1. Controller
ICR Parkett GmbH, Sommerstr. 27 A, 92421 Schwandorf, Germany
Represented by: Jürgen J. Schober
Data Protection Officer: legal@penvita.app
2. Principle of local data storage
PenVita stores all data exclusively locally on your device. No personal data is transmitted to our own servers.
3. Data processed
Health data (weight, symptoms, medication, bowel movements, cycle), wellbeing data, injection data, profile data. Under Art. 9 GDPR these qualify as special categories (health data).
4. Legal basis
Art. 6(1)(a) and Art. 9(2)(a) GDPR (explicit consent at first app start).
5. Import from Apple Health / Google Health Connect
If you enable this optional connection, PenVita reads: weight, steps, sleep data, workouts, water intake. PenVita never writes back to Apple Health or Google Health Connect.
6. Anonymous data use for research
With voluntary consent, fully anonymized data may be used for:
• Scientific GLP-1 research
• Further development of PenVita
• Sharing with research partners (universities, pharmaceutical companies)
PenVita may earn revenue from this sharing. You can withdraw your consent at any time under Settings → Privacy. Data that has already been anonymized cannot be deleted, because it can no longer be linked to a person.
Technical details of data transmission:
• Transfer: once every 24 hours at app start in the background (HTTPS, encrypted)
• Endpoint: https://penvita.app/research/upload.php
• Anonymous ID: random UUID, not a device fingerprint
• Storage at provider: 180 days, then automatic deletion
Data categories transmitted (all aggregated):
• Country (code, e.g. "DE"), app language
• Gender, age bucket (e.g. "36–45", no specific date of birth)
• Medication, therapy week, current dose
• Averages of the last 30 days: symptoms (nausea, fatigue etc.), sleep, steps, mood, cravings
• Total change in weight and waist circumference since therapy start
NOT transmitted: name, email, device ID, IP address, GPS data, address, individual daily entries with specific date, photos.
7. Your GDPR rights
• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17) — via Settings → Delete all data
• Right to data portability (Art. 20) — via Settings → Backup
• Right to withdraw consent (Art. 7(3))
These rights remain in effect even after a free trial expires or in read-only mode — you can export or delete your data at any time.
8. Notes on the backup format
The backup is a JSON file containing all your data in machine-readable form — including your progress photos as Base64-embedded image data. The file is created exclusively on your device; you choose the storage location and how to send it (e.g. locally, your own cloud, your own email). PenVita itself does not send backup data to third parties.
9. Complaints (Art. 77 GDPR)
Under Art. 77 GDPR, you have the right to lodge a complaint with any EU/EEA data protection supervisory authority — in particular in the Member State of your habitual residence or workplace. The lead supervisory authority for ICR Parkett GmbH is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
https://www.lda.bayern.de
Other national authorities (non-exhaustive):
• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
• Ireland: Data Protection Commission (DPC) — dataprotection.ie
• France: CNIL — cnil.fr
• Spain: AEPD — aepd.es
• Italy: Garante per la protezione dei dati personali — garanteprivacy.it
10. Notice for U.S. residents (HIPAA / CCPA)
HIPAA: PenVita is NOT a "covered entity" or "business associate" under the U.S. Health Insurance Portability and Accountability Act (HIPAA). HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses — none of which PenVita is. The health information you enter into PenVita is consumer-generated health data and is not subject to HIPAA protections. However, PenVita stores all data locally on your device and never transmits health data to our servers.
CCPA / CPRA (California residents): If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including the right to know, delete, and opt-out of "sale" or "sharing" of personal information. PenVita does not "sell" personal information for monetary consideration. If you opt in to anonymous research data sharing (Section 6), this involves fully de-identified data and is your voluntary, opt-in choice — revocable at any time.
To exercise your CCPA rights, contact: legal@penvita.app
11. Children
PenVita is intended exclusively for persons aged 18 and over. We do not knowingly collect data from children. If you believe a child has used PenVita, contact legal@penvita.app for immediate deletion.
12. Contact
legal@penvita.app
Response within 30 days.