App Privacy Policy

Effective Date: 06/09/2025

myday is provided by Evexia Health International Ltd (“myday”, “we”, “us”, “our”). This Policy covers our mobile applications and our website at my-dayapp.com (“Services”). SmartHabits Mobile (Logitech-branded) runs on the myday platform and follows this Policy.

1. Introduction

1.1 This Privacy Policy explains what we collect, how we use it, who we share it with, how long we keep it, and your rights.
1.2 Controller: Evexia Health International Ltd (trading as myday), England & Wales No. 12935845. Registered office: Woodwater House, Pynes Hill, Exeter, Devon, United Kingdom EX2 5WR.
1.3 Depending on a client/Sponsor agreement, we may act as processor for specific reporting they instruct. Otherwise, we act as controller.

2. About this Policy

2.1 This Policy forms part of our Terms & Conditions. Questions: hello@myday.health. You may complain to your Supervisory Authority (in the UK, the ICO).
2.2 We use several lawful bases (see Section 6). Where we rely on consent, you can withdraw it at any time (Section 9).
2.3 We update this Policy from time to time. The latest version is always available in-app and on our website. Continued use constitutes acceptance.

3. Information we collect

3.1 Information you give us directly

(i) Account & profile: name, email, phone (optional), month and year of birth, employee ID, password, country/timezone/language, and content you post.
(ii) Wellbeing entries you choose to add: e.g., height, weight, water intake, sleep duration, and other wellbeing notes you input.
(iii) Calendars (Google/Outlook/Apple): we use the calendar.events.owned scope to create and manage only app-owned events (e.g., habit reminders). We do not read or alter your personal calendar events.
(iv) Third-party sources (including wearables): with your opt-in consent, you may connect Apple Health, Google Health Connect and/or a wearable via our provider Rook to import activity metrics (e.g., steps, distance/active minutes, calories, sleep). Heart-rate may be used transiently for validation/derivation but is not stored by us as a user-level metric.

3.2 Information we collect automatically

(i) Device & app telemetry: device/OS and app version, crash/error data, and limited technical identifiers used for stability/analytics. We do not use advertising IDs (AAID/IDFA).
(ii) Approximate location & session data: IP-based approximate location, time zone, session timestamps, feature usage, and performance metrics.
(iii) Website (cookies): see our Cookies Policy for details about website cookies.

4. How we use your information

We use information to:
(a) provide and personalise the Services (e.g., challenges, incentives, rewards, reminders);
(b) tailor content and insights you see;
(c) respond to questions and provide support;
(d) operate, secure and improve the Services (troubleshooting, testing, research, statistics);
(e) enable interactive features you choose;
(f) comply with law and enforce terms;
(g) protect users, our Services and our rights (e.g., fraud/abuse prevention).
We do not use HealthKit/Health Connect data for advertising or sell it to advertising platforms, data brokers, or information resellers.

5. Leaderboards & challenges

Only steps and active minutes are visible to other challenge participants via leaderboards. No heart-rate or other sensitive metrics are shown. You can opt out of sharing in leaderboards via in-app settings or by contacting support.

6. Lawful bases for processing (UK GDPR)

6.1 Consent – for special-category (health) data from Apple Health, Google Health Connect and connected wearables (Section 6.6), and for any optional features that explicitly request consent.
6.2 Contract – to provide the Services you request and that your Sponsor funds (e.g., create an account, deliver challenges, rewards, deep-link navigation).
6.3 Legal obligation – where processing is required to comply with law.
6.4 Vital interests / public task – only where applicable (rare).
6.5 Legitimate interests (LI) – to run a safe, stable and useful service (e.g., crash diagnostics, security, aggregated product analytics with ads features disabled). We balance these interests against your rights; you can object (Section 9). A summary LIA is available on request.
6.6 Special-category (health) data (GDPR Art. 9) – When you connect Apple Health, Google Health Connect or a wearable via Rook, we process health-related metrics only with your explicit consent (Art. 9(2)(a)). You can withdraw consent at any time by disconnecting in the app and/or revoking OS permissions. On withdrawal, collection stops immediately. Steps/active-minutes we hold are deleted on account deletion; see Retention (Sections 9.4 & 10).

7. SDKs & trackers (mobile app)

We keep SDKs to the minimum required for functionality, stability and privacy-preserving analytics. Ads features are disabled, and we do not use AAID/IDFA.

Google Firebase Dynamic Links – deep-link navigation.
Basis: contract / LI.
Data: technical metadata to resolve links.
Transfers: may occur outside UK/EEA under SCCs/UK Addendum.

Google Firebase Crashlytics – crash diagnostics and stability.
Basis: LI (security/stability).
Data: crash traces, device/OS metadata; no names/emails.
Transfers: may occur outside UK/EEA under SCCs/UK Addendum.

Google Firebase Analytics – aggregated product analytics to improve the app; ads features off.
Basis: LI (product improvement). You can object (Section 9); on request we will cease collection for your device (e.g., via App Instance ID) and delete associated analytics where feasible.
Retention: 2 months (auto-delete).
Transfers: may occur outside UK/EEA under SCCs/UK Addendum.

GIPHY SDK (Shutterstock) – optional GIF search/selection.
Basis: LI (enhanced UX).
Data: GIF search/selection plus limited technical info (e.g., IP/device). Your searches may indirectly reveal personal information, so please only search for content you are comfortable sharing. We do not send your name or email address to GIPHY. If you don’t open the GIF feature, no data is sent.
Transfers: may occur outside UK/EEA under SCCs/UK Addendum.

Rook – wearable/health data connection layer.
Basis: explicit consent for any health data (Art. 9(2)(a)).
Data: steps, distance/active minutes and other permitted metrics; heart-rate may be used transiently for validation/derivation but is not stored by us as a user-level metric.
Retention: service duration + up to 6 months post-termination.
Transfers: may occur outside UK/EEA under SCCs/UK Addendum.

Huawei Mobile Services (HMS) – not used in production. No Huawei/AppGallery build is distributed; HMS code is excluded from production builds (no runtime calls to *.dbankcloud.cn).

8. Sharing & disclosures

8.1 Within group companies that support the Services.
8.2 With service providers (processors) that host, support or help deliver the Services under contract and appropriate safeguards.
8.3 With your Sponsor in anonymised/aggregated form. In limited, specific cases (e.g., programme administration or tax compliance), we may share identifiable information to the minimum necessary extent.
8.4 At your request; in corporate transactions; to comply with law; or to protect rights, users or the Service.
8.5 We will not use HealthKit/Health Connect information for advertising or sell it.

9. Your rights & choices

9.1 You have rights to be informed; access; rectification; erasure; restriction; portability; and to object (including to processing based on legitimate interests). You also have rights relating to automated decision-making and profiling.
9.2 Withdraw consent at any time for consent-based processing (e.g., health data): disconnect in the app and/or revoke OS permissions.
9.3 Object to analytics: contact us and we will cease Firebase Analytics collection for your device (e.g., via App Instance ID) and delete associated analytics where feasible.
9.4 Account deletion: you can request deletion at any time; steps/active-minutes stored in our app database are deleted when you delete your account.

Contact: hello@myday.health. We may need to verify your identity.

10. Retention

We keep personal data only as long as needed for the purposes in this Policy, to comply with law, or to resolve disputes. Key periods:
Firebase Analytics events – 2 months (auto-deleted).
Crash diagnostics (Crashlytics) – retained as necessary for stability and security troubleshooting.
Rook-processed activity metrics (where connected) – retained for the duration of the service and up to 6 months after service termination.
App database (steps/active minutes) – deleted when you delete your account (or sooner where required).
Operational/debug logs (e.g., infrastructure monitoring) – retained short-term for security and reliability before automatic purge.
For exact retention by category, contact us.

11. International transfers

myday is UK-based. Personal data may be processed in the US and other countries. Where we transfer data outside the UK/EEA, we use appropriate safeguards (e.g., EU Standard Contractual Clauses + UK Addendum) and conduct transfer risk assessments. Details available on request.

12. Security

We apply technical and organisational measures appropriate to the risk (encryption in transit, access control, monitoring, least-privilege, etc.). No system is 100% secure; where required, we will notify authorities and users of personal data breaches.

13. Children

Our Services are not intended for individuals under 18. If we learn we have collected data from a child under 18, we will delete it.

14. California residents

If you are a California resident, see our “Notice to California Residents (CCPA/CPRA)” for disclosures and rights specific to California.

15. Contact (Data Protection Officer)

Name: James Parkes
Address: Edgcumbe, Moorhaven, Bittaford, PL21 0EX
Email: jamesparkes@myday.health
Tel: +44 7793 185448

16. Definitions

“Data Protection Legislation” means UK GDPR, the Data Protection Act 2018, PECR 2003, and any successor laws. “Personal Data”, “Controller”, “Processor”, “Data Subject” and “Supervisory Authority” have the meanings in that legislation.