Privacy Policy
Last updated: May 2026
Zareva is a medication reminder and wellness companion published by BDKM LLC, a Delaware limited liability company ("BDKM," "we," "us," or "our"). We built Zareva with privacy at its core. This policy explains what data we collect, why, how it's protected, and the choices you have. We wrote it to be clear and readable — no legalese tricks.
Important: Zareva is NOT a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), and information you store in Zareva does not receive HIPAA protections. We voluntarily apply HIPAA-aligned security practices (AES-256 encryption at rest, TLS 1.3+ in transit, access controls, minimum data collection), but you should not assume HIPAA rights apply to your use of the app.
1. What We Collect
Zareva collects only the minimum data needed to provide medication reminders and wellness tracking:
- Medication names and schedules you enter
- Reminder acknowledgment status (taken, skipped, snoozed)
- Daily wellness check-in data (mood, energy, pain, hydration, meals, sleep)
- Vitals readings you log (e.g. blood pressure, weight, blood sugar)
- Side effects and lab results you optionally record
- Feedback you choose to send via the in-app feedback form (free text + optional contact email)
- Anonymous app event data (e.g. "subscription upgraded", "feature used") — collected only with your Analytics consent; it never includes medication names, dosages, notes, or wellness data
- A pseudonymous user ID for account management
- Device notification token for delivering reminders
- Notification preferences
We do not collect your real name, physical address, or phone number (unless you voluntarily provide a phone number for caregiver escalation). We do not collect anything beyond what you explicitly enter into the app.
2. How We Use Your Data
- Deliver medication reminders and wellness notifications
- Store your wellness routine for offline access
- Sync data across your devices (if you opt into Cloud Backup)
- Share wellness summaries with caregivers you explicitly invite via Care Circle
- Generate wellness reports you can share with your healthcare provider
- Improve the app through anonymous, aggregated usage analytics (if you opt in)
3. What We Never Do
We will never sell, rent, or trade your health data to anyone — period.
- We never use your health data for advertising or marketing
- We never share your medication information with advertisers, data brokers, or social media platforms
- We never send your health data to behavioral analytics or ad-tracking services. We do not use Firebase Analytics, Meta Pixel, or ad SDKs. Our in-app event analytics are anonymous, opt-in, and never include medication names, dosages, notes, or wellness data. Firebase Crashlytics is crash-only, opt-in, and scrubbed of health data before sending
- We never store health data in iCloud (Apple Guideline 5.1.3(ii))
- We never use health data for profiling, scoring, or automated decision-making
4. Third-Party Services
Zareva uses a small number of carefully selected third-party services:
Supabase (database & authentication) — Stores your account and wellness data with encryption at rest (AES-256) and in transit (TLS 1.3+). Row-level security policies ensure that only you (and caregivers you explicitly authorize) can access your data.
Firebase Cloud Messaging (notifications) — Delivers push notifications to your device. Only an opaque device token is shared with Google. No health data, medication names, or personal information is included in push notification payloads.
Firebase Crashlytics (crash diagnostics, opt-in) — Reports app crash stack traces and device/OS information so we can identify and fix stability issues. Disabled by default. Only active if you grant the Analytics consent in Settings → Privacy & Data. Every crash report is passed through a client-side redactor that strips emails, quoted free-text, URL query strings, and JSON bodies before sending — so medication names, dosages, notes, and wellness data never reach Crashlytics. No user identifier is ever attached. Collection toggles off immediately when you revoke consent.
OpenFDA (drug information) — When you check drug interactions, medication names are sent to the U.S. FDA's public API. No user identifiers, device information, or account data is included in these requests.
Affiliate links (GoodRx, EzRx, Amazon) — When you choose to visit an external savings service, your medication name may be visible to that service in the URL. You are always notified and asked for confirmation before leaving the app. Zareva may earn affiliate commissions from these services at no additional cost to you. These commissions are disclosed in-app.
5. Data Sharing
Your data is shared only in these specific circumstances:
- With caregivers you explicitly invite via Care Circle — you control who has access and can revoke it at any time
- With external services you explicitly choose to visit (GoodRx, EzRx, Amazon) — only after you confirm
- If required by law (court order, subpoena, or valid legal process)
We never share data with advertisers, data brokers, or any party for marketing purposes.
6. Data Security
We take the security of your data seriously:
- Encryption at rest: AES-256 encryption for all locally stored data (Hive database)
- Encryption in transit: TLS 1.3+ for all network communications
- Row-level security: Database policies ensure user-level data isolation
- Secure key storage: Encryption keys stored in iOS Keychain / Android EncryptedSharedPreferences
- No plain-text storage: Sensitive data is never stored in plain text on your device
- HIPAA-aligned practices: While Zareva is not a HIPAA-covered entity, our infrastructure voluntarily applies security practices aligned with HIPAA's technical safeguards
7. Data Retention & Deletion
You can delete your account at any time from Settings → Account → Delete Account. Upon deletion:
- All your data is permanently removed within 45 days (consistent with applicable consumer-privacy laws, including the California Consumer Privacy Act and the Washington My Health My Data Act for residents of those states)
- This includes medications, logs, check-ins, journal entries, caregiver relationships, and device tokens
- Local data (on-device database) is cleared immediately
- This action cannot be undone
You may also request data deletion by emailing privacy@zareva.app. We will process your request within 45 days.
For instructions on deleting your account, see our account deletion page.
8. Your Choices
You control your data through separate consent categories in Settings → Privacy & Data:
- Core Functionality (required) — Local storage of your medication schedules and reminders
- Cloud Backup (optional) — Sync your data to secure cloud storage for cross-device access
- Caregiver Sharing (optional) — Share your wellness data with Care Circle members
- Analytics (optional) — Anonymous, aggregated usage data to help us improve the app
You can change these choices at any time. Withdrawing consent does not affect the lawfulness of processing performed before withdrawal.
9. Age Requirement & Children's Privacy
Zareva is intended for users who are at least 18 years of age. We do not knowingly collect personal information from individuals under 18. If you are managing medications for a minor (such as a child or dependent), you must have legal authority to do so as a parent, legal guardian, or authorized caregiver — and the account must be in your name, not the minor's.
If you believe a child has provided us with personal information, please contact us immediately at privacy@zareva.app and we will delete the account and data promptly.
10. International Data Transfers
Zareva is operated from the United States. By using the app, you acknowledge that your personal data will be processed in the United States, where our infrastructure provider (Supabase, running on Amazon Web Services in the US) is located. The United States may not provide the same level of data protection as your home country.
For users in the United Kingdom, the European Economic Area, Ireland, or Switzerland: we transfer personal data outside your jurisdiction under the European Commission's Standard Contractual Clauses (SCCs) as incorporated into our data-processing agreement with Supabase, supplemented by technical measures (AES-256 encryption at rest, TLS 1.3+ in transit, row-level access controls) that limit the practical accessibility of your data to anyone other than you and the caregivers you authorize.
If you do not consent to the transfer of your data to the United States, please do not create an account or use the app.
11. Data Breach Notification
If we become aware of a personal-data breach that affects you, we will notify you and the relevant supervisory authority where required by law:
- U.S. users — within the timeframe required by the applicable state breach-notification statute (commonly within 30 to 60 days of discovery).
- Users in the EEA, UK, Ireland, or Switzerland — we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, and we will notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
To report a suspected breach or vulnerability, contact us at security@zareva.app.
12. Your Rights Under GDPR / UK GDPR (EU, UK, IE Residents)
If you are located in the European Economic Area, the United Kingdom, Ireland, or Switzerland, you have the following rights with respect to your personal data:
- Right to access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — ask us to delete your data; we honor erasure requests within 45 days.
- Right to restrict processing — ask us to limit how we process your data.
- Right to data portability — receive your data in a structured, commonly used, machine-readable format. Settings → Account → Export Data provides CSV/JSON export.
- Right to object — object to processing based on our legitimate interests.
- Right to withdraw consent — withdraw consent at any time for processing that is based on consent (Settings → Privacy & Data).
Data controller. BDKM LLC, a Delaware limited liability company, is the data controller for personal data we collect through Zareva. Contact us at privacy@zareva.app for any data-protection request.
Lawful bases. We process personal data on the following bases:
- Performance of a contract — to deliver the service you signed up for (medication reminders, wellness tracking, caregiver features).
- Consent — for optional categories you toggle in Settings → Privacy & Data (cloud sync, caregiver sharing, analytics).
- Legitimate interests — to keep the service secure, prevent abuse, and improve reliability (e.g., crash reports when enabled).
Right to lodge a complaint. If you believe we have not handled your data properly, you have the right to lodge a complaint with your supervisory authority:
- United Kingdom — Information Commissioner's Office (ICO), ico.org.uk
- Ireland — Data Protection Commission (DPC), dataprotection.ie
- Other EEA member states / Switzerland — your national data-protection authority.
13. Your Rights Under CCPA / CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"):
- Right to know — request the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties we share it with.
- Right to delete — request deletion of your personal information; we honor deletion requests within 45 days.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of the sale or sharing of personal information.
- Right to limit use and disclosure of sensitive personal information.
- Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercise these rights.
Do Not Sell or Share My Personal Information. We do not sell or share your personal information for cross-context behavioral advertising, and we have not sold or shared any personal information in the preceding 12 months. We do not knowingly collect or sell the personal information of consumers under 16 years of age.
To exercise any of these rights, contact us at privacy@zareva.app with the subject line "CCPA Request". We may need to verify your identity by confirming the email address associated with your account before fulfilling the request. You may also designate an authorized agent to make a request on your behalf — the agent must provide written authorization and we may require you to verify your identity directly.
14. Changes to This Policy
We may update this privacy policy from time to time. If we make material changes, we will notify you through the app before the changes take effect. Continued use of Zareva after changes constitutes acceptance of the updated policy. The "Last updated" date at the top of this page indicates when this policy was last revised.
15. Contact Us
For privacy questions, concerns, or data deletion requests:
Email: privacy@zareva.app
Publisher: BDKM LLC
Governing law: State of Delaware, United States
This app is not a medical device and does not diagnose, treat, cure, or prevent any medical condition. Always consult your doctor or pharmacist for medical advice.