Imprint & Data Privacy

Imprint

Accountable Entity (Controller)

CardivAI GmbH

Am Euro Platz 2, Gebäude G

A-1120 Vienna, Austria


Legal Form

Limited Liability Company (GmbH)

Commercial Register Number

FN 451769t

VAT ID

ATU 71002719

Commercial Register Court

Vienna, Austria

Jurisdiction

District offices of the 12th District of Vienna

Data Privacy

This notice explains how CardivAI GmbH (“we”, “us”) processes personal data in connection with heartcheckapp (the “Service”). It should be read together with our Terms and Conditions.

1) Roles and Contact

  • Controller (GDPR): CardivAI GmbH, Am Euro Platz 2, Gebäude G, A-1120 Vienna, Austria.
  • Privacy contact: office@cardivai.com or support@heartcheckapp.com.
  • Scope: heartcheckapp web/mobile service, payment status verification, report delivery, and CardivAI website communications.

2) Categories of Data We Process

  • Account/contact: email address; authentication identifiers (account/user ID).
  • Health-related inputs (optional): health information you choose to enter in chat and/or upload as documents/images.
  • User content: chat messages and uploaded documents/images (if you choose to upload).
  • Generated outputs: wellness/education summaries derived from your inputs.
  • Technical/security data (service): timestamps, request metadata, error and security logs needed to operate and protect the service.
  • Payment status metadata: confirmation that payment succeeded (we do not store full card numbers).
  • Consent/cookie data (CardivAI website): preferences recorded via CookieYes (consent management).
  • Website analytics (CardivAI website only, consent-based): if you consent, limited analytics data may be collected via Google Tag Manager tags to understand aggregate usage of the CardivAI website.

3) PII / Health Data Handling and AI Use

  • We apply privacy-by-design to reduce exposure of PII (personally identifiable information) and health-related information where feasible, including separation of account identifiers and health-related content.
  • We use cloud infrastructure and AI tooling to generate educational wellness summaries. AI outputs can be incomplete or incorrect and are not clinical advice.

4) Purposes and Legal Bases (GDPR)

  • Provide heartcheckapp (chat, report generation, delivery, account support): Art. 6(1)(b) GDPR (contract).
  • Security and abuse prevention: Art. 6(1)(f) GDPR (legitimate interests).
  • Legal obligations (tax/accounting, lawful requests): Art. 6(1)(c) GDPR.
  • Health-related data you choose to share: may require Art. 9(2)(a) GDPR (explicit consent), depending on the content and applicable law.
  • CardivAI website analytics (via consent banner): Art. 6(1)(a) GDPR (consent).

5) Retention

  • Uploaded documents (temporary storage): deleted automatically after approximately 24 hours, except where needed transiently for processing.
  • Wellness reports: retained to deliver the service; reports are generated to minimize direct identifiers where feasible.
  • Account data: retained while your account is active; deleted or anonymized upon valid request, subject to legal obligations.
  • Security logs: retained for a limited period needed for security and troubleshooting.
  • CardivAI website analytics/cookie preferences: retained according to CookieYes settings and your consent choices.
  • Payment records: retained per statutory tax/accounting requirements (typically handled by payment providers; we store only limited status metadata as needed).

6) Recipients / Processors

We use selected processors under appropriate agreements:

  • AWS: hosting, storage, security, and related infrastructure services.
  • Stripe: payment processing and payment status confirmation.
  • CookieYes: consent management (CardivAI website).
  • Google Tag Manager (CardivAI website only, consent-based): tag management for measuring aggregate website usage. Tags fire based on your CookieYes consent choices.

Important: heartcheckapp (the web/mobile app experience) does not use advertising SDKs and does not track users across apps or websites for advertising. CardivAI’s corporate website may use consent-based analytics (via GTM) to understand aggregate site usage.

7) International Transfers

  • We operate region-specific environments where applicable and apply appropriate safeguards for any transfers outside the EEA/UK (e.g., SCCs) where required.

8) Your Rights (GDPR)

  • Access, rectification, erasure.
  • Restriction, objection, and data portability (where applicable).
  • Withdraw consent at any time (does not affect prior lawful processing).
  • Complain to a supervisory authority (e.g., Austrian Data Protection Authority).

Requests: office@cardivai.com or support@heartcheckapp.com.

9) Cookies & Website Analytics

CookieYes (Consent Management)

We use CookieYes to record and honor your consent preferences on our websites. Non-essential cookies are only set after consent.

Google Tag Manager (CardivAI Website Only)

CardivAI’s corporate website may use Google Tag Manager to run consent-based measurement tags (for example, aggregate usage analytics). These tags are intended to help us improve the CardivAI website experience and content.

No tracking or advertising in the app: heartcheckapp does not use advertising SDKs and does not track users across apps or websites for advertising or advertising measurement.

10) Security

  • Encryption in transit and at rest where applicable.
  • Access controls and least-privilege practices.
  • Audit logging and monitoring to detect misuse.

11) Children’s Privacy

The Service is intended for adults (18+).

12) Updates

We may update this page to reflect changes in law or our practices. Material updates will be highlighted here.