Velora

Consumer Health Data Privacy Notice

Effective Date: July 4, 2026

Last Updated: July 4, 2026

This Consumer Health Data Privacy Notice (the “Notice”) supplements the Velora Privacy Policy and describes how Havra LLC (“Havra,” “Velora,” “we,” “us,” or “our”) collects, uses, shares, and protects “consumer health data” under the Washington My Health My Data Act (MHMDA), Nevada SB370, and the Connecticut Data Privacy Act (CTDPA). For residents of Washington, Nevada, and Connecticut, this Notice governs consumer health data and controls over the Privacy Policy if there is any conflict.

Velora is intended only for users who are 18 years of age or older. Velora is not a medical device, is not a HIPAA-covered entity, and does not provide medical advice or diagnosis.

In plain terms: Your stored health content (progress photos, coach chats, nutrition history) is encrypted, and your progress photos, coach chats, and nutrition history are additionally encrypted on your device before upload so we store only ciphertext. Meal-scan photos are deleted promptly after the AI returns your result. Menstrual cycle data and Apple Health data are stored only on your device — they are not uploaded to our servers. We send your data to our AI providers only to generate your response, and we contractually restrict them from using it to train or improve their models. We do not sell your consumer health data, and we do not use it for targeted advertising.

1. Scope — What Is Consumer Health Data

This Notice applies to “consumer health data” as defined under the Washington My Health My Data Act, Nevada SB370, and the Connecticut Data Privacy Act. We treat the following as consumer health data:

2. Categories of Consumer Health Data We Collect

We collect: (a) body and fitness metrics and goals you enter; (b) nutrition, meal, and dietary logs, including calorie and macronutrient information and barcode scan results; (c) images you upload, including body-progress, fat-loss, and workout photos, and meal-scan photos; (d) menstrual cycle entries and estimates, if you enable cycle tracking; (e) Apple Health metrics and on-device wellness scores, if you connect Apple Health; and (f) health-related inferences our AI features generate to provide coaching, nutrition guidance, cycle insights, and progress insights. We do not collect consumer health data that we do not need to provide the features you use.

3. Sources

4. Purposes for Which We Use Consumer Health Data

We collect and use consumer health data only to: provide the fitness, nutrition, body-progress, cycle, and AI coaching features you request; generate your AI coaching and meal-scan responses; maintain your logs, history, and progress; manage your account and subscription; apply safety guardrails; secure the service and prevent fraud; and comply with law.

We do not use your consumer health data for cross-context behavioral or targeted advertising. We do not sell your consumer health data. We do not use, and we contractually prohibit our AI providers from using, your consumer health data to train, fine-tune, or improve any artificial-intelligence model.

5. Categories of Consumer Health Data We Share and With Whom

We share consumer health data only with service providers that process it on our behalf and under contract, solely to provide the service to you:

We also exchange barcode query data with Open Food Facts (only the product barcode — not your identity or health data), and we receive subscription status from Apple. Our advertising partner (Start.io) and our subscription manager (RevenueCat) receive no consumer health data of any kind — advertising involves only a device advertising identifier for free-tier users (Privacy Policy, “Advertising”), and subscription management involves only an internal account identifier and purchase data. These are service-provider relationships, not sales, and we do not disclose your consumer health data to third parties for their own purposes.

6. Affiliates

Velora is operated by Havra LLC. We do not currently share your consumer health data with any affiliates. If this changes, we will update this Notice to identify each affiliate by name before any such sharing occurs.

7. Security, Image Encryption, and Meal-Scan Deletion

Images you upload — including body-progress, workout, and meal-scan photos — are encrypted in transit (TLS) and at rest (strong, industry-standard, provider-managed encryption such as AES-256). Your body-progress and workout photos, coach chat history, and nutrition history are additionally encrypted on your device (AES-256) before upload, so our servers store only ciphertext we cannot read; the encryption key is held only on your device and is not recoverable by us if you lose it.

Photos you submit for AI meal scanning are processed only to return your scan result and are deleted promptly afterward; we do not retain meal-scan images for any other purpose. Profile, body-progress, and workout photos that you choose to save are stored only while your account is active and are deleted on account deletion (within our standard window, currently up to 30 days), except for residual copies in encrypted backups (purged on our normal rotation) and where retention is required by law.

When we send your data to our AI providers to generate a response, we do so only to produce that response for you (“inference”), and our AI providers are contractually restricted from using your data to train, fine-tune, or improve their models; they may retain limited data briefly to operate the service and detect abuse under their standard terms.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security; we use reasonable, industry-standard safeguards.

8. Consent for Collection and Sharing Beyond What Is Necessary

We collect and share consumer health data that is necessary to provide a feature you have requested without separate consent. For any collection or sharing beyond what is necessary to provide a feature you request, we will first obtain your consent through a clear, affirmative, opt-in choice separate from your acceptance of our Terms and Privacy Policy. Optional health features — Apple Health and cycle tracking, and sharing your cycle context with the AI coach — are off by default and require a separate, affirmative opt-in. We do not use pre-checked boxes or deceptive designs, and you may withdraw consent at any time as described below.

9. No Sale of Consumer Health Data Without Valid Authorization

We do not sell your consumer health data. We will not sell it unless we first obtain your separate, written, signed valid authorization meeting applicable law (describing the data, recipient, and purpose, expiring no later than one year from signing, and revocable at any time). We will provide you a copy of any authorization you sign.

10. No Geofencing Around Health Facilities

We do not, and will not, use a geofence to establish a virtual boundary around any facility that provides in-person health-care services in order to identify or track consumers seeking those services, collect consumer health data, or send notifications, messages, or advertisements related to a consumer’s health data or health care. (Velora requests no device-location permission at all.)

10A. Menstrual Cycle Data (On-Device)

Cycle tracking is an optional feature. If you use it:

11. Your Consumer Health Data Rights and How to Exercise Them

If you are a resident of Washington, Nevada, or Connecticut, you have the right to:

You can delete your account and data in the app; for access, a third-party list, or a formal withdrawal, email support@joinvelora.app. We will respond within 45 days; if we need more time, we may extend by an additional 45 days and will tell you why. We will not discriminate or retaliate against you for exercising these rights.

12. Right to Appeal

If we decline to act on your request, we will tell you why. You may appeal by replying to our response or emailing support@joinvelora.app with the subject line “Consumer Health Data Appeal.” We will respond within 45 days and explain our decision. If we deny your appeal, you may submit a complaint to your state Attorney General — in Washington, Nevada, and Connecticut, the respective Office of the Attorney General.

13. Data Retention

Meal-scan photos are transient and are deleted promptly after the AI returns your scan result. Menstrual cycle data and Apple Health data are stored only on your device and are removed when you delete them in the app, turn off the feature, or delete the app. Other consumer health data is retained while your account is active and is deleted on account deletion (immediately, and in all cases within our standard window of 30 days) unless deleted by you earlier or unless a longer period is required by law, to resolve disputes, or to enforce our agreements. On deletion, certain records may persist as permitted by law: de-identified analytics/abuse-prevention records (with your identifier removed) and anonymous records that never contained an identifier. Our internal administrative audit log (records of administrator actions, which may reference an affected account) is append-only and permanent by design for security and compliance integrity; it is access-restricted and is not used for any consumer-health-data purpose.

14. Contact

Havra LLC

support@joinvelora.app