Svas

    Privacy Policy

    Effective May 16, 2026 · Last updated May 16, 2026

    Short version: Svas stores your family's health data so you can use it. We don't sell it, we don't train AI on it, and we don't share it with insurance companies or marketers. You can export everything or delete your account anytime — we honor it within 30 days.

    On this page
    1. Who we are
    2. Data we collect
    3. How we use your data
    4. Third parties we work with
    5. Health Connect specifics
    6. Children's data
    7. Security
    8. Retention & deletion
    9. Your rights
    10. International transfers
    11. Cookies & web tracking
    12. Changes to this policy
    13. Contact

    1. Who we are

    Svas (the "app," "we," "us") is operated by the Svas team, based in India. We can be reached at privacy@svas.app or through the contact form on this site. This policy explains what data we collect from people who use the Svas mobile app or this website, and what we do with it.

    2. Data we collect

    2.1 Account data

    When you sign up, we collect:

    • Email address — used to log you in, send transactional emails (password resets, invoices), and contact you about your account.
    • Name — shown to other family members you invite.
    • Password hash — we never store your raw password. Passwords are salted and hashed using bcrypt before being written to disk.
    • Preferred language and timezone — so notifications show up in your language at sensible local times.
    • Push notification token — issued by Firebase Cloud Messaging when you install the app, used to deliver push notifications to your device.
    • Quiet hours window — if you set one, we store the start/end time and your IANA timezone.

    2.2 Family and member data

    For each family member you add (yourself, parents, kids, etc.), we store the information you choose to enter:

    • Name, date of birth, gender, blood group, height, weight
    • Allergies, chronic conditions, current medications and dosages
    • Vaccination history
    • Emergency contact details and notes
    • Vital readings — heart rate, blood pressure, SpO2, body temperature, blood glucose — with the time and source (manual entry, Google Fit, Samsung Health, Fitbit, etc.)
    • Uploaded reports, prescriptions, and lab results (images or PDFs)
    • Text and structured fields extracted from those reports via OCR
    • Daily check-in logs (meals, mood, symptoms) if you enable check-ins
    • Medication reminder schedules

    This is the core of what Svas does — without this data the app doesn't work for you.

    2.3 Health Connect data (Android only)

    If you connect Svas to Health Connect, we read the data types you explicitly grant permission for. As of today, we read: heart rate, blood pressure, oxygen saturation, body temperature, and blood glucose. We pull readings from the last 30 days on first sync, and only new readings on each subsequent sync. We do not write data back into Health Connect, and we do not read any data type you have not granted permission for. You can revoke our access at any time in the Health Connect system app on your phone.

    2.4 Doctor share links and emergency cards

    When you generate a share link to send to a doctor, or an emergency card to attach to your phone's lock screen, we create a time-limited URL that grants read-only access to the data you select. We log when these URLs are accessed (timestamp + approximate region from IP) so we can show you who viewed your share — and so we can notify you if someone opens your emergency card.

    2.5 Operational and technical data

    Like any web service, our servers log basic technical information for every request:

    • IP address (kept for 30 days, used for abuse prevention and security investigations)
    • App version and device type (so we can debug crashes you report)
    • Crash reports (only if you grant the system permission)

    We do not run third-party analytics SDKs (no Google Analytics, no Facebook Pixel, no Mixpanel) in the mobile app or on this website.

    2.6 Payment data

    If you upgrade to Svas Plus, payments are handled by our payment processor. We receive only enough information to confirm your subscription tier (e.g. "active," "canceled") and the last four digits of your card for your records. We never see your full card number or CVV.

    3. How we use your data

    We use the data described above to:

    • Operate the core features of Svas — show you your family's vitals, render charts, OCR your reports, fire reminders, deliver push notifications
    • Authenticate you and protect your account
    • Send transactional emails (password resets, billing receipts, important account notifications)
    • Provide customer support when you contact us
    • Detect and prevent abuse, fraud, and security incidents
    • Improve Svas — for example, fixing bugs you report, or adding new vital types people ask for. We use aggregated, non-identifying signals for this. We do not read individual users' health data for product development.
    • Comply with our legal obligations

    What we will never do: sell your data, share it with advertisers or insurance companies, train machine-learning models on it, or use it for any purpose unrelated to operating Svas for you.

    4. Third parties we work with

    Svas relies on a small number of carefully chosen vendors to actually run. Each has its own privacy policy, and each receives only the data it needs to do its job:

    • Supabase (managed Postgres in the EU/US) — stores your account, members, vitals, and metadata about reports.
    • Backblaze B2 (object storage) — stores the actual report images and PDFs you upload. Files are encrypted at rest and accessed only via short-lived signed URLs.
    • DigitalOcean — hosts our API server.
    • Firebase Cloud Messaging (Google) — delivers push notifications. Receives only your device's push token, a notification title/body, and an optional image URL.
    • Expo Push — routes pushes between our server and FCM. Receives the same fields as above.
    • Groq / OpenAI — extracts structured data from medical reports you upload. Only the OCR-extracted text is sent for parsing. These vendors do not retain the data after the request completes, and contractually cannot use it to train their models.
    • Resend (transactional email) — delivers password resets and account emails. Receives your email address and the message body.
    • Razorpay / Stripe (whichever your country uses) — handles payments for Svas Plus.

    5. Health Connect specifics (required disclosure)

    As required by Google's Health Connect policy, we disclose the following:

    • Data we read: heart rate, blood pressure (systolic), oxygen saturation, body temperature, blood glucose.
    • Why: to populate the family member's vital charts inside Svas without you having to type readings manually.
    • Where it's sent: our own backend at api.svas.app, encrypted in transit (HTTPS/TLS 1.3) and at rest (Supabase managed Postgres). No other party sees your Health Connect data.
    • Retention: readings stay in your Svas account until you delete the member or your account. See section 8.
    • Sharing: the only people who see Health Connect readings are users you have explicitly invited to your family. We never share with advertisers, insurers, or anyone else.
    • Revoking access: open the Health Connect app on your phone → App permissions → Svas → revoke. Future syncs will silently no-op.

    6. Children's data

    Svas is designed to let parents and guardians track their children's health. If you add a child as a family member, you do so as their parent or legal guardian and you consent on their behalf. We do not knowingly allow anyone under 13 to create their own Svas account. If you believe a child has signed up for an account, please contact us at privacy@svas.app and we will delete the account promptly.

    7. Security

    We take security seriously. The protections we have in place include:

    • All traffic between your device and our servers is encrypted using TLS 1.3.
    • All databases and object storage encrypt data at rest.
    • Passwords are hashed using bcrypt — we cannot read your password ourselves.
    • Authentication uses signed JSON Web Tokens with short expiry times.
    • Database access is strictly limited; production access requires SSH key + 2FA.
    • We regularly update our dependencies to pick up security patches.

    That said, no system is 100% secure. If you suspect your account has been compromised, please email security@svas.app immediately and change your password from the Account settings screen.

    8. Retention & deletion

    We keep your data as long as your account is active. When you delete your account (see Account Deletion for the full process):

    • Your account, family members, vitals, reports, and reminders are deleted from our active databases within 30 days.
    • Encrypted backup snapshots that include your data may be retained for up to 90 days, after which they roll off automatically and are unrecoverable.
    • Some records may be retained longer if we are legally required to (for example, payment receipts for tax compliance — minimum 7 years in India).
    • Anonymized, aggregated usage statistics (e.g. "X users opened the app this month") may persist indefinitely — these cannot be linked back to you.

    9. Your rights

    Regardless of where you live, you have the right to:

    • Access your data — you can see everything Svas has stored about you inside the app.
    • Correct inaccurate data — edit any value directly in the app.
    • Export your data — request a JSON export by emailing privacy@svas.app; we'll send it within 14 days.
    • Delete your data — Settings → Sign out → "Delete my account," or email us.
    • Withdraw consent for any specific data type — for example, revoking Health Connect access stops new readings from being pulled.

    If you are in the EU/UK, you additionally have rights under GDPR including the right to object to processing and the right to lodge a complaint with your local data protection authority. Our lawful basis for processing health data is your explicit consent (which you gave when you created the account).

    10. International transfers

    Svas is operated from India, but some of our vendors (Supabase, Backblaze, Firebase, Resend, OpenAI) operate servers in the United States and the European Union. By using Svas, you understand that your data may be transferred to and processed in those countries. All transfers are protected by TLS in transit and by contractual safeguards (Standard Contractual Clauses with EU vendors).

    11. Cookies & web tracking

    This website (svas.app) uses no cookies, no analytics, and no third-party trackers. We don't need them to show you a privacy policy.

    The Svas mobile app stores small amounts of data locally on your device (your login token, your preferences, the last-synced Health Connect timestamp). None of this is shared with anyone.

    12. Changes to this policy

    We may update this policy when we ship new features or work with new vendors. If we make a material change, we'll notify you in the app and by email at least 14 days before it takes effect. The "Last updated" date at the top of this page always reflects the current version.

    13. Contact us

    For any privacy question, request, or complaint:

    • Email: privacy@svas.app
    • General contact: hello@svas.app
    • Security disclosures: security@svas.app

    We respond to all privacy requests within 14 days.

    © 2026 Svas. All rights reserved. Made for families.