Glyvon Health Privacy Policy
Effective Date: February 8, 2026
Last Updated: May 3, 2026
Version: 3.5
Public URL: https://glyvon.app/legal/privacy-policy
1. Introduction
1.1 Purpose of This Policy
This Privacy Policy ("Policy") describes how Glyvon Health ("we", "us", "our") collects, uses, processes, stores, shares, and protects your personal information when you use our mobile application and associated services (collectively, the "Service"). This Policy also explains your rights regarding your personal data and how you can exercise those rights.
1.2 Our Commitment to Privacy
We recognize that health data is among the most sensitive categories of personal information. We are committed to processing your data lawfully, fairly, and transparently, and to implementing robust technical and organizational safeguards to protect it. We have designed the Service with privacy in mind, adhering to the principles of data protection by design and by default as required under GDPR Article 25.
1.3 Legal Bases for Processing
We process your personal data under the following legal bases as defined by GDPR Article 6:
Consent (GDPR Art. 6(1)(a)): You have given explicit, informed consent for the processing of your personal data for one or more specific purposes. This is the primary legal basis for processing your health data (GDPR Art. 9(2)(a)).
Performance of a Contract (GDPR Art. 6(1)(b)): Processing is necessary to provide you with the Service you have requested and to fulfill our obligations under the Terms of Service.
Legitimate Interest (GDPR Art. 6(1)(f)): Processing is necessary for our legitimate business interests, such as improving the Service, preventing fraud, and ensuring security, provided that these interests are not overridden by your fundamental rights and freedoms.
Legal Obligation (GDPR Art. 6(1)(c)): Processing is necessary to comply with a legal obligation to which we are subject, such as data retention requirements, tax laws, or regulatory compliance.
1.4 Scope
This Policy applies to all users of the Service, regardless of location. Where specific regional regulations grant additional rights, those rights are described in Section 10 of this Policy.
2. Data Controller Information
Data Controller: Glyvon Health (MevaTech Software LLC)
Registered Location: 30 N Gould St Ste R, Sheridan, WY 82801, USA
Contact Email: support@glyvon.app
Phone: +1 (307) 670-7149 (SMS only)
As the data controller, Glyvon Health determines the purposes and means of processing personal data collected through the Service, in accordance with GDPR Article 4(7).
3. Categories of Personal Data We Collect
3.1 Account Information
When you create an account, we may collect: email address (optional, used for account creation, recovery, and service communications); display name (optional, used for personalization within the application); profile photo or avatar (optional, stored in secure cloud storage); and authentication method category (required, indicating whether you authenticated via email, a supported platform sign-in option, or anonymous access). The legal basis for processing this data is the performance of our contract with you (GDPR Art. 6(1)(b)).
3.2 Health and Medical Data (Special Category)
Health data constitutes a special category of personal data under GDPR Article 9. We process this data based on your explicit consent (GDPR Art. 9(2)(a)). The health data we collect includes:
Glucose Readings: blood glucose value (accepted range: 20-600 mg/dL), measurement type (fasting, before meal, after meal, bedtime, random), date and time of measurement, contextual tags (exercise, stress, illness, alcohol, travel, medication), and optional free-text notes (limited to 1,000 characters).
Medication Information: drug name, dosage amount per administration, dosage unit (mg, ml, units, tablets, capsules, drops), frequency of administration (once daily, twice daily, three times daily, four times daily, or as needed), scheduled reminder times, start and end dates of the medication regimen, reminder notification preferences, and optional notes.
Medication Logs: scheduled time for each dose, actual time the dose was taken (if recorded), and administration status (pending, on time, late, missed, skipped).
Meal Information: meal type (breakfast, lunch, dinner, snack), text description of the meal, meal photograph (optional, stored in secure cloud storage), nutritional data including carbohydrates, calories, protein, and fat (entered manually or estimated by AI), glycemic index classification (low, medium, high), AI-generated analysis results (if applicable), and timestamp of consumption.
Health Profile: diabetes type (Type 1, Type 2, Gestational, Prediabetes), date of birth, weight in kilograms, height in centimeters, target glucose range (minimum and maximum values in mg/dL), most recent HbA1c value, year of diagnosis, and an optional hypertension flag.
Blood Pressure Readings: systolic value (accepted range: 70-250 mmHg), diastolic value (accepted range: 40-150 mmHg), pulse rate (accepted range: 30-220 bpm), measurement position (sitting, standing, lying), arm side (left, right), date and time of measurement, and optional free-text notes. Readings are categorized client-side per the ACC/AHA 2017 guideline (Normal, Elevated, Stage 1, Stage 2, Hypertensive Crisis).
Weight and Body Composition Data: body weight in kilograms (required), and the following optional fields when you record them or import from a smart scale: body fat percentage, muscle mass in kilograms, body water percentage, visceral fat level, bone mass, basal metabolic rate (kcal), and circumference measurements (waist, neck, hip, chest, thigh, arm in centimeters). The data source is recorded as one of: manual entry, formula-derived (from height/weight/age/gender), tape measurement, bioelectrical-impedance scale, or platform health framework.
Hydration (Water) Logs: volume consumed (in milliliters), unit preference (ml or oz), date and time of consumption, and optional notes.
Diabetes Risk Assessments: FINDRISC questionnaire responses (age band, BMI, waist circumference band, physical activity, fruit/vegetable intake, antihypertensive medication, history of high glucose, family history of diabetes), the calculated FINDRISC score (0-26), and the assessment timestamp. These calculations are performed locally on your device and are not used for medical diagnosis.
Insulin Resistance (HOMA-IR) Calculations: when you use the HOMA-IR calculator, the fasting glucose value and fasting insulin value you enter are processed only on your device to compute the HOMA-IR index (Matthews 1985 method). These inputs are not transmitted off-device unless you choose to save them as a glucose reading.
Body Composition Source Preference: a single setting indicating which measurement tier you selected for the holographic body composition dashboard (formula / tape / scale), and a flag tracking whether you completed the setup wizard. Stored in `user_settings`.
3.3 Device and Technical Information
We automatically collect certain technical information necessary for the operation of the Service: device model and manufacturer, operating system name and version, application version and build number, user agent string (collected during consent recording for compliance verification), and public IP address (collected for consent compliance records where required by applicable law, including GDPR Article 7(1)). The legal basis for this processing is our legitimate interest in maintaining service security and compliance (GDPR Art. 6(1)(f)).
3.4 Usage Data
We collect aggregated and anonymized data about how you interact with the Service: feature usage patterns (which screens and features are accessed), session duration and frequency, application crash reports and error logs, and service request metadata (timestamps, response codes, latency). This data is processed for the purpose of service improvement and is anonymized wherever possible.
3.5 AI Interaction Data
When you use AI-powered features (subject to separate AI Data Usage consent), additional data is processed: your chat messages sent to the AI assistant (limited to 4,000 characters per message), health context data shared with the AI for personalized responses (recent glucose readings, meals, medications, and summary statistics), AI-generated responses, usage counts and processing metrics, and meal photographs submitted for AI nutritional analysis. This consent is requested at first use of an AI feature before any data is sent to our third-party AI processing provider, and can later be managed in Settings > AI Data Processing. This data is described in detail in our AI Data Usage Policy.
3.6 Consent Records
For legal compliance, we maintain records of all consents you have provided, including: consent type (Terms of Service, Privacy Policy, AI Data Usage), consent status (granted or revoked), timestamps of when consent was granted and revoked, encrypted IP address at the time of consent, and user agent information at the time of consent. These records are maintained pursuant to GDPR Article 7(1) to demonstrate that valid consent was obtained.
3.7 Subscription Data
For users with paid subscriptions, we receive from our subscription management provider: subscription status (active, expired, cancelled, paused, trial, billing issue), subscription platform (iOS, Android), subscription plan type (monthly, yearly), expiration date, and billing environment (such as test or production). We do not receive or store payment card details, billing addresses, or other financial instruments. Payment processing is handled entirely by the app store provider for your platform.
4. How We Use Your Information
4.1 Primary Purposes
We use your personal data for the following primary purposes, each of which is necessary to provide the Service: storing and displaying your glucose readings, medications, and meals; synchronizing your data across devices via cloud infrastructure; sending medication reminder notifications at your configured times; generating health visualizations including glucose trend charts, Time in Range calculations, and statistical summaries; managing your user account, authentication sessions, and preferences; providing customer support when you contact us; and processing subscription transactions through our payment partners.
4.2 AI Processing Purposes (Requires Separate Consent)
With your separate, explicit consent for AI data processing, we also use your data for: AI-powered nutritional analysis of meal photographs (Premium feature); AI chat assistant that analyzes your recent health data to provide personalized informational responses; and health trend analysis and pattern recognition through AI processing. AI processing requests are sent to our third-party AI processing provider in the United States, and that provider may retain submitted data for up to thirty (30) days for abuse monitoring.
4.3 Secondary Purposes
We use data for the following secondary purposes based on our legitimate interest (GDPR Art. 6(1)(f)): service improvement through analysis of anonymized and aggregated usage data; debugging and error resolution using crash reports and error logs; security monitoring using access logs, rate limit data, and anomaly detection; and fraud prevention through analysis of account activity patterns.
4.4 What We Do Not Do
We want to be explicit about what we do not do with your data. We do not sell your personal data to any third party, for any purpose, under any circumstances. We do not share identifiable health data with third parties without your explicit consent, except as required by law. We do not use your personal data for advertising, marketing profiling, or behavioral targeting. We do not make automated decisions that produce legal effects or similarly significant effects on you without human oversight, as described in GDPR Article 22. We do not use your data to train or improve our own machine learning models. We do not transfer your data to third parties for their independent use.
5. Data Storage, Security, and Infrastructure
5.1 Local Storage
Authentication credentials and other sensitive access data are stored using platform-native protected device storage. Application preferences and settings are stored locally on the device. Health data is maintained in local device storage for offline access and is synchronized to the cloud when connectivity is available.
5.2 Cloud Infrastructure
Cloud-based data storage and processing is provided by contracted cloud infrastructure providers. All cloud-stored data is logically segregated to enforce per-user data isolation. Meal photographs are stored in secure cloud object storage. AI chat messages are stored with additional encryption at rest. Our cloud environment is managed to support recognized security and privacy standards.
5.3 Security Measures
We implement comprehensive technical and organizational security measures in accordance with GDPR Article 32. These measures include: encryption of data in transit and at rest; strict per-user access controls; secure credential storage; abuse prevention systems to protect against unauthorized access; request validation and input sanitization; and regular security review and assessment processes.
We do not publicly disclose specific security implementation details, algorithms, thresholds, or configurations for security reasons. Detailed security specifications are maintained in our internal security documentation.
5.4 Data Retention Periods
We retain your data for the following periods:
Active account health data (glucose readings, medications, meals, profiles): retained for the lifetime of your account and deleted within thirty (30) days of account deletion.
AI chat messages and session history: retained for the lifetime of your account and deleted within thirty (30) days of account deletion.
Consent records: retained for seven (7) years after the date of consent, as required by applicable law, even after account deletion.
Error and crash logs: automatically purged after ninety (90) days.
Usage analytics (anonymized): retained indefinitely in aggregated, non-identifiable form.
Backup data: rotated on a thirty (30) day cycle; backups containing deleted user data are overwritten within this cycle.
AI provider retention: our third-party AI processing provider may retain submitted request data for up to thirty (30) days for abuse monitoring purposes, after which it is permanently deleted. That provider does not use submitted API data for public model training.
5.5 Data Minimization
In accordance with the data minimization principle (GDPR Art. 5(1)(c)), we collect and process only the personal data that is strictly necessary for each specific purpose. Optional fields are clearly marked, and the Service functions fully without requiring all data points. When transmitting health data to the AI provider, we send only the minimum context necessary for the requested analysis.
6. Data Sharing and Third-Party Processors
6.1 Data Processing Agreements
We maintain Data Processing Agreements (DPAs) with all third-party service providers that process personal data on our behalf, in accordance with GDPR Article 28. These agreements impose obligations on processors to implement appropriate security measures, process data only on our documented instructions, assist us in fulfilling data subject rights requests, notify us of data breaches without undue delay, and delete or return data upon termination of the agreement.
6.2 Third-Party Service Providers (Named Sub-Processors)
We disclose the specific sub-processors we engage so you can make an informed choice about consent (KVKK Art. 10 / GDPR Article 28 transparency requirement).
Supabase Inc. (United States): Cloud hosting, authentication, PostgreSQL database, Edge Functions, and Storage. Stores all cloud-synchronized user data including health records, account information, application settings, and uploaded meal/avatar images. Row Level Security restricts each row to its owning user. A Data Processing Agreement is in place. Standard Contractual Clauses cover EU/EEA -> US transfers.
OpenAI, L.L.C. (United States): AI inference for meal photo analysis, AI chat responses, and AI-driven health insights. Receives only the meal photo, chat message, and minimal health context the user explicitly submits. May retain submitted data for up to thirty (30) days for abuse monitoring before permanent deletion. A Data Processing Agreement is in place. Processing occurs in the United States; transfers are protected by Standard Contractual Clauses. AI features are gated by separate explicit consent (`ai_data_usage`).
RevenueCat, Inc. (United States): Subscription entitlement management and purchase verification. Receives the user identifier (UUID) and subscription status only. Does not receive any health data. A Data Processing Agreement is in place. Processing occurs in the United States.
Apple Inc. and Google LLC: Native sign-in (Sign in with Apple / Google), in-app payment processing (App Store / Play Billing), and push notification delivery (APNs / FCM). Each platform receives only the data necessary for the chosen feature, governed by their own privacy policies.
Expo (Expo Application Services, by 650 Industries, Inc., United States): Build and OTA update infrastructure for the application binary. Does not receive end-user health data; only build artefacts and crash diagnostics scrubbed of personally identifying information.
Public IP geolocation service: Used at consent capture time to record the public IP address for compliance evidence (where legally required). The IP is stored hashed and encrypted and is never transmitted to any other sub-processor.
This list is current as of the Last Updated date above. Any new sub-processor will be reflected here, and a version bump triggers a renewed consent prompt the next time you open the app.
6.3 Legal Disclosures
We may disclose your personal data without your consent when required to do so by a valid court order, subpoena, or other compulsory legal process; when necessary to respond to a lawful request by a public authority, including law enforcement or national security agencies; when necessary to protect our legal rights, property, or safety, or the rights, property, or safety of others; or in emergency situations involving a threat to the life, health, or safety of any person.
6.4 Business Transfers
In the event of a merger, acquisition, reorganization, dissolution, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. In such an event, we will notify you via the application interface or email before your personal data is transferred and becomes subject to a different privacy policy. The acquiring entity will be bound by the data protection obligations contained in this Policy. You will have the opportunity to delete your account before any such transfer takes effect.
7. International Data Transfers
7.1 Transfer Mechanisms
When your personal data is transferred outside the European Economic Area (EEA) or the United Kingdom to countries that have not been recognized as providing an adequate level of data protection, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V (Articles 44-49). These safeguards include: Standard Contractual Clauses (SCCs) as approved by the European Commission (GDPR Art. 46(2)(c)); Data Processing Agreements incorporating supplementary measures where necessary; adequacy decisions by the European Commission for transfers to countries recognized as providing adequate protection; and assessment of the legal framework of the recipient country to ensure effective protection.
7.2 Specific International Transfers
The following international data transfers occur in the course of providing the Service:
AI processing data (meal photos, chat messages, health context) is transferred to our contracted AI processing provider in the United States. This transfer is protected by Standard Contractual Clauses and a Data Processing Agreement, and the data is processed solely for the purpose of providing AI features and is not retained beyond thirty (30) days.
Subscription management data (user ID and subscription status) may be transferred to our contracted subscription management provider in the United States. This transfer is protected by Standard Contractual Clauses and a Data Processing Agreement.
Cloud hosting and support data may be processed by our contracted infrastructure providers in regions necessary to deliver the Service. These transfers are protected by Standard Contractual Clauses and applicable processor agreements.
7.3 Your Right to Information
You have the right to request detailed information about the specific safeguards applied to any international transfer of your data by contacting support@glyvon.app. We will respond to such requests within thirty (30) days.
8. Your Privacy Rights
8.1 Universal Rights (All Users)
Regardless of your location, all users of the Service have the following rights: the right to access your personal data and receive a copy of the information we hold about you; the right to correct inaccurate or incomplete personal information; the right to request deletion of your personal data, subject to legal retention requirements; the right to export your health data in a portable format (CSV); the right to withdraw consent for any processing based on consent, at any time, without affecting the lawfulness of processing carried out before withdrawal; and the right to be informed about how your data is collected, used, and shared.
8.2 GDPR Rights (EU/EEA Residents)
Under the General Data Protection Regulation (Regulation (EU) 2016/679), EU and EEA residents are entitled to the following additional rights:
Right to be Informed (Articles 13, 14): You have the right to receive clear, transparent information about how your data is processed. This Policy serves as our primary means of fulfilling this obligation.
Right of Access (Article 15): You may request confirmation of whether we process your personal data and, if so, receive a copy of that data along with supplementary information about the processing.
Right to Rectification (Article 16): You may request correction of inaccurate personal data and completion of incomplete personal data.
Right to Erasure (Article 17): You may request deletion of your personal data when it is no longer necessary for the purpose for which it was collected, when you withdraw consent, when you object to processing and there are no overriding legitimate grounds, or when the data has been unlawfully processed.
Right to Restriction of Processing (Article 18): You may request that we restrict the processing of your data while the accuracy of the data is being verified, while we assess whether our legitimate interests override your rights, or when processing is unlawful but you prefer restriction over erasure.
Right to Data Portability (Article 20): You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
Right to Object (Article 21): You may object to processing based on legitimate interest. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects. We do not engage in such decision-making. Our AI features are informational only and do not produce decisions with legal or similarly significant effects. You have the right to obtain human intervention, express your point of view, and contest any decision.
Right to Lodge a Complaint (Article 77): You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.
Response Time: We will respond to all GDPR rights requests within thirty (30) days of receipt. Where requests are complex or numerous, this period may be extended by an additional sixty (60) days, in which case we will notify you of the extension and the reasons for it within the initial thirty (30) day period.
Contact: support@glyvon.app
8.3 California Rights (CCPA/CPRA)
California residents have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act, including: the right to know what categories and specific pieces of personal information are collected, used, disclosed, or sold in the preceding twelve (12) months; the right to delete personal information collected from you, subject to certain exceptions; the right to opt-out of the sale or sharing of personal information (we do not sell or share personal information); the right to non-discrimination for exercising your privacy rights; the right to correct inaccurate personal information; and the right to limit the use and disclosure of sensitive personal information.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.
Contact: support@glyvon.app
8.4 Exercising Your Rights
You may exercise your rights through the following channels:
In-App: Navigate to Settings, then Privacy, where you can access options to download your data, manage consents, and delete your account.
By Email: Send your request to support@glyvon.app. To protect your privacy, we may need to verify your identity before processing your request. Verification may require you to confirm your email address, provide account-identifying information, or respond to a verification email.
We do not charge a fee for processing your data rights requests, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request, providing reasons for such refusal.
9. Children's Privacy
The Service is not intended for, marketed to, or designed for use by children under the age of sixteen (16). We do not knowingly collect, solicit, or process personal data from children under sixteen (16). In jurisdictions where a higher minimum age applies for data processing consent, we comply with the applicable local minimum age.
If we become aware that we have collected personal data from a child under the applicable minimum age without verified parental consent, we will take immediate steps to delete such data from our systems within forty-eight (48) hours. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us immediately at support@glyvon.app and we will promptly investigate and, if confirmed, delete the data.
10. AI and Automated Processing
10.1 AI Features Overview
The Service includes optional AI-powered features that process personal data, including health data. These features require a separate, explicit consent for AI data processing, as described in our AI Data Usage Policy. AI features include food analysis (which processes meal photographs to estimate nutritional content), AI chat assistant (which processes messages and health context to provide informational responses), and health insights (which analyze glucose trends and meal patterns to identify informational patterns).
10.2 Automated Decision-Making (GDPR Article 22)
We do not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you, as described in GDPR Article 22(1). All AI features within the Service are advisory and informational in nature. AI outputs do not determine your access to the Service or any features, do not affect your legal rights or obligations, do not influence medical treatment decisions (which should always be made in consultation with a healthcare professional), and do not restrict, limit, or modify your use of the Service in any way. You always retain full control over whether to act on any AI-generated information.
10.3 Right to Human Intervention
Notwithstanding Section 10.2, in the event that any AI processing could be construed as having a significant effect on you, you have the right to: obtain human intervention by contacting us at support@glyvon.app; express your point of view regarding any AI-generated output; and contest any AI-generated result that you believe is inaccurate or inappropriate.
10.4 AI Data Handling
When your data is processed by AI features: only the minimum necessary data is shared with the AI provider (data minimization); data is transmitted securely using encrypted channels; the AI provider does not use your data for public model training; processed data is not permanently stored by the AI provider beyond a limited abuse monitoring period; and you may revoke AI consent at any time, which immediately stops all AI data processing.
For complete details about AI data processing, please refer to our AI Data Usage Policy (AI_DATA_USAGE.md).
11. Cookies, Tracking, and Analytics
11.1 Mobile Application
The Glyvon Health mobile application does not use cookies, third-party tracking pixels, advertising identifiers, cross-app tracking technologies, or fingerprinting techniques.
11.2 Analytics
We collect minimal, anonymized analytics data for the purpose of crash reporting and stability monitoring, performance measurement and optimization, and aggregated feature usage analysis. This analytics data does not contain personally identifiable information and cannot be linked to individual users.
11.3 Web Version
The web version of the Service uses only strictly necessary session cookies for authentication and session management. No third-party analytics cookies, advertising cookies, or tracking cookies are used. Session cookies are automatically deleted when you close your browser or when your session expires.
12. Data Breach Notification
12.1 Our Obligations
In the event of a personal data breach, we will comply with our notification obligations under GDPR Article 33 (notification to the supervisory authority within seventy-two (72) hours of becoming aware of the breach) and GDPR Article 34 (notification to affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms).
12.2 What We Will Communicate
In the event of a breach affecting your data, we will provide you with: a description of the nature of the breach, including the categories and approximate number of individuals and data records concerned; the name and contact details of our data protection officer or other contact point; a description of the likely consequences of the breach; a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects; and recommendations for steps you can take to protect yourself.
12.3 Breach Notification Channels
We will notify affected individuals through in-app notifications, email (where available), and public announcements on our website where the breach is likely to affect a large number of users.
13. Data Protection Impact Assessment
Pursuant to GDPR Article 35, we have conducted and maintain a Data Protection Impact Assessment (DPIA) for the Service. This assessment was undertaken because the Service processes special category health data on a large scale, utilizes AI-powered automated processing of health data, involves international data transfers to AI processors, and processes data of potentially vulnerable individuals (persons managing chronic health conditions). The DPIA is reviewed and updated at least annually, or whenever we make material changes to how we process personal data. The DPIA and its findings are available for review by supervisory authorities upon request.
14. Changes to This Policy
14.1 Notification of Changes
We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes to this Policy, we will provide you with conspicuous notice through the application interface and/or by email to the address associated with your account. Minor, non-material changes will be reflected in the "Last Updated" date at the top of this document.
14.2 Consent to Changes
Where changes to this Policy affect the processing of your data in a materially different way or require additional consent under applicable law, we will seek your renewed consent before implementing those changes. Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes, to the extent permitted by applicable law.
14.3 Version History
Version 3.3 (April 2026): Reduced public exposure of vendor, model, and infrastructure details while preserving disclosure of processing categories, retention periods, and user rights.
Version 3.2 (March 2026): Clarified first-use AI consent flow, added public policy URL, and expanded disclosure that AI requests are processed by a third-party AI provider in the United States with up to thirty (30) days of abuse-monitoring retention.
Version 3.1 (February 2026): Updated contact email to support@glyvon.app, corrected company name to MevaTech Software LLC, added automated data retention enforcement (scheduled cleanup of soft-deleted records after 30 days, consent archives after 7 years).
Version 3.0 (February 2026): Comprehensive rewrite with expanded legal references, detailed GDPR article citations, EU AI Act compliance, enhanced international transfer documentation, DPIA disclosure, and updated security/AI processing sections.
Version 1.0 (November 2024): Initial release.
15. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices:
Email: support@glyvon.app
Phone: +1 (307) 670-7149 (SMS only)
Mailing Address: Glyvon Health (MevaTech Software LLC), 30 N Gould St Ste R, Sheridan, WY 82801, USA
If you are not satisfied with our response to your privacy inquiry or data rights request, you have the right to lodge a complaint with your local supervisory authority. EU/EEA residents may contact their national Data Protection Authority.