Privacy Policy

Last updated: July 14, 2026

Overview

This Privacy Policy explains how Mavr collects, uses, shares, and protects information when you use our services. Where processing requires consent, including certain health-data processing, we ask for it separately.

Controller

Branvang (Belgium) is the data controller for your personal information in the EEA, UK, and Switzerland. You may lodge a complaint with your local authority or the Belgian Data Protection Authority (www.dataprotectionauthority.be, contact@apd-gba.be). Contact us at info@mavr.app.

Information We Collect

  • Account information: email, authentication identifiers, subscription status, and acceptance of Terms (version and timestamp).
  • Health, fitness, and nutrition data: body measurements, age, sex used for nutrition reference values, training plans and completed workouts, food and hydration entries, recovery information, allergies and dietary restrictions, pregnancy or lactation information, symptoms or check-ins, and derived nutrition, fueling, glycogen, recovery, and training-load estimates.
  • Connected-service data: information you choose to import from services such as Apple Health, Garmin, Strava, calendars, or training-plan providers, subject to the permissions you grant there.
  • AI feature data: prompts, conversations, files or images you submit, relevant profile context supplied to the AI feature, generated responses, and safety or quality metadata.
  • Device and usage data: IP address, browser type, and interactions for security and analytics.

How We Use Information

  • To provide, maintain, and improve the service
  • To authenticate users, prevent fraud, and ensure security
  • To calculate personalized nutrition, hydration, fueling, training, and recovery information
  • To provide AI-assisted nutrition coaching and identify safety limitations
  • To sync data from services you choose to connect
  • To communicate with you about updates and support
  • To comply with legal obligations

Lawful Bases (EEA/UK/CH)

  • Contract: to provide and support the service you request
  • Legitimate interests: service security, product improvement, limited analytics
  • Consent: non-essential cookies/marketing where required
  • Explicit consent under GDPR Article 9(2)(a): processing health, fitness, pregnancy or lactation, allergy, recovery, and related inferred data for personalized nutrition, training and recovery analysis, connected-health features, and AI nutrition coaching
  • Legal obligations and, where necessary, vital interests

Health Data and Consent

Health and fitness information can be sensitive. Before personalized health-data processing begins, we ask for a separate affirmative consent tied to the current Health Data Notice. You may withdraw that consent in Account → Health data & consent. Withdrawal stops new personalized processing and does not affect processing that was lawful before withdrawal. See our Health Data Notice for categories, purposes, sources, recipients, and consumer-health-data rights.

AI and Automated Outputs

Some features use AI or rules to generate nutrition and training information. We may send the minimum relevant profile and conversation context to contracted AI service providers. Outputs may be incomplete or inaccurate and are presented as AI-generated or automated guidance. Mavr does not use these outputs to make decisions that produce legal or similarly significant effects about you.

Sharing of Information

We do not sell your personal information. We may share information with service providers (e.g., authentication, hosting, analytics, and payments) that process data on our behalf and under contractual confidentiality. We may disclose information if required by law or to protect rights, property, and safety.

Our current sub‑processors are listed at /legal/subprocessors.

Data Retention

We keep account and health-feature data while your account is active. After a verified deletion request, we remove or de-identify active-account data within 30 days unless a longer period is legally required; encrypted backups may persist for up to 90 additional days before cycling out. Security logs, payment records, consent evidence, and dispute records may be retained for the period required by law or necessary to establish or defend legal claims. You may request the retention period applicable to a specific category.

Security

We use reasonable administrative, technical, and physical safeguards to protect information. No method of transmission or storage is completely secure.

Your Rights (EEA/UK/CH)

  • Access, rectification, erasure, restriction, and portability
  • Object to processing based on legitimate interests and to direct marketing
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with your supervisory authority

Cookies and Tracking

In the EEA/UK/Switzerland, we set non‑essential cookies only with your consent via our cookie controls. You can update preferences at any time. Essential cookies necessary for the service may be set without consent.

Your Choices

  • Access, update, or delete your account data
  • Opt out of non-essential communications
  • Adjust browser settings for cookies and tracking

Regional Notices

United States (state privacy and consumer-health laws): We collect identifiers, commercial information, internet activity, health and fitness information, and inferences to operate and secure the service and provide requested features. We disclose information to processors for those purposes. We do not sell personal or consumer health data and do not share it for cross-context behavioral advertising. California residents may request access, deletion, and correction; Washington and Nevada residents may exercise consumer-health-data rights described in our Health Data Notice. Contact info@mavr.app.

Brazil (LGPD): We process data under LGPD legal bases including contract performance, legitimate interests, legal obligations, and consent where required. You may request confirmation, access, correction, anonymization/blocking/deletion of unnecessary or excessive data, portability, information on sharing, and revoke consent.

Canada (PIPEDA): We collect, use, and disclose personal information for specified purposes with your knowledge and consent, except where permitted by law. You may request access and correction.

Other regions (e.g., Australia, New Zealand, Singapore, South Africa, Japan, India): You may submit access/erasure/objection requests to info@mavr.app. We apply appropriate safeguards for international transfers where required.

International Data Transfers

We may store and process your personal information in the United States and in other countries where we or our service providers operate. If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, we will ensure that any transfer of your personal information outside of your jurisdiction complies with applicable data protection laws and includes appropriate safeguards.

These safeguards may include:

  • Where the U.S. recipient participates in the EU–U.S. Data Privacy Framework (and, as applicable, the UK Extension and Swiss–U.S. Data Privacy Framework), relying on that certification for the transfer.
  • Entering into the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) with recipients, together with the UK International Data Transfer Addendum or IDTA (for UK transfers) and appropriate Swiss-approved clauses or adaptations (for Swiss transfers).
  • Implementing supplementary technical and organizational measures, such as encryption in transit and at rest, access controls, and data minimization, where appropriate.

In limited cases and only where permitted by law (for example, to perform a contract at your request), we may rely on GDPR Article 49 derogations for specific transfers.

You can request a copy of the relevant transfer safeguards by contacting info@mavr.app.

Children

The service supports users aged 13 and over. Where local law requires permission from a parent or legal guardian for a minor to use the service or consent to data processing, that permission must be obtained. We do not knowingly collect personal information from anyone under 13 without verified authorization from a parent or legal guardian. Contact us if you believe this has occurred.

Changes

We may update this policy from time to time. If we make material changes, we will provide notice by email or through the service.

Contact

Questions? Contact info@mavr.app.