Privacy Policy
Last updated: April 2026
Important note: Cervio is a wellness and movement app and not a medical device. It does not provide diagnoses, therapy recommendations, or replace medical advice. This privacy policy describes the processing of personal data in the context of this wellness use.
1. Data Controller
The data controller under the GDPR is the operator named in the Legal Notice (Emanuel Bachmann, sole proprietor).
Contact for privacy inquiries: privacy@cervio.health
External Data Protection Officer: will be added here after appointment. Internal documentation (Art. 30 records of processing, Art. 35 DPIA) is maintained separately (see docs/VVT_TEMPLATE.md and docs/DSFA_TEMPLATE.md).
Supervisory authority: Bavarian Data Protection Authority (BayLDA), Promenade 18, 91522 Ansbach, lda.bayern.de.
2. Principle: Data Processing
Cervio offers two modes of use:
2.1 Use Without an Account (Local)
You can use Cervio without registration. In this case:
- No personal data is transmitted to any server.
- All data is stored exclusively in your browser's localStorage or IndexedDB.
- Your training and body-awareness data never leaves your device.
2.2 Use With an Account (Cloud Sync)
- Register via email/password or an OAuth provider (Google, Apple). On sign-up you must confirm that you are at least 16 years old (Art. 8 GDPR).
- Your training, wellness, and profile data are transmitted over HTTPS/TLS to Supabase and stored there (see Section 4).
- You can delete your account at any time (Art. 17 GDPR). Server-side data is removed immediately; residual backup copies rotate out within 90 days at the latest.
2.3 Consent and cookies
A granular consent banner is shown on first visit. You decide about three categories:
- Necessary (cannot be disabled): login token, language, theme, consent storage. Legal basis: Art. 6(1)(b) GDPR / § 25(2) TDDDG.
- Analytics (optional): Vercel Analytics + Speed Insights — only loaded after active opt-in. Legal basis: Art. 6(1)(a) GDPR / § 25(1) TDDDG.
- Functional (optional): convenience features such as draft storage. Legal basis: Art. 6(1)(a) GDPR.
The “Reject all” and “Accept all” buttons are equally weighted (position, size, contrast). You can change your choice at any time in settings or by clearing the local consent key. Vercel Analytics is loaded dynamically only when the analytics category is active.
3. Categories of Processed Data
Cervio processes the following categories in wellness mode. They are stored on your device and, if cloud sync is enabled, additionally at our processor Supabase.
3.1 Wellness and body-awareness data (voluntary)
- Body diary: free notes on tension, wellbeing, trigger situations, and an optional intensity scale (1–5).
- Body map markings: optional markings on body silhouettes for your personal overview of tension areas. These entries are subjective self-reports, not a medical diagnosis. Because body-map entries may indicate a person's physical situation, we treat them with the protection level of the special categories under Art. 9 GDPR as a precaution.
- Check-ins: voluntary mood, energy, and sleep-quality entries.
Legal basis: Art. 6(1)(a) GDPR (consent) and — where applicable — Art. 9(2)(a) GDPR (explicit consent). You can revoke consent at any time in settings.
3.2 Training Data
- Training sessions: date, completed/skipped exercises, duration, completion rate.
- Weights and notes: weights entered per exercise, personal records (PRs), free-text notes.
- Weekly progression: current training week (1–8), streak counter.
- Subjective exertion (RPE): voluntary self-rating per exercise.
- Custom exercises: your own exercises and templates.
- Volume tracking: sets and repetitions per exercise.
Legal basis: Art. 6(1)(b) GDPR (performance of the user-agreement / core service) or Art. 6(1)(a) GDPR when used without an account.
3.3 Journal
- Free-text entries about how you feel, which can be recorded after training.
Legal basis: Art. 6(1)(a) GDPR (consent). Where health-related: Art. 9(2)(a) GDPR.
3.4 Photos and avatar
- Progress photos: optional, via camera or gallery. Stored as Base64/IndexedDB exclusively locally. No server upload.
- Avatar image: optional upload for profile and physio chat. Uploaded to a private Supabase Storage bucket; display via short-lived Signed URLs. Note: an avatar may contain biometric aspects, so upload is voluntary and can be removed anytime.
Legal basis: Art. 6(1)(a) GDPR (consent through active use of the photo/avatar feature).
3.5 Profile and Settings Data
- Profiles: Name(s) and active profile (for locally distinguishing multiple users on one device).
- Settings: Language, dark mode, contrast mode, rest timer duration, sorting, location filter.
- Onboarding status: Whether the introduction has already been shown.
- Achievements: Unlocked milestones and XP points.
Legal basis: Art. 6(1)(a) GDPR (consent).
3.6 Physiotherapist mode (joint controllership)
When you connect with a physiotherapy practice via a therapist code, the setup is a joint controllership under Art. 26 GDPR. The medical responsibility lies exclusively with the practice; Cervio provides the technical infrastructure. The main terms of the Art. 26 agreement are captured in our internal template (docs/JOINT_CONTROLLERSHIP_TEMPLATE.md).
Specific to therapists: they are subject to the documentation obligation under § 630f BGB (10-year retention). If you delete your Cervio account, the therapist retains a pseudonymized treatment record for this period — this is a legal obligation that overrides the deletion right under Art. 17(3)(b) GDPR.
4. Authentication, Cloud Sync and Processors (Supabase)
If you create an account, Cervio uses Supabase Inc. (970 Toa Payoh North #07-04, Singapore 318992; with EU presence) as a processor under Art. 28 GDPR for authentication, database (Postgres), and storage (private buckets). Data resides in the EU region Frankfurt. Where sub-processors outside the EU are used, transfers are based on EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework (DPF).
4.1 Registration and Login
You can register and log in in the following ways:
- Email and password: Your email address and an encrypted password are stored at Supabase.
- Google OAuth: You are redirected to Google and authorize access to your profile (name, email, profile picture). Cervio only receives this basic data — no access to your Google account.
- Apple Sign In: You are redirected to Apple. Apple may give you the option to hide your email address (Private Relay). Cervio only receives your name and email.
- Facebook Login: You are redirected to Facebook/Meta and authorize access to your public profile and email address. Cervio does not receive any additional Facebook data.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract — provision of the user account).
4.2 Cloud Synchronization
With an active account, the following data is synchronized with Supabase:
- Training sessions and results
- Body diary and check-ins
- Settings and profile data
- Weights, notes, and progress data
- Chat messages in physio mode (see 4.5)
Transmission uses HTTPS/TLS. Data resides encrypted in a PostgreSQL database at Supabase. Row-level security (RLS) ensures only you can access your own data.
Legal basis: Art. 6(1)(b) GDPR (performance of contract), supplemented by Art. 9(2)(a) GDPR (explicit consent) for body-diary and body-map data.
4.3 Supabase as Data Processor
Supabase processes your data on our behalf. The servers are located in the EU (Frankfurt, Germany). Supabase is subject to the provisions of the GDPR and implements appropriate technical and organizational measures. More information: Supabase Privacy Policy.
4.4 Account deletion and retention concept
You can delete your account at any time in the app settings. Server-side data is cascade-deleted via the Postgres function delete_own_account(). Local data (localStorage, sessionStorage, service-worker caches) is automatically cleaned up on the next logout.
In addition, we automatically delete accounts after 24 months of inactivity. Backup residuals rotate out within 90 days at the latest. Details are documented in our internal retention concept.
4.5 Physiotherapist mode
Cervio lets you connect with a physiotherapy practice via a 6-digit therapist code. In that case a joint controllership under Art. 26 GDPR applies. Medical responsibility lies with the practice; Cervio provides technical infrastructure.
Shared data: training sessions, body diary, check-ins, subjective exertion (RPE), chat messages incl. media.
Physio chat and media: messages are transmitted and stored via Supabase (TLS). Media files reside in a private storage bucket chat-media; display happens exclusively through short-lived Signed URLs (~1 hour validity). End-to-end encryption is not currently implemented; Supabase as processor has technical access and uses it only for operations.
Consent and revocation: sharing is activated by code entry and can be ended anytime in the app.
Legal basis: Art. 6(1)(b) GDPR (performance of contract in the practice context), Art. 9(2)(a) GDPR for body-diary/body-map data.
4.6 Community Forum
- Forum content (posts, comments, likes) is stored in Supabase.
- Posts and comments are publicly visible to logged-in users.
- You can post anonymously (display name hidden).
- Upon account deletion, forum content is pseudonymized or removed.
- DSA (Digital Services Act): inappropriate content can be flagged via the report function; we moderate based on reports and publish community guidelines.
Legal basis: Art. 6(1)(a) GDPR (consent through active use of the forum).
4.7 Ratings and Feedback
You can optionally submit a rating and feedback text about the app. These are stored in Supabase and linked to your user account.
Legal basis: Art. 6(1)(a) GDPR (consent through active submission of feedback).
4.8 Email Settings (Weekly Report)
You can optionally activate a weekly training report via email. The following applies:
- Your preference (enabled/disabled) is stored in Supabase.
- Your email address is used exclusively for sending the weekly report.
- You can deactivate the report at any time in the app settings.
Legal basis: Art. 6(1)(a) GDPR (consent through activation of the feature).
5. Hosting (Vercel) and Analytics
Cervio is hosted via Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). Standard server log data is collected by the hosting provider (IP, timestamp, user agent, URL). Vercel Privacy Policy.
Third-country transfer: Vercel is a US company. Transfers are based on EU Standard Contractual Clauses (SCCs) and, where applicable, additionally on the EU-US Data Privacy Framework (DPF).
Vercel Analytics and Speed Insights: both are loaded only after active consent in the banner. Without consent, no script from va.vercel-scripts.com or vitals.vercel-insights.com is rendered. Analytics data is pseudonymized (no cookies, no IP persistence). Legal basis: Art. 6(1)(a) GDPR / § 25(1) TDDDG.
Legal basis (hosting): Art. 6(1)(b) GDPR (provision of the core service) or Art. 6(1)(f) GDPR (operational security).
6. Fonts (Bunny Fonts)
This website uses the fonts "DM Sans", "Outfit", and "DM Mono" via the service Bunny Fonts by BunnyWay d.o.o. (Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia). Bunny Fonts is a GDPR-compliant, EU-hosted font service that serves as a privacy-friendly alternative to Google Fonts.
When loading the page, a connection is established to Bunny Fonts servers in the EU to retrieve the font files. No third-country transfer takes place and no personal data is logged or tracked. More information: Bunny Fonts Privacy.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a consistent visual presentation).
7. YouTube Links
The app contains links to exercise videos on YouTube (Google LLC). When you click a link, you are redirected to the YouTube website. The Google/YouTube Privacy Policy applies. No YouTube videos are embedded in the app — these are exclusively external links. As long as you do not click a link, no data connection to YouTube is established.
Legal basis: Art. 6(1)(a) GDPR (consent through actively clicking the link).
8. Optional Browser Permissions
The app may optionally request the following browser permissions. Each permission is only activated after explicit consent and can be revoked at any time in the browser settings.
8.1 Push Notifications (Web Notification API)
For optional training reminders, the app may request browser notifications. These are scheduled and triggered locally on your device — no external push server is used. The permission is obtained via the standard browser prompt (Notification.requestPermission()).
Legal basis: Art. 6(1)(a) GDPR (consent via browser dialog).
8.2 Camera
For optional progress photos, the app may request access to the camera. Captured images are stored exclusively locally in the browser and are never uploaded or transmitted.
Legal basis: Art. 6(1)(a) GDPR (consent via browser dialog).
8.3 Microphone / Speech Recognition (Web Speech API)
For optional voice control (e.g., saying "done" or "skip"), the app may request access to the microphone. Speech recognition is performed via the browser's Web Speech API.
Important notice: Depending on the browser, speech recognition may be processed locally or via a cloud service of the browser vendor (e.g., Google for Chrome). Cervio itself does not receive, store, or transmit any audio data. Please refer to your browser's privacy policy for information about the processing of speech data.
Legal basis: Art. 6(1)(a) GDPR (consent via browser dialog).
8.4 Text-to-Speech (Voice Output)
The app can read out exercise instructions. For this purpose, pre-produced MP3 audio files are played back, which are stored locally in the service worker cache. No API calls are made to external text-to-speech services. Additionally, the browser's native speechSynthesis API may be used for short announcements (purely local).
9. Service Worker, Offline Caching and Cron Jobs
The app uses a service worker to cache static assets (audio files, body-silhouette images, fonts, app code). The cache is invalidated on logout (see the localStorage section). No sensitive API responses are cached.
Push notifications: optional; neutral texts (e.g. “Reminder for your next session”), no medical vocabulary. Subscription tokens are stored in Supabase and invalidated on logout.
Server-side cron jobs: Cervio runs scheduled background jobs (e.g. weekly report emails). They use the Supabase service role key in a protected Vercel environment variable, are logged, and reviewed regularly.
Legal basis: Art. 6(1)(f) GDPR (operational security) and Art. 6(1)(a) GDPR (consent for push and optional reports).
10. localStorage, sessionStorage, consent storage
Cervio does not use tracking cookies. Login, settings, and consent storage use browser storage (localStorage / sessionStorage / service worker cache) on the basis of § 25(2) TDDDG (technically necessary) or § 25(1) TDDDG with your consent for optional categories.
On logout, localStorage entries with personal reference, sessionStorage entirely, and all service-worker caches for this origin are automatically cleared (“Clear-Site-Data”-style cleanup).
11. Sub-processors and recipients
Cervio does not share user data with third parties for advertising or marketing. Processing takes place only via the following service providers (processors under Art. 28 GDPR) or recipients:
| Vendor | Purpose | Region / transfer basis |
|---|---|---|
| Supabase Inc. | Auth, DB, Storage | EU (Frankfurt) · SCC · DPF |
| Vercel Inc. | Hosting, CDN, Analytics (consent-gated) | USA · SCC · DPF |
| Resend Inc. | Transactional emails | EU + USA · SCC · DPF |
| BunnyWay d.o.o. (Bunny Fonts) | Web fonts | EU (Slovenia) |
| Google LLC | optional: Sign-In with Google | USA · SCC · DPF |
| Apple Inc. | optional: Sign-In with Apple | USA · SCC |
In physio mode the connected physiotherapy practice also becomes a joint controller under Art. 26 GDPR. Details are in Section 4.5.
When using the app without an account, no data is shared apart from technically necessary connection data (IP at Vercel and Bunny Fonts).
12. Data Security
The connection to the app is via HTTPS (encrypted). Your locally stored data is as secure as your device and your browser.
Recommendations:
- Protect your device with a password or biometric lock.
- Use the app's export feature regularly to create backups of your data.
- Be aware that clearing your browser data will irrevocably delete all training data.
- On shared devices, other people may potentially access your locally stored health data.
13. Storage Duration
Local data: Your data remains stored in your browser's localStorage/IndexedDB until you actively delete it. There is no automatic deletion period.
Cloud data: When using the app with an account, your data is stored at Supabase until you delete it in the app or delete your account. After account deletion, all server-side data is irrevocably removed.
14. Your rights under the GDPR
The following rights can be exercised via privacy@cervio.health (response within 30 days, Art. 12(3) GDPR):
- Access (Art. 15): we provide a structured JSON/PDF copy of all stored data.
- Rectification (Art. 16): incorrect data will be corrected.
- Erasure (Art. 17): account deletion directly in the app or by email.
- Restriction (Art. 18): we can set your account to “restricted” on request.
- Data portability (Art. 20): JSON export.
- Objection (Art. 21): in particular for analytics, push, etc.
- Withdrawal of consent (Art. 7(3)): at any time, without disadvantages.
- Complaint (Art. 77): to the BayLDA or your competent supervisory authority.
Our internal process is described in docs/BETROFFENENRECHTE_WORKFLOW.md.
15. Special categories (Art. 9 GDPR)
Cervio is a wellness app and in principle does not process diagnoses, red-flag assessments, or clinical outcome scores in the core product (these features are disabled via feature flags; see the internal memorandum). Body-diary and body-map entries may, depending on context, allow inferences about a person's physical state. We treat them with the protection level of the special categories under Art. 9 GDPR and obtain your explicit consent (Art. 9(2)(a)) before syncing them to the cloud.
16. Minors (Art. 8 GDPR)
Cervio is intended for persons aged 16 or older. During sign-up you must actively confirm your age. If you are younger, you may only use the app with the consent of a parent or guardian.
17. Data breaches
In the event of a data breach under Art. 33/34 GDPR we report the incident to the competent supervisory authority (BayLDA) within 72 hours and notify affected individuals if the risk is high. Internal runbook: docs/INCIDENT_RESPONSE_RUNBOOK.md.
18. Changes
This privacy policy may be updated from time to time. The update date at the top is adjusted for material changes and you will be informed inside the app.