Imprint
Accountable Entity (Controller):
CardivAI GmbH
Am Euro Platz 2, Gebäude G
A-1120 Vienna, Austria
Email:
office@cardivai.com
Website:
cardivai.com
Legal Form:
Limited Liability Company (GmbH)
Commercial Register Number:
FN 451769t
VAT ID:
ATU 71002719
Commercial Register Court:
Vienna, Austria
Jurisdiction:
District Court (Bezirksgericht) for the 12th District of Vienna
Data Privacy
This Data Privacy notice explains how CardivAI GmbH (“we”, “us”) processes personal data in connection with heartcheckapp (the “Service”). It aligns with our Terms and Conditions and applies to visitors and users within the EU and outside the EU.
1. Roles and Contact
- Controller (GDPR): CardivAI GmbH, Am Euro Platz 2, Gebäude G, A-1120 Vienna, Austria.
- Contact for privacy requests: office@cardivai.com or support@heartcheckapp.com.
- Scope: Websites, chat Service, payment, and email delivery of wellness reports.
2. Categories of Data We Process
- Account and contact data: name, email, authentication identifiers (Amazon Cognito user IDs).
- Chat interaction data: messages you enter, language preference, uploaded documents.
- Derived wellness report data: summaries generated from your inputs.
- Technical data: device type, browser, OS, referrer, timestamps, anonymized IP, HTTP status, pages visited (including via CDN/CloudFront access logs).
- Payment metadata: limited payment details processed by Stripe (we do not store full card numbers).
- Cookie/consent data: preferences recorded via CookieYes.
3. PII / PHI Handling and AI Use
- We separate and compartmentalize identifying data (Personally Identifiable Information, PII, and Protected Health Information identifiers, PHI) from the medical content of your inputs, so that identifiers and health data are stored and processed apart where feasible (privacy-by-design).
- We use Amazon Comprehend Medical (a HIPAA-eligible service) to detect PHI entities in uploaded documents so they can be redacted or de-identified before further processing.
- The AI model (Anthropic Claude Sonnet 4.5) powers chat and wellness report generation. AI outputs can contain errors or omissions and are not clinical advice.
4. Purposes and Legal Bases (GDPR)
- Provide the Service (chat, report generation, email delivery): Art. 6(1)(b) GDPR (contract) and, where relevant, Art. 9(2)(a) (explicit consent) for health-related data you choose to share.
- Consent-based features (analytics cookies, preference storage): Art. 6(1)(a) GDPR.
- Security, integrity, fraud prevention, logs: Art. 6(1)(f) GDPR (legitimate interests).
- Compliance (tax, accounting, requests from authorities): Art. 6(1)(c) GDPR (legal obligation).
5. Data Retention
- CDN / access logs: typically up to 14 days unless needed longer for security or investigations.
- Account and chat/report data: retained while your account is active; deleted or anonymized upon valid request or after applicable statutory periods.
- Payment records: retained per tax/accounting laws.
6. Recipients and Processors
We use carefully selected processors bound by data processing agreements:
- Amazon Web Services (AWS): hosting, storage, Comprehend Medical, security services.
- Anthropic: AI model processing for wellness/education outputs.
- Stripe: payment processing (we do not store full card data).
- CookieYes Limited: consent management platform.
- Google LLC (GA4): analytics with IP anonymization (see Cookies & Analytics below).
7. International Transfers
- Where data is transferred outside the EEA/UK, we use Standard Contractual Clauses (SCCs) and additional safeguards as needed.
- Some services may process data in the U.S. or other jurisdictions per their infrastructure and legal requirements.
8. Your Rights (GDPR)
Subject to conditions and exceptions in law, you can:
- Access, rectify, or erase your personal data.
- Restrict or object to processing; exercise data portability.
- Withdraw consent at any time (does not affect prior lawful processing).
- Lodge a complaint with a supervisory authority (e.g., Österreichische Datenschutzbehörde in Austria).
To exercise rights, contact: office@cardivai.com or support@heartcheckapp.com.
9. Security
- Encryption in transit and at rest for applicable data stores.
- Logical separation of PII/PHI and medical content where feasible.
- Access controls, audit logging, and least-privilege IAM practices.
10. Cookies & Analytics
10.1 CookieYes Consent Management
We use CookieYes to record and honor your consent preferences. Only categories you allow are activated (except strictly necessary cookies).
- Consent cookie: cookieyes-consent (typically 1 year); stores your consent preferences only, no personal content.
- Legal basis: Art. 6(1)(a) GDPR for non-essential cookies; Art. 6(1)(f) GDPR for strictly necessary cookies (legitimate interest in running the site).
10.2 Google Analytics 4 (GA4) with IP Anonymization
We use GA4 with IP anonymization, so IP addresses are truncated before storage (in GA4 this behaviour is built in and cannot be switched off). In rare cases, the full IP may be briefly routed to U.S. servers for truncation.
- Recipient: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
- Legal basis: your consent (Art. 6(1)(a) GDPR). You can withdraw consent via the CookieYes banner at any time.
- Data shared: anonymized IP, URLs, device/browser info, and aggregate usage metrics.
10.3 Necessary Cookies
These enable core site functions (e.g., secure login, load balancing). They do not store personal content.
11. Website / CDN Logs
- On access, our CDN may collect: browser type/version, OS, ISP, anonymized IP, timestamps (incl. GMT offset), referrer/next URL, data volume, and HTTP status codes.
- Purpose: deliver content, ensure security, detect abuse, and improve reliability.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interests).
- Retention: typically up to 14 days unless needed for security/incident review.
12. Children’s Privacy
The Service is intended for adults (18+). Do not use the Service if you are under 18.
13. Links and References
- Terms and Conditions (includes additional privacy and liability disclosures).
- Support: support@heartcheckapp.com
14. Updates to this Notice
We may update this page to reflect changes in laws or our practices. Material changes will be highlighted. Please review periodically.