Privacy Policy

Last updated: 17 June 2026

This policy explains what personal data Fovisto collects, why, how it is used, and your rights. Section 4 details how each individual tool handles your data.

PLATFORM-WIDE β€” applies to all Fovisto tools

1. Who we are (Data Controller)

Fovisto ("we", "us", "our") operates the platform at https://fovisto.com and all associated tools.

Data controller contact: info@fovisto.com

2. Platform-wide data we collect

Across all Fovisto tools, we collect the following data when you register or use the platform:

  • Identity & contact data: first name, last name, email address β€” collected for all tools upon account registration.
  • Account data: account type (personal, business, organisation), company name, role, VAT number (optional, for business accounts).
  • Usage data: pages visited, timestamps, and IP address β€” used for security, rate-limiting, and anonymous aggregate statistics. We do not use tracking cookies or advertising scripts.

Tool-specific data collected is detailed in Section 4 below.

3. Legal basis for processing (GDPR)

PurposeLegal basis
Providing all Fovisto tools and operating your accountArt. 6(1)(b) β€” performance of a contract
Processing special-category health data in F HealthArt. 9(2)(a) β€” explicit consent
Processing candidate and employee data in F HRArt. 6(1)(b) β€” contract; Art. 6(1)(c) β€” legal obligation
Sending transactional emails (verification, password reset)Art. 6(1)(b) β€” contract performance
AI-generated insights across all toolsArt. 6(1)(b) β€” contract; Art. 9(2)(a) for health data
Security, fraud prevention, rate limitingArt. 6(1)(f) β€” legitimate interests
Compliance with legal obligationsArt. 6(1)(c) β€” legal obligation
Subscription and payment managementArt. 6(1)(b) β€” contract performance
TOOL-SPECIFIC DATA β€” what each tool collects and how it is used

4. Tool-specific data and processing

The sections below describe the additional data collected and processed by each individual Fovisto tool.

F Health

Data collected: health entries you log (weight, blood pressure, glucose, sleep, symptoms, lab results, medications, exercise and more), health profile (date of birth, height, medical conditions, allergies), personal medical notes, and β€” for clinic accounts β€” patient data (reference numbers, insurance IDs, phone numbers) and clinical records.

How it is used: to provide personalised health dashboards, trend analysis, and AI-powered health insights. Clinic accounts may access their authorised patients' records. Health data is never used for advertising or shared with third parties without your explicit consent.

Special category data (GDPR Art. 9): health data is sensitive personal data. We process it only with your explicit consent, which you may withdraw at any time by deleting your account. Clinic accounts act as independent data controllers for their patients' records; Fovisto acts as data processor.

AI insights: AI-generated health summaries and protocol suggestions are computed using your logged data and are not shared externally. They are for informational purposes only and do not constitute medical advice.

Mobile app β€” camera & photos: the Fovisto mobile app may, with your permission, use your device camera and photo library so you can photograph meals (for AI calorie & macro estimation) and attach images to your health records. Meal photos are processed to estimate nutrition and may be retained to improve our AI; you can delete them at any time. We do not access your photo library without your action.

Mobile app β€” precise location (GPS): during a live workout session you may enable location so the app can measure distance, route and pace. Location is collected only while you are recording a session, is used solely for that workout, and is never used for advertising or shared with third parties.

Mobile app β€” Apple Health & Health Connect: with your explicit consent, the app may read health and fitness data (such as steps, heart rate, calories, sleep and activity) from Apple HealthKit (iOS) or Health Connect (Android) to display your daily summary, and may write your logged workouts back to them. This data is used only to provide app functionality, is never used for advertising, and is not shared with third parties. You can revoke access at any time in your device’s Health settings.

Motion & sensors: the app may use motion/step sensors during a live workout to count steps. This data stays on your device and in your workout record.

F Inventory

Data collected: product names, SKUs, barcodes, stock levels, categories, reorder thresholds, warehouse locations, supplier names, supplier contact details, and purchase/order history.

How it is used: to track stock levels, generate restocking alerts, produce AI-powered demand forecasts, and create inventory reports for your business. Supplier contact details are stored solely to support your internal procurement workflows.

Third-party data: if you store supplier or partner data in F Inventory, you are responsible for ensuring you hold a lawful basis for doing so under GDPR.

F Logistics

Data collected: shipment details, sender and recipient names and addresses, courier assignments, parcel weights and dimensions, tracking events, and delivery timestamps.

How it is used: to track and manage shipments, assign couriers, predict delays, and generate route and delivery reports. Recipient personal data is processed solely to enable shipment tracking within your organisation.

Third-party recipient data: you are the data controller for recipient personal data entered into F Logistics and are responsible for maintaining a lawful basis for storing it.

F Invoice

Data collected: client names, billing addresses, email addresses, VAT numbers, invoice line items, amounts, payment statuses, and payment dates.

How it is used: to create and manage invoices, track payment statuses, and generate billing reports. Client billing information is processed solely to provide the F Invoice service to you and is not used for any other purpose.

Client data responsibility: you are the data controller for client personal data in F Invoice. Fovisto acts as data processor. You are responsible for ensuring clients are informed their data is stored and processed via the platform.

F Data

Data collected: datasets and files you upload for processing, reconciliation, or report generation. File content is not inspected, profiled, or used for any purpose other than processing your request.

How it is used: to process, reconcile, and clean datasets, and to generate AI-powered analysis reports. Uploaded files are treated as strictly confidential business data.

Automatic deletion: uploaded files are deleted from our servers within 24 hours of export unless you explicitly choose to save them. Saved datasets are retained until you delete them or close your account.

F HR

Data collected: job posting details (title, description, requirements, location), candidate application data (names, contact details, CV/rΓ©sumΓ© content, cover letters, assessment results), employee records (position, contract type, employment status), and internal HR notes.

How it is used: to manage job postings, track candidate applications, and maintain internal HR records for your organisation. Candidate data is accessible only to authorised HR users within your account.

Data controller responsibility: you act as data controller for candidate and employee personal data stored in F HR. Fovisto acts as data processor. You are responsible for informing candidates how their data is used and for complying with applicable employment and data protection law.

Retention: candidate data is retained for the duration of the recruitment process. We recommend you delete candidate data you no longer need, in line with your own data retention policies and legal obligations.

F QA

Data collected: inspection records, quality checklists, defect logs, audit trail entries (including the name of the user who made each entry and the timestamp), non-conformance reports, and quality metric summaries.

How it is used: to support quality management workflows, maintain audit trails, track defects and non-conformances, and generate quality reports for your organisation. Audit trail data β€” including user identity and timestamps β€” is preserved to ensure record integrity.

Retention: quality and audit records are retained for the duration of your account. We recommend you export and archive records in accordance with any regulatory retention requirements applicable to your industry before closing your account.

PLATFORM-WIDE β€” data sharing, retention, and your rights

5. Data sharing and transfers

We do not sell your personal data. We do not share data with advertisers. We share data only with:

  • Mailjet (Sinch): transactional email delivery (EU-based servers). Mailjet privacy policy.
  • Stripe: payment processing for subscriptions. Data shared is limited to billing information only. Stripe privacy policy.
  • Your managing clinic (F Health only): if you are a patient account linked to a clinic, your assigned healthcare provider can view your authorised health records within F Health.

Our servers are located in the European Union (Germany). We do not transfer your data outside the EEA.

6. Data retention

  • Your account and all associated data are retained for as long as your account remains active.
  • If you delete your account, all personal data is permanently erased within 30 days.
  • F Data uploaded files are deleted within 24 hours of export unless saved.
  • Anonymised aggregate statistics (e.g. platform usage counts) may be retained indefinitely as they contain no personal data.
  • We may retain data for longer where required by applicable law (e.g. tax record requirements).

7. Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) β€” request a copy of all data we hold about you.
  • Right to rectification (Art. 16) β€” request correction of inaccurate data.
  • Right to erasure (Art. 17) β€” request deletion of your data ("right to be forgotten").
  • Right to restrict processing (Art. 18) β€” ask us to limit how we use your data.
  • Right to data portability (Art. 20) β€” receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) β€” object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) β€” withdraw consent at any time (this does not affect prior processing).

To exercise any of these rights, email us at info@fovisto.com. We will respond within 30 days.

You also have the right to lodge a complaint with your national supervisory authority β€” e.g. the BfDI in Germany or the ICO in the UK.

8. Security measures

  • All data is transmitted over HTTPS / TLS 1.2+.
  • Passwords are stored as bcrypt hashes (cost factor 12). We never store plain-text passwords.
  • Authentication uses JWT tokens with 30-day expiry.
  • Our API enforces rate limiting on authentication endpoints (20 requests / 15 minutes per IP).
  • Security headers are set on all responses: X-Content-Type-Options, X-Frame-Options: DENY, Content-Security-Policy, Referrer-Policy.
  • Database access is restricted to application-level credentials; direct external access is blocked by firewall.

9. Cookies

We use only a single, strictly necessary session token stored in localStorage to keep you logged in. We do not use tracking cookies, advertising cookies, or third-party analytics scripts.

10. Children's data

The Fovisto platform is not directed to children under 16. We do not knowingly collect personal data from children under 16. In F Health, patient records for minors may only be created by an authorised medical professional with appropriate guardian consent.

11. Changes to this policy

We may update this Privacy Policy from time to time. Significant changes will be communicated by email or by a prominent in-platform notice. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact

For any privacy-related questions or to exercise your rights:

← Back to Home