Privacy Policy

Last updated: 14 May 2026

1. Who we are (Data Controller)

F Health ("we", "us", "our") operates the platform at https://health.fovisto.com.

Data controller contact: info@fovisto.com

2. What data we collect

We collect the following categories of personal data:

  • Identity & contact data: first name, last name, email address.
  • Account data: account type (private, doctor, organisation), organisation name, medical licence number (optional).
  • Special category health data (Art. 9 GDPR): health entries you log (weight, blood pressure, glucose, sleep, symptoms, lab results, medications, exercise, etc.), health profile details (date of birth, height, weight, medical conditions, allergies), medical notes.
  • Patient data (clinic accounts only): patient reference numbers, insurance IDs, dates of birth, phone numbers, specialty notes — entered by your managing doctor or organisation.
  • Usage data: pages visited, timestamps, IP address for rate-limiting and security purposes. We do not use cookies for tracking or advertising.

3. Legal basis for processing (GDPR)

| Purpose | Legal basis |
| --- | --- |
| Providing the health tracking service | Art. 6(1)(b) — performance of a contract; Art. 9(2)(a) — explicit consent for health data |
| Creating and managing your account | Art. 6(1)(b) — contract performance |
| Sending transactional emails (verification, password reset) | Art. 6(1)(b) — contract performance |
| AI-generated health insights | Art. 9(2)(a) — explicit consent |
| Security, fraud prevention, rate limiting | Art. 6(1)(f) — legitimate interests |
| Compliance with legal obligations | Art. 6(1)(c) — legal obligation |
| Subscription / payment management | Art. 6(1)(b) — contract performance |

4. How we use your data

  • To provide personalised health dashboards, trend analysis, and AI recommendations.
  • To allow authorised doctors or organisations to view and manage their patients' health summaries.
  • To send you account verification and password-reset emails.
  • To generate anonymous platform statistics (no data is sold or shared with advertisers).

5. Data sharing and transfers

We do not sell your personal data. We share data only with:

  • Mailjet (Sinch): transactional email delivery (EU-based servers). Mailjet privacy policy.
  • Stripe: payment processing for subscriptions. Data shared is limited to billing information only. Stripe privacy policy.
  • Your managing clinic: if you are a patient account, your managing doctor or organisation can view your health data.

Our servers are located in the European Union (Germany). We do not transfer your data outside the EEA.

6. Data retention

  • Your account and health data are retained for as long as your account is active.
  • If you delete your account, all personal data is permanently erased within 30 days.
  • Anonymised aggregate statistics may be retained indefinitely.

7. Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of all data we hold on you.
  • Right to rectification (Art. 16) — correct inaccurate data.
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten").
  • Right to restrict processing (Art. 18) — limit how we use your data.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — withdraw your consent at any time (this does not affect prior processing).

To exercise any of these rights, email us at info@fovisto.com. We will respond within 30 days.

You also have the right to lodge a complaint with your national supervisory authority (e.g. BfDI in Germany or the ICO in the UK).

8. Security measures

  • All data is transmitted over HTTPS / TLS 1.2+.
  • Passwords are stored as bcrypt hashes (cost factor 12). We never store plain-text passwords.
  • Authentication uses JWT tokens with 30-day expiry.
  • Our API enforces rate limiting on authentication endpoints (20 requests / 15 minutes per IP).
  • Security headers are set on all responses: X-Content-Type-Options, X-Frame-Options: DENY, Content-Security-Policy, Referrer-Policy.
  • Database access is restricted to application-level credentials; direct external access is blocked by firewall.

9. Cookies

We use only a single, strictly necessary session token stored in localStorage to keep you logged in. We do not use tracking cookies, advertising cookies, or third-party analytics scripts.

10. Children's data

Our platform is not directed to children under 16. Patient accounts for minors may only be created by an authorised medical professional. We do not knowingly collect data from children under 16 outside of clinical contexts.

11. Changes to this policy

We may update this Privacy Policy from time to time. Significant changes will be communicated by email or by a prominent notice on the platform. The "Last updated" date at the top indicates when the policy was last revised.

12. Contact

For any privacy-related questions or requests:
