Imprint & Data Privacy

Imprint

Accountable Entity (Controller)

CardivAI GmbH

Am Euro Platz 2, Gebäude G

A-1120 Vienna, Austria


Legal Form

Limited Liability Company (GmbH)

Commercial Register Number

FN 451769t

VAT ID

ATU 71002719

Commercial Register Court

Vienna, Austria

Jurisdiction

District offices of the 12th District of Vienna

Data Privacy

This notice explains how CardivAI GmbH (“we”, “us”) processes personal data in connection with heartcheckapp (the “Service”). It should be read together with our Terms and Conditions.

1) Roles and Contact

2) Categories of Data We Process

  • Account/contact: email, authentication identifiers (e.g., login IDs).
  • Service content: chat messages you enter, language preference, uploaded documents (if you choose to upload).
  • Generated outputs: wellness/education summaries derived from your inputs.
  • Technical data: device/browser info, referrer, timestamps, anonymized IP, HTTP status, pages visited (incl. CDN logs).
  • Payment metadata: payment status and limited metadata processed by Stripe (we do not store full card numbers).
  • Consent/cookie data: preferences recorded via CookieYes.

3) PII / PHI Handling and AI Use

  • We apply privacy-by-design to reduce exposure of PII (personally identifiable information) and PHI (health-related information) where feasible.
  • We use AWS services and AI tooling to support wellness/education outputs. AI outputs can be incomplete or incorrect and are not clinical advice.

4) Purposes and Legal Bases (GDPR)

  • Provide the Service (chat, report generation, email delivery): Art. 6(1)(b) GDPR (contract).
  • Consent-based features (analytics cookies, preferences): Art. 6(1)(a) GDPR (consent).
  • Security and abuse prevention: Art. 6(1)(f) GDPR (legitimate interests).
  • Legal obligations (tax/accounting, lawful requests): Art. 6(1)(c) GDPR.
  • Health-related data you choose to share: may require Art. 9(2)(a) GDPR (explicit consent), depending on the content.

5) Retention

  • CDN/access logs: typically up to 14 days unless needed longer for security investigations.
  • Account and service content: retained while your account is active; deleted or anonymized upon valid request, subject to legal obligations.
  • Payment records: retained per statutory tax/accounting requirements.

6) Recipients / Processors

We use selected processors under appropriate agreements:

  • AWS: hosting, storage, security, and related infrastructure services.
  • Stripe: payment processing.
  • CookieYes: consent management.
  • Google (if you consent): analytics for understanding aggregate usage.

7) International Transfers

  • Where data is transferred outside the EEA/UK, we use appropriate safeguards (e.g., SCCs) and additional measures where required.
  • Some providers may process data in other jurisdictions depending on their infrastructure.

8) Your Rights (GDPR)

  • Access, rectification, erasure.
  • Restriction, objection, and data portability (where applicable).
  • Withdraw consent at any time (does not affect prior lawful processing).
  • Complain to a supervisory authority (e.g., Austrian Data Protection Authority).

Requests: office@cardivai.com or support@heartcheckapp.com.

9) Cookies & Analytics

CookieYes

We use CookieYes to record and honor your consent preferences. Non-essential cookies are only set after consent.

Google Analytics (GA4) (Consent-based)

If you consent, GA4 helps us understand aggregate usage. You can withdraw consent at any time via the CookieYes banner.

10) Security

  • Encryption in transit and at rest where applicable.
  • Access controls and least-privilege practices.
  • Audit logging and monitoring to detect misuse.

11) Children’s Privacy

The Service is intended for adults (18+).

12) Updates

We may update this page to reflect changes in law or our practices. Material updates will be highlighted here.
