Privacy Policy
1. Who We Are
Evaxify ("the App", "we", "our") is developed and operated by Aleksander Misuna, an individual developer. For all privacy matters, contact us at: a.misuna@yahoo.com.
Because the App is available to users in the European Union (including Poland), this policy is written to comply with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
2. Data We Collect
2.1 Account data (via Firebase Authentication)
- Name and email address provided by your Apple ID or Google account when you sign in.
- A unique Firebase user identifier (UID) used internally to link your data.
- We do not store passwords — authentication is handled entirely by Apple / Google.
2.2 Profile data
- For each family member or pet you add: name, date of birth, profile type (adult, child, dog, cat), and country.
- Profile sort order (for your drag-and-drop arrangement).
2.3 Vaccination records
- Vaccine name, dose number, administration date, status (completed / scheduled / skipped).
- Optional: clinic or doctor name, free-text notes.
2.4 Document photos (optional)
- If you photograph a vaccination card, the image is uploaded to secure cloud storage (AWS S3). Only you can access your documents — download links are time-limited (15 minutes) and generated on demand.
- Document photos may be analysed by an AI service (OpenAI GPT-4o or Anthropic Claude) to extract vaccination record data. You will always review and confirm extracted records before they are saved.
2.5 Technical data
- Firebase Cloud Messaging token — for push notification delivery (upcoming vaccine reminders). Not shared with third parties.
- Standard server access logs (IP address, timestamp, HTTP method/path). Retained for up to 30 days for security and debugging.
We do not collect location data, advertising identifiers, browsing history, or any data not listed above.
3. Legal Basis for Processing (GDPR)
- Contract performance (Art. 6(1)(b)): Account data and profile data are necessary to provide the core service.
- Consent (Art. 6(1)(a), Art. 9(2)(a)): Health-related data (vaccination records, document photos) is processed on the basis of your explicit consent given when you create a record or upload a document. You can withdraw consent at any time by deleting the data or your account.
- Legitimate interest (Art. 6(1)(f)): Server access logs for security monitoring.
4. How We Use Your Data
- To generate your personalised vaccination schedule ("Smart Calendar").
- To store and display your vaccination history across devices.
- To send push notifications reminding you of upcoming or overdue vaccines (only if you enable notifications).
- To extract vaccination records from photos you choose to scan (AI processing).
- We do not sell, rent, or share your data with advertisers or data brokers.
- We do not use your health data for profiling, research, or any purpose other than providing the App to you.
5. Third-Party Services
- Google Firebase Authentication — sign-in and UID management. Firebase Privacy.
- Apple Sign In — sign-in via Apple ID. Apple Privacy.
- Amazon Web Services (AWS S3) — encrypted document storage (EU region). AWS Privacy.
- OpenAI / Anthropic — AI extraction of vaccination records from photos you submit. Images are not used to train models. OpenAI Privacy / Anthropic Privacy.
- Google Firebase Cloud Messaging — push notification delivery.
All processors are contractually bound to process your data only on our instructions and in compliance with GDPR.
6. International Data Transfers
Some third-party services (Firebase, AWS, OpenAI) may store or process data outside the European Economic Area (EEA). Where this occurs, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an equivalent level of protection.
7. Data Retention
- Your account and profile data are retained as long as your account is active.
- Vaccination records and document photos are retained until you delete them or delete your account.
- Server access logs are deleted after 30 days.
- When you delete your account, all personal data is permanently erased within 30 days, except where retention is required by law.
8. Your Rights Under GDPR
If you are in the EU/EEA, you have the following rights:
To exercise any of these rights, email a.misuna@yahoo.com. We will respond within 30 days.
9. Data Security
- All data is transmitted over HTTPS/TLS.
- Document photos are stored in encrypted S3 buckets with no public access.
- Access to production data is restricted to the developer only.
- No passwords are stored — we rely on Apple and Google's secure authentication infrastructure.
10. Children's Privacy
Evaxify allows you to create profiles for children in your family; however, the App account itself must be created by an adult (18+). We do not knowingly collect data directly from children. If you believe a child has created an account without parental consent, please contact us immediately.
11. Changes to This Policy
We may update this policy periodically. We will announce significant changes via in-app notification or email at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
12. Contact
For any privacy questions, requests, or complaints:
Aleks Misuna
a.misuna@yahoo.com