Privacy Notice
Version 1.0 - effective 1 April 2026
Data Controller
Arivit is the data controller responsible for your personal data. Our registered address is [registered address]. You can contact us via our support form at support.arivit.app.
Purposes of Processing
We process your personal data for the following purposes: providing the Arivit personal safety service, detecting inactivity and emergencies through automated monitoring, sending emergency alerts to your designated guardians, managing safe zone monitoring, maintaining your account and subscription, and improving our service quality and reliability.
Data We Collect
We collect the following categories of personal data: name, email address, phone number (optional), GPS coordinates (when GPS sharing is enabled), battery level, movement and inactivity signals, IP address and user agent (session data), device push notification tokens, health metrics such as heart rate and blood oxygen (when wearable features are enabled, Art. 9 explicit consent required), and medication reminder data (Art. 9 explicit consent required).
Legal Basis
We process your data on the following legal bases under GDPR Article 6: (a) your explicit consent for health data processing (Art. 9(2)(a)) and optional features such as GPS sharing; (b) performance of the contract to provide our safety monitoring service; (f) our legitimate interest in detecting user inactivity and emergency events to dispatch timely safety alerts on behalf of your Guardians, preventing fraud, ensuring security, and improving the service. For GPS location processing, we rely on legitimate interest (Art. 6(1)(f)) - the Guardian has a legitimate interest in knowing the approximate location of a vulnerable family member for safety purposes.
GPS Location Processing
When GPS sharing is enabled (opt-in, default off), your GPS coordinates are captured every 5 minutes via the mobile app heartbeat. Coordinates are stored with reduced precision (~110m accuracy) and used for safe zone monitoring and inactivity context. GPS data is pruned after 90 days by an automated monthly job. On account deletion, all GPS coordinates are permanently removed. A Data Protection Impact Assessment (DPIA) has been completed for GPS processing as required by Art. 35.
Recipients and Processors
Your data may be shared with the following processors for the stated purposes: Firebase Cloud Messaging (Google) for push notification delivery to Guardians; Scaleway TEM for email alert delivery; Twilio for SMS alert delivery; and OVHcloud (France) for application hosting infrastructure. All processors are bound by Data Processing Agreements (DPAs) and process data only on our instructions.
International Data Transfers
Firebase Cloud Messaging (Google) may process push notification tokens on servers outside the EU. These transfers are protected by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework. Twilio SMS delivery uses EU gateways for EU phone numbers with SCCs in the DPA. Scaleway TEM (email) and OVHcloud (hosting) are located in France, EU. No personal data is transferred outside the EU for hosting or email processing.
Automated Processing
Arivit uses automated processing to detect potential emergencies: inactivity detection (no heartbeat received beyond your configured threshold), safe zone exit detection, battery level monitoring, and health metric anomaly detection. These automated systems trigger notifications to your designated Guardians - they do not make legal or similarly significant decisions about you (Art. 22). Your Guardians review the alerts and decide what action to take.
Data Retention
We retain your personal data as follows: heartbeat and GPS data for 90 days (automated monthly pruning); health event data for 90 days (automated monthly pruning); alert history for the duration of your account (GPS coordinates are removed from alerts on account deletion); account and profile data for the duration of your account; session tokens expire on sign-out or after 30 days of inactivity; device push tokens are retained until account deletion or token rotation; guardian invitation emails are automatically cleared after 7 days. On account deletion, all personal data is anonymized or deleted immediately.
Your Rights
Under GDPR Articles 15-22, you have the right to: access your personal data (Art. 15), rectify inaccurate data (Art. 16), request erasure of your data (Art. 17), restrict processing (Art. 18), data portability (Art. 20), and object to processing (Art. 21). Where processing is based on your consent, you have the right to withdraw consent at any time (Art. 7(3)) without affecting the lawfulness of processing carried out before withdrawal. To exercise any of these rights, contact us via our support form at support.arivit.app.
Supervisory Authority
You have the right to lodge a complaint with the Agencia Espanola de Proteccion de Datos (AEPD) at www.aepd.es, which is the competent supervisory authority for Spain. If you reside in another EU member state, you may also lodge a complaint with your local data protection authority.
Contact
For any questions about this privacy notice or to exercise your data protection rights, please contact our data protection team via our support form at support.arivit.app.
This website uses only essential cookies (language preference stored locally in your browser). No analytics or tracking cookies are used.