App Privacy Policy
How Evident processes personal data, health data, device access, analytics, and your data protection rights in the mobile app.
Last updated: May 26, 2026
Effective date: May 26, 2026
Policy version: 1.0
1. Controller and Contact
Controller within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR):
Maximillian Joel Stabe
Welserstrasse 3
87463 Dietmannsried
Germany
Email: privacy@evidentapp.com
Phone: +49 176 21462252
Website: https://evidentapp.com
For any data protection request, you may also contact: privacy@evidentapp.com
2. Scope of this Policy
This policy applies to your use of the Evident mobile application ("the App") and the backend services operated for it ("the Service"). It explains which personal data we process about you, why we process it, on what legal basis, with whom we share it, how long we retain it, and which rights you have.
Evident is a health and self-improvement application that helps you discover statistical relationships between your habits and your subjective well-being using the Pearson correlation coefficient. The App is currently in a pre-release / beta stage.
This policy does not cover third-party services that you may link from within the App (e.g. an external web page opened in your browser); those services have their own privacy policies.
A separate Website Privacy Policy for https://evidentapp.com is available at https://evidentapp.com/privacy-policy/web.
3. Definitions
For brevity, this policy uses terms as defined in Art. 4 GDPR (e.g. "personal data", "processing", "controller", "processor", "consent", "data subject"). "Health data" refers to a special category of personal data under Art. 9 GDPR.
4. Categories of Data, Purposes and Legal Bases
The following table summarises what we process. Detailed explanations follow in sections 4.1 – 4.11.
| # | Category | Examples | Purpose | Legal basis |
|---|---|---|---|---|
| 4.1 | Account data | email, password hash, Apple ID token, friend code | Account creation, authentication | Art. 6 (1)(b) GDPR (contract) |
| 4.2 | Profile data | display name, avatar, age range, gender, body measurements, occupation, primary goals, wearable type | App personalisation, similar-user matching | Art. 6 (1)(b), Art. 9 (2)(a) GDPR for special-category attributes |
| 4.3 | HealthKit data | sleep, steps, active energy, exercise minutes, heart rate, HRV, VO₂max, respiratory rate, body mass, mindful sessions, etc. (full list in 4.3) | Automatic trackable filling, score calculation, correlation analysis | Art. 9 (2)(a) GDPR (explicit consent) + § 25 (1) TDDDG (terminal-device access) |
| 4.4 | Consent records | consent type, granted/revoked timestamps, policy version | Proof of consent (Art. 7 (1) GDPR) | Art. 6 (1)(c) GDPR (legal obligation) |
| 4.5 | Logs & trackables (local + community-aggregated) | daily pillar scores 0–100, completed trackables | Score history, correlation analysis, community insights | Art. 9 (2)(a) GDPR for personal logs; Art. 6 (1)(f) GDPR for aggregated, non-personal community logs |
| 4.6 | Friendships & friend scores | friend code, requester / addressee IDs, status, shared pillar scores | Social comparison feature | Art. 6 (1)(b) GDPR |
| 4.7 | Challenge interactions | participations, saves | Challenge feature | Art. 6 (1)(b) GDPR |
| 4.8 | Recommendation & matching data | user embeddings (vector), similar-users cache, recommendation cache | Similar-user matching, content recommendations | Art. 9 (2)(a) GDPR (explicit consent linked to profile/health data) |
| 4.9 | Analytics & crash reports | anonymous usage events, crash stack traces | Product improvement, stability | Art. 6 (1)(a) GDPR (consent) |
| 4.10 | Email communications | email address, contact preferences | Transactional (verification, password reset) and - if opted in - marketing emails | Art. 6 (1)(b) GDPR (transactional) and Art. 6 (1)(a) GDPR (marketing) |
| 4.11 | Technical access data | IP address, request timestamps, user agent (server logs) | Security, troubleshooting | Art. 6 (1)(f) GDPR (legitimate interest in operating a secure service) |
4.1 Account data
When you create an account you provide an email address and a password (or sign in with Apple, in which case Apple shares an authentication token and, depending on your Apple settings, your email or an Apple-relay email). A unique friend_code is generated for you so other users can connect with you.
We use Supabase Auth to manage authentication. Passwords are not stored in plain text; only a salted hash is retained.
4.2 Profile data
During onboarding you may provide profile attributes such as age range, gender, occupation type, primary goals, body measurements and the wearable device you use. These attributes are used to personalise the app and to compute similarity with other users (see 4.8). Providing these attributes is voluntary; you can use the App without them, but matching and recommendations will be less accurate.
Some of these attributes may qualify as special category data under Art. 9 GDPR (e.g. data concerning health, sexual orientation if implied by certain goals). We process such attributes only on the basis of your explicit consent (Art. 9 (2)(a) GDPR), which you grant during onboarding and can withdraw at any time.
4.3 HealthKit data
If you grant the App permission to access Apple Health, we read selected health data types from your device in order to populate your daily trackables automatically and to compute your pillar and overall scores. The following Apple Health types may be read:
- Date of birth (characteristic)
- Active energy burned, exercise time, stand time/hour, flights climbed
- Step count, distance (walking/running, cycling)
- Heart rate, heart rate variability (SDNN), resting heart rate, respiratory rate, oxygen saturation, VO₂ max
- Sleep analysis, mindful session
- Body mass, time in daylight, environmental audio exposure, UV exposure
- Workouts (HKWorkoutType)
HealthKit data is processed as follows:
- Raw HealthKit samples remain on your device.
- Only aggregated pillar scores on a 0 – 100 scale are sent to our backend; we do not upload raw heart-rate traces, GPS routes or comparable raw signals.
- HealthKit data is read only after you grant the relevant authorisation in the system dialog. You can revoke authorisation at any time via iOS Settings → Health → Data Access & Devices → Evident.
Legal basis. Reading HealthKit data on your device falls under § 25 (1) TDDDG (terminal-equipment access) and requires your prior consent. Processing the resulting health data on our backend is based on your explicit consent under Art. 9 (2)(a) GDPR.
4.4 Consent records
We record each consent you give (terms of service, privacy policy, analytics/crash reporting, marketing emails and, where applicable, special-category processing). The record contains the consent type, the time of granting, the time of revocation (if any), and the policy version. This is required to demonstrate compliance with Art. 7 (1) GDPR.
For the same reason, consent records are deliberately not deleted when you delete your account; they are kept as evidence that consent existed and was withdrawn. We delete consent records only when the underlying legal retention obligation expires (see section 7).
4.5 Logs, trackables and community aggregates
You can log daily trackables (e.g. running, water intake, mindfulness). The App computes pillar scores (Sleep, Activity, Wellbeing, Productivity) and an overall Evident Score on a 0 – 100 scale.
Personal logs are kept locally on your device (SwiftData) and synchronised to your authenticated account in our backend.
Community logs are an aggregated and anonymised view used to compute community insights. Community-log tables (community_logs, community_log_metrics, community_log_trackables) do not contain a user identifier: they cannot be re-associated with you by us. For this reason, community-log entries are not deleted when you delete your account, and are returned as an empty list in your data export (see 8.4).
4.6 Friendships and friend scores
If you accept or send a friend request, we store the friendship (requester ID, addressee ID, status) and your pillar scores in friend_scores so that your friends can see them. Row-level security ensures that only you and confirmed friends can read your friend scores.
4.7 Challenge interactions
If you participate in or save a curated challenge, your participation and save data are stored under your user ID. Challenges are manually curated by us; users may submit challenges, which are reviewed before publication.
4.8 Recommendation and matching data
To find users with a similar lifestyle and goals (the "Similar User Matching" feature), we generate a numerical vector ("embedding") from your profile attributes and stored scores. The embedding is stored in user_embeddings (pgvector). We also cache the resulting matches and recommendations.
These caches and embeddings are deleted entirely when you delete your account.
4.9 Analytics and crash reports
If you grant the corresponding consent (analytics_crash_reporting), we collect anonymised usage events and crash reports via Google Firebase Analytics and Firebase Crashlytics. These data do not include your health data. Firebase is operated by Google LLC in the United States; the transfer relies on the EU Standard Contractual Clauses (see section 6).
You can grant or revoke this consent at any time via App → Profile → Settings → Privacy Settings.
4.10 Email communications
We use Resend (Resend, Inc., USA) to send transactional emails such as account verification, password reset and security notifications. The legal basis is Art. 6 (1)(b) GDPR (performance of the user contract). The transfer to Resend relies on the EU Standard Contractual Clauses (see section 6).
If you opt in to marketing emails (marketing_emails consent), we additionally use Resend to send product updates. The legal basis is Art. 6 (1)(a) GDPR (consent); you can withdraw consent at any time via the unsubscribe link in each email or in the App's privacy settings.
4.11 Technical access data
When you connect to our backend, our hosting provider Supabase processes technical data necessary for the connection - in particular IP address, request timestamps, request method, response status, and user agent. We use this data to ensure availability and security of the Service (e.g. rate limiting, abuse detection). The legal basis is Art. 6 (1)(f) GDPR; our legitimate interest is operating a secure and reliable service. These logs are retained for a short period (see section 7).
5. Source of Data
We collect personal data directly from you (when you create an account, complete the onboarding, log trackables, send a friend request, etc.) and from your device with your prior consent (HealthKit and analytics SDKs).
We do not purchase personal data from third parties.
6. Recipients and International Transfers
We share your personal data only with the following recipients and only to the extent necessary for the purposes set out above.
| Recipient | Role | Country | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. (supabase.com) | Hosting / database / authentication / edge functions | EU (eu-west-1, Ireland) | Within the EU - no transfer mechanism required |
| Google LLC (Firebase Analytics, Crashlytics) | Analytics, crash reporting | United States | EU Standard Contractual Clauses (Art. 46 (2)(c) GDPR) + Data Privacy Framework |
| Resend, Inc. | Transactional and (with consent) marketing email | United States | EU Standard Contractual Clauses (Art. 46 (2)(c) GDPR) |
| Apple, Inc. | App distribution, Sign in with Apple, HealthKit on-device framework | United States / on-device | Apple's own privacy framework; HealthKit data does not leave your device through Apple |
We do not sell personal data. We do not transfer personal data to recipients other than those listed above unless we are legally required to do so (e.g. court order) or you have given us specific consent.
Note on Firebase. Firebase processing only takes place if you have given the analytics_crash_reporting consent. The App is configured so that Firebase SDKs do not transmit data while this consent is absent or has been revoked.
7. Retention
We keep personal data only for as long as necessary for the purposes set out in section 4 or as required by law.
| Data | Retention |
|---|---|
| Account & profile data | Until account deletion |
| HealthKit-derived pillar scores | Until account deletion |
| Friendships, friend scores, challenge interactions, embeddings, caches | Until account deletion |
| Personal logs (evidentscore history, trackable history) | Until account deletion |
| Anonymous community logs | Indefinite (no user identifier exists, so no deletion right attaches) |
| Consent records | Retained as evidence of consent under Art. 7 (1) GDPR; typically up to three years after account deletion, unless a longer statutory retention period applies |
| Backups (Supabase point-in-time recovery) | Up to 7 days (default Supabase retention; may differ depending on the active plan) |
| Server access logs | Up to 30 days |
When you delete your account, our delete-account edge function performs the following:
- Deletes recommendation_cache, similar_users_cache, challenge_saves, challenge_participations, friendships, friend_scores, user_embeddings.
- Anonymises user_profile_attributes, user_profiles, and challenge creator_id (set to NULL).
- Does not delete consent records (legal obligation, see above) and community logs (already anonymous and cannot be linked to you).
8. Your Rights
You have the following rights regarding your personal data. To exercise any of them, contact us at privacy@evidentapp.com. We will respond within one month (Art. 12 (3) GDPR).
8.1 Right of access (Art. 15)
You have the right to obtain confirmation as to whether we process your data and, if so, to receive a copy and information about the processing.
8.2 Right to rectification (Art. 16)
You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most profile data directly in the App.
8.3 Right to erasure ("right to be forgotten", Art. 17)
You can delete your account at any time via Settings → Account → Delete Account. The technical details of what is deleted, anonymised or retained are described in section 7. The right may be limited where retention is required by law (e.g. consent records).
8.4 Right to data portability (Art. 20)
You can export your personal data in a structured, commonly used and machine-readable format. The export is generated by our export_user_data() function and includes your profile, attributes, logs, scores, friendships and challenge interactions. Anonymous community logs cannot be exported as they cannot be associated with you.
8.5 Right to restrict processing (Art. 18) and right to object (Art. 21)
You may request that we restrict processing of your data, or object to processing based on our legitimate interests (Art. 6 (1)(f) GDPR), in particular for direct marketing.
8.6 Right to withdraw consent (Art. 7 (3))
Where processing is based on your consent (Art. 6 (1)(a) or Art. 9 (2)(a) GDPR), you can withdraw consent at any time, with effect for the future. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
You can manage consents in the App: Settings → Privacy Settings.
8.7 Right to lodge a complaint (Art. 77)
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement. The competent authority for the Controller is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
Phone: +49 (0) 981 180093-0
Website: https://www.lda.bayern.de
9. Automated Decision-Making and Profiling (Art. 22)
We use automated processing to compute pillar and overall scores and to find similar users. These computations do not produce legal effects or similarly significantly affect you within the meaning of Art. 22 (1) GDPR. Recommendations and matches are informational; they do not, for instance, restrict any service available to you.
You can opt out of similar-user matching by not granting the related consent or by withdrawing it. The Pearson correlation analysis and pillar scoring are core features of the App and required to provide the service you signed up for (Art. 6 (1)(b) GDPR).
10. Children
The App is not directed at children under 16. We do not knowingly process personal data of children under 16 without the consent of a holder of parental responsibility (Art. 8 GDPR). If you believe that a child has provided us with personal data without such consent, please contact us at privacy@evidentapp.com and we will delete the data.
11. Terminal-Equipment Access (TDDDG)
The App stores information on, and reads information from, your device in the following ways that require your consent under § 25 (1) TDDDG, unless an exemption under § 25 (2) TDDDG applies:
| Mechanism | Purpose | Consent / exemption |
|---|---|---|
| Local SwiftData store | Storing your logs, scores and profile locally | § 25 (2) No. 2 TDDDG (strictly necessary to provide the requested service) |
| HealthKit access | Reading health data | § 25 (1) TDDDG - explicit consent in the iOS system dialog |
| Firebase Analytics / Crashlytics SDK identifiers | Anonymous analytics and crash diagnostics | § 25 (1) TDDDG - requires consent; not loaded without the analytics_crash_reporting consent |
| Apple Push Notifications | Reminders and notifications | § 25 (1) TDDDG - requires consent; only after iOS system prompt |
We do not use advertising identifiers (IDFA) and do not track you across other apps or websites for advertising purposes.
12. Security
We use industry-standard technical and organisational measures to protect your data, including:
- Encrypted transport (HTTPS / TLS) for all communications with our backend.
- Authentication via Supabase Auth with hashed and salted passwords.
- Row-level security (RLS) on every table that holds personal data, restricting access to the relevant user (and confirmed friends for friend scores).
- Health data uploaded to the backend is reduced to aggregated 0 – 100 scores; raw HealthKit samples never leave your device through Evident.
- Edge functions verify access tokens before processing requests.
- Backup and point-in-time recovery via Supabase.
No method of electronic storage or transmission is 100% secure. If, despite our measures, a personal data breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify you in accordance with Art. 34 GDPR.
13. Changes to this Policy
We may amend this policy from time to time, in particular to reflect changes in our processing activities or legal requirements. We will publish the updated policy in the App and on https://evidentapp.com/privacy-policy/app and update the "Last updated" date at the top of this document. Where the change materially affects you, we will additionally ask you to re-confirm your consent in the App. We record the policy_version so we know which version of this policy you have accepted.
14. Contact
For any question or request related to this policy or your personal data, please contact:
Maximillian Joel Stabe
Attn.: Privacy
Welserstrasse 3
87463 Dietmannsried
Germany
Email: privacy@evidentapp.com