Privacy Policy
1. Introduction
Valiora ("we", "us", "the Company") operates the mobile applications VitalIA and EstudIA (collectively, "the Apps"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights.
By using any Valiora app, you accept the practices described here. If you do not agree, please do not use the Apps.
This policy is designed to comply with: GDPR (EU), CCPA (California), Ley 25.326 (Argentina), and Google Play / App Store privacy requirements.
2. Who Controls Your Data
Valiora — valioragroup@gmail.com · www.valiora.app
3. Apps Covered by This Policy
This policy covers the following Valiora applications. Each app collects different data appropriate to its purpose:
3.1 VitalIA (wellness & routines)
VitalIA is a personal wellness and self-organization tool. It collects the following data categories:
Data you enter directly (wellness check-ins):
- Mood (scale 1–10), sleep (hours, quality, start/end time), stress (1–10), energy (1–10)
- Hydration (cups of water), physical activity (type, duration, distance, calories, heart rate)
- Nutrition (meals, macronutrients: calories, protein, carbohydrates, fats, fiber, sodium)
- Medication and supplements (name, dose, frequency)
- Menstrual cycle (phase), body weight (kg), physical or emotional symptoms
- Personal notes and free-text entries (diary, annotations, reflections)
These are special-category health data under GDPR and are treated with the corresponding level of protection.
Health data from your device (with explicit permission):
- Free plan (Health Connect / HealthKit): steps, distance, total and active calories burned, hydration, sleep, exercise recorded
- Premium plan: heart rate, heart rate variability (HRV), resting heart rate, VO2 max, blood oxygen (SpO2), heart rate zones
Account and profile data: unique user ID (UUID), email address (authentication), language and timezone settings, notification preferences, active subscription plan and activation date.
App usage data: check-in streak, sessions completed, tools used and duration, ambient sound selected, app version, OS version, device language at registration.
Technical diagnostics: crash reports via Firebase Crashlytics containing error type, stack trace, app and OS version, anonymous device identifier. These reports never contain your health data, personal notes, or any user-entered content.
3.2 EstudIA (study & focus)
EstudIA is a study planning and academic organization tool. It collects:
- Account information: email address (authentication), unique user ID
- Academic data: subjects, exams, study plans, goals, Pomodoro sessions, progress statistics
- AI interaction data: queries to the AI study assistant (processed by Google Gemini)
- App usage and analytics: session data, feature usage, app version, device language
- Technical diagnostics: crash reports via Firebase Crashlytics (no user content)
3.3 What We Do NOT Collect (all apps)
- We do not collect your real name (unless you voluntarily enter it in notes).
- We do not collect your geographic location.
- We do not use advertising tracking cookies.
- We do not collect contacts or camera access.
- We do not sell any data to third parties.
4. Why We Use Your Data
| Purpose | Legal basis |
|---|---|
| Generate analysis, insights, patterns, and predictions within the app | Contract performance |
| Calculate correlations between metrics (local on-device processing) | Contract performance |
| Send aggregated metrics to Google Gemini AI to enrich insights | Explicit consent |
| Sync data between devices (Premium plan only, via Firestore) | Contract performance |
| Send check-in reminder notifications | Consent (notification permission) |
| Detect technical errors and improve app stability (Crashlytics) | Legitimate interest |
| Manage your Premium subscription | Contract performance |
| Comply with applicable legal obligations | Legal obligation |
For health data (special category under GDPR), the legal basis is explicit consent requested when activating each feature that requires it.
5. How We Store Your Data
5.1 Local storage (all users)
- Local database (SQLite/Drift): All check-in records, goals, preferences, and settings stored on your device first.
- Secure system storage: Credentials and access tokens stored in OS-encrypted storage (Keystore on Android, Keychain on iOS) via flutter_secure_storage.
- Local preferences: App settings, check-in streaks, and tool selections.
Uninstalling the app removes all locally stored data from your device.
5.2 Cloud storage (Premium plan only)
If you have a Premium plan, your data is securely replicated to Firebase Firestore (Google Cloud), encrypted in transit (TLS) and at rest. Storage path: users/{your_unique_id}/{collection}/{entry_id}. Upon cancellation or account deletion, Firestore data is deleted within 30 business days.
5.3 Security measures
- HTTPS/TLS encryption in transit for all external communications
- Encryption at rest for credentials and tokens
- Production data access restricted to authorized Valiora personnel
- Anonymous identifiers (UUID) used in logs instead of direct identifiers
- Internal prohibition on logging user-generated content in diagnostic logs
- On-device ML models (LiteRT/TFLite) for predictions — no data sent to external servers
6. Who We Share Data With
We do not sell, rent, or transfer your personal data to third parties for commercial purposes. We share data only with the service providers strictly necessary to operate the apps:
- Google — Firebase (Firestore, Auth, Crashlytics): Authentication, cloud sync (Premium), crash reporting.
- Google — Gemini AI: Generates AI observations from aggregated, anonymized metrics. Personal notes and free text are never sent. Legal basis: explicit consent.
- Apple — HealthKit / Google — Health Connect: VitalIA reads health metrics from your device's health service. We do not write data back to HealthKit/Health Connect.
- App stores (Google Play / App Store): Premium purchases are processed by the stores. Valiora does not receive or store payment card data.
- Legal disclosure: We may disclose information when required by law, court order, or to protect rights.
7. International Data Transfers
Firebase (Google Cloud) servers may be located outside your country, including the United States. Google maintains GDPR-compliant transfer mechanisms (Standard Contractual Clauses). EU residents can review Google's transfer mechanisms at cloud.google.com/privacy/gdpr.
8. Data Retention
| Data type | Retention period |
|---|---|
| Check-in data and metrics (Free plan) | Stored locally without limit; analysis accessible for last 30 days |
| Check-in data and metrics (Premium plan) | Stored locally and in cloud without time limit while account is active |
| Firestore data (Premium) | Deleted within 30 business days after account deletion request |
| Crashlytics reports | 90 days (Firebase Crashlytics policy) |
| Authentication data | Until you delete your account |
9. Your Rights
Universal rights (all jurisdictions): access, rectification, erasure ("right to be forgotten"), data portability, withdrawal of consent.
Additional GDPR rights (EU): restriction of processing, objection, right not to be subject to solely automated decisions, right to lodge a complaint with a supervisory authority.
CCPA rights (California): right to know, deletion, and opt-out of sale. Valiora does not sell personal data.
Ley 25.326 rights (Argentina): access, rectification, update, and deletion of personal data.
To exercise your rights: email valioragroup@gmail.com. Response time: 30 business days (extendable to 60 in complex cases, with prior notice). Identity verification may be requested.
10. Children's Privacy
VitalIA requires a minimum age of 16. EstudIA requires a minimum age of 13 (or the age of digital consent in your jurisdiction). We do not knowingly collect personal data from children below these ages. If you believe a minor has created an account, contact valioragroup@gmail.com for immediate deletion.
11. Changes to This Policy
We may update this policy periodically. For material changes, we will notify you via an in-app alert and/or email at least 15 days in advance and update the "Last updated" date above. Continued use after the new policy takes effect constitutes acceptance.
12. Contact
Privacy inquiries: valioragroup@gmail.com
General support: valioragroup@gmail.com
Website: www.valiora.app
EU residents who do not receive a satisfactory response may contact their national data protection authority. Directory: edpb.europa.eu
Google Play Data Safety Summary
| Data type | Collected | Shared | Encrypted | Deletion on request |
|---|---|---|---|---|
| Health & fitness data (VitalIA) | Yes | No (except aggregated to Gemini AI) | Yes | Yes |
| Personal info (ID, email) | Yes | With Firebase Auth | Yes | Yes |
| Academic data (EstudIA) | Yes | With Gemini AI (AI features) | Yes | Yes |
| App diagnostics (crashes) | Yes | With Firebase Crashlytics | Yes | N/A (anonymous) |
| Financial data | No (managed by app store) | — | — | — |
| Location | No | — | — | — |