required for the site to remember your consent choice.
  • Form cookies: Formspree may set functional cookies when you submit the waitlist or feedback forms. These are necessary for form processing.
  • Database cookies: Supabase may set functional cookies when storing waitlist data. These are necessary for data submission.
  • Analytics: We do not use analytics cookies on this website. PostHog analytics is used in the mobile app only, not on this site.
  • Advertising: We do not use any advertising or tracking cookies.

8. Children

nevu is for adults aged 18 and over only. We do not knowingly collect data from anyone under 18. Age verification is required during onboarding.

9. Photos

Progress photos and food photos taken within the app are stored on your device only. They are never uploaded to our servers or shared with any third party. If you delete the app, the photos remain in your device's gallery.

10. Medical Disclaimer

nevu is a health coaching tool, not a medical device. Kyra is an AI coach, not a doctor. Nothing in the app or on this website constitutes medical advice. Always consult your prescribing doctor for medical decisions.

11. Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or in-app notification. The latest version is always available at this URL.

Nevu is a health and wellness coaching app — not a medical device. It does not diagnose, treat, cure, or prevent any disease. Always consult your prescribing doctor before making changes to your medication or treatment plan.