Privacy Policy - Aniva

Privacy Policy

Effective Date: January 2, 2025
Last Updated: August 20, 2025

1. Introduction

Welcome to Aniva. Your privacy is important to us. This Privacy Policy explains how we collect, use, and protect your personal information when you use our website and services.

We process your data in accordance with the General Data Protection Regulation (GDPR), as well as other applicable German data protection laws.

By accessing or using our platform, you confirm that you have read and understood this Privacy Policy. If you do not agree, please refrain from using our services.


2. Data Controller & Contact Information

The entity responsible for processing your personal data (Data Controller) is:

Livy Health GmbH

Retzbacher Weg 44, 13189 Berlin, Germany
Email:

You also have the right to contact the relevant data protection authority:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Alt-Moabit 59–61, 10555 Berlin, Germany
Email:


3. Data We Collect and Process

We collect the following types of data:

a. Information You Provide

  • Personal Data: Name, email address, phone number.
  • Health Data: Information you provide through questionnaires or test results.
  • Payment Data: If you make purchases, your payment details are processed by our third-party payment provider (see Section 6), not stored by us in full.
  • Mobile number & SMS consent (opt-in status, timestamp, source of consent), and your preferences for receiving text messages.
  • SMS interactions (delivery status, opt-outs/"STOP", "HELP" requests, link clicks where supported).

b. Information Collected Automatically

  • Device & Browser Data: IP address, browser type, operating system.
  • Usage Data: Pages visited, time spent on site, interactions with our platform.
  • Klaviyo onsite identifiers (e.g., the __kla_id first-party cookie) used to recognize returning visitors and, if you've opted in, to link on-site activity with your profile for email/SMS personalization and abandoned-cart reminders.

c. Data from Third Parties

  • Connected Services: If you integrate third-party platforms (e.g., lab partners), we may receive related data.

4. Legal Basis for Processing (Art. 6 GDPR)

We process your data based on the following legal grounds:

  • Consent (Art. 6(1)(a) GDPR & Art. 9(2)(a) GDPR) → For processing sensitive health data.
  • Contractual necessity (Art. 6(1)(b) GDPR) → To provide our services.
  • Legal obligation (Art. 6(1)(c) GDPR) → For compliance with financial and regulatory laws.
  • Legitimate interest (Art. 6(1)(f) GDPR) → For security, fraud prevention, and service improvement.

You may withdraw your consent for data processing at any time by contacting .


5. How We Use Your Data

We process your data to:

  • ✔️ Provide personalized health recommendations.
  • ✔️ Enable test bookings and process results.
  • ✔️ Improve our platform based on user behavior.
  • ✔️ Send service-related communications (updates, notifications).
  • ✔️ Ensure compliance with legal requirements.
  • ✔️ Send service and transactional SMS (e.g., booking updates, delivery notifications).
  • ✔️ Send marketing SMS only if you opt in (message frequency varies; you can opt out anytime by replying STOP; reply HELP for help).

Legal bases: consent for marketing SMS (Art. 6(1)(a) GDPR), contract for necessary service updates (Art. 6(1)(b) GDPR). For any cookies/trackers used to trigger messages (e.g., abandoned cart), we rely on your device consent under § 25 TDDDG (formerly TTDSG) / Art. 5(3) ePrivacy Directive.


5a. Mobile Messaging (SMS) Program

We offer an optional SMS program for updates, tips, and offers.

  • Opt-in & Opt-out. You'll receive SMS only if you explicitly opt in. You can opt out at any time by replying STOP; reply HELP for help.
  • What we collect. Mobile number, consent status (with timestamp/source), and basic delivery/interaction metadata.
  • Purpose. To deliver the messages you requested, improve relevance (e.g., cart reminders if you consented to cookies), and keep records of consent/opt-outs for compliance.
  • No sale/sharing of opt-in data. Your mobile number, SMS opt-in status and consent records are not shared with or sold to third parties for their marketing or promotional purposes.

6. Data Sharing & Third-Party Services

We do not sell your personal data. We share it only with the service providers and advertising partners listed below, each bound by a data processing agreement, and with authorities where the law requires it.

a. Service Providers & Integrations

To ensure smooth operation of our platform, we work with the following third-party subprocessors:

Provider | Purpose | Location | Legal safeguard for data transfers
Tally BV | Collecting form responses | Netherlands (EU) | GDPR compliant (EU/EEA, no third-country transfer)
Notion Labs, Inc. | Managing content & internal operations | USA | SCCs (Standard Contractual Clauses)
Stripe, Inc. | Processing payments securely | USA | SCCs
Meta Platforms, Inc. | Analytics and cookies | USA | SCCs
Slack, Inc. | Internal communications | USA | SCCs
MNB Labor GmbH | Laboratory analysis & fulfillment (in some cases) | Germany | GDPR compliant (EU/EEA, no third-country transfer)
Trans-o-flex Express GmbH & Co. KGaA | Shipping & fulfillment | Germany | GDPR compliant (EU/EEA, no third-country transfer)
Deutsche Post AG (DHL) | Shipping & fulfillment | Germany | GDPR compliant (EU/EEA, no third-country transfer)
Praxis für gesundes Leben | Blood collection | Germany | GDPR compliant (EU/EEA, no third-country transfer)
OpenAI, L.L.C. | Processing and analyzing lab data | USA | SCCs
Ornament Health AG | Processing and analyzing lab data | Switzerland | EU adequacy decision for Switzerland
dunatura Tagespacks GmbH | Fulfillment & supplement composition | Germany | GDPR compliant (EU/EEA, no third-country transfer)
Shift Management GmbH | Fulfillment & supplement delivery | Germany | GDPR compliant (EU/EEA, no third-country transfer)
TikTok Technology Limited | Advertising (TikTok Ads) | Ireland (EU) | SCCs for any onward international transfers
LinkedIn Ireland Unlimited Company | Advertising (LinkedIn Ads) | Ireland (EU) | DPF (via LinkedIn Corporation) and SCCs where applicable
Meta Platforms Ireland Limited | Advertising (Meta Ads) | Ireland (EU) | DPF (via Meta Platforms, Inc.) and SCCs where applicable
PostHog Inc. | Product analytics (onsite tracking) | USA (EU hosting available) | EU-U.S. DPF; SCCs where applicable
Loops (Astrodon Corporation) | Email newsletters & transactional email | USA | EU-U.S. DPF; SCCs where applicable
Supabase, Inc. | Backend (database, auth & storage) | USA (region-based hosting options) | SCCs (per DPA)
Vercel, Inc. | App hosting & deployment | USA (global edge network/EU regions) | EU-U.S. DPF; SCCs where applicable
Webflow, Inc. | Website hosting & CMS (site building) | USA | EU-U.S. Data Privacy Framework (DPF); SCCs where applicable

💡 International Data Transfers: When data is transferred outside the EU/EEA, we rely on an EU adequacy decision (including the EU-U.S. Data Privacy Framework for certified U.S. providers), EU-approved Standard Contractual Clauses (SCCs), or equivalent safeguards to ensure your data remains protected.

b. Legal Authorities

We disclose data if required to comply with legal obligations or regulatory requests.


7. Data Retention

We retain personal data only for as long as necessary:

Data type | Retention period
Account Data | Until you delete your account
Health Data | Until you withdraw consent
Payment Data | 10 years (statutory retention obligation)
Customer Support Data | 6 months after issue resolution

SMS consent logs & delivery/opt-out records: retained as long as you remain subscribed and up to 24 months after your last interaction or until you withdraw consent, to demonstrate compliance.

Once retention periods expire, we delete or anonymize your data securely.


8. Your Rights under GDPR

You have the following rights regarding your data:

  • Access (Art. 15 GDPR) – Request a copy of your stored data.
  • Correction (Art. 16 GDPR) – Fix incorrect or incomplete data.
  • Deletion (Art. 17 GDPR) – Request deletion of your data ("Right to be Forgotten").
  • Objection (Art. 21 GDPR) – Object to certain processing activities.
  • Portability (Art. 20 GDPR) – Receive your data in a transferable format.

📩 To exercise these rights, email us at: .


9. Data Security Measures

We implement strong security measures to protect your data:

  • ✔️ Encryption: Data is encrypted in transit and at rest.
  • ✔️ Access Controls: Access to personal data is restricted to authorised staff through role-based permissions.
  • ✔️ Regular Security Audits: We conduct regular security reviews of our systems and processors.

⚠️ No system is 100% secure. If a personal data breach occurs, we will notify the supervisory authority within 72 hours where required (Art. 33 GDPR) and inform affected users where the breach is likely to result in a high risk to them (Art. 34 GDPR).


10. Cookies & Tracking

We use cookies and similar technologies to run our website, understand usage, and—only with your consent—to personalize email/SMS and ads (e.g., abandoned-cart reminders).

a. Essential Cookies (Required)

These are necessary to provide the site and services (e.g., load pages, prevent abuse, remember your cookie choices). In the EU/EEA, these do not require consent under § 25 TDDDG (formerly TTDSG) / Art. 5(3) ePrivacy Directive.

b. Non-Essential Cookies (Consent-based)

  • Analytics & performance — to improve site experience (only if you opt in).
  • Marketing/personalization — to recognize returning visitors and measure/retarget ads (only if you opt in).
  • Klaviyo cart reminders — if you opted into SMS/email and consented to marketing cookies, we may trigger one-time or limited cart reminders (e.g., via __kla_id).

c. Our Tools & What They Set

Tool / Provider (legal entity) | Purpose & notes | Typical cookies / storage | Category & retention
PostHog (PostHog, Inc.) | Product analytics & optional session replay. We mask inputs by default; you can also mark elements as ph-no-capture. | First-party cookie like ph_<project_api_key>_posthog (default up to ~365 days); can be configured cookieless. | Analytics (consent). Replay respects privacy controls.
Google Tag Manager (Google LLC) | Loads tags based on your consent. GTM itself does not add tracking cookies for visitors; preview/debug mode may set temporary first-party cookies for the person debugging only. | N/A for normal visitors; preview uses first-party debug cookies. | Controller for consent gating; integrated with Consent Mode.
TikTok Ads (TikTok Technology Ltd./TikTok Information Technologies UK Ltd.) | Conversion measurement & retargeting (via Pixel). Uses first-party and third-party cookies when enabled. | _ttp and related; the ttclid URL parameter may be stored/read. | Marketing (consent).
Meta / Facebook Ads (Meta Platforms, Inc.) | Conversion measurement & retargeting (via Meta Pixel). | Common first-party cookies include _fbp and _fbc (lifetimes vary by setup). | Marketing (consent).
LinkedIn Ads (LinkedIn Corporation) | Conversion tracking, website audiences & demographics (Insight Tag). Relies on LinkedIn cookies / first-party LinkedIn Ads ID. | Examples include li_sugr, lidc, UserMatchHistory, AnalyticsSyncHistory, li_fat_id. | Marketing (consent).
Vercel Web Analytics (Vercel Inc.) | Privacy-friendly traffic stats for our site. Cookie-free; uses a daily rotating hash derived from the request. | No cookies. | Analytics (no cookie consent required because no cookies are used).
Tally BV | Embedding forms and collecting responses. Tally is EU-hosted; forms may use necessary and analytics functions. | See Tally's website/cookie notices (EU hosting; DPA available). | Essential/Analytics depending on form features.
Webflow, Inc. | Site builder/hosting. By default Webflow does not add tracking cookies to sites built on it; any tracking comes from tools we integrate. | None by default (tracking only via added integrations). | Essential (hosting).
Our backend (e.g., Supabase) | Strictly necessary first-party storage to run features (e.g., session/auth, rate-limit/anti-abuse). Depending on configuration, session info is kept in localStorage or first-party cookies. | Session/local storage (names/config vary by environment). | Essential.

About our ad tags: TikTok, Meta and LinkedIn tags are loaded via Google Tag Manager and fire only if you enable “Marketing” in the banner. GTM respects your choices through consent signaling.

d. Your Choices

  • In the EU/EEA (e.g., Germany/Finland), we set non-essential cookies only after you consent (§ 25 TDDDG, formerly TTDSG, and the CJEU Planet49 ruling). You can accept/reject each category in our banner and change choices anytime via “Manage Cookies” in the footer.
  • You can also block/delete cookies in your browser; doing so may break site features that rely on essential cookies. (General guidance only.)

Short Cookie Register (illustrative; names can vary by config)

Name | Provider | Purpose | Type / lifespan
ph_<project>_posthog | PostHog | Analytics/session identification across subdomains | First-party; up to ~365 days
_ttp | TikTok | Ad attribution/retargeting | First/third-party; duration varies by settings
_fbp / _fbc | Meta | Ad attribution/retargeting | First-party; typical lifetimes ~3 months / up to 2 years (implementation-dependent)
li_sugr, lidc, UserMatchHistory, AnalyticsSyncHistory, li_fat_id | LinkedIn | Ad attribution/retargeting & demographics | First/third-party; durations vary

Cookie inventories can change when vendors update their scripts, so exact names and lifetimes may differ from this register at any given time.


e. Managing Consent

Use our banner to opt in/out by category at any time (“Manage Cookies”). We honor your choices by gating tags through Google Tag Manager/Consent Mode so non-essential tools do not fire without consent.
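How consent gating of the kind described in 10c and 10e can be built, as an added example that is not Aniva's code: a small JavaScript model of Google Consent Mode signals with all non-essential storage denied by default, a banner handler that maps the Analytics and Marketing categories onto those signals, a fail-closed check of whether a given tag may fire, PostHog init options that stay cookieless until analytics consent is granted, and an audit that flags cookies from the register above that exist without the matching consent. The tag names, the tag-to-signal and cookie-to-signal mappings and the sample cookie string are assumptions; the gtag() shim only records calls instead of talking to Google Tag Manager.

```javascript
// Added example, not Aniva's code: a minimal model of consent gating in the
// style of Google Consent Mode, plus a check that no marketing/analytics
// cookie is present before its category was granted. The tag names, the
// tag-to-signal mapping and the cookie prefixes are assumptions.

const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Consent Mode signals. Non-essential storage is denied before any tag loads;
// essential storage (remembering the cookie choice, anti-abuse) stays granted.
const DEFAULT_CONSENT = {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  functionality_storage: 'granted',
  security_storage: 'granted',
};
gtag('consent', 'default', { ...DEFAULT_CONSENT, wait_for_update: 500 });

let consent = { ...DEFAULT_CONSENT };

// Map the banner's two non-essential categories onto Consent Mode signals.
function applyBannerChoice({ analytics = false, marketing = false }) {
  const update = {
    analytics_storage: analytics ? 'granted' : 'denied',
    ad_storage: marketing ? 'granted' : 'denied',
    ad_user_data: marketing ? 'granted' : 'denied',
    ad_personalization: marketing ? 'granted' : 'denied',
  };
  consent = { ...consent, ...update };
  gtag('consent', 'update', update);
  return { ...consent };
}

// Signals each tag needs before it may fire (assumed mapping).
const TAG_REQUIREMENTS = {
  'meta-pixel': ['ad_storage', 'ad_user_data'],
  'tiktok-pixel': ['ad_storage', 'ad_user_data'],
  'linkedin-insight': ['ad_storage', 'ad_user_data'],
  'posthog': ['analytics_storage'],
  'vercel-analytics': [],            // cookie-free, needs no storage consent
};

// Fail closed: an unknown tag never fires.
function mayFire(tag) {
  const needs = TAG_REQUIREMENTS[tag];
  return needs !== undefined && needs.every((s) => consent[s] === 'granted');
}

// posthog-js init options derived from the current consent: memory-only
// persistence (no cookie) until analytics is granted, and form inputs masked
// in session replay regardless. The option names are posthog-js's own.
function posthogOptions() {
  return {
    persistence: consent.analytics_storage === 'granted' ? 'localStorage+cookie' : 'memory',
    session_recording: { maskAllInputs: true },
  };
}

// Cookie-name prefixes from the register above and the signal each requires.
const COOKIE_RULES = [
  { prefix: '_fbp', signal: 'ad_storage' },
  { prefix: '_fbc', signal: 'ad_storage' },
  { prefix: '_ttp', signal: 'ad_storage' },
  { prefix: 'li_', signal: 'ad_storage' },
  { prefix: 'lidc', signal: 'ad_storage' },
  { prefix: 'UserMatchHistory', signal: 'ad_storage' },
  { prefix: 'AnalyticsSyncHistory', signal: 'ad_storage' },
  { prefix: 'ph_', signal: 'analytics_storage' },
];

// Given a document.cookie string, return the names of cookies that were set
// although their consent signal is not granted: evidence that a tag bypassed
// the gating (e.g. hard-coded in the page instead of loaded via GTM).
function cookiesWithoutConsent(cookieString) {
  return cookieString
    .split(';')
    .map((c) => c.trim().split('=')[0])
    .filter((name) => name.length > 0)
    .filter((name) => {
      const rule = COOKIE_RULES.find((r) => name.startsWith(r.prefix));
      return rule !== undefined && consent[rule.signal] !== 'granted';
    });
}

// Constructed sample of a document.cookie value for a visitor who has not
// interacted with the banner yet: both vendor cookies should be flagged.
const SAMPLE_COOKIES = '_fbp=fb.1.1700000000.12345; ph_abc123_posthog=%7B%7D; cookie_choice=pending';
function auditSample() { return cookiesWithoutConsent(SAMPLE_COOKIES); }
```

Running the audit against document.cookie once the page has settled and before any banner interaction is the practical check that the gating holds: any name it returns means a tag set a cookie outside the consent-gated path, typically because it was embedded directly in the page rather than loaded through the tag manager.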


11. Third-Party Links

Our website may contain links to third-party sites. We are not responsible for their privacy practices. Please review their policies before providing any data.


12. Updates to This Privacy Policy

We may update this Privacy Policy when necessary. The latest version will always be available on our website with an updated "Last Updated" date.


13. Contact Us

For any privacy-related inquiries, please contact:

📩
