THROVA — PRIVACY POLICY

Effective Date: March 28, 2026

Last Updated: March 28, 2026

Application: Throva (the “App”)

Developer: Brandt LaBrasca (“Developer,” “we,” “us,” or “our”)

Contact: brandt@throva.com

This Privacy Policy describes how Throva collects, uses, stores, shares, and protects information obtained from users (“you” or “your”) of the Throva mobile application. Throva is an AI-powered general wellness application that analyzes food photographs, estimates caloric and macronutrient values, and generates automated meal suggestions and fueling information based on your health, fitness, and training data. Throva is not a licensed nutritionist, registered dietitian, or healthcare provider. All nutritional content generated by the App constitutes general wellness information, not individualized dietary counseling or medical nutrition therapy. See the Terms of Service, Section 5.11, for important scope-of-practice disclaimers.

By downloading, installing, accessing, or using Throva, you acknowledge that you have read, understood, and agree to this Privacy Policy. Your use of AI-powered features requires separate, explicit consent as described in Section 3.0. These terms should be read in conjunction with our Terms of Service, available at https://throva.app/terms.

1. Information We Collect

We collect only the information necessary to provide you with general wellness nutritional information.

1.1 Account Information

What we collect: Your name and email address.

How: Provided directly via Apple Sign In or Google Sign In. Authentication processed through Supabase.

Purpose: Account creation, authentication, and account-related communications.

1.2 Profile and Health Information

What we collect: Height, weight, age, biological sex, activity level, fitness goal (fuel endurance, gain muscle, lose weight, maintain weight), dietary preferences (vegetarian, vegan, keto, paleo, gluten-free, dairy-free, pescatarian, halal, kosher, nut-free, low-FODMAP).

How: Provided by you during onboarding and updatable in profile settings.

Purpose: To calculate estimated daily caloric and macronutrient targets and tailor nutritional information to your dietary needs.

1.3 Food Photos

What we collect: Photographs of food taken via device camera or selected from photo library. These photographs may incidentally capture non-food content visible in the frame, such as background environments, other individuals, or text. To minimize unnecessary data capture, images are automatically resized to a maximum of 1,200 pixels before transmission.

How: Voluntarily captured or selected. Images transmitted to Anthropic’s Claude Vision AI via Supabase proxy for nutritional analysis.

Purpose: Automated nutritional estimation of meals.

1.4 Voice Input

What we collect: Text transcriptions generated from spoken food descriptions. We do NOT collect, store, or create voice recordings, voiceprints, or any biometric identifier derived from your voice.

How: You voluntarily activate the microphone. All speech-to-text processing occurs entirely on your device using Apple’s Speech Recognition framework with on-device processing enabled (requiresOnDeviceRecognition = true). Raw audio is processed in real-time, is not recorded, is not stored, and is not transmitted. Only the text transcription is retained. No voiceprint, voice template, or biometric identifier is created at any time.

Biometric data notice: This feature does not collect biometric identifiers as defined under the Illinois Biometric Information Privacy Act (740 ILCS 14/), the Texas Capture or Use of Biometric Identifier Act, or any comparable law.

Retention: Audio exists only transiently in device memory during recognition and is immediately discarded. Text transcriptions are retained in your food log and deleted when you delete the entry or uninstall the App.

Purpose: Hands-free food logging.

1.5 Health and Fitness Data (Apple HealthKit)

What we collect: Throva requests access to the following HealthKit data types:

Throva requests read access to the data types above and write access to Dietary Energy Consumed only. You may grant or deny each type independently. Throva functions with reduced personalization if you decline permissions.

Purpose: Estimating daily caloric needs, adjusting macronutrient targets based on activity, calculating heart rate training zones (Karvonen method), assessing sleep quality for recovery nutrition, and providing post-workout nutritional information.

1.6 Approximate Location and Weather Data

What we collect: Your approximate geographic location, limited to city-level precision (approximately 5-kilometer / 3-mile radius), and corresponding weather conditions (temperature, humidity).

How: The App requests “When In Use” location permission. iOS presents a system dialog; you may select “Allow Once,” “Allow While Using,” or “Don’t Allow.” You may change this at any time in iOS Settings > Privacy & Security > Location Services > Throva. The App requests reduced-accuracy location only. Precise GPS coordinates are never collected, stored, or transmitted. The approximate location is not retained after weather data is retrieved.

Purpose: Solely to calculate hydration estimates based on ambient conditions.

Prohibited uses: Location data is never used for advertising, profiling, tracking, geofencing, or any purpose other than retrieving weather conditions.

1.7 Barcode Scan Data

What we collect: UPC barcode numbers from packaged food items.

How: Scanned via camera. UPC sent to Open Food Facts, a community-contributed, open-source database. Product data returned — including name, brand, nutritional values, serving size — is cached locally on your device for up to seven (7) days and may be incorporated into food log entries. Nutritional data in Open Food Facts is entered by volunteer contributors and has not been independently verified by the Developer.

Purpose: Packaged food nutritional information lookup.

1.8 Food Log and Nutrition Data

What we collect: Meal entries, descriptions, meal types, calorie/macronutrient/micronutrient values, hydration entries, portion sizes, health scores, timestamps.

How: Generated through your use of the App and stored on your device.

Purpose: Nutrition tracking, gap identification, and informational meal suggestions.

1.9 Device and Diagnostic Information

What we collect: Device model and OS version.

How: Collected automatically.

Purpose: Crash diagnostics only. Not used for advertising, tracking, or profiling.

1.10 Apple Reminders Data

The App requests write-only access to Apple Reminders via EventKit. We do not read your existing Reminders. Grocery list creation occurs entirely on-device.

1.11 Menstrual Cycle Data (Optional)

What we collect: Current menstrual cycle phase only. Throva does not store historical cycle data, does not calculate fertility windows or ovulation dates, does not detect or flag missed periods, and does not collect data that could determine pregnancy status.

How: Provided voluntarily through a dedicated, standalone consent prompt separate from general onboarding. You may disable cycle-aware nutrition and permanently delete all stored menstrual data at any time through Settings.

Automatic deletion: Phase data is overwritten each time you update. No historical record of past phases is retained.

Restricted transmission: When included in AI prompts, only an abstracted phase label (e.g., “follicular,” “luteal”) is transmitted. Cycle length, dates, and data enabling reconstruction of a reproductive timeline are never transmitted.

Purpose: Cycle-aware caloric and micronutrient adjustments based on general population research.

1.12 Local Notifications

The App generates notifications locally on your device. No notification data is transmitted to servers.

Service Notifications: Morning check-in, post-workout recovery, pre-workout fuel, hydration nudge, evening fuel check.

Engagement Notifications: Weekly recap, race countdown.

You may enable/disable each type individually in Settings or disable all via iOS Settings > Notifications > Throva. Disabling notifications does not affect feature access or your rights.

1.13 Biometric Data Statement

Throva does NOT collect, store, process, or transmit biometric identifiers or biometric information as defined under BIPA, Texas CUBI, Washington RCW 19.375, or comparable laws. Specifically: no voiceprints, facial geometry scans, fingerprints, or retina scans. Food photo analysis identifies food items only and does not perform facial recognition.

Data we do not collect: Financial/payment information, cookies, contacts, browsing history, advertising identifiers. We do not sell, rent, or share personal data with data brokers or advertisers.

2. How We Use Your Information

2.1 Purposes

(a) Nutritional estimation of food photographs via third-party AI.

(b) Calculation of estimated caloric and macronutrient targets using metabolic formulas.

(c) Training-aware nutritional adjustments using HealthKit data.

(d) Generation of meal suggestions, fuel information, and grocery lists via AI.

(e) Account management and authentication.

(f) Subscription and purchase processing via Apple StoreKit.

(g) Grocery reminder list creation via Apple EventKit.

(h) App functionality improvement using aggregated, de-identified data.

(i) Scheduling local notifications based on your profile, food log, and workout history. This processing occurs entirely on-device.

2.2 Prohibited Uses

• Advertising. Never used to serve advertisements.
• Third-Party Marketing. Never shared for marketing.
• Sale of Personal Data. We do not sell personal data.
• Non-Nutritional Profiling. Not used for behavioral profiles unrelated to nutritional information.
• Discrimination. Not used for unlawful discrimination.

2.3 Nature of Nutritional Information

All nutritional estimates, meal suggestions, and fuel information are produced by automated algorithms and AI. This content constitutes general wellness information for informational purposes. It does not constitute individualized dietary counseling, medical nutrition therapy, or the practice of dietetics. No licensed dietitian or nutrition professional reviews, supervises, or approves the App’s outputs.

3. Artificial Intelligence and Third-Party Data Processing

IMPORTANT: Throva uses third-party artificial intelligence services to process your personal data, including photographs and health-related information. Please read this section carefully.

3.0 In-App AI Disclosure and Consent

Before you use any AI-powered feature for the first time, Throva presents an in-app disclosure screen that:

(a) States clearly that your personal data — including food photographs and health profile information — will be transmitted to Anthropic, a third-party AI provider, for processing.

(b) Identifies the specific categories of data transmitted.

(c) Confirms that Anthropic does not use your data to train its AI models.

(d) Requires you to tap “I Understand and Agree” before any data is transmitted. You may decline; if you decline, AI-powered features will be unavailable, but you may still use manual food logging, barcode scanning, HealthKit integration, hydration tracking, and all non-AI features.

(e) You may withdraw consent at any time via Settings > Privacy > AI Data Processing.

Your use of the App constitutes acceptance of general terms only. AI data processing requires separate, affirmative consent obtained through this in-app screen.

3.1 Overview of AI-Powered Features

Throva integrates AI provided by Anthropic, PBC (“Anthropic”), which acts as a data processor within the meaning of GDPR Article 28, processing personal data on our behalf pursuant to a Data Processing Agreement. Supabase similarly acts as a data processor with a corresponding DPA in place.

When you use AI features, your data is transmitted to Anthropic:

• Food Photo Analysis — nutritional estimation via Claude Vision AI
• Meal Information and Fuel Plans — AI-generated nutritional guidance
• Weekly Meal Plans and Grocery Lists
• Race Day Fueling Information
• Recovery Nutrition Suggestions

3.2 Categories of Personal Data Transmitted

(a) Food Photographs. Images encoded and transmitted. These may incidentally contain non-food content (backgrounds, faces). Anthropic may retain photographs for up to 30 days for safety monitoring.

(b) Health and Fitness Profile Data. Your fitness goal, dietary preferences, body metrics, workout history (type, intensity, duration), and menstrual cycle phase (abstracted label only, if enabled).

(c) Contextual Meal and Nutrition Data. Recently logged meals, daily intake, hydration status.

(d) Incidental Image Content. Food photographs may contain incidental personal information beyond food. All such content is transmitted and subject to the same processing terms. Users are encouraged to frame photographs to capture only food.

3.3 How Your Data Is Transmitted

Your data is not sent directly to Anthropic. All requests route through a Supabase edge function proxy:

1. Your device sends an authenticated request to Supabase.
2. Supabase forwards to Anthropic using a server-side API key (never on your device).
3. Anthropic returns the analysis.
4. Supabase relays the response to your device.

3.4 Anthropic’s Data Handling

As of the effective date of this Privacy Policy, Anthropic’s API Terms provide that:

• Anthropic does not use API data to train its models.
• Anthropic may retain API inputs — including food photographs — and outputs for up to thirty (30) days for trust and safety monitoring, abuse prevention, and legal compliance.
• Anthropic’s practices are governed by their privacy policy at https://www.anthropic.com/privacy and by the DPA between the Developer and Anthropic.
• Anthropic may engage sub-processors (cloud infrastructure providers); our DPA requires Anthropic to maintain a sub-processor list and notify us of changes.

We monitor our processors’ terms and will update this Privacy Policy if material changes affect your data.

In the event our AI provider’s data use policies change to permit training on user data, we will notify you and provide an opt-out mechanism before any such change takes effect.

3.5 On-Device Caching

AI responses cached locally: fuel plans up to 24 hours, meal suggestions up to 4 hours. Cached data is on-device only and deleted when the cache expires or the App is deleted.

3.6 Your Choices and Controls

(a) Consent Withdrawal. Disable AI processing via Settings > Privacy > AI Data Processing. Throva immediately stops transmitting data to Anthropic.

(b) Functionality Without AI. Manual food logging, barcode lookup (Open Food Facts), HealthKit import, hydration tracking, Apple Reminders export, caloric target calculation, and food log history remain available without AI.

(c) Data Minimization. You control what optional data you provide.

(d) Account Deletion. Delete your account and all data as described in Section 6.

3.7 Legal Basis for AI Processing

• Consent. Before data is transmitted to Anthropic, you provide explicit, informed consent via the in-app screen (Section 3.0). You may withdraw at any time.
• Performance of a contract. For non-health personal data, processing is necessary to deliver the service.
• Consent for special categories (GDPR Article 9(2)(a)). Health data and menstrual cycle data require explicit consent, obtained via dedicated consent screens.

3.8 AI Transparency

All nutritional estimates, meal plans, fuel information, and other AI content within the App are identified as AI-generated. Throva does not present AI-generated content as human-authored professional advice. AI models may change over time, and outputs may vary between sessions for identical inputs.

4. HealthKit Data

4.1 Data Types

See Section 1.5 for the complete list of 16 read types and 1 write type. Throva requests read access to all listed types and write access to Dietary Energy Consumed.

4.2 How We Use HealthKit Data

Exclusively for health-management purposes:

• TDEE Estimation. Workout and active energy data.
• Workout-Aware Macro Adjustment. Type, duration, intensity, calories.
• Adaptive Intensity Zones. Karvonen HR Reserve method using resting HR. (This is a general estimation formula, not a clinically validated individual assessment.)
• Sleep-Based Recovery Nutrition. Sleep quality score (derived, approximate — consumer wearable data has known accuracy limitations).
• VO2 Max and fitness context for general nutritional adjustment.
• Body mass and height for metabolic calculations.

4.3 AI-Assisted Processing Disclosure

Derived contextual summaries from HealthKit data are transmitted to Anthropic’s API. This includes: workout context (type, intensity, duration, distance), sleep quality context, HR-derived intensity, body weight context, VO2 Max / fitness level context, step count context, and menstrual cycle phase (abstracted label) if enabled.

What is transmitted: Derived descriptions — e.g., “User completed a hard-intensity 10-mile run.”

What is NOT transmitted: Raw HealthKit sample arrays, time-series data, timestamps, or Apple Health identifiers.

Your explicit consent for this AI processing is obtained via the in-app consent screen (Section 3.0).

4.4 On-Device Storage

HealthKit data stored locally in SwiftData. Not in iCloud, CloudKit, or any cloud database. Not uploaded to servers in raw form. Protected by iOS hardware encryption.

4.5 Prohibited Uses — HealthKit Compliance

• No Advertising. Never.
• No Sale of Data. Never.
• No Use-Based Data Mining. Only for health-management features.
• No Disclosure for Non-Health Purposes. HealthKit data is never disclosed for any purpose unrelated to providing health-management and nutrition features. The AI processing in Section 4.3 constitutes a health-management purpose.

4.6 Your Controls

• Revoke via iOS Settings > Health > Data Access & Devices > Throva.
• Delete via account deletion (wipes all local data) or App uninstallation.
• Granular Permissions. Grant/deny each type individually.

5. Third-Party Services

We do not sell your personal data. Anthropic and Supabase act as data processors under DPAs. Third-party privacy policies may change; links were accurate as of the effective date.

5.1 Supabase, Inc.

Data: Email, hashed password, session tokens. Food photos and context transit through edge functions but are not persistently stored.

Infrastructure: AWS, United States.

Security: Encryption in transit and at rest. In the event of a Supabase security incident, the Developer will notify affected users per applicable law.

Privacy Policy: https://supabase.com/privacy

5.2 Apple Inc.

(a) Sign in with Apple. Name and email for account creation.

(b) HealthKit. Health data with consent. Not for advertising or marketing.

(c) StoreKit. Subscription processing. No payment card data retained.

(d) EventKit. Write-only grocery lists.

(e) Apple Weather. City-level location for hydration calculations.

Privacy Policy: https://www.apple.com/legal/privacy/

5.3 Google LLC

Name, email, profile photo via Google Sign-In.

Privacy Policy: https://policies.google.com/privacy

5.4 Anthropic, PBC (Data Processor)

Food photos and health context transmitted for AI analysis pursuant to a DPA. Anthropic does not train on API data per current terms. Retention: up to 30 days for safety/compliance. Sub-processors: available in Anthropic’s sub-processor list.

Privacy Policy: https://www.anthropic.com/privacy

5.5 Open Food Facts

UPC codes transmitted for product lookups. Community-contributed, unverified data. No user identifiers transmitted.

Privacy Policy: https://world.openfoodfacts.org/privacy

6. Data Storage, Retention, and Deletion

6.1 Storage Locations

On-Device: Food logs, workouts, nutrition data, preferences — all in SwiftData. Not synced to any cloud.

Supabase: Email, hashed password, session tokens only.

Food Photos: Processed in real-time. Not permanently stored on Developer servers. Anthropic may retain up to 30 days (Section 3.4).

AI Caches: On-device via UserDefaults (fuel plans up to 24h, meals up to 4h).

Purchases: Apple StoreKit; not stored by Developer.

6.2 Retention

• On-Device Data: Until you delete entries or uninstall.
• Authentication Data: Until account deletion.
• Server-Side Health/Nutrition Data: None stored.
• Voice/Audio Data: Not retained. Exists transiently during recognition only.

6.3 Account Deletion

Navigate to Settings > Account > Delete Account. Confirmation required.

Upon deletion:

(a) Supabase auth record permanently deleted within forty-eight (48) hours.

(b) Sign in with Apple tokens revoked via REST API. If revocation fails due to network error, retried automatically.

(c) All on-device data — food logs, nutrition data, preferences, cached AI responses (UserDefaults), and authentication tokens (Keychain) — permanently deleted immediately.

(d) You will have the option to export your data before confirming deletion.

(e) On-device deletion is immediate. Server-side deletion within 48 hours.

(f) Deletion is permanent and irreversible.

6.4 Data Beyond Developer Control

Apple purchase history retained by Apple. Data you independently exported or screenshotted is outside our control.

6.5 User Rights

• Deletion. At any time via Settings.
• Selective Erasure. Delete individual entries through the App.
• Data Portability. Export via Settings > Account > Export My Data, or by contacting us.

7. Data Security

We use commercially reasonable security measures:

• On-Device Encryption. iOS hardware-level AES-256.
• Authentication. Bcrypt password hashing, JWT session tokens.
• Encryption in Transit. HTTPS/TLS 1.2+ (industry-standard encryption).
• Server-Side Key Management. Anthropic API key stored as encrypted server secret; never in client app.
• Credential Storage. iOS Keychain Services.
• Keychain Persistence. Keychain items may persist after uninstallation. Account deletion programmatically removes them. If you uninstall without deleting your account, tokens remain until you reinstall and delete, or perform a full device erase.
• On-Device Speech. All speech recognition on-device; no audio transmitted.
• Input Validation. User inputs validated and sanitized before AI processing.
• No Third-Party Tracking. No analytics, advertising, or tracking SDKs.
• Session Management. Time-limited tokens with periodic renewal.

No method of electronic transmission or storage is completely secure. We cannot guarantee absolute security. Any transmission is at your own risk.

We periodically review security practices and may engage third-party professionals for assessment.

Security Vulnerability Reporting. Report vulnerabilities to brandt@throva.com. We ask for reasonable time to investigate before public disclosure.

Breach Notification. In the event of a confirmed breach, we will notify affected users within thirty (30) calendar days (or sooner where required by law), notify relevant state attorneys general as required, and provide identity theft protection resources where required by applicable law. Notification may be delayed at law enforcement’s written request.

7A. Law Enforcement and Government Data Requests

7A.1 We will not voluntarily disclose your personal data to law enforcement. We will only produce data in response to valid, binding legal process that we have reviewed.

7A.2 Menstrual and Reproductive Health Data. We will not disclose menstrual cycle data, reproductive health data, or data from which reproductive status could be inferred to any law enforcement agency — whether voluntarily, in response to a subpoena, or in response to a court order — except where compelled by a final, non-appealable court order after exhaustion of available legal challenges.

7A.3 User Notification. If we receive a legal demand for your data, we will notify you before disclosure unless legally prohibited. If subject to a gag order, we will notify you when it expires.

7A.4 Design for Privacy. The substantial majority of your data is stored on your device and is not accessible to the Developer.

8. Tracking and Analytics

Throva does not track you:

• No third-party analytics. No Firebase, Mixpanel, Amplitude, or similar.
• No advertising. No advertising SDKs or ad networks.
• No cross-app tracking.
• No IDFA collection.
• No tracking pixels or web beacons.
• No cookies. Native iOS application.

Apple analytics. Apple may collect aggregated data per Apple’s privacy policy.

9. Your Rights Under GDPR (European Economic Area)

9.1 Data Controller

Brandt LaBrasca, United States. Contact: brandt@throva.com

As of the effective date, we have not appointed an EU representative under Article 27. We are evaluating this and will update accordingly. EEA data subjects may contact us directly.

9.2 Legal Basis for Processing

9.3 Your Rights

(a) Access (Article 15). View data in-App or request a copy.

(b) Rectification (Article 16). Edit in-App.

(c) Erasure (Article 17). In-app account deletion or contact us.

(d) Restriction (Article 18). Contact us.

(e) Data Portability (Article 20). Export in JSON or CSV via Settings > Account > Export My Data, or contact us. Includes profile, food logs, nutrition data, recipes, hydration, workout summaries. Delivered via secure download within one (1) month.

(f) Object (Article 21). Object to legitimate-interests processing.

(g) Withdraw Consent. Revoke HealthKit via device settings; disable AI processing via Settings > Privacy; disable notifications; disable cycle-aware nutrition; delete account. Withdrawal does not affect prior lawful processing.

(h) Lodge Complaint. https://edpb.europa.eu/about-edpb/about-edpb/members_en

We respond within one (1) month. Complex requests may be extended by two (2) additional months with notice.

9.4 Automated Decision-Making

AI outputs are informational and advisory. No decisions producing legal effects are made solely on automated processing. You retain full control to edit or disregard AI output.

9.5 Data Protection Impact Assessment

We have conducted a DPIA under Article 35 for health data processing through AI services. A summary is available upon request.

10. Your Rights Under US State Privacy Laws

10.1 California Residents (CCPA/CPRA)

Categories of Personal Information Collected:

We do not sell your personal information. We have not sold PI in the preceding 12 months. We do not share PI for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals.

Your Rights:

1. Right to Know. Disclosure of data collected, sources, purposes, third parties.
2. Right to Delete. Deletion of your PI.
3. Right to Correct. Correction of inaccurate data.
4. Right to Opt-Out. We do not sell/share, but you may submit opt-out requests.
5. Right to Limit Sensitive PI. Our use of sensitive PI is already limited to providing requested services. You may exercise this right by contacting us.
6. Right to Non-Discrimination.

Verification. We verify identity by matching account email. Authorized agents may submit requests with written authorization.

Financial Incentives. The difference between free and Pro tiers is feature access, not based on collection or sale of PI.

10.2 Other US States

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Kentucky, Rhode Island, and other states with comprehensive privacy laws have similar rights. Contact us to exercise them.

10.3 Washington My Health My Data Act

If you are a Washington resident: (a) we collect health data only with your affirmative consent; (b) you may delete health data at any time via account deletion; (c) we do not sell health data; (d) we do not geofence health facilities; (e) our processors are contractually limited to performing services for Throva.

10.4 How to Exercise Your Rights

• Email: brandt@throva.com
• In-App: Settings > Privacy > Submit a Privacy Request

We acknowledge receipt within ten (10) business days and respond within forty-five (45) calendar days. Extensions of up to forty-five (45) additional days with notice of reason.

11. International Data Transfers

Throva is operated in the United States. Your data is processed on US servers.

11.1 Transfer Mechanisms

(a) Standard Contractual Clauses (SCCs). Supabase and Anthropic make available DPAs incorporating EU Commission SCCs (Decision 2021/914). We operate under those DPAs. Copies available upon request.

(b) UK International Data Transfer Addendum. As approved by the ICO under Section 119A of the Data Protection Act 2018.

(c) Swiss Transfers. SCCs as recognized by the Swiss FDPIC with required modifications.

(d) Consent (Article 49(1)(a) GDPR). As a residual fallback where no other mechanism applies. You are informed that US transfers involve risks including potential government access under US surveillance laws.

11.2 Transfer Impact Assessment

We have conducted a TIA evaluating the US legal framework. Given transient AI processing, nutritional data focus, and robust encryption, we conclude the applicable mechanisms provide adequate safeguards. Available upon request.

11.3 Supplementary Safeguards

TLS 1.2+ in transit, AES-256 at rest, JWT-secured access, transient AI processing, server-side key management.

11.4 Sub-Processors

12. Children’s Privacy

Throva is not directed at individuals under sixteen (16). We do not knowingly collect data from anyone under sixteen (16). There is no provision for parental consent for users under sixteen (16).

If we become aware of data from someone under sixteen (16), we will delete all associated data and disable the account within seven (7) calendar days.

Parents or guardians: contact us at brandt@throva.com to request deletion.

For US residents under thirteen (13): we comply with COPPA by not knowingly collecting data from children and by deleting any such data upon discovery.

13. Changes to This Privacy Policy

13.1 Non-Material Changes. Formatting, clarifications — updated “Last Updated” date.

13.2 Material Changes. Changes to data categories, AI processing, third-party processors, or data sharing: at least thirty (30) days’ advance notice via in-app notification and email. For changes affecting health data or sensitive PI processing, we will require your affirmative opt-in consent before changes take effect. If you do not consent, you may continue under the prior terms or delete your account.

13.3 Version History. Prior versions available upon request.

14. Contact Us

Brandt LaBrasca
Developer, Throva
Email: brandt@throva.com
Security: brandt@throva.com
Accessibility: brandt@throva.com

We respond within thirty (30) calendar days. For accessibility concerns, see our Accessibility section in the Terms of Service.

This Privacy Policy applies solely to information collected through the Throva mobile application.