Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is the operator named in the Legal Notice.
Contact for privacy inquiries: See Legal Notice.
2. Principle: Data Processing
Cervio offers two modes of use:
2.1 Use Without an Account (Local)
You can use Cervio without registration. In this case:
- No personal data is transmitted to any server.
- All data is stored exclusively in your browser's localStorage or IndexedDB.
- Your health and training data never leaves your device.
2.2 Use With an Account (Cloud Sync)
Optionally, you can create a user account to synchronize your data across devices. In this case:
- You can register and log in via email/password or through an OAuth provider (Google, Apple, Facebook).
- Your training and health data is transmitted in encrypted form to Supabase (see Section 4a) and stored there.
- You can delete your account and all server-side data at any time.
In both modes:
- No analytics, tracking, or advertising tools are used.
- No cookies are set by Cervio. For authentication, only session tokens are stored in localStorage.
3. Categories of Processed Data
The following categories of data are stored on your device and, if cloud sync is enabled, additionally transmitted to Supabase:
3.1 Health Data (Special Categories, Art. 9 GDPR)
- Symptom ratings: Dizziness and headache ratings (1–10) before and after training (check-in / check-out).
- Pain diary: Pain intensity, affected body regions, triggers, and notes.
- Pain map: Markings on body silhouettes to localize symptoms.
- Complaint profile (intake): Type and severity of your symptoms (dizziness, headaches, neck tension, etc.), medical history, safety check (red flags).
- ROM measurements: Cervical spine range of motion data.
- Pain relief tracking: Documentation of pain relief measures and their effectiveness.
Legal basis: Art. 9(2)(a) GDPR (explicit consent). You enter this data voluntarily. Without an account, it remains exclusively on your device. With an account, it is additionally transmitted in encrypted form to Supabase (see Section 4a).
3.2 Training Data
- Training sessions: Date, completed/skipped exercises, duration, completion rate.
- Weights and notes: Weights entered per exercise, personal records (PRs), and free-text notes.
- Weekly progression: Current training week (1–8), streak counter.
- RPE ratings: Subjective exertion rating per exercise.
- Custom exercises: Exercises and training templates created by the user.
- Volume tracking: Sets and repetitions per exercise.
Legal basis: Art. 6(1)(a) GDPR (consent through voluntary use of the app).
3.3 Journal
- Free-text entries about how you feel, which can be recorded after training.
Legal basis: Art. 6(1)(a) GDPR (consent). Where health-related: Art. 9(2)(a) GDPR.
3.4 Photos
- Optional progress photos taken via the camera or selected from the gallery.
- Photos are stored as Base64 data in local storage (IndexedDB/localStorage) and are never uploaded or transmitted.
Legal basis: Art. 6(1)(a) GDPR (consent through active use of the photo feature).
3.5 Profile and Settings Data
- Profiles: Name(s) and active profile (for locally distinguishing multiple users on one device).
- Settings: Language, dark mode, contrast mode, rest timer duration, sorting, location filter.
- Onboarding status: Whether the introduction has already been shown.
- Achievements: Unlocked milestones and XP points.
Legal basis: Art. 6(1)(a) GDPR (consent).
3.6 Physiotherapist Notes
- Optional notes from a physiotherapist and a patient code for local association.
- This data is stored exclusively locally.
Legal basis: Art. 6(1)(a) GDPR (consent).
4. Authentication and Cloud Sync (Supabase)
If you create a user account, Cervio uses the service Supabase Inc. (970 Toa Payoh North #07-04, Singapore 318992) for authentication and data storage.
4.1 Registration and Login
You can register and log in using any of the following methods:
- Email and password: Your email address and an encrypted password are stored at Supabase.
- Google OAuth: You are redirected to Google and authorize access to your profile (name, email, profile picture). Cervio only receives this basic data — no access to your Google account.
- Apple Sign In: You are redirected to Apple. Apple may give you the option to hide your email address (Private Relay). Cervio only receives your name and email.
- Facebook Login: You are redirected to Facebook/Meta and authorize access to your public profile and email address. Cervio does not receive any additional Facebook data.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract — provision of the user account).
4.2 Cloud Synchronization
With an active account, the following data is synchronized with Supabase:
- Training sessions and results
- Symptom ratings and pain diary
- Settings and profile data
- Weights, notes, and progress data
Data is transmitted in encrypted form via HTTPS. The data is stored in a PostgreSQL database at Supabase.
Legal basis: Art. 6(1)(a) GDPR (consent through account creation). For health data: Art. 9(2)(a) GDPR (explicit consent).
4.3 Supabase as Data Processor
Supabase processes your data on our behalf. The servers are located in the EU (Frankfurt, Germany). Supabase is subject to the provisions of the GDPR and implements appropriate technical and organizational measures. More information: Supabase Privacy Policy.
4.4 Account Deletion
You can delete your user account at any time in the app settings. All server-side data will be irrevocably deleted. Locally stored data remains unaffected and can be deleted separately.
4.5 Physiotherapist Mode
Cervio offers the option to link with a physiotherapist who has created an individual training plan for you.
Training plan codes: Your physiotherapist creates an individual training plan and provides you with a 6-digit code. By actively entering this code in the app, you consent to the linked therapist being able to view the data described below.
Shared data: The following data is made accessible to the linked therapist:
- Training sessions: Date, exercises performed, completion rate, and duration.
- Symptom ratings: Dizziness and headache ratings before and after training.
- Pain diary: Entries with body regions and pain intensity.
- Daily check-ins: Pain, mood, and energy levels.
- RPE ratings: Subjective exertion rating per exercise.
Physio chat: Bidirectional messaging is available between patient and linked therapist. Messages are transmitted and stored in encrypted form via Supabase. The operator has technical access to the messages but uses this access exclusively to ensure the operation of the service.
Consent and revocation: Data sharing is explicitly initiated by actively entering the therapist code. You can end the link at any time by deselecting the physio plan in the app. Once the link is removed, the therapist's access to your data is revoked.
Legal basis: Art. 9(2)(a) GDPR (explicit consent through code entry) for the transmission of health data to the therapist. Art. 6(1)(a) GDPR (consent) for messaging via the physio chat.
4.6 Community Forum
Cervio offers a community forum where you can create posts, comment, and like. The following applies:
- Forum content (posts, comments, likes) is stored in Supabase.
- Posts and comments are publicly visible to all forum users.
- Anonymous posts: You can publish posts anonymously. In this case, only the display name is hidden — the post is not linked to your user account.
- Upon account deletion, all your forum posts, comments, and likes are irrevocably deleted.
Legal basis: Art. 6(1)(a) GDPR (consent through active use of the forum).
4.7 Ratings and Feedback
You can optionally submit a rating and feedback text about the app. These are stored in Supabase and linked to your user account.
Legal basis: Art. 6(1)(a) GDPR (consent through active submission of feedback).
4.8 Email Settings (Weekly Report)
You can optionally activate a weekly training report via email. The following applies:
- Your preference (enabled/disabled) is stored in Supabase.
- Your email address is used exclusively for sending the weekly report.
- You can deactivate the report at any time in the app settings.
Legal basis: Art. 6(1)(a) GDPR (consent through activation of the feature).
5. Hosting (Vercel)
The application is hosted as a static website via Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). When accessing the site, standard server log data is collected by the hosting provider (IP address, timestamp, user agent, requested URL). This data is processed by Vercel and is subject to their Privacy Policy.
The operator does not have access to this server log data.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing the website).
Third-country transfer: Vercel operates servers in various regions, including the USA. The transfer is based on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR), which Vercel enters into with its customers.
6. Fonts (Bunny Fonts)
This website uses the fonts "DM Sans", "Outfit", and "DM Mono" via the service Bunny Fonts by BunnyWay d.o.o. (Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia). Bunny Fonts is a GDPR-compliant, EU-hosted font service that serves as a privacy-friendly alternative to Google Fonts.
When loading the page, a connection is established to Bunny Fonts servers in the EU to retrieve the font files. No third-country transfer takes place and no personal data is logged or tracked. More information: Bunny Fonts Privacy.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a consistent visual presentation).
7. YouTube Links
The app contains links to exercise videos on YouTube (Google LLC). When you click a link, you are redirected to the YouTube website. The Google/YouTube Privacy Policy applies. No YouTube videos are embedded in the app — these are exclusively external links. As long as you do not click a link, no data connection to YouTube is established.
Legal basis: Art. 6(1)(a) GDPR (consent through actively clicking the link).
8. Optional Browser Permissions
The app may optionally request the following browser permissions. Each permission is only activated after explicit consent and can be revoked at any time in the browser settings.
8.1 Push Notifications (Web Notification API)
For optional training reminders, the app may request browser notifications. These are scheduled and triggered locally on your device — no external push server is used. The permission is obtained via the standard browser prompt (Notification.requestPermission()).
Legal basis: Art. 6(1)(a) GDPR (consent via browser dialog).
8.2 Camera
For optional progress photos, the app may request access to the camera. Captured images are stored exclusively locally in the browser and are never uploaded or transmitted.
Legal basis: Art. 6(1)(a) GDPR (consent via browser dialog).
8.3 Microphone / Speech Recognition (Web Speech API)
For optional voice control (e.g., saying "done" or "skip"), the app may request access to the microphone. Speech recognition is performed via the browser's Web Speech API.
Important notice: Depending on the browser, speech recognition may be processed locally or via a cloud service of the browser vendor (e.g., Google for Chrome). Cervio itself does not receive, store, or transmit any audio data. Please refer to your browser's privacy policy for information about the processing of speech data.
Legal basis: Art. 6(1)(a) GDPR (consent via browser dialog).
8.4 Text-to-Speech (Voice Output)
The app can read out exercise instructions. For this purpose, pre-produced MP3 audio files are played back, which are stored locally in the service worker cache. No API calls are made to external text-to-speech services. Additionally, the browser's native speechSynthesis API may be used for short announcements (purely local).
9. Service Worker and Offline Caching
The app uses a service worker to cache files locally on your device. This includes:
- Audio files (MP3s for voice output and sounds)
- Images (body silhouettes for the pain map)
- Fonts and app files
Caching serves exclusively for offline capability and performance. No usage data is collected or transmitted via the service worker.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the functionality of the app).
10. No Cookies
Cervio does not use any cookies — neither its own nor from third parties. Local data storage is handled exclusively via localStorage and IndexedDB.
11. Disclosure to Third Parties
Cervio does not share user data with third parties for advertising or marketing purposes. Data is only transmitted to the following service providers or recipients, insofar as this is necessary for the operation of the app or you have given explicit consent:
- Supabase (authentication and cloud sync, see Section 4)
- Vercel (hosting, see Section 5)
- Bunny Fonts / BunnyWay d.o.o. (fonts, EU-hosted, see Section 6)
- Google (optional OAuth login)
- Apple (optional OAuth login via Sign In with Apple)
- Resend Inc. (email delivery for registration confirmations and password resets via noreply@cervio.health. Resend processes the recipient's email address. Servers in the EU. Resend Privacy Policy)
- Linked physiotherapist (when using the physiotherapist mode, see Section 4.5): Your therapist gains access to your training sessions, symptom ratings, pain diary, daily check-ins, and RPE ratings. Sharing is exclusively initiated by your explicit consent via code entry.
When using the app without an account, no user data is shared (except for technically necessary connection data such as IP addresses at Vercel and Bunny Fonts).
12. Data Security
The connection to the app is via HTTPS (encrypted). Your locally stored data is as secure as your device and your browser.
Recommendations:
- Protect your device with a password or biometric lock.
- Use the app's export feature regularly to create backups of your data.
- Be aware that clearing your browser data will irrevocably delete all training data.
- On shared devices, other people may potentially access your locally stored health data.
13. Storage Duration
Local data: Your data remains stored in your browser's localStorage/IndexedDB until you actively delete it. There is no automatic deletion period.
Cloud data: When using the app with an account, your data is stored at Supabase until you delete it in the app or delete your account. After account deletion, all server-side data is irrevocably removed.
14. Your Rights Under the GDPR
You have full control over your data. You are entitled to the following rights:
- Access (Art. 15 GDPR): All data is directly accessible in your browser (Developer Tools → Application → Local Storage / IndexedDB).
- Rectification (Art. 16 GDPR): You can modify your data at any time in the app (profile, entries, etc.).
- Erasure (Art. 17 GDPR): You can delete all data via the app settings ("Delete all data") or via the browser settings. Technically, this executes localStorage.clear().
- Data portability (Art. 20 GDPR): The app offers an export feature that allows you to download all data as a JSON file. The data can be restored on another device using the import feature.
- Restriction of processing (Art. 18 GDPR): Since no server-side processing takes place, you can simply choose not to use individual features.
- Objection (Art. 21 GDPR): Since no server-side processing takes place, no objection is necessary. Browser permissions (camera, microphone, notifications) can be revoked at any time in the browser settings.
- Withdrawal of consent (Art. 7(3) GDPR): You can withdraw your consent at any time by ceasing to use the app and deleting your local data. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
If you still have questions, please contact us via the contact details provided in the Legal Notice.
15. Special Categories of Personal Data (Art. 9 GDPR)
The app processes health data (dizziness, headaches, pain diary, complaint profile, medical history). This data belongs to the special categories of personal data under Art. 9(1) GDPR.
Processing is permissible on the basis of Art. 9(2)(a) GDPR (explicit consent). You give your consent by voluntarily entering this data in the app. Without an account, the data remains exclusively on your device. With an account, it is additionally stored in encrypted form at Supabase (see Section 4).
16. Minors
The app is not intended for persons under 16 years of age. If you are under 16, please use the app only with the consent of a parent or legal guardian.
17. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data violates the GDPR (Art. 77 GDPR). The supervisory authority responsible for you depends on your place of residence or the registered office of the data controller.
18. Changes
This privacy policy may be updated from time to time. The current version is always available at this URL. In the event of material changes, the update date at the top will be adjusted.