Privacy Policy

Effective date: May 17, 2025 · Last updated: May 25, 2026

    Evaxify is a personal project. Your health data is sensitive — this policy explains exactly what we collect, why, and how you can control or delete it at any time.
  

1. Who We Are

Evaxify ("the App", "we", "our") is developed and operated by Aleksander Misuna, an individual developer. The App is available to users in the European Union (including Poland), and this policy is written to comply with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

Data Controller & Data Protection Contact:
Aleks Misuna
a.misuna@yahoo.com
Response time: within 30 days of any privacy request.

2. Data We Collect

2.1 Account data

Email address — provided directly at registration or shared by your Apple ID / Google account when you sign in via social login.
A unique internal user identifier (generated by Evaxify's own backend) used to link your data.
Password — stored as a secure one-way hash (bcrypt). If you sign in via Apple or Google, no password is stored.

2.2 Profile data

For each family member or pet you add: name, date of birth, profile type (adult, child, dog, cat), and country.
Profile sort order (for your drag-and-drop arrangement).

2.3 Vaccination records

Vaccine name, dose number, administration date, status (completed / scheduled / skipped).
Optional: clinic or doctor name, free-text notes.

2.4 Document photos (optional, planned feature)

If you photograph a vaccination card, the image is uploaded to secure cloud storage (AWS S3, region: eu-central-1, Frankfurt). Only you can access your documents — download links are time-limited (15 minutes) and generated on-demand.
Document photos may be analysed by an AI service (OpenAI GPT-4o or Anthropic Claude) to extract vaccination record data. You will always review and confirm extracted records before they are saved. Images are not used to train AI models.

2.5 Technical data

Firebase Cloud Messaging (FCM) device token — used to deliver push notifications (upcoming vaccine reminders) on Android. Not shared with third parties beyond FCM's delivery function.
Standard server access logs (IP address, timestamp, HTTP method/path). Retained for up to 30 days for security and debugging, then deleted automatically.

We do not collect location data, advertising identifiers, browsing history, or any data not listed above.

3. Legal Basis for Processing (GDPR)

Contract performance (Art. 6(1)(b)): Account data and profile data are necessary to provide the core service.
Consent (Art. 6(1)(a), Art. 9(2)(a)): Health-related data (vaccination records, document photos) is processed on the basis of your explicit consent given when you create a record or upload a document. You can withdraw consent at any time by deleting the data or your account.
Legitimate interest (Art. 6(1)(f)): Server access logs for security monitoring.

4. How We Use Your Data

To generate your personalised vaccination schedule ("Smart Calendar").
To store and display your vaccination history across devices.
To send transactional emails (OTP codes for account verification and password reset).
To send push notifications reminding you of upcoming or overdue vaccines (only if you enable notifications).
To extract vaccination records from photos you choose to scan (AI processing — planned feature).
We do not sell, rent, or share your data with advertisers or data brokers.
We do not use your health data for profiling, research, or any purpose other than providing the App to you.

5. Third-Party Services

Apple Sign In — optional sign-in via Apple ID. Apple may share your email or a private relay address with us. Apple Privacy Policy.
Google Sign In — optional sign-in via Google account. Google Privacy Policy.
Resend — transactional email delivery (OTP verification and password reset emails). Resend processes your email address solely to deliver these messages. Resend Privacy Policy.
Amazon Web Services (AWS S3) — encrypted document storage. Region: eu-central-1 (Frankfurt, Germany). Data does not leave the EU. AWS Privacy Policy.
Google Firebase Cloud Messaging (FCM) — push notification delivery on Android. FCM receives your device token to route notifications; no health data is transmitted. Firebase Privacy.
OpenAI / Anthropic — AI extraction of vaccination records from photos you submit (planned feature). Images are processed transiently and are not used to train models. OpenAI Privacy / Anthropic Privacy.

All processors are contractually bound (via Data Processing Agreements or Standard Contractual Clauses) to process your data only on our instructions and in compliance with GDPR.

6. International Data Transfers

Your account, profile, and vaccination data is stored on servers within the EU (AWS eu-central-1, Frankfurt). Some third-party services (Firebase FCM, Apple, Google, OpenAI) may process data outside the European Economic Area (EEA). Where this occurs, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an equivalent level of protection.

7. Data Retention

Your account and profile data are retained as long as your account is active.
Vaccination records and document photos are retained until you delete them or delete your account.
OTP codes (for email verification / password reset) are short-lived and deleted automatically upon expiry.
Server access logs are deleted after 30 days.
When you delete your account (available in-app under Settings), all personal data is permanently erased within 30 days, except where retention is required by applicable law.

8. Your Rights Under GDPR

If you are in the EU/EEA, you have the following rights:

Access Request a copy of all data we hold about you.

Rectification Correct inaccurate or incomplete data.

Erasure ("right to be forgotten") Delete your account and all associated data directly in-app, or by emailing us.

Restriction Ask us to pause processing your data.

Portability Receive your data in a machine-readable format.

Objection Object to processing based on legitimate interest.

Withdraw consent Withdraw consent for health data at any time by deleting the relevant records.

Lodge a complaint File a complaint with your national DPA — e.g., UODO in Poland.

To exercise any of these rights, email a.misuna@yahoo.com. We will respond within 30 days.

9. Data Security

All data is transmitted over HTTPS/TLS.
Passwords are stored as bcrypt hashes — never in plain text.
Document photos are stored in encrypted S3 buckets (server-side encryption) with no public access; download links are time-limited.
JWT access tokens are short-lived; refresh tokens allow session continuity without re-login.
Access to production data is restricted to the developer only.

10. Children's Privacy

Evaxify allows you to create profiles for children in your family; however, the App account itself must be created by an adult (18+). We do not knowingly collect data directly from children. If you believe a child has created an account without parental consent, please contact us immediately at a.misuna@yahoo.com.

11. Changes to This Policy

We may update this policy periodically. Significant changes will be notified via in-app notification or email at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

12. Contact & Supervisory Authority

For any privacy questions, data requests, or complaints:
Aleks Misuna (Data Controller)
a.misuna@yahoo.com

You also have the right to lodge a complaint directly with a supervisory authority. In Poland: Urząd Ochrony Danych Osobowych (UODO).