Prufio processes blood glucose readings, medication details, dietary information, and other health-related data. Under the General Data Protection Regulation (GDPR), this is classified as special category personal data (Article 9 GDPR). We process this data only with your explicit consent and only to provide the services you request.
1. Data Controller
The data controller for all personal data processed through the Prufio application and website is:
If you have questions about this Privacy Policy or the handling of your personal data, contact our Data Protection Officer at dpo@prufio.app. We will respond within 30 days.
2. Data We Collect
2.1 Account Data
- Email address and password (hashed)
- Display name
- Account creation date and last login
- Subscription tier and billing status (payment processed by third parties)
2.2 Health Data (Special Category — Article 9 GDPR)
The following data is processed only with your explicit consent:
- Blood glucose readings (value, timestamp, context such as pre/post meal)
- Diabetes type and diagnosis information
- Medications and dosage information
- Meal logs (foods consumed, carbohydrates, calories, macros)
- Physical activity records (type, duration, intensity)
- Weight and body measurements
- HbA1c readings (if entered)
- Target glucose ranges set by you or your healthcare provider
- Menstrual cycle data (if optionally enabled)
- Symptoms and notes you add manually
2.3 Device & Technical Data
- Device type and operating system version
- App version
- Crash reports and error logs (anonymised)
- Network connectivity status (for sync decisions — not stored)
2.4 Usage Data
- Feature usage frequency (to improve the app)
- AI interaction counts (for rate limiting)
- Session timestamps
2.5 Data You Choose NOT to Provide
All health data fields are optional. You can use Prufio while providing only the data you are comfortable sharing. The app functions with partial data, though some insights will be less accurate with less data.
3. Legal Basis for Processing
| Data Type | Legal Basis | GDPR Article |
|---|---|---|
| Account registration & authentication | Performance of a contract (app service) | Article 6(1)(b) |
| Health data (glucose, meals, meds, etc.) | Explicit consent — you must actively opt in | Article 9(2)(a) |
| AI insights & personalisation | Explicit consent (given at onboarding) | Article 9(2)(a) |
| Security, fraud prevention, safety | Legitimate interests | Article 6(1)(f) |
| Crash & error reporting | Legitimate interests (app improvement) | Article 6(1)(f) |
| Legal compliance (GDPR, ePrivacy) | Legal obligation | Article 6(1)(c) |
| Optional analytics cookies | Consent (via cookie banner) | Article 6(1)(a) |
Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. To withdraw consent for health data processing, delete your account in the app settings or contact privacy@prufio.app.
4. How We Use Your Data
- To display your health tracking history and trends
- To generate personalised AI insights via Oliver
- To send medication and activity reminders you have configured
- To produce reports you can share with your healthcare team
- To detect patterns in your health data over time
- To maintain and improve the security and stability of the app
- To respond to your support requests
- To comply with legal obligations
We do not:
- Sell or rent your personal data to any third party
- Use your health data for advertising or profiling for commercial purposes
- Share your data with insurance companies, employers, or healthcare commissioners without your explicit, separate consent
- Use your data to make automated decisions with significant legal or similarly significant effects without human review
5. AI Processing & Automated Decisions
Prufio uses Google Gemini (via a secure Cloud Function proxy) to power Oliver, the AI assistant. When you send a message to Oliver:
- Relevant, anonymised context from your health logs is included in the AI prompt
- Your message and relevant data are sent to Google's AI infrastructure and processed outside the EU (see Section 7 on international transfers)
- Responses are generated by the AI model and returned to you
- We do not store AI conversation history server-side beyond what is needed for the current session
AI-generated insights are informational and motivational only. They are not medical diagnoses or treatment recommendations. Prufio does not make automated decisions that produce legal or similarly significant effects about you (as defined in GDPR Article 22).
You can disable Oliver AI at any time in Settings → AI Features.
6. Data Sharing & Processors
We use the following sub-processors under Data Processing Agreements (DPAs) compliant with GDPR Article 28:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Google Firebase (Auth, Firestore, Crashlytics, Analytics) | Authentication, cloud sync, crash reporting, anonymised usage analytics | EU (eur3) and global | SCCs, Google DPA, EU-US DPF |
| Google Cloud Functions | Secure AI proxy (rate limiting, key protection) | EU region by default | Google DPA, SCCs |
| Google Gemini AI | Powering Oliver's AI responses | US / global | SCCs, Google AI DPA |
| Apple App Store / Google Play | App distribution and subscription billing | Global | Apple/Google DPAs |
We may also disclose data if required by law, a court order, or regulatory authority. We will notify you unless legally prohibited from doing so.
7. International Transfers
Some of our processors are located outside the European Economic Area (EEA). When your data is transferred outside the EEA, we ensure adequate protection through one or more of:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-US Data Privacy Framework (DPF) where applicable
- Adequacy decisions by the European Commission
- Binding Corporate Rules
You may request a copy of the transfer safeguards we rely on by writing to dpo@prufio.app.
8. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Active account data & health logs | Duration of account plus 30 days | Service provision; grace period for recovery |
| Deleted account data | 30 days (then permanently deleted) | Accidental deletion recovery |
| Anonymised analytics | Up to 24 months | Product improvement (no personal identifiers) |
| Crash & error logs | 90 days | Security and stability monitoring |
| Legal/compliance records | As required by applicable law | Legal obligation |
| Consent records | 3 years from collection | Accountability (GDPR Article 5(2)) |
When data reaches its retention limit, it is permanently deleted from all our systems and sub-processors within 30 days.
9. Your GDPR Rights
As a data subject under GDPR, you have the following rights. To exercise any of these, visit our Data Rights page or contact privacy@prufio.app. We will respond within 30 days (extendable to 90 days for complex requests, with notice).
- Right of Access (Article 15): Obtain a copy of all personal data we hold about you.
- Right to Rectification (Article 16): Correct inaccurate or incomplete data.
- Right to Erasure / "Right to be Forgotten" (Article 17): Request deletion of your data. Within the app: Settings → Account → Delete Account.
- Right to Restriction of Processing (Article 18): Restrict how we use your data while a dispute is resolved.
- Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format (JSON or CSV). Available in-app under Reports → Export.
- Right to Object (Article 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent (Article 7(3)): Withdraw consent for health data processing at any time.
- Right not to be subject to automated decision-making (Article 22): We do not make solely automated decisions with significant effects.
These rights are not absolute and may be subject to exceptions. We will explain any limitations when responding.
10. Children's Privacy
Prufio is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@prufio.app and we will delete the data promptly.
In EU member states where the age of consent for digital services is set lower than 16 (minimum 13 per GDPR Article 8), the applicable national minimum age applies. If you are under that age, you require parental consent to use Prufio.
11. Security Measures
We implement technical and organisational measures appropriate to the risk, including:
- AES-256 encryption for all health data stored locally on your device (Hive encrypted storage)
- TLS 1.3 encryption for all data in transit
- Firebase Security Rules restricting cloud data access to authenticated account owners only
- Encrypted key management for local storage keys (Android Keystore / iOS Keychain)
- API rate limiting and abuse prevention on all Cloud Functions
- Regular security audits and penetration testing
- Staff access controls and privacy training
Despite our best efforts, no security system is impenetrable. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Articles 33 and 34.
12. Cookies
This website uses cookies and similar technologies. See our full Cookie Policy for details. In summary:
- Necessary cookies — required for the site to function (session security, cookie consent storage). No consent required.
- Functional cookies — remember your preferences. Require your consent.
- Analytics cookies — anonymised usage statistics. Require your consent.
We do not use advertising or tracking cookies. Your health data is never used in cookies.
13. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe we are processing your data in violation of the GDPR. You may contact:
- The supervisory authority in your EU member state of residence or place of work
- Your national data protection authority (DPA)
However, we would appreciate the opportunity to address your concerns first. Please contact our DPO at dpo@prufio.app before filing a complaint.
14. Changes to this Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify you of material changes by:
- Displaying a notice in the Prufio app at your next login
- Sending an email to your registered address for significant changes
- Updating the "Last updated" date at the top of this page
Continued use of Prufio after the effective date of a revised policy constitutes your acceptance of the changes. Where changes affect how we process your health data, we will request renewed explicit consent.
15. Contact & Data Protection Officer
For all privacy-related queries, data subject requests, or concerns:
Response time: within 30 days of receiving a verified request.