Privacy Policy

Last updated: January 12, 2026

1. Introduction

Nivy ("we," "our," "us," or "the Company") is committed to protecting your privacy and personal information. This Privacy Policy explains in detail how we collect, use, process, disclose, transfer, and safeguard your information when you use our personalized recovery plan service, website, mobile applications, and related services (collectively, the "Service").

This Privacy Policy applies to all users of our Service, including business customers, end users, and visitors to our website. By using our Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and use of your information as described herein.

If you do not agree with our policies and practices, please do not use our Service. We may update this Privacy Policy from time to time, and your continued use of the Service after such updates constitutes acceptance of the revised policy.

2. Data Controller and Contact Information

For the purposes of applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), Nivy is the data controller responsible for your personal information.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can contact us at:

3. Information We Collect

3.1 Information You Provide Directly

We collect information that you provide directly to us when you:

  • Create an Account: Name, email address, phone number, company name, business address, tax identification number, and password
  • Use Our Service: Profile information (demographics, activity level, pain or tightness areas, goals, equipment preferences), plan history, and in-app usage (e.g. completed steps, timers)
  • Make Payments: Payment card information (processed securely through third-party payment processors), billing address, and transaction history
  • Contact Support: Support tickets, chat transcripts, email communications, and any information you provide during support interactions
  • Participate in Surveys: Feedback, opinions, and demographic information
  • Subscribe to Newsletters: Email address and communication preferences

3.2 Automatically Collected Information

When you use our Service, we automatically collect certain information about your device and usage patterns:

  • Plan and usage data: Generated plans, exercise steps completed, and usage patterns within the app
  • Usage Information: Features accessed, time spent on features, frequency of use, click patterns, navigation paths, and interaction data
  • Device Information: IP address, device type, operating system, browser type and version, device identifiers, screen resolution, and language settings
  • Location Data: General location information derived from IP address (we do not collect precise GPS location without explicit consent)
  • Log Files: Access times, pages viewed, referring URLs, error logs, and system performance data
  • Cookies and Tracking Technologies: See our Cookie Policy for detailed information

3.3 Information from Third Parties

We may receive information about you from third-party sources, including:

  • Business partners and service providers
  • Social media platforms (if you connect your account)
  • Public databases and directories
  • Marketing and analytics partners
  • Payment processors and financial institutions

3.4 Sensitive Personal Information

We may process information you provide about pain areas or health-related goals to generate personalized plans. We do not use this for purposes other than providing the Service. We do not record phone calls; optional in-app voice guidance uses text-to-speech and does not store your voice.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal information based on the following legal grounds:

  • Contractual Necessity: To perform our contract with you and provide the Service
  • Legitimate Interests: To improve our Service, prevent fraud, ensure security, and conduct business operations
  • Consent: Where you have provided explicit consent, such as for marketing communications or optional voice guidance
  • Legal Obligation: To comply with applicable laws, regulations, and legal processes
  • Vital Interests: To protect the safety and security of our users and the public

6. How We Use Your Information

We use the collected information for the following purposes:

5.1 Service Provision

  • To provide, operate, maintain, and improve our personalized recovery plan service
  • To generate and display personalized stretch and recovery plans
  • To provide step-by-step instructions, images, and optional voice guidance
  • To store and display your plan history and progress
  • To process payments and manage billing
  • To provide customer support and respond to inquiries

5.2 Service Improvement

  • To analyze usage patterns and user behavior
  • To train and improve our AI models (using anonymized data where possible)
  • To conduct research and development
  • To develop new features and functionality
  • To perform quality assurance and testing

5.3 Business Operations

  • To detect, prevent, and address technical issues, fraud, and security threats
  • To enforce our Terms of Service and other policies
  • To comply with legal obligations and respond to legal requests
  • To protect our rights, property, and safety, and that of our users
  • To manage business operations and administrative functions

5.4 Communications

  • To send service-related communications (transactional emails, notifications, updates)
  • To send marketing communications (with your consent, and you may opt out at any time)
  • To respond to your inquiries and provide customer support
  • To send important notices about changes to our Service or policies

6. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may share your information in the following limited circumstances:

6.1 Service Providers and Business Partners

We share information with trusted third-party service providers who perform services on our behalf, subject to strict confidentiality obligations:

  • Cloud Infrastructure: Amazon Web Services, Google Cloud Platform, or similar providers for hosting and data storage
  • Payment Processors: Stripe, PayPal, or similar providers for payment processing
  • Voice and media: Text-to-speech and image generation providers used to produce instructions and exercise media
  • Analytics Providers: Google Analytics, Mixpanel, or similar providers for usage analytics
  • Customer Support: Zendesk, Intercom, or similar providers for support ticket management
  • AI/ML Services: Third-party AI service providers for plan generation and related processing

All service providers are contractually required to: (1) use your information only for the purposes we specify; (2) implement appropriate security measures; (3) comply with applicable data protection laws; and (4) delete or return your information upon termination of their services.

6.2 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, including:

  • To comply with court orders, subpoenas, or other legal processes
  • To respond to government or regulatory requests
  • To enforce our Terms of Service or other agreements
  • To protect our rights, property, or safety, or that of our users
  • To investigate potential violations or fraud

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any such change in ownership or control of your personal information.

6.4 With Your Consent

We may share your information with third parties when you have provided explicit consent for such sharing.

7. Data Security

We implement comprehensive technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

7.1 Technical Safeguards

  • Encryption: All data in transit is encrypted using TLS 1.3 or higher. Data at rest is encrypted using AES-256
  • Access Controls: Role-based access controls, multi-factor authentication, and principle of least privilege
  • Network Security: Firewalls, intrusion detection systems, and regular security monitoring
  • Secure Infrastructure: Hosting on SOC 2 Type II certified data centers with physical security controls
  • Regular Updates: Prompt application of security patches and updates
  • Vulnerability Management: Regular security assessments, penetration testing, and vulnerability scanning

7.2 Organizational Safeguards

  • Employee training on data protection and security best practices
  • Confidentiality agreements for all employees and contractors
  • Regular security audits and compliance reviews
  • Incident response procedures and breach notification protocols
  • Data protection impact assessments for high-risk processing activities

Important: While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your information and will promptly notify you of any security breach that may affect you, as required by law.

8. Data Breach Notification

In the event of a data breach that may affect your personal information, we will:

  • Investigate the breach immediately and take steps to contain and remediate it
  • Notify relevant supervisory authorities within 72 hours (as required by GDPR) or as otherwise required by applicable law
  • Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms
  • Provide clear information about the nature of the breach, the data affected, and the steps we are taking
  • Provide guidance on steps you can take to protect yourself

9. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Our retention periods are as follows:

  • Account Information: Retained for the duration of your account plus 7 years for legal and tax compliance
  • Plan and profile data: Retained for the duration of your account, plus 30 days after account deletion
  • Transaction Records: Retained for 7 years for accounting and tax purposes
  • Marketing Communications: Retained until you unsubscribe or object to processing
  • Support Communications: Retained for 3 years after the last interaction
  • Analytics Data: Retained in anonymized form for up to 2 years

When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes (such as fraud prevention or dispute resolution).

10. Your Rights and Choices

Depending on your location, you have certain rights regarding your personal information. We will respond to your requests within the timeframes required by applicable law (typically 30 days, or 1 month for GDPR requests).

10.1 General Rights (All Users)

  • Access: Request a copy of the personal information we hold about you
  • Rectification: Request correction of inaccurate or incomplete information
  • Erasure: Request deletion of your personal information (subject to legal retention requirements)
  • Portability: Request transfer of your data in a structured, commonly used format
  • Objection: Object to processing of your personal information for legitimate interests or direct marketing
  • Restriction: Request restriction of processing in certain circumstances
  • Withdraw Consent: Withdraw consent where processing is based on consent (does not affect lawfulness of processing before withdrawal)

10.2 European Economic Area (EEA) Rights (GDPR)

If you are located in the EEA, you have the following additional rights:

  • Right to lodge a complaint with your local data protection authority
  • Right to object to automated decision-making, including profiling
  • Right to information about data transfers to third countries

You can find your local data protection authority at: https://edpb.europa.eu

10.3 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell
  • Right to Delete: Request deletion of your personal information (subject to exceptions)
  • Right to Opt-Out: Opt-out of the sale or sharing of personal information (we do not sell personal information)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit: Request limitation of use and disclosure of sensitive personal information

10.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

We may need to verify your identity before processing your request. We will respond to your request within the timeframes required by applicable law.

11. Voice Guidance and Plan Data

Our Service offers optional text-to-speech (TTS) voice guidance that reads exercise instructions aloud. We do not record your voice or make phone calls.

11.1 Voice Guidance

  • Voice guidance is optional and generated via third-party TTS; we do not store or analyze your voice
  • Instructions read aloud are derived from your plan content only

11.2 Plan and Profile Data

Your profile (e.g. pain areas, goals, equipment) and generated plans are stored to provide and improve the Service. You can request access, correction, or deletion as described in Section 10.

12. AI and Machine Learning

Our Service uses artificial intelligence to generate personalized recovery plans. This section explains how we use AI with your data:

12.1 AI Processing

  • We use AI to generate plans based on your profile (e.g. pain areas, goals, equipment)
  • AI models may be improved using anonymized and aggregated data
  • We do not use your personal information to train AI models without your explicit consent

12.2 Automated Decision-Making

Plan content (e.g. exercise selection and order) is generated automatically. You have the right to:

  • Request human review of automated decisions
  • Object to automated decision-making
  • Receive information about the logic involved in automated processing

13. Cookies and Tracking Technologies

We use cookies, web beacons, pixels, and similar tracking technologies to collect and store information about your use of our Service. For detailed information about our use of cookies, please see our Cookie Policy.

You can control cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of our Service.

14. Children's Privacy

Our Service is not intended for individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children without parental consent.

If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete such information promptly.

15. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country.

15.1 Transfer Safeguards

When we transfer your information internationally, we implement appropriate safeguards to protect your information, including:

  • Standard Contractual Clauses approved by the European Commission
  • Binding Corporate Rules where applicable
  • Certification under recognized data protection frameworks (e.g., EU-US Data Privacy Framework)
  • Other legally recognized transfer mechanisms

15.2 Your Rights

You have the right to request information about the safeguards we have in place for international data transfers. Contact us at [email protected] for more information.

16. Third-Party Links and Services

Our Service may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.

Our Service may integrate with third-party services (such as calendar applications, CRM systems, or payment processors). When you use these integrations, your information may be shared with these third parties in accordance with their privacy policies and our agreements with them.

17. Marketing Communications

We may send you marketing communications about our Service, new features, special offers, and other information we think may interest you. You can opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Updating your communication preferences in your account settings
  • Contacting us at [email protected]

Please note that even if you opt out of marketing communications, we may still send you service-related communications (such as account updates, security alerts, or transaction confirmations).

18. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want to have your online activity tracked. Currently, there is no industry standard for how DNT signals should be interpreted. As such, we do not currently respond to DNT browser signals or mechanisms.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. We will notify you of any material changes by:

  • Posting the updated Privacy Policy on this page with a new "Last updated" date
  • Sending an email notification to the email address associated with your account
  • Displaying a prominent notice on our website or Service

Material changes will become effective 30 days after notification, unless otherwise required by law. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

20. Complaints and Dispute Resolution

If you have concerns about how we handle your personal information, you have the right to lodge a complaint with:

  • Your Local Data Protection Authority: If you are located in the EEA, you can find your authority at https://edpb.europa.eu
  • California Privacy Protection Agency: If you are a California resident, you can file a complaint at https://cppa.ca.gov
  • Us Directly: We encourage you to contact us first at [email protected] so we can address your concerns

21. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all inquiries within 30 days, or as required by applicable law.