LUVVICARE FAMILY MOBILE APPLICATION PRIVACY POLICY

PRIVACY AT A GLANCE

This summary provides a high-level overview of how Luvvi Sarl (“Luvvi,” “we,” “our”) handles your personal information when you use the LuvviCare Family Mobile Application (“App”). For full details, please read the complete Privacy Policy below.

Who operates the App? Luvvi Sarl, based in Geneva, Switzerland, is the technology provider. Your healthcare facility ("Healthcare Facility") — such as a hospital, NICU, PICU, hospice, or other pediatric care setting — is the data controller (GDPR) or covered entity (HIPAA) responsible for your patient data. Luvvi acts as the data processor (GDPR) or business associate (HIPAA) on the Healthcare Facility's behalf.

What data do we collect? Parent/guardian name, mobile phone number, child’s name and date of birth, messages and media from your Healthcare Facility's clinical team, voice recordings you create via Audio Care, milestone and tracking entries you input, and pseudonymous, non-identifying usage analytics. We do not use IP addresses, device identifiers, or other technical data for analytics or user tracking purposes.

Why do we collect it? To deliver communications from your Healthcare Facility to you, to enable video calls and livestreams, to process Audio Care recordings, to authenticate your identity, and to help Healthcare Facilities understand how the App supports their care programs (through pseudonymous, non-identifying analytics only).

Do we sell your data? No. We never sell personal information or electronic Protected Health Information (ePHI) to anyone. We do not share ePHI with advertisers, sponsors, or marketing partners.

Where is your data stored? In regionally isolated AWS infrastructure: US data in Virginia, Canadian data in Montreal, UK data in London, EU data in Frankfurt, and Australian data in Sydney. Your ePHI and patient data do not leave their designated region. Non-ePHI analytics, diagnostics, and transient country-detection data may be processed by approved subprocessors as described below.

How is your data protected? All ePHI data is encrypted at rest and in transit. Two-factor authentication (SMS OTP) is required. The App does not operate on jailbroken or rooted devices.

What are your rights? Depending on your jurisdiction, you may have rights to access, correct, delete, or port your data, and to lodge complaints with a supervisory authority. Because the Healthcare Facility is the data controller, many rights related to patient data must be exercised through your Healthcare Facility. See Section 10 and the jurisdiction-specific addenda for details.

How to contact us: privacyofficer@luvvi.com 

1. INTRODUCTION AND SCOPE

This Privacy Policy (“Policy”) describes how Luvvi Sarl (“Luvvi,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information and electronic Protected Health Information (“ePHI”) when you use the LuvviCare Family Mobile Application (“App”).

The App is a secure communication platform provided to families of children receiving care in pediatric healthcare settings — including Neonatal Intensive Care Units (NICUs), Pediatric Intensive Care Units (PICUs), pediatric palliative care, hospice, and other pediatric care settings — by their healthcare facility ("Healthcare Facility"). The App enables families to receive messages, photos, videos, audio clips, and eCards from the Healthcare Facility's clinical team, participate in video calls and livestreams, record voice messages via the Audio Care feature, and track milestones and other information about their child’s care journey.

Important: This Policy applies only to the LuvviCare Family Mobile App. It does not cover the LuvviCarePro Clinician App, the LuvviCare Web Administration Portal, or any third-party websites or services linked from within the App. Those are governed by separate agreements and policies between Luvvi and the Healthcare Facility.

This Policy should be read together with the LuvviCare Family App Terms of Service, which governs your use of the App.

The App is not intended to function as a medical device or to provide clinical decision-making support. It does not provide medical advice, diagnosis, or treatment. All clinical content you receive through the App originates from your Healthcare Facility's clinical team, not from Luvvi.

The App is not intended for use in medical emergencies. If you believe a medical emergency is occurring, contact your healthcare provider or emergency services immediately.

2. DATA CONTROLLER AND DATA PROCESSOR ROLES

The LuvviCare platform operates under a three-party model. Understanding who plays which role is important because it determines who is responsible for your data and who you should contact to exercise your rights.

2.1 Your Healthcare Facility

Your Healthcare Facility is where your child is receiving care and that has enrolled with the LuvviCare platform. You may be registered on the App through one of two paths:

(a) Self-registration: You scan a unique LuvviCare QR code provided to you by the care team at your Healthcare Facility (for example, on a poster in the unit waiting area or on an informational flyer). This QR code is unique to your Healthcare Facility and directs you to the LuvviCare website, where you provide the activation code shown on the poster or flyer, your name, and your mobile phone number. After verifying your identity via SMS OTP, you can download and install the App. At this point, your account is registered with your Healthcare Facility but is not yet activated — you can access educational content, track your child’s parameters, and access Audio Care content, but your Healthcare Facility must validate your registration before you can receive messages, video calls, or have your voice recordings played for your child by clinical staff.

(b) Healthcare Facility-initiated enrollment: Your Healthcare Facility's care team directly enrolls you and your child on the LuvviCare platform. You receive an SMS message notifying you that you have been onboarded and asking you to install the LuvviCare Family App. To log in, you enter your child’s last name, date of birth, the registered parent mobile phone number, and the Healthcare Facility's country, and then verify your identity via SMS OTP.

Access to patient communications is only enabled after validation and activation by the Healthcare Facility. Regardless of which registration path is used, you cannot receive clinical messages, video calls, or other patient-related communications until the Healthcare Facility has verified and activated your account.

Under applicable privacy laws:

• HIPAA (United States): Your Healthcare Facility is the Covered Entity. The Healthcare Facility determines what patient information is shared with families through the App, validates parent registrations or directly enrolls families, and is responsible for obtaining any required patient consents or authorizations.

• GDPR / UK GDPR (Europe and United Kingdom): Your Healthcare Facility is the Data Controller. The Healthcare Facility determines the purposes and means of processing your personal data and special category health data through the App, including the decision to activate your account for clinical communications or to enroll you directly.

• PIPEDA (Canada): Your Healthcare Facility is the organization accountable for personal health information. Luvvi processes data on the Healthcare Facility's behalf under contractual safeguards.

• Australian Privacy Act: Your Healthcare Facility is the APP entity responsible for personal information. Luvvi processes data under contractual arrangements with the Healthcare Facility.

2.2 Luvvi

Luvvi is the technology provider that builds and operates the App. We act as:

• Business Associate under HIPAA, operating under a Business Associate Agreement (BAA) with each Healthcare Facility;

• Data Processor under GDPR / UK GDPR, operating under a Data Processing Agreement (DPA) with each Healthcare Facility; and

• an equivalent processing role under PIPEDA and the Australian Privacy Act, operating under contractual safeguards with each Healthcare Facility.

  
  

Luvvi does not independently determine the purposes or means of processing ePHI or patient data. We act solely on the documented instructions of the Healthcare Facility, except where required by applicable law.

2.3 You (The User)

You are a parent, legal guardian, or authorized family contact who has self-registered through your Healthcare Facility's unique QR code or been directly enrolled by your Healthcare Facility's care team to receive communications about a specific patient through the App. Under GDPR, you are a “data subject.” Under HIPAA, you are an authorized recipient of the patient’s ePHI as designated by the Healthcare Facility upon account activation.

3. PERSONAL INFORMATION WE COLLECT

The following describes the categories of personal information and ePHI processed through the App:

1. Parent/Guardian Identity
   
   

Data elements: First name, last name, mobile phone number.

Source: Provided by parent during registration (initiated by Healthcare Facility).

2. Secondary Contact Identity
   
   

Data elements: First name, last name, mobile phone number.

Source: Provided by parent or Healthcare Facility.

3. Patient (Child) Identity
   
   

Data elements: First name, last name, date of birth.

Source: Provided by Healthcare Facility during patient enrollment.

4. Authentication Data
   
   

Data elements: OTP codes (transient, not stored), session tokens.

Source: Generated by Luvvi systems.

5. Communications (ePHI)
   
   

Data elements: Messages, photos, videos, audio clips, eCards received from Healthcare Facility clinicians.

Source: Generated by Healthcare Facility clinicians via the LuvviCare Pro App.

6. User-Generated Content
   
   

Data elements: Voice recordings (lullabies, stories) via Audio Care, milestone entries, growth data entries, feeding/pumping logs, skin-to-skin tracking, experience ratings.

Source: Created by parent in the Family App.

7. Device and Technical Data
   
   

Data elements: Device type, operating system version, app version, language setting, push notification tokens.

Source: Automatically collected by the App.

8. Usage Analytics
   
   

Data elements: App engagement metrics (e.g., app engagement events, feature usage, content interaction events, and timestamps).

Source: Collected via Mixpanel analytics SDK as pseudonymous, non-identifying usage analytics.

Important: No ePHI, IP addresses, advertising identifiers, hardware device identifiers, backend account identifiers, patient identifiers, family identifiers, names, phone numbers, dates of birth, message content, media, voice recordings, or clinical data are transmitted to Mixpanel. Mixpanel receives a random app-instance analytics ID used only to measure non-identifying app usage.

What we do NOT collect: We do not collect Social Security numbers, financial account information, biometric identifiers (other than voice recordings you voluntarily create), precise GPS location data, browsing history, or information from your device’s contacts, calendar, or other apps.

3.1 Two Categories of Data: Clinical Communications vs. Your Personal Entries

To help you understand how your data is handled — particularly when your account is deactivated or deleted — it is important to distinguish between two categories of data processed through the App:

Clinical communications from your care team. This includes messages, photos, videos, audio messages, eCards, video call records, and other content sent to you by the Healthcare Facility's clinical staff. This category constitutes ePHI and forms part of the Patient's medical record. The Healthcare Facility, as the data controller (GDPR) or covered entity (HIPAA), is legally required to retain this data for extended periods under applicable medical record retention laws. When your account is deleted, you will lose access to this content through the App, but the Healthcare Facility retains it as part of the Patient's medical record. Luvvi continues to store this data on the Healthcare Facility's behalf for the duration of the applicable retention period.

Your personal entries. This includes tracking data you enter (growth measurements, milestones, feeding logs, pumping logs, skin-to-skin sessions, hospital visits, and similar parental contributions) and Audio Care voice recordings you create. This category is data you generate and is not part of the Patient's medical record. When you use the in-app "Delete account" function, this data is permanently deleted from Luvvi's servers, subject to the timeframes described in Section 9.

This distinction reflects the legal reality that medical records and personal user-generated content are governed by different rules. It does not affect the security, encryption, or regional isolation applied to either category — both are protected to the same standard while in our systems. See Section 9 for full retention details and Section 10 for your rights with respect to each category.

4. HOW WE USE YOUR INFORMATION

We process your personal information and ePHI only for the purposes described below. We do not use your data for marketing, advertising, profiling, or any purpose unrelated to the delivery and improvement of the App.

• Deliver messages and media from your Healthcare Facility to you. GDPR basis: Performance of contract with Healthcare Facility / Legitimate interest. HIPAA basis: Treatment, Payment, Healthcare Operations (TPO) under BAA.

• Enable two-way video calls and livestreams initiated by clinicians. GDPR basis: Performance of contract. HIPAA basis: TPO under BAA.

• Process and play back Audio Care voice recordings. GDPR basis: Performance of contract / Consent. HIPAA basis: TPO under BAA.

• Authenticate your identity via SMS OTP (two-factor authentication). GDPR basis: Performance of contract / Legal obligation. HIPAA basis: Security safeguard under BAA.

• Translate messages to your device’s language setting. GDPR basis: Performance of contract. HIPAA basis: TPO under BAA.

• Store messages and media locally on your device for offline access. GDPR basis: Performance of contract. HIPAA basis: TPO under BAA.

• Send push notifications (content does not include ePHI). GDPR basis: Legitimate interest / Consent. HIPAA basis: Operational necessity.

• Analyze pseudonymous, non-identifying usage metrics to help Healthcare Facilities assess App adoption. GDPR basis: Legitimate interest. HIPAA basis: De-identified data — not ePHI.

• Provide educational content and resources. GDPR basis: Performance of contract. HIPAA basis: N/A (no ePHI involved).

• Maintain security, prevent fraud, detect jailbroken/rooted devices. GDPR basis: Legitimate interest / Legal obligation. HIPAA basis: Security safeguard under BAA.
  
  

Legitimate Interest Assessment: Where we rely on legitimate interest as a legal basis under GDPR, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may contact us at privacyofficer@luvvi.com to request details of these assessments.

5. HOW WE SHARE YOUR INFORMATION

We share your information only in the following limited circumstances:

5.1 With Your Healthcare Facility

We share aggregated and non-identifying usage and engagement data with the Healthcare Facility that enrolled you so they can assess how the App supports their care program. The Healthcare Facility's authorized clinical team can access communications they have sent to you through the App. We do not share your personal messages, voice recordings, or private entries with anyone outside the Healthcare Facility's authorized personnel.

5.2 With Third-Party Service Providers (Subprocessors)

We use a small number of carefully vetted third-party service providers to operate the App. Each is contractually bound to process data only as described below.

5.2.1 With Mixpanel (Analytics Provider)

We use Mixpanel to process pseudonymous, non-identifying usage analytics. The App generates a random app-instance analytics ID that is not derived from, stored with, or linkable in our backend to a parent ID, child ID, phone number, name, date of birth, patient record, or clinical content. Mixpanel receives event names, timestamps, Healthcare Facility-level context, app context, and non-identifying feature usage data. We do not send ePHI, names, phone numbers, child identifiers, dates of birth, message content, media, voice recordings, clinical data, backend account identifiers, IP addresses, advertising identifiers, or hardware device identifiers to Mixpanel.

5.2.2 With Sentry (Diagnostic Provider)

We use Sentry to collect crash reports and diagnostic information so we can identify and fix technical errors. Sentry may receive app version, device/OS information, stack traces, error messages, and limited diagnostic breadcrumbs. We configure our logging and error reporting to avoid sending ePHI, message content, media, voice recordings, names, phone numbers, child identifiers, dates of birth, or clinical data to Sentry.

5.2.3 With IPinfo (Country-detection Provider)

The App may process your public IP address transiently through our country-detection provider to infer country/region for app configuration, such as measurement units or regional setup. We do not send this IP address to Mixpanel, do not use it for advertising or tracking, and do not store it as ePHI.

5.3 With Amazon Web Services (Infrastructure Provider)

All ePHI is stored and processed on AWS infrastructure under a HIPAA Business Associate Agreement and a GDPR-compliant Data Processing Agreement. AWS acts as a sub-processor to Luvvi. Data is regionally isolated as described in Section 8 and encrypted as described in Section 6.

5.4 What We Do NOT Do

• We do NOT sell personal information or ePHI to any third party.

• We do NOT share ePHI with advertisers, sponsors, or marketing partners.

• We do NOT use your data for targeted advertising or behavioral profiling.

• We do NOT provide any personal data or ePHI to white-label Sponsors whose branding may appear in the App.

  
  

5.5 Law Enforcement and Legal Process

We may disclose personal information if required to do so by applicable law, regulation, or valid legal process (such as a subpoena, court order, or government request). Where legally permitted, we will notify you before making such a disclosure. We will also notify the relevant Healthcare Facility, as the data controller or covered entity, of any such request relating to patient data.

6. DATA STORAGE, ENCRYPTION, AND SECURITY

We implement comprehensive administrative, technical, and physical safeguards to protect your personal information and ePHI. These measures are designed to comply with HIPAA Security Rule requirements, GDPR Article 32 security obligations, and equivalent standards under PIPEDA and the Australian Privacy Act.

6.1 Encryption

• At rest: All ePHI stored on our servers is encrypted using AWS Key Management Service (KMS) with custom encryption keys managed by Luvvi. Encryption keys are subject to automatic rotation.

• In transit: All data transmitted between the App and our servers is encrypted using industry-standard TLS protocols.

• On device: Messages and media stored locally on your device for offline access are encrypted using the device’s native encryption capabilities.

  
  

6.2 Authentication and Access Controls

• Two-factor authentication (SMS OTP) is required for all Family App users.

• The App does not operate on jailbroken (iOS) or rooted (Android) devices.

• Access to ePHI within Luvvi’s systems follows zero-trust and least-privilege principles.

• Role-based access controls restrict internal access to authorized personnel only.
  
  

6.3 Additional Security Measures

• Regular external penetration testing of the App and infrastructure.

• Continuous monitoring and logging of access to ePHI.

• Video livestream sessions are never recorded by Luvvi.

• Incident response and breach notification procedures are in place (see Section 14).

• Luvvi is pursuing ISO 27001 and HITRUST certifications.

  
  

7. LOCAL DEVICE STORAGE

The App stores messages and media received from the Healthcare Facility in encrypted form on your device to enable offline access. This allows you to view content even when you do not have an internet connection.

This locally stored data remains on your device until:

(a)   You delete the App from your device;

(b)   The Healthcare Facility deactivates your account; or

(c)   You manually clear the App’s data through your device’s settings.

Your responsibility: Once data resides on your device, Luvvi cannot remotely access, control, or retrieve it. You are responsible for maintaining the security of your device, including using a device passcode or biometric lock, keeping your operating system up to date, and not sharing your device with unauthorized persons.

If ePHI leaves the App’s encrypted environment (for example, via a screenshot), it may no longer be protected under HIPAA or other privacy regulations.

8. INTERNATIONAL DATA TRANSFERS AND REGIONAL ISOLATION

Luvvi operates regionally isolated infrastructure to ensure that your data stays within the geographic region where your Healthcare Facility is located. This architecture is a core element of our privacy and compliance strategy.

• United States: Data is stored in AWS US-East (Virginia). Primary legal framework: HIPAA. Transfer safeguards: BAA with AWS; domestic processing.

• United Kingdom: Data is stored in AWS UK (London). Primary legal framework: UK GDPR / Data Protection Act 2018. Transfer safeguards: UK International Data Transfer Addendum; DPA with AWS.

• European Economic Area: Data is stored in AWS EU (Frankfurt, Germany). Primary legal framework: EU GDPR. Transfer safeguards: Standard Contractual Clauses (SCCs) with AWS.

• Canada: Data is stored in AWS Canada (Montreal). Primary legal framework: PIPEDA and provincial privacy laws. Transfer safeguards: DPA with AWS; domestic processing.

• Australia: Data is stored in AWS Australia (Sydney). Primary legal framework: Australian Privacy Act / APPs. Transfer safeguards: Contractual safeguards with AWS; domestic processing.

  
  

Your ePHI data does not leave the region in which it is stored. No ePHI crosses regional boundaries. In the limited circumstances where cross-border transfers may be necessary (for example, for technical support), such transfers are governed by Standard Contractual Clauses (EU), UK International Data Transfer Addendum (UK), or equivalent contractual safeguards. Non-ePHI analytics, diagnostics, and transient country-detection data may be processed by approved subprocessors as described in this Policy and are not used for advertising or tracking.

Luvvi’s corporate headquarters are in Geneva, Switzerland. Switzerland has received an adequacy decision from the European Commission under GDPR, meaning transfers of personal data from the EEA to Switzerland are permitted without additional safeguards.

9. DATA RETENTION

We retain your personal information and ePHI only for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law. Retention obligations differ depending on the type of data, the jurisdiction, and the Healthcare Facility's medical record retention policy.

ePHI from your care team (messages, photos, videos, audio messages, eCards, and video call records): Retained on Luvvi's servers in accordance with the Healthcare Facility's medical record retention policy and applicable law. These communications form part of the patient's medical record and are subject to mandatory retention requirements that vary by jurisdiction and may extend for many years, particularly for pediatric patients. For specific retention periods that apply to your data, please contact your Healthcare Facility's Privacy Officer.

During this retention period:

• The Healthcare Facility, as the data controller (GDPR) or covered entity (HIPAA), retains access to these communications for legal, clinical, audit, and compliance purposes.

• You will no longer have access to this content through the App after your account is deleted.

• Retained data remains stored in encrypted form within the regional infrastructure described in Section 8 and is accessed only as required by law, regulation, or authorized Healthcare Facility personnel.

• Luvvi does not use retained ePHI for any purpose other than fulfilling its obligations to the Healthcare Facility under the Business Associate Agreement (HIPAA), Data Processing Agreement (GDPR/UK GDPR), or equivalent contractual safeguards.

Patient identity data (child's first name, last name, date of birth): Provided by the Healthcare Facility and retained as part of the Healthcare Facility's medical record under the same retention obligations described above for ePHI. Patient identity data is not deleted when a parent deletes their account.

Account data (parent/guardian name, mobile phone number, secondary contact information): Retained for as long as your account is active. Account data is deleted within a reasonable period following:

• Deactivation of your account by the Healthcare Facility; or

• Your use of the in-app "Delete account" function.

Account data may be retained beyond this period where required by applicable law (for example, to comply with audit, tax, or legal-hold obligations).

Tracking data you enter (growth measurements, milestones, feeding logs, pumping logs, skin-to-skin sessions, hospital visits, and other parental contributions): Retained for as long as your account is active. When you use the in-app "Delete account" function, all tracking data you have entered is permanently deleted from Luvvi's servers within a reasonable period. This data is not part of the Healthcare Facility's medical record and is not subject to the clinical retention obligations described above.

Audio Care voice recordings (recordings you create): Retained on Luvvi's servers and made available for playback by authorized clinical staff for the duration of the patient's care, in accordance with the Healthcare Facility's policy. You may delete individual recordings at any time through the App, in which case they are removed from Luvvi's servers and the Healthcare Facility's access. Where a recording has been incorporated into a clinical playback session that forms part of the patient's medical record, metadata about that session (but not the recording itself, where deletion is requested) may be retained as part of the medical record under the same retention rules described above.

Audio catalog content (lullabies and curated audio provided by Luvvi): Owned by Luvvi or its licensors and not subject to user-driven retention.

Usage analytics (Mixpanel): Pseudonymous and non-identifying. Mixpanel receives a random app-instance analytics ID that is not derived from, stored with, or linkable in our backend to a parent ID, child ID, phone number, name, date of birth, patient record, or clinical content. Analytics data is retained according to our analytics retention settings and deleted or aggregated when no longer needed for product improvement and Healthcare Facility program reporting.

Diagnostic data (Sentry): Crash reports and diagnostic information are retained by Sentry for the period configured in our Sentry account, after which they are deleted. We configure our error reporting to exclude ePHI, message content, media, voice recordings, names, phone numbers, child identifiers, dates of birth, and clinical data.

Local device data (messages and media stored on your mobile device for offline access): Retained on your device until you delete the App, clear the App's data through your device settings, or use the in-app "Delete account" function, which removes locally stored content from your device. Luvvi cannot remotely access, retrieve, or delete data stored on your device.

Authentication data (SMS OTP codes, session tokens): Transient. OTP codes expire within minutes of issuance and are not stored after use. Session tokens are retained only for the duration of an active session and are invalidated upon logout, account deactivation, or deletion.

Backups: Encrypted backups of Luvvi's systems are retained for a limited period for disaster recovery purposes. When data is deleted from production systems, residual copies in backups are overwritten in accordance with our standard backup rotation cycle. We do not restore deleted data from backups except in the event of a documented disaster recovery scenario.

Effect of account deletion: When you use the in-app "Delete account" function, the deletion is permanent and cannot be undone. You will lose access to all communications from your care team that were previously available to you in the App, and all tracking data you entered will be permanently deleted from Luvvi's servers. ePHI that forms part of the patient's medical record will continue to be retained by the Healthcare Facility in accordance with applicable medical record retention laws and Healthcare Facility policy, but you will no longer be able to access it through the App.

10. YOUR RIGHTS

Your rights regarding your personal information depend on your jurisdiction and on the type of data involved. Key rights may include: accessing your data, correcting inaccurate data, deleting your data, restricting or objecting to processing, data portability, withdrawing consent, and lodging complaints with a supervisory authority.

For detailed rights specific to your jurisdiction, please see the applicable addendum at the end of this Policy:

• California residents: Addendum A (CCPA/CPRA rights)

• EEA and UK residents: Addendum C (GDPR rights, including access, rectification, erasure, restriction, portability, objection, and consent withdrawal)

• Canadian residents: Addendum D (PIPEDA rights)

• Australian residents: Addendum E (Australian Privacy Principles)

• U.S. residents (HIPAA): Rights regarding your patient data and ePHI must be exercised through your Healthcare Facility, which is the covered entity under HIPAA. Key HIPAA rights include access to your records (45 CFR §164.524), amendment of inaccurate records (45 CFR §164.526), and an accounting of disclosures.

• 
  

Important: Because the Healthcare Facility is the data controller (GDPR) or covered entity (HIPAA), many data subject rights relating to patient data and ePHI must be exercised through your Healthcare Facility. Luvvi will assist the Healthcare Facility in responding to such requests in accordance with applicable law.

For rights exercised directly with Luvvi (for example, regarding your account data or analytics preferences), please contact us at privacyofficer@luvvi.com. We will respond to verified requests within the timeframes required by applicable law (generally 30 days under GDPR, 45 days under HIPAA, and 45 days under CCPA/CPRA).

We will not discriminate against you for exercising any of your privacy rights.

11. CHILDREN’S PRIVACY

The LuvviCare Family App is intended for use by adults (parents, legal guardians, and authorized family contacts) only. You must be 18 years of age or older, or the age of majority in your jurisdiction, to create an account and use the App.

We do not knowingly collect personal information directly from children under 13 (as defined by the U.S. Children’s Online Privacy Protection Act, “COPPA”), under 16 (as defined by GDPR), or under the applicable age of digital consent in other jurisdictions.

Patient (child) information processed through the App is provided by the Healthcare Facility — not by the child — and is processed under the Healthcare Facility's authority as the data controller or covered entity, in accordance with applicable health privacy laws.

If we learn that we have inadvertently collected personal information directly from a child without appropriate authorization, we will take steps to delete that information promptly. If you believe a child has provided personal information to us directly, please contact us at privacyofficer@luvvi.com.

12. COOKIES AND TRACKING TECHNOLOGIES

The LuvviCare Family App is a native mobile application. It does not use cookies.

We use the Mixpanel analytics SDK to collect pseudonymous, non-identifying usage metrics, as described in Sections 3 and 4. No ePHI, IP addresses, advertising identifiers, hardware device identifiers, backend account identifiers, patient identifiers, family identifiers, names, phone numbers, dates of birth, message content, media, voice recordings, or clinical data are transmitted to Mixpanel. The data collected by Mixpanel is designed not to identify you or your child.

Push notification tokens are used solely for delivering notifications to your device and are not shared with any third party other than the platform notification service (Apple Push Notification Service for iOS, Firebase Cloud Messaging for Android).

We do not use any tracking technologies for advertising, retargeting, or cross-app tracking purposes.

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, the App’s features, legal requirements, or regulatory guidance. When we make material changes, we will:

(a)   Notify you through the App or via the email or phone number associated with your account;

(b)   Update the “Effective Date” and “Last Updated” dates at the top of this Policy; and

(c)   Where required by applicable law, seek your renewed consent before applying material changes to your data processing.

We encourage you to review this Policy periodically. Your continued use of the App after the updated Policy becomes effective constitutes your acknowledgment of the changes. If you do not agree with the updated Policy, you should discontinue use of the App and contact your Healthcare Facility about deactivating your account.

14. DATA BREACH NOTIFICATION

In the event of a data breach involving your personal information or ePHI, Luvvi will:

(a)   Notify the affected Healthcare Facility or Healthcare Facilities without undue delay and, where feasible, within 24 hours of becoming aware of the breach;

(b)   Cooperate with the Healthcare Facility in notifying affected individuals and supervisory authorities, as required by applicable law;

(c)   Comply with the following notification timelines:

• GDPR / UK GDPR: Notification to the supervisory authority within 72 hours (Article 33). Notification to affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).

• HIPAA: Notification to affected individuals within 60 days, and to HHS and media outlets as required by the Breach Notification Rule (45 CFR §§ 164.400–414).

• Australian Privacy Act: Notification to the OAIC and affected individuals under the Notifiable Data Breaches (NDB) scheme where the breach is likely to result in serious harm.

• PIPEDA (Canada): Notification to the OPC and affected individuals where the breach creates a real risk of significant harm.

• U.S. State Laws: Notification in accordance with applicable state breach notification statutes.

(d)   Document the breach, its effects, and the remedial actions taken, and retain such documentation for a minimum of five years.

15. HOW TO CONTACT US

If you have questions about this Privacy Policy, wish to exercise any of your privacy rights, or have concerns about how your data is handled, please contact us:

General Privacy Inquiries:

Luvvi Sarl
 Attn: Privacy Team
 Rue Adrien Lachenal 26
 1207 Geneva, Switzerland
 Email: privacyofficer@luvvi.com

For HIPAA-related inquiries (U.S. users):

Please contact your Healthcare Facility's Privacy Officer for matters relating to your patient data. For matters relating to Luvvi’s role as Business Associate, contact us at privacyofficer@luvvi.com.

For GDPR / UK GDPR inquiries:

Please contact our Privacy Officer at privacyofficer@luvvi.com. If Luvvi appoints an EU Representative under Article 27 GDPR or a UK Representative under the UK GDPR, their contact details will be published on our website.

To exercise data subject rights: Email privacyofficer@luvvi.com with the subject line “Data Subject Request — [Your Jurisdiction].”

16. SUPERVISORY AUTHORITIES

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction:

• United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk

• European Union: Your national Data Protection Authority (e.g., BfDI in Germany, CNIL in France, DPA in Ireland)

• Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch

• United States: U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) for HIPAA matters; Federal Trade Commission (FTC) and state Attorneys General for consumer privacy matters

• Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca

• Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au

ADDENDUM A: ADDITIONAL INFORMATION FOR CALIFORNIA RESIDENTS

This addendum applies to residents of California and supplements the information in the main Privacy Policy above with disclosures required under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”).

A.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA/CPRA:

• Identifiers: Parent/guardian name, mobile phone number, child’s name and date of birth.

• Protected Health Information: Messages, photos, videos, audio clips, and other clinical communications received from your Healthcare Facility. Note: To the extent this information constitutes protected health information governed by HIPAA, it is exempt from the CCPA/CPRA under California Civil Code § 1798.145(c)(1)(A).

• Audio Information: Voice recordings created by you via the Audio Care feature.

• Internet or Electronic Network Activity: Pseudonymous, non-identifying app usage metrics only (IP addresses and device identifiers are not used for analytics or tracking; no browsing history).

  
  

A.2 Sale and Sharing of Personal Information

We do not sell your personal information. We do not “share” your personal information for cross-context behavioral advertising as defined by the CCPA/CPRA.

A.3 Your California Privacy Rights

As a California resident, you have the following rights under the CCPA/CPRA:

(a)   Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.

(b)   Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.

(c)   Right to Correct: You may request that we correct inaccurate personal information we maintain about you.

(d)   Right to Opt Out of Sale/Sharing: Because we do not sell or share personal information, there is no need to opt out. However, we honor “Do Not Sell or Share My Personal Information” requests as a matter of policy.

(e)   Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (health data) only for the purposes of providing the App’s services, which is a permitted use under the CCPA/CPRA.

(f)    Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

A.4 How to Submit a Request

To exercise your California privacy rights, email us at privacyofficer@luvvi.com with the subject line “California Privacy Request.” We will verify your identity before processing your request. We will respond within 45 days, which may be extended by an additional 45 days where reasonably necessary.

A.5 HIPAA Exemption

To the extent that your personal information constitutes protected health information governed by HIPAA and the HITECH Act, it is exempt from the CCPA/CPRA. Rights relating to such information should be exercised through your Healthcare Facility under HIPAA.

ADDENDUM B: ADDITIONAL INFORMATION FOR NEVADA RESIDENTS

Under Nevada Revised Statutes Chapter 603A, Nevada residents may submit a request directing a website operator not to sell certain information the operator has collected about the consumer.

Luvvi does not sell your personal information as defined under Nevada law. If you are a Nevada resident and wish to submit a verified request, please email privacyofficer@luvvi.com with the subject line “Nevada Privacy Request.”

ADDENDUM C: ADDITIONAL INFORMATION FOR USERS IN THE EEA AND UNITED KINGDOM

This addendum applies to users located in the European Economic Area (“EEA”) and the United Kingdom (“UK”) and supplements the information in the main Privacy Policy with disclosures required under the EU General Data Protection Regulation (“GDPR”) and the UK General Data Protection Regulation / Data Protection Act 2018 (“UK GDPR”).

C.1 Data Controller

Your Healthcare Facility is the data controller for patient data and ePHI processed through the App. Luvvi acts as the data processor, processing data on the Healthcare Facility's behalf under a Data Processing Agreement that includes the European Commission’s Standard Contractual Clauses (SCCs) for international transfers.

For personal data that Luvvi processes independently of the Healthcare Facility's instructions (for example, pseudonymous, non-identifying usage analytics), Luvvi acts as an independent data controller.

C.2 Legal Bases for Processing

The legal bases for our processing of your personal data are set out in the table in Section 4 of the main Privacy Policy. In summary:

(a)   Performance of a contract: Processing necessary to deliver the App’s services to you as described in the Terms of Service.

(b)   Legitimate interests: Processing necessary for our legitimate interests (or those of a third party), such as maintaining security, improving the App, and providing aggregated and non-identifying analytics to Healthcare Facilities, where those interests are not overridden by your rights.

(c)   Legal obligation: Processing necessary to comply with applicable laws and regulations.

(d)   Consent: Where required, particularly for the processing of special category health data under Article 9(2)(a) GDPR.

C.3 Special Category Data

Health data processed through the App constitutes special category data under Article 9 GDPR. This data is processed on the legal basis of:

• Article 9(2)(h): Processing necessary for the provision of health care, under the Healthcare Facility's responsibility as the data controller; and

• Article 9(2)(a): Explicit consent, where applicable.

• 
  

C.4 Your GDPR Rights

In addition to the rights summarized in Section 10 of the main Privacy Policy, you have the right to:

• Request a copy of the Standard Contractual Clauses or other safeguards governing international data transfers;

• Object to processing based on legitimate interests, in which case we will cease processing unless we demonstrate compelling legitimate grounds; and

• Withdraw consent at any time for processing based on consent, without affecting the lawfulness of processing before withdrawal.

  
  

C.5 Data Protection Impact Assessment

Luvvi has conducted a Data Protection Impact Assessment (DPIA) under Article 35 GDPR in connection with the processing of health data through the App. A summary of the DPIA is available upon request to your Healthcare Facility or by contacting privacyofficer@luvvi.com.

C.6 EU/UK Representative

If Luvvi does not have an establishment in the EEA or UK, it will appoint a representative under Article 27 GDPR and the equivalent UK provision. If Luvvi appoints an EU Representative under Article 27 GDPR or a UK Representative under the UK GDPR, their contact details will be published on our website at luvvi.com/legal/privacy.

C.7 Supervisory Authority

You have the right to lodge a complaint with your national Data Protection Authority. See Section 16 of the main Privacy Policy for contact details.

ADDENDUM D: ADDITIONAL INFORMATION FOR CANADIAN USERS

This addendum applies to users located in Canada and supplements the information in the main Privacy Policy with disclosures required under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial privacy legislation.

D.1 Accountability

Your Healthcare Facility is the organization primarily accountable for the personal health information processed through the App. Luvvi processes this information on the Healthcare Facility's behalf under contractual safeguards that require Luvvi to implement appropriate security measures and to process personal information only as directed by the Healthcare Facility.

D.2 Consent

By creating an account and using the App, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. You may withdraw your consent at any time by contacting your Healthcare Facility or by emailing privacyofficer@luvvi.com. Please note that withdrawing consent may affect your ability to use the App.

D.3 Your Rights Under PIPEDA

Under PIPEDA, you have the right to:

(a)   Access your personal information held by Luvvi and request a copy;

(b)   Challenge the accuracy and completeness of your personal information and have it amended;

(c)   Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions; and

(d)   Complain to the Office of the Privacy Commissioner of Canada (OPC) if you believe your privacy rights have been violated.

D.4 Data Storage

Personal information and ePHI of Canadian users is stored on AWS servers located in Canada (Montreal). Your data does not leave Canada except in limited circumstances described in Section 8 of the main Privacy Policy, and any such transfer is subject to contractual safeguards.

D.5 Breach Notification

In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, Luvvi will notify the affected Healthcare Facility, which will notify you and the OPC in accordance with PIPEDA’s breach notification requirements.

ADDENDUM E: ADDITIONAL INFORMATION FOR AUSTRALIAN USERS

This addendum applies to users located in Australia and supplements the information in the main Privacy Policy with disclosures required under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”).

E.1 APP Entity

Your Healthcare Facility is the APP entity primarily responsible for the handling of your personal information and health information under the Privacy Act. Luvvi processes this information on the Healthcare Facility's behalf under contractual arrangements that require Luvvi to comply with obligations equivalent to the APPs.

E.2 Collection and Use

We collect only the personal information reasonably necessary to provide the App’s services, as described in Section 3 of the main Privacy Policy. We do not collect personal information by unlawful or unfair means.

E.3 Disclosure Overseas

Personal information of Australian users is stored on AWS servers located in Australia (Sydney). Your data does not leave Australia except in limited circumstances described in Section 8 of the main Privacy Policy. Before any overseas disclosure, Luvvi takes reasonable steps to ensure the overseas recipient does not breach the APPs, or the disclosure is covered by an exception under APP 8.2.

E.4 Your Rights Under the APPs

Under the Australian Privacy Principles, you have the right to:

(a)   Request access to the personal information Luvvi holds about you (APP 12);

(b)   Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13);

(c)   Complain about a breach of the APPs (APP 1). Luvvi will respond to complaints within 30 days.

E.5 Notifiable Data Breaches

In the event of an eligible data breach (as defined by Part IIIC of the Privacy Act) that is likely to result in serious harm, Luvvi will notify the affected Healthcare Facility, which will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.

E.6 Contact for Australian Privacy Concerns

Australian users may contact us at privacyofficer@luvvi.com or lodge a complaint with the OAIC at oaic.gov.au.