Privacy Policy

Effective 25 May 2026 · Last updated 29 May 2026

At a glance

What we collect: your account info, the answers you give to the wellness assessment, optional derived facial-expression measurements (numerical values, not images or biometric identifiers) from the in-assessment face-scan step, and basic device diagnostics.
How we use it: to provide your personalised assessment and recommendations inside the Oliv™ app, and to respond when you contact support. We do not sell your data, do not run advertising, and do not share with third parties beyond what's required to deliver the app. Oliv is currently free to use; there are no payments.
Your rights: you can delete your account inside the app at any time. For any other request (access, correction, portability, withdrawing consent, complaints), email support@olivwellness.com.

1. Who we are

This Privacy Policy describes how VisiumGroup, LLC (referred to as "Oliv", "we", "us", or "our"), incorporated in the Commonwealth of Virginia, United States, with its principal place of business at 19854 Don Juan Ln, Leesburg, VA 20175-6768, collects, uses, discloses, and otherwise processes your personal data.

For purposes of the UK General Data Protection Regulation ("UK GDPR") and EU General Data Protection Regulation ("EU GDPR"), VisiumGroup, LLC is the data controller of your personal data.

For purposes of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), and other applicable US state privacy laws, VisiumGroup, LLC is the business or controller of your personal information.

2. Scope of this policy

This policy applies to personal data we process in connection with:

the Oliv™ iOS mobile application (the "App"), distributed through the Apple App Store;
the marketing website at olivwellness.com (the "Site"); and
email correspondence with our support team at support@olivwellness.com.

It does not apply to third-party products, services, or websites we link to. The App is distributed through the Apple App Store, which is governed by Apple Inc.'s own privacy policy.

Launch markets: at the date of this policy, the Oliv™ App is available for download from the Apple App Store in the European Union, the United Kingdom, and the United States. Marketing activity is initially focused on the European Union; the App itself is available to residents of all three regions. Sections of this policy that describe rights under specific regimes (UK GDPR, EU GDPR, CCPA/CPRA, VCDPA, Illinois BIPA, and other US state privacy laws) apply to you depending on where you reside.

3. Personal data we collect

3.1 Account & identity data

When you create an Oliv account we collect the email address you use to sign in. You may optionally provide a display name. We do not require government ID, date of birth in identifiable form, or social-media login.

3.2 Wellness assessment responses

When you complete the in-app wellness assessment, your answers are stored against your account so you can review your history and refresh the assessment over time. Some answers describe how you feel, what you eat, how you sleep, and your mood — which under UK/EU GDPR are treated as special category data concerning health (Article 9). We process this data only with your explicit consent (Article 9(2)(a)), which you give by taking the assessment.

3.3 Face scan

The face scan is an optional step within the wellness assessment. If you choose to use it:

What the camera captures stays on your device. Raw camera frames, photographs, video, depth maps, infrared imagery, and 3D facial geometry are processed entirely on your iPhone. They are never transmitted to VisiumGroup, LLC or any third party.
A small set of derived expression measurements is transmitted to our servers. When you submit the assessment, a small set of normalised facial-expression coefficients — Apple-defined numeric values 0.0–1.0 representing expression intensities such as jaw open, brow raise, or eye blink — together with the scan duration and a quality indicator are sent to our servers alongside your assessment answers. These coefficients are derived from your expressions; they are not images, not 3D face geometry, and cannot identify you.
What we use it for. They are used solely to inform the personalised wellness recommendations Oliv shows you.
Where it is stored. They are stored on cloud infrastructure in the EU (Frankfurt) and are never shared with any third party.
Retention. They are retained only while your account is active, and are deleted immediately when you delete your account in-app (Profile → Delete Account).
Not for identification. We do not process biometric data for the purpose of uniquely identifying a natural person.

3.4 Subscription & billing data

We do not currently collect any subscription or billing data, because Oliv™ is free to use. There are no in-app purchases at this time. If we introduce paid features in future we will update this policy in advance and obtain any consent required by law.

3.5 Device & technical data

The App collects a small amount of technical data necessary to operate: iOS version, device model and language, App version, time-zone, and anonymised crash logs. This data is used to diagnose problems and is not combined with your assessment responses for any marketing or profiling purpose.

3.6 Support correspondence

If you email support, we keep a record of the message and our response so we can follow up. Support correspondence is stored only in our inbox and is not used for any other purpose.

3.7 What we do not collect

We do not use cookies or web-tracking technologies on olivwellness.com.
We do not use third-party analytics, advertising trackers, or behavioural-advertising SDKs in the App.
We do not access your contacts, photo library, location, microphone, or other device sensors (other than the camera, only when you actively use the optional face scan).
We do not knowingly collect data from anyone under 18 (see Section 11).

4. How we use your data & lawful bases

The table below summarises why we process each category of data and the lawful basis under UK/EU GDPR. For US residents, the "purpose" column also represents our notice of "business purpose" under the CCPA/CPRA.

Data	Purpose	Lawful basis (UK/EU)
Account & identity	Create and authenticate your account; communicate essential service messages.	Performance of contract (Art. 6(1)(b))
Assessment responses	Generate your personalised assessment results and recommendations; show your history.	Explicit consent (Art. 9(2)(a)) + contract (Art. 6(1)(b))
Face-scan measurements	Process the optional face scan, then store a small set of derived facial-expression measurements (numerical values) alongside your assessment to inform your personalised recommendations. Raw camera frames and 3D face geometry are not stored.	Explicit consent (Art. 9(2)(a)); BIPA written consent for the on-device processing
Device & technical	Diagnose crashes, maintain stability, fix bugs.	Legitimate interests (Art. 6(1)(f)) — operating a reliable app
Support comms	Respond to your queries; keep a record so we can follow up.	Legitimate interests (Art. 6(1)(f))

We do not use your data to make solely automated decisions that produce legal or similarly significant effects on you (UK/EU GDPR Art. 22). The recommendations Oliv generates are informational suggestions, not decisions affecting your rights or access to a service.

5. Sharing & disclosure

We do not sell your personal data. We do not share your personal data for "cross-context behavioural advertising" or "targeted advertising" within the meaning of CCPA/CPRA, VCDPA, or any other US state privacy law. We do not run any advertising programme.

We share personal data with the following category of recipient, in the listed circumstance only:

Recipient	What & why
Apple Inc.	Apple distributes the App via the App Store. To do so Apple may receive device identifiers, account identifiers associated with your Apple ID, and standard App Store analytics about downloads. Oliv™ does not currently use In-App Purchase or process any payment via Apple. Apple processes the data it does receive under Apple's privacy policy.
Cloud hosting provider	Our application and database are hosted on cloud infrastructure provided by DigitalOcean, on servers located in Frankfurt, Germany. DigitalOcean stores the data on our behalf as a processor under a data-processing agreement and does not use it for its own purposes.
Technical service provider	A technical service provider based in the United Kingdom maintains and supports the App's systems on our behalf, under a data-processing agreement. They access data only as needed to operate and support the Service, and do not use it for their own purposes.

Apart from the providers listed above, Oliv does not use third-party analytics, advertising, payment processors, CRM, or marketing tools. If this changes, we will update this policy and, where required, notify you and obtain fresh consent before activating any new processing.

We may also disclose personal data:

To comply with law — including in response to a valid legal request from a government authority of competent jurisdiction.
To protect rights and safety — to investigate, prevent, or take action regarding suspected illegal activity, fraud, or threats to the safety of any person.
In connection with a business transaction — such as a merger, financing, or sale of company assets, in which case we will use commercially reasonable efforts to notify you and require the recipient to honour the commitments in this policy.

6. International data transfers

Your personal data is processed and stored on servers located in the European Union (Frankfurt, Germany). This means:

If you are in the EU, your data stays in the EU and is not transferred outside it for storage.
If you are in the UK, your data is stored in the EU. Transfers from the UK to the EEA are permitted under the UK's adequacy regulations, which recognise the EEA as providing an adequate level of protection.
If you are in the US, your data is likewise stored on our EU servers.

Who accesses the data, and from where. The App's systems and database are operated entirely from within the EU and the UK. The data is hosted in the EU (Frankfurt) and is maintained on our behalf by a technical service provider based in the United Kingdom. Movement of personal data between the EU and the UK is covered by adequacy decisions in both directions, so no additional transfer safeguards are required for it.

We do not host or administer your data in the United States. Although VisiumGroup, LLC is incorporated in the United States, your assessment data, face-scan results, and account information are stored on our EU servers and are not copied to, stored in, or accessed by us from the United States; day-to-day technical access is solely from the UK. If you use the App from the United States, your own data naturally travels between your device and our EU servers in order to deliver the Service to you — that is how the Service reaches you, and is separate from where we store and manage your data. If our arrangements ever change — for example, if we add a US-based service provider — we will update this policy and put appropriate safeguards (such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum) in place before doing so.

We do not transfer your personal data onward to any third party for their own purposes. Apple Inc. handles App Store distribution under its own privacy policy. We protect the data we hold with encryption in transit and at rest and with access controls (see Section 12). You may ask about our current arrangements at any time by emailing support@olivwellness.com.

7. How long we keep data

Category	Retention
Account & identity	Deleted immediately when you delete your account in-app. Limited records may be retained only where law requires.
Assessment & face-scan results	Stored for as long as your account is active. Deleted immediately when you delete your account in-app. No biometric identifier (in the BIPA-defined sense of a scan of facial geometry) is ever stored.
Device & crash logs	Up to 90 days from collection, then deleted or fully anonymised.
Support correspondence	Up to 24 months from your last message, then deleted.
Backups	Encrypted backups are rotated and purged on a 90-day schedule.

8. Your rights

Depending on where you live, you may have some or all of the following rights in respect of personal data we hold about you. We honour these rights from every user, regardless of jurisdiction, where it is operationally possible to do so.

8.1 UK and EU residents (UK GDPR / EU GDPR)

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — ask us to delete your data; subject to limited exceptions such as legal-retention obligations.
Restriction — ask us to restrict processing in certain circumstances.
Portability — receive your data in a structured, commonly-used, machine-readable format (we provide this on request — see Section 9).
Object — object to processing based on legitimate interests.
Withdraw consent — where processing relies on your consent (such as the optional face-scan feature), withdraw it at any time; withdrawal does not affect lawfulness of processing before withdrawal.
Complain to a supervisory authority — UK residents: the Information Commissioner's Office (ico.org.uk). EU residents: your national or regional data-protection authority.

8.2 California residents (CCPA/CPRA)

Right to know — request the categories and specific pieces of personal information we have collected about you, the sources, the business or commercial purpose for collecting, and the categories of recipients.
Right to delete — request deletion of personal information we have collected from you.
Right to correct — request correction of inaccurate personal information.
Right to opt out of sale/sharing — we do not sell or share your personal information for cross-context behavioural advertising. There is nothing to opt out of, but this right is yours.
Right to limit use of sensitive personal information — we use sensitive personal information (the health information you provide through the assessment and the derived facial-expression measurements from the optional face scan) only to provide the App's features you have requested. We do not store or further use any biometric identifier. You can withdraw consent at any time, which limits our use.
Right to non-discrimination — we will not deny you service, charge you a different price, or provide a different level of service because you exercised a privacy right.
Authorised agent — you may use an authorised agent to submit a request on your behalf, with proof of authorisation.

8.3 Virginia residents (VCDPA)

Right to access, correct, delete, and request a copy of (port) personal data we process about you.
Right to opt out of targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. We do not engage in any of these.
Right to appeal a denial of your request. To appeal, reply to our response email with subject "VCDPA Appeal" within 45 days. We will respond within 60 days of the appeal.

8.4 Other US state residents

Residents of Colorado, Connecticut, Utah, Tennessee, Texas, Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Indiana, Minnesota, and Maryland have comprehensive privacy rights similar in substance to those of Virginia residents above. Use the same contact channel (Section 9) to exercise them. Specific rights, timelines, and appeal processes follow your state law.

8.5 Illinois residents — Biometric Information Privacy Act (BIPA) notice

What we collect: When you use the optional face scan, the App reads facial-expression intensities on your device. Raw camera frames, photographs, video, depth maps, infrared imagery, and 3D scans of your face geometry are not transmitted off the device or retained. The App does derive and transmit a small set of normalised expression coefficients (Apple-defined values such as jawOpen, browInnerUp, eyeBlinkLeft, each in 0.0–1.0) alongside your assessment submission. These derived coefficients are not a "biometric identifier" within the meaning of BIPA, which defines biometric identifier as a scan of face geometry or similar features used to identify a person; they describe expression intensity, not face geometry, and cannot identify you.

Purpose: To generate a brief observational reading that helps Oliv personalise your recommendations inside the App.

Storage and retention: Raw biometric inputs (camera frames, face geometry) are not stored at any time — neither on your device after the scan completes, nor on our servers. The derived expression measurements are stored alongside your assessment record on our EU server only for as long as your account is active.

Disclosure: We do not sell, lease, trade, or otherwise profit from the derived measurements or from any biometric identifier. We do not disclose them to any third party.

Destruction: Because no biometric identifier (as defined by BIPA) is retained, there is none to destroy. The derived expression measurements are deleted immediately when you delete your account inside the App.

Consent: By enabling the face-scan feature in the App, you provide your written consent to the on-device processing and to the transmission of the derived measurements described above.

9. How to exercise your rights

9.1 Delete your account

You can delete your Oliv account at any time directly inside the App:

Profile → Delete Account

This is the only privacy right that has a self-service in-app flow. When you confirm deletion in the App, we immediately and permanently remove your account, your assessment history, and any face-scan measurements. Limited records may be retained only where law requires.

9.2 All other requests

For any other privacy request — access, rectification, portability, restriction, objection, withdrawing consent, or making a complaint — email support@olivwellness.com with the subject line "Privacy request". Include the email address associated with your Oliv account and a clear statement of what you would like us to do.

We will respond within:

30 days for requests under UK/EU GDPR (extendable by a further 60 days for complex requests, with notice);
45 days for requests under CCPA/CPRA (extendable once for another 45 days, with notice);
45 days for requests under VCDPA and similar US state laws (extendable once for another 45 days, with notice).

For portability requests, we will provide your data in a structured, machine-readable format — typically JSON or CSV — delivered as a downloadable file via a secure link. There is no in-App export at launch; requests are handled manually by our team.

To protect your account we will need to verify your identity before responding to a substantive request — usually by confirming you control the email address on file.

9.3 No fee, no discrimination

Privacy requests are free. We will not deny you the App, charge you a different price, or give you a lesser experience because you exercised a privacy right.

10. Cookies & tracking

The Oliv website and App do not use cookies, advertising trackers, or third-party analytics at launch. See our Cookie & Tracking Notice for details. If this changes, we will update both this policy and the Cookie Notice, present a consent banner to UK and EU users, and notify existing users in-App.

11. Children

Oliv is intended for users aged 18 years or older. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a person under 18 without verified consent of a parent or legal guardian, we will delete that data as soon as reasonably possible. If you believe a child has provided us with personal data, please contact support@olivwellness.com.

12. Security

We use reasonable technical and organisational measures designed to protect your personal data, including:

encryption in transit (TLS) for all communications with our servers;
encryption at rest for stored data;
on-device processing of camera frames, photographs, video, depth maps, infrared imagery, and 3D face geometry — these are never transmitted to our servers. Only the derived numerical expression measurements (which are not biometric identifiers under BIPA) are transmitted, encrypted in transit and at rest;
access controls limiting which personnel can view personal data; and
periodic review of our security practices.

No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, as required by law.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes — for example, changing the purposes for which we process your data, or adding a new category of sub-processor — we will notify you at least 30 days in advance by email and through the App. Non-material changes (typo fixes, clarifications) will be reflected by updating the "Last updated" date at the top of this policy.

14. UK & EU representatives

Because VisiumGroup, LLC is not established in the United Kingdom or the European Union, we have appointed representatives in each region under UK GDPR Article 27 and EU GDPR Article 27 respectively. UK and EU residents may contact the relevant representative directly in relation to questions about how we process their personal data.

Our representative, Prighter, gives you an easy way to exercise your privacy rights (for example, requests to access or erase your personal data). To contact us through Prighter, or to make a data-subject request, visit app.prighter.com/portal/16815533921.

UK Representative

Prighter Ltd
20 Mortlake, Mortlake High Street
London, SW14 8JN
United Kingdom

EU Representative

Prighter EU Rep GmbH
Schellinggasse 3/10
1010 Vienna
Austria

15. Contact us

For any question about this Privacy Policy, our data practices, or to exercise any privacy right:

Email: support@olivwellness.com
Post: VisiumGroup, LLC, 19854 Don Juan Ln, Leesburg, VA 20175-6768

UK and EU residents also have the right to contact our UK or EU representative directly.