Privacy Policy

Effective March 27, 2026

Aevia is a personalized adaptive nutrition platform with principal offices in Miami Beach, Florida ("we," "us," "our"). Aevia is operated by Livekick Inc., a Delaware corporation headquartered in Miami Beach, Florida. This Privacy Policy explains what personal information we collect, how we use and share it, how we protect it, and your rights regarding that information. We wrote this to be clear and readable, not to obscure anything in dense legal language.

Scope and Eligibility

Aevia is available only to users who are 18 years of age or older. We do not knowingly collect information from anyone under 18. If you are a minor, please do not use this service. If we discover that a minor has provided us with personal information, we will delete it promptly upon notification.

What We Collect

We collect only the information necessary to deliver your personalized nutrition protocol and operate the service securely.

Account and Authentication Information

  • Email address or phone number: used solely for authentication. By providing your phone number, you expressly consent to receive one-time verification codes via SMS. Message frequency varies based on your login activity. Standard messaging and data rates may apply. Reply STOP to opt out, HELP for assistance. By providing your email, you consent to receive one-time verification codes via email. These credentials are not shared with third parties for marketing purposes.
  • Passkey credentials: if you enable biometric or security key authentication via WebAuthn, we store only the public key credential on our servers. Biometric data (fingerprint, face ID) never leaves your device. The biometric authentication happens entirely on your device, and only the result of that authentication is transmitted to us.
  • Device trust tokens: we store a device identifier in your browser's localStorage to recognize your device when you sign in for up to 30 days. This token is not personally identifiable. You can clear this at any time by clearing browser storage.

Health and Wellness Information

  • Onboarding inputs: information you voluntarily provide during account setup and protocol generation, including age, biological sex, height, weight, health conditions, medications, allergies, dietary preferences and restrictions, fitness goals, sleep patterns, and stress levels.
  • Apple HealthKit data: if you choose to connect your Apple Health account, we request access to the following 42+ data types with timestamps: heart rate, resting heart rate, heart rate variability (HRV), blood pressure, blood glucose, oxygen saturation, body temperature, body mass index (BMI), body fat percentage, weight, respiratory rate, sleep analysis, active energy, basal energy, steps, distance walked, distance cycled, flights climbed, stand time, exercise minutes, workout data, recovery metrics, and other health metrics that Apple Health makes available. You can revoke access to Apple HealthKit at any time through your device settings. Your HealthKit data is used only to generate your personalized protocol and is governed by the restrictions outlined below.
  • Wearable device data: if you integrate wearables such as Apple Watch, Oura Ring, or Whoop 4.0 (or other compatible devices), we may receive data through HealthKit or direct API integration with those devices. This data is governed by the same restrictions as Apple HealthKit data and subject to each provider's terms of service.
  • Protocol data: your generated nutrition protocol, including meal recommendations, supplement suggestions, and protocol adjustments based on your inputs.

Usage and Analytics Data

  • Session data: we store a returning-user identifier in sessionStorage to detect if you are returning within the same browser session. This does not persist across sessions.
  • Location data: we may use your IP address or device location (if you grant permission) to provide location-aware features such as restaurant recommendations near you, estimated delivery times, and distance calculations. Location data is used only for these purposes and not stored persistently.
  • Access code usage: if you use an access code to enter Aevia, we may collect data about when and how the code was used to operate the service and prevent abuse.
  • Signal-based usage: we track usage based on the number of meal recommendations and health signals generated during your time with Aevia. This data is used to measure your engagement with the platform and improve our algorithms.
  • Analytics: we use Google Tag Manager (GTM-PMM33MQD) to track basic aggregated analytics such as pages viewed, features used, session duration, referrer information, and click patterns. This data is used only to improve the product and platform stability. We do not cross-site track (your activity is not tracked across other websites).
  • Device information: browser type, operating system, screen size, and general location (country or region only, via IP geolocation) for rendering, performance optimization, and fraud prevention.

Apple HealthKit Data: Special Handling and Restrictions

If you connect your Apple Health account to Aevia, the following restrictions apply per Apple's HealthKit requirements:

  • No advertising or marketing use: your HealthKit data will never be used to target you with advertising, marketing, or promotional content, whether by Aevia or any third party.
  • No sale to data brokers: your HealthKit data will never be sold, rented, or shared with data brokers, advertising networks, or any entity engaged in the sale or licensing of health data.
  • Permitted use only: your HealthKit data is used solely to generate your personalized nutrition protocol and to improve the accuracy of our recommendation engine in aggregate and de-identified form.
  • Limited sharing: your HealthKit data is not shared with any third-party service providers, except that it may be processed by AWS (our infrastructure provider, under strict data processing agreements) and Anthropic via AWS Bedrock (for AI-powered protocol generation, under strict data processing agreements). Both AWS and Anthropic are bound by written data processing agreements that restrict them to processing your data only as necessary to provide services to us, and not for their own commercial purposes.
  • Revocation: you can revoke HealthKit access at any time through your Apple device settings. Once revoked, no further HealthKit data will be collected, though previously collected data will be retained according to our standard retention schedule.

Third-Party Platforms and Services

When Aevia connects you to third-party services, those services may collect their own data. We are not responsible for their privacy practices. When you interact with the following platforms through or from Aevia, you are subject to their privacy policies:

  • Meal delivery platforms: DoorDash, Uber Eats, Toast, Grubhub, Caviar, Instacart, Whole Foods, FreshDirect, Walmart+, Amazon Fresh, and other food delivery services.
  • Meal prep providers: ACKitchen, Sakara Life, Factor, Trifecta, Green Chef, Thistle, and other meal preparation services.
  • Wearable manufacturers: Apple, Oura (Oura Ring), Whoop, and other wearable device providers.

Aevia recommends, connects, and tells you what to order, but does not place orders, arrange purchases, or charge your payment methods on your behalf. When you click through to these platforms, you are responsible for reviewing their privacy policies and terms of service.

How We Use Your Information

Your information is used only for the following purposes:

  • Authentication: to verify your identity via one-time passcode when you sign in, and to maintain your secure session.
  • Service delivery: to generate your personalized nutrition protocol based on your health inputs, profile data, and HealthKit data (if connected).
  • Account management: to store and retrieve your protocol, preferences, and account settings so you can return to your experience across sessions and devices.
  • AI-powered features: to process your health inputs and chat requests through Claude AI via AWS Bedrock to generate protocol recommendations and natural language responses. Claude processes your data for real-time chat responses and protocol generation only; Claude does not retain your data beyond the request-response cycle, and Anthropic does not use your data to train or improve Claude itself, to the best of our knowledge and per our agreements with Anthropic.
  • Aggregate analytics: to analyze aggregated and anonymized patterns to improve our recommendation algorithms, platform performance, and user experience. Individual health data is never used for this purpose.
  • Customer support: to respond to your inquiries, troubleshoot issues, and provide technical support.
  • Legal compliance: to comply with applicable law, legal process, or government requests.
  • Fraud prevention: to detect, prevent, and address fraud, abuse, and security incidents.

Lawful Basis for Processing

We process your personal information on the following lawful bases:

  • Performance of contract: we process information necessary to perform the services you've requested (generating your protocol, maintaining your account).
  • Your consent: we process health information and biometric authentication data (HealthKit, WebAuthn) only with your explicit consent. You can withdraw this consent at any time.
  • Legitimate interest: we process analytics data, device information, and fraud prevention data to operate a secure, performant platform that benefits all users.
  • Legal obligation: we process information as required by law or legal process.

What We Do Not Do

We do not sell, rent, license, or share your personal information with third parties for marketing, advertising, or any other commercial purpose. Your data stays with us and is used only to power your experience on Aevia.

We do not send marketing or promotional messages to your phone number or email. The only messages you receive from us are verification codes for sign-in. If you receive any unsolicited marketing communications, please contact us immediately.

We do not use your data to build consumer profiles or make purchasing decisions on your behalf. Aevia recommends, connects, and tells you what to order, but does not place orders, arrange purchases, or charge your payment methods.

Data Sharing and Sub-Processors

We share data only in the following limited circumstances:

Infrastructure and Service Providers

We use the following third-party service providers. Each acts as a data processor under written data processing agreements that restrict them to processing your data only to provide services to us:

  • Amazon Web Services (AWS): Aevia is hosted on AWS infrastructure (us-east-1 region). AWS provides compute, storage (S3, DynamoDB), security, and networking services. AWS acts as a data processor and does not use your data for its own commercial purposes beyond providing these services. AWS may maintain backups in other regions for disaster recovery purposes.
  • Anthropic via AWS Bedrock: we use Claude AI (operated by Anthropic) through AWS Bedrock to power chat responses and protocol generation. Your request and health context are sent to Anthropic's servers only for the duration of the request. To the best of our knowledge and per our agreements with Anthropic, Anthropic does not retain your data for training, model improvement, or any purpose other than providing the real-time response. Anthropic's privacy policy applies to its processing; you may review it at anthropic.com/privacy.
  • Google Tag Manager and Google Analytics: we use GTM-PMM33MQD to collect aggregated analytics. Google processes this data under its Google Analytics and GTM privacy policies. You can opt out of Google Analytics via the Google Analytics opt-out browser extension.
  • AWS SES and SNS: we use AWS Simple Email Service (SES) to send verification emails and AWS Simple Notification Service (SNS) to send verification SMS. These services process only the verification code and your contact information.

Legal Requirements

If required by law, court order, subpoena, or valid legal process, we may disclose information to law enforcement, government agencies, or other entities as required. We will provide you with notice of such disclosure where legally permitted.

No Third-Party Sharing

We do not share your health inputs, protocol data, personal identifiers, or HealthKit data with any other third parties, including health insurance companies, employers, fitness apps, retailers, pharmaceutical companies, or data brokers.

Data Retention and Deletion

We retain your data according to the following schedule:

  • Account data (email/phone, authentication records): retained for as long as your account is active. Deleted 30 days after account deletion request.
  • Health and protocol data: retained for as long as your account is active. Deleted 30 days after account deletion request.
  • HealthKit data: retained for as long as your account is active. Deleted 30 days after account deletion request or if you revoke HealthKit access.
  • Device trust tokens and sessionStorage data: device trust tokens expire automatically after 30 days of inactivity. SessionStorage is cleared when your browser session ends.
  • Aggregated, anonymized analytics: may be retained indefinitely for algorithm improvement and platform analysis.
  • Legal and compliance records: retained as required by law.

Account deletion is permanent. Upon your request via email, we will initiate deletion and remove all personal data within 30 days. You will receive a confirmation email when deletion is complete. If Aevia ceases operations, we will delete or securely dispose of your personal data unless we are required to retain it by law.

Automated Decision-Making

Aevia uses automated decision-making and profiling to generate personalized nutrition protocols. Specifically:

  • Deterministic algorithm: your health inputs (age, biological sex, health conditions, activity level, etc.) are processed through a deterministic scoring algorithm (scoring-engine.js) running in AWS Lambda (aevia-compute-protocol). This algorithm evaluates and ranks meal options and supplements based on your profile and generates your custom protocol.
  • AI-powered natural language generation: we use Claude AI via AWS Bedrock to generate natural language explanations of your protocol and to power chat responses, but Claude is not used to score or rank meal options. The scoring and ranking are performed entirely by the deterministic algorithm.
  • Non-contractual impact: the protocol is a recommendation, not a binding decision. You are not required to follow any recommendations, and the service remains available regardless of whether you follow them.
  • Human review: our team can review and adjust protocols for quality and accuracy. You can also request changes to your protocol at any time.
  • Opt-out unavailable: automated decision-making is core to our service and cannot be disabled. However, you can request manual review of your protocol by contacting hello@tryaevia.com.

Security

Your data is protected through multiple layers of security:

  • Encryption in transit: all communication between your device and our servers uses TLS 1.3 (HTTPS). Data in transit cannot be intercepted or read by third parties.
  • Encryption at rest: data stored in our database (DynamoDB) is encrypted using AES-256 encryption. We manage encryption keys securely using AWS Key Management Service (KMS).
  • Biometric security: WebAuthn biometric authentication (fingerprint, Face ID) happens entirely on your device. We never receive or store biometric data; only the cryptographic public key is stored on our servers.
  • No password storage: we do not store passwords. Authentication is handled via one-time passcodes (OTP) and WebAuthn, both of which are more secure than passwords.
  • Access controls: we follow AWS security best practices for identity and access management (IAM), role-based access control, and principle of least privilege.
  • Monitoring and logging: we monitor infrastructure for suspicious activity and maintain audit logs of administrative access.
  • Data minimization: we collect only the information necessary to provide the service. We do not request unnecessary data.

While we implement industry-standard security measures, no system is completely secure. We encourage you to use strong, unique passwords if you use password-based authentication elsewhere, and to enable biometric or security key authentication for Aevia.

Data Breach Notification

In the event of a confirmed data breach that compromises your personal information, we will notify you without unreasonable delay. Notification will be sent to the email address or phone number associated with your account. If the breach affects a large number of users, we may provide notice via prominent posting on this website. We will also cooperate with relevant regulatory authorities and law enforcement as required by law.

Cookies, Tracking, and Do Not Track

We use the following tracking and storage technologies:

  • localStorage (device trust tokens): we store a device trust token in your browser's localStorage to remember your device for 30 days. This is not a cookie, and cannot be transmitted across domains.
  • sessionStorage (returning-user detection): we store a session identifier in sessionStorage to detect returning users within the same session. This is cleared when your browser session ends.
  • Google Tag Manager and Google Analytics: we use GTM to collect aggregated analytics via Google Analytics cookies. Google sets cookies to track your sessions and aggregate analytics across your visits. You can disable these cookies by opting out via Google Analytics settings or the Google Analytics opt-out browser extension.

Do Not Track: some browsers include a "Do Not Track" (DNT) signal. We honor DNT signals by not loading Google Analytics when DNT is enabled in your browser. However, we may still use sessionStorage and localStorage for core functionality (session management, device trust).

Data Location and International Transfers

Aevia is operated in the United States. Your data is processed and stored primarily in us-east-1 (N. Virginia), an AWS region in the United States. We do not transfer data outside the United States at this time. If we expand internationally or change data location, we will update this policy.

Anonymization and Aggregation

We may combine health data from multiple users in anonymized, aggregated form to improve our recommendation algorithms. Specifically:

  • Process: individual health inputs and HealthKit data are stripped of all personal identifiers (email, phone, account ID, dates, names) and combined with similar data from other users to identify patterns.
  • Use: aggregated patterns are used to improve the accuracy of our protocol recommendations and meal scoring across all users.
  • Irreversibility: once anonymized and aggregated, data cannot be linked back to you. Such data is no longer personal information and may be retained indefinitely.

Your Rights and Choices

You have the following rights regarding your personal information:

All Users

  • Access: you have the right to know what personal data we hold about you and how we use it. Contact us to request a copy of your data.
  • Correction: if your data is inaccurate, you can request correction or amendment.
  • Deletion: you can request that we delete your account and all associated personal data. We will complete deletion within 30 days. Note that deletion is permanent and cannot be undone.
  • Opt-out of communications: to opt out of any SMS communications, reply STOP to any message we send. To opt out of email communications, contact hello@tryaevia.com.
  • Undo biometric authentication: if you enrolled in WebAuthn biometric authentication, you can revoke it through your account settings at any time. We will delete your public key credential.
  • Revoke HealthKit access: if you connected Apple Health, you can revoke access through your device settings. Once revoked, no further HealthKit data will be collected.
  • Data portability: you can request your personal data in a commonly used, machine-readable format (such as CSV or JSON) so you can transfer it to another service.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: you can request what personal information we have collected, the categories of sources, our business purposes, and the categories of third parties with whom we share data.
  • Right to delete: you can request deletion of personal information we have collected from you, subject to certain exceptions (e.g., information necessary to complete a transaction, comply with law).
  • Right to correct: you can request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: you can direct us not to sell or share your personal information for targeted advertising. We do not currently sell or share your data, but you may opt out in advance.
  • Right to limit use: you can request that we limit use of sensitive personal information to purposes necessary to provide the service or as otherwise permitted by law.
  • Right to non-discrimination: we will not discriminate against you for exercising your rights (no denial of service, no price discrimination, no difference in service quality).
  • Right to appeal: if we deny your request, you have the right to appeal our decision.

To submit a CCPA/CPRA request, email hello@tryaevia.com with the request type and your account information. We will verify your identity and respond within 45 days (extendable to 90 days if necessary).

Florida Residents (Florida Data Breach Notification Law)

If you are a Florida resident, you have rights under the Florida Information Protection Act (FIPA) and Florida's data breach notification law. You have the right to know if your personal information has been compromised in a breach, to access your data, and to request deletion. Contact hello@tryaevia.com to exercise these rights.

Washington Residents (My Health My Data Act)

If you are a Washington resident, you have rights under the Washington My Health My Data Act (SHB 1579). You have the right to opt out of the sale or sharing of your health data for purposes other than treating you or operating our business. We do not sell or share your health data, but you can opt out by contacting hello@tryaevia.com.

Connecticut Residents (Connecticut Data Privacy Act)

If you are a Connecticut resident, you have rights under the Connecticut Data Privacy Act (CTDPA). You have the right to access, correct, delete, and port your personal information, and to opt out of targeted advertising based on your data. You also have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Contact hello@tryaevia.com to exercise these rights.

Nevada Residents (Nevada SB 370)

If you are a Nevada resident, you have the right to opt out of the sale of personal information (email addresses and phone numbers). We do not sell your personal information, but you can direct us not to by contacting hello@tryaevia.com.

How to Exercise Your Rights

To exercise any of the rights described above, contact us at:

  • Email: hello@tryaevia.com
  • Mail: Aevia, Miami Beach, FL (attn: Privacy Team)

In your request, please specify which right you are exercising, provide your account email or phone number, and describe your request in detail. We will verify your identity and respond within the timeframe required by applicable law (typically 30-45 days). If we cannot verify your identity, we will contact you for additional information.

Third-Party Links

Aevia may contain links to third-party websites (restaurants, food delivery services, supplement retailers, etc.). We are not responsible for the privacy practices of third parties. When you click a link to a third-party site, you are subject to that site's privacy policy. We encourage you to review their policies before providing personal information.

Changes to This Privacy Policy

We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will update the effective date at the top. For material changes, we will notify you via email at the address associated with your account or by prominent posting on this website. Your continued use of Aevia after changes become effective means you accept the updated policy. We encourage you to review this policy periodically.

Policy Compliance and Questions

This policy complies with applicable privacy laws including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Florida Information Protection Act, Washington My Health My Data Act, Connecticut Data Privacy Act, and Nevada SB 370, and reflects best practices for health data privacy aligned with GDPR principles.

If you have questions about this policy, your data, or your rights, contact us:

  • Email: hello@tryaevia.com
  • Website: tryaevia.com
  • Mailing address: Aevia, Miami Beach, FL

California Privacy Notice

If you are a California resident, this notice applies to your personal information. We collect the following categories of personal information: identifiers (email, phone), commercial information (account history), internet activity (analytics), professional information (health history), education information, and inferences drawn from this data to create a profile about you reflecting your health and preferences. We use this information to provide the service, improve algorithms, comply with law, and detect fraud. We share information with AWS and Anthropic. We do not sell or share your information for targeted advertising. You have the right to access, delete, correct, and port your information, and to opt out of profiling. We do not discriminate for exercising your rights.

Children's Privacy

Aevia is not intended for use by anyone under 18 years old. We do not knowingly collect information from minors. If you believe a minor has provided us with personal information, please contact us immediately at hello@tryaevia.com and we will delete it within a reasonable timeframe.

Aevia · Miami Beach, FL · Last Updated March 27, 2026
