Sorevia

← Back to App

Privacy Policy

Last updated: March 23, 2026  |  Effective: March 23, 2026

1. Who We Are

Data Controller: NexusFleet, operated by CarlosFilipe.net
App name: Sorevia - PCOS & Hormone Health Tracker
Website: sorevia.health
Privacy contact: privacy@carlosfilipe.net

Sorevia is a specialised health tracking application designed for individuals managing PCOS (Polycystic Ovary Syndrome) and related hormone health conditions. We are the data controller for all personal data collected through this app.

Medical Disclaimer: Sorevia is not a medical device, is not registered as a medical device, and does not provide medical advice, diagnosis, or treatment. All content and AI-generated insights are for informational and self-tracking purposes only. Always consult a qualified physician or healthcare provider before making health decisions. Do not disregard professional medical advice based on information provided by this app.

2. Information We Collect

Sorevia collects the following categories of personal and sensitive personal data that you provide directly or generate through your use of the app:

Account data:

• Email address and bcrypt-hashed password (we never store plain text passwords)
• Account creation date, subscription tier, and subscription status

Meal and nutrition data:

• Meal names, food items, portion sizes, calorie counts
• Macronutrient breakdowns (carbohydrates, protein, fat, fibre)
• Glycaemic index (GI) scores and glycaemic load values you log
• Meal timestamps and daily nutritional totals

Workout and exercise data:

• Exercise types, duration, intensity levels, estimated calories burned
• Workout dates and personal notes

Menstrual cycle and reproductive health data:

• Menstrual period start and end dates
• Symptom logs (e.g., cramping, bloating, headaches, mood changes, acne, hair loss, fatigue)
• Flow intensity ratings
• Cycle length predictions and pattern analysis
• Ovulation tracking data if used

Medication and supplement data:

• Medication names and dosages
• Medication schedules and adherence logs (taken / skipped / late)
• Supplement names and dosages

Sleep data:

• Sleep start and end times, total sleep duration
• Sleep quality ratings and any notes you add

Lab results and health metrics:

• Lab test names (e.g., testosterone, LH, FSH, AMH, thyroid panel, insulin, HbA1c, fasting glucose)
• Test result values and reference ranges you enter
• Test dates and lab notes
• Body weight, BMI, waist measurements
• Insulin resistance scores and metabolic health metrics you log

AI-generated insights:

• Personalised health insights and pattern analyses generated by Anthropic's Claude AI based on your tracked data
• Timestamps and the data inputs used to generate each insight

Payment data (premium users):

• Subscription tier and billing status — payment card details are handled exclusively by Stripe and never stored on our servers

Authentication session data:

• Session tokens used to maintain your authenticated session

3. Special Category Health Data — Enhanced Protections

Under GDPR Article 9, health data, menstrual cycle data, and medication data are classified as "special category" sensitive personal data requiring heightened protection. Sorevia processes this data on the basis of your explicit consent (Art. 9(2)(a)). We apply the following enhanced protections to all sensitive health data:

• Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2 or higher
• Encryption at rest: All health data is stored in a PostgreSQL database with filesystem encryption on a dedicated EU server
• Access controls: Health data is accessible only to your authenticated account session; no Sorevia staff member has routine access to individual user health records
• No sharing with insurers: We will never share your health data with insurance companies under any circumstances
• No sharing with employers: We will never share your health data with current or potential employers
• No advertising use: Your health data is never used for targeted advertising or shared with advertising networks
• No data brokering: We do not sell, license, or transfer your health data to data brokers or aggregators
• Breach notification: In the event of a breach affecting your health data, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR Art. 33-34

4. How We Use Your Information

• To power all Sorevia tracking features: meal logging, workout tracking, cycle monitoring, medication adherence, sleep logging, lab result storage, and health metrics
• To generate AI-powered personalised insights by sending your tracked health data to Anthropic's Claude API for analysis and pattern recognition
• To display your data in charts, trends, and summaries within the app dashboard
• To send account-related transactional emails via Brevo (verification, password resets, subscription receipts)
• To process premium subscription payments via Stripe
• To maintain session authentication so you stay securely logged in
• To generate your full data export when you request it at /user/export
• To permanently delete your account and all associated data when requested at /user/account
• To comply with applicable law and respond to valid legal requests

We do not use your health data to train AI models, conduct third-party research, or for any purpose other than providing you with the Sorevia service as described above.

5. Legal Basis for Processing (GDPR Articles 6 & 9)

For users in the European Union, we process your personal and special category data on the following legal bases:

• Explicit consent for health data (Art. 9(2)(a)): You provide explicit consent to our processing of your menstrual cycle data, medications, lab results, and all other health information when you create your account and begin tracking. You may withdraw this consent at any time, which will result in account and data deletion.
• Contract performance (Art. 6(1)(b)): Processing your account credentials and subscription status is necessary to deliver the Sorevia service you signed up for
• Consent for AI processing (Art. 6(1)(a) + Art. 9(2)(a)): Sending your health data to Anthropic's Claude AI for insight generation requires your explicit consent. You may opt out of AI insights in settings at any time without losing access to other Sorevia features.
• Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and anonymised service improvement
• Legal obligation (Art. 6(1)(c)): Retaining payment and compliance records as required by applicable financial law

6. Third-Party Services

We share limited data with the following service providers. We do not sell your data and we do not share health data with any third party except Anthropic for AI insight generation (with your explicit consent).

• Anthropic (Claude AI) — When you use the AI health insights feature, relevant portions of your tracked health data (meals, cycle data, symptoms, medications, sleep logs, lab results) are sent to Anthropic's Claude API to generate personalised analysis. Anthropic processes this data per their own API privacy policy. You may opt out of AI insights at any time in your account settings — no other Sorevia features require your data to be sent to Anthropic.
  Privacy policy: anthropic.com/privacy
• Brevo (Sendinblue) — We use Brevo to deliver transactional emails: account verification, password resets, and subscription notifications. Only your email address is shared with Brevo. No health data is ever transmitted to Brevo.
  Privacy policy: brevo.com/legal/privacypolicy
• Stripe — Premium subscription payments are processed by Stripe. We share your email address and subscription status with Stripe. We never receive or store your full card number, CVV, or billing address. No health data is shared with Stripe.
  Privacy policy: stripe.com/privacy
• Let's Encrypt — SSL/TLS certificates that encrypt all data in transit. No personal data is shared with Let's Encrypt.
  Privacy policy: letsencrypt.org/privacy
• Google Fonts — The Inter typeface is loaded from Google Fonts CDN, which may log your IP address. No personal data or health data is shared with Google.
  Privacy policy: policies.google.com/privacy

We do not use advertising networks, tracking pixels, social media trackers, or behavioural analytics services. We do not share your health data with insurers, employers, pharmaceutical companies, or data brokers — ever.

7. AI and Automated Processing

Sorevia's AI health insights are generated by Anthropic's Claude. Here is a precise description of how this works:

• When you request a health insight, or when the app generates a periodic insight, relevant data from your Sorevia profile is packaged into a structured prompt — drawing from your meal logs, cycle records, symptoms, medications, lab results, and sleep data as applicable
• This prompt is transmitted over an encrypted HTTPS connection to Anthropic's Claude API
• Claude analyses the data and returns a personalised narrative identifying patterns, potential correlations, and general wellness observations relevant to PCOS and hormone health
• The insight text is stored in your Sorevia account alongside a reference to the data inputs used
• Anthropic processes your health data per their API privacy policy — this data is transmitted to and processed by Anthropic's infrastructure

Critical AI limitations and disclosures:

• AI-generated insights are informational only — they are not medical diagnoses, medical advice, or clinical assessments
• AI insights may contain errors, omissions, or inaccuracies — always verify important health information with a qualified healthcare professional
• No automated decision-making with legal or clinically significant effects is performed solely by AI within Sorevia
• You may disable AI insights entirely in your account settings — all other Sorevia tracking features will continue to function without AI processing
• You may request deletion of all stored AI insight records as part of a full data deletion request

8. Data Security

Given the highly sensitive nature of the health data we hold, we apply robust, layered security measures:

• Encryption in transit: TLS 1.2 or higher for all data transmitted between your device and our servers
• Encryption at rest: PostgreSQL database with filesystem-level encryption on a dedicated Hetzner server in Helsinki, Finland, EU
• Password hashing: bcrypt with cost factor 12 — plain text passwords are never stored, transmitted, or logged
• Session management: Signed, expiring session tokens; sessions are fully invalidated on logout
• Access controls: Health data API responses are scoped to the authenticated user's own session only
• Network security: Firewall rules, fail2ban intrusion prevention, WireGuard VPN for all administrative server access, and regular independent security audits
• Minimal data exposure: API endpoints return only the fields required for display — no bulk export endpoints are exposed through the public API

9. Data Retention

• Active account health data: All tracked data (meals, cycles, workouts, medications, sleep, lab results, AI insights) is retained for the duration your account is active
• Account deletion: Upon account deletion request via /user/account or by email, all personal data including every health record, AI insight, and account credential is permanently deleted from our databases within 30 days. This deletion is complete and irreversible.
• AI insight data: Retained as part of your account data while active; permanently deleted with your account. Anthropic's own retention of API request data is governed by their privacy policy.
• Payment records: Stripe transaction records are retained for 7 years to satisfy financial compliance requirements. No health data is included in payment records.
• Security logs: Authentication and security event logs are retained for 90 days, then permanently purged.

10. Your Rights (GDPR)

As a user whose sensitive health data we process, you have robust rights under GDPR:

• Right of access (Art. 15): Request a complete copy of all personal and health data we hold about you
• Right to rectification (Art. 16): Correct inaccurate data — most data is editable directly within the Sorevia app
• Right to erasure (Art. 17): Delete your account and all associated health data permanently via /user/account in the app, or by emailing us. Deletion is complete and irreversible.
• Right to data portability (Art. 20): Export all your tracked health data in structured, machine-readable JSON format via /user/export in the app
• Right to restriction (Art. 18): Request that we pause processing of your data under certain circumstances while retaining it
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right to withdraw consent (Art. 7(3)): Withdraw your explicit consent to health data processing or AI insight generation at any time. Withdrawing consent to core health data processing necessarily requires account deletion, as we cannot provide the Sorevia service without storing your tracked data.
• Right not to be subject to solely automated decisions (Art. 22): No decisions with legal or similarly significant effects are made about you based solely on automated processing in Sorevia
• Right to lodge a complaint: You have the right to contact your national data protection supervisory authority — in Malta: the Office of the Information and Data Protection Commissioner (idpc.org.mt); in the UK: the ICO (ico.org.uk); or your EU member state's national DPA.

To exercise any right, email privacy@carlosfilipe.net with subject "GDPR Request — Sorevia" and your registered email address. We will respond within 30 days. For deletion and portability requests, we will act within 30 days of identity verification.

11. Cookies and Local Storage

Sorevia uses minimal browser storage:

• Session cookie: A single strictly-necessary session cookie is set when you log in. It contains only a session identifier — no health data or personal information — and expires on logout or session timeout. This cookie is required for authentication and cannot be disabled while you are logged in.
• Local storage: UI preferences such as your active dashboard tab, display settings, and notification preferences may be stored locally on your device. This data never leaves your device and contains no health or personal information.

We do not use advertising cookies, third-party analytics cookies, social media trackers, or tracking pixels. We do not display a cookie consent banner because we use no non-essential cookies.

12. Age Restrictions

Sorevia is designed for adults aged 18 and older managing PCOS and hormone health conditions. In jurisdictions where GDPR applies (Art. 8), users must be at least 16 to provide their own consent to health data processing. For users aged 13–15, parental or guardian consent may be required depending on applicable local law. We do not knowingly collect data from anyone under 13.

If you are a parent or guardian who believes a minor has created a Sorevia account without appropriate authorisation, contact us immediately at privacy@carlosfilipe.net and we will delete the account and all associated health data promptly.

13. International Data Transfers

Your health data is stored on a dedicated server in Helsinki, Finland, within the European Union. EU data protection laws and GDPR safeguards apply by default to all data stored on this server.

When you use the AI health insights feature, your health data is sent to Anthropic's Claude API, which may process data on servers in the United States. The transfer of special category health data outside the EU requires appropriate safeguards. By enabling AI insights and providing explicit consent to this feature, you consent to this international transfer. Anthropic maintains appropriate data processing agreements and legal mechanisms for the transfer of personal data from the EU.

Email delivery via Brevo and payment processing via Stripe involve international data transfers that are subject to Standard Contractual Clauses (SCCs) or equivalent GDPR-compliant transfer mechanisms. No health data is included in transfers to Brevo or Stripe.

14. Changes to This Policy

We may update this Privacy Policy periodically. For any material changes — particularly changes to how we process your health data, changes to third-party AI processing, or changes to your rights — we will:

• Send an email notification to your registered email address at least 14 days before changes take effect
• Display a prominent in-app notification requiring your acknowledgement before you continue using the app
• For changes requiring a new legal basis — such as new categories of data collection or new third-party sharing arrangements — we will request fresh explicit consent

The "Last updated" date at the top of this page reflects the most recent revision. If you do not agree to updated terms, you may delete your account and export your data before the new effective date.

15. Contact Information

NexusFleet / CarlosFilipe.net
Privacy inquiries and GDPR requests: privacy@carlosfilipe.net
Data export: /user/export (when logged in)
Account deletion: /user/account (when logged in)
App website: sorevia.health

For GDPR rights requests, email us with subject "GDPR Request — Sorevia" and your registered email address. We respond within 30 days.

For urgent concerns about health data security or a suspected breach, email us with subject "Security — Sorevia" for priority handling.

To opt out of AI processing specifically, email us with subject "Opt Out AI — Sorevia" or disable AI insights in your app settings.