Privacy Policy
Last updated: May 2026
Zareva is a medication reminder and wellness companion published by BDKM LLC, a Washington limited liability company ("BDKM," "we," "us," or "our"). We built Zareva with privacy at its core. This policy explains what data we collect, why, how it's protected, and the choices you have. We wrote it to be clear and readable — no legalese tricks.
Important: Zareva is NOT a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), and information you store in Zareva does not receive HIPAA protections. We voluntarily apply HIPAA-aligned security practices (AES-256 encryption at rest, TLS 1.3+ in transit, access controls, minimum data collection), but you should not assume HIPAA rights apply to your use of the app.
1. What We Collect
Zareva collects only the minimum data needed to provide medication reminders and wellness tracking:
- Medication names and schedules you enter
- Reminder acknowledgment status (taken, skipped, snoozed)
- Daily wellness check-in data (mood, energy, pain, hydration, meals, sleep)
- Vitals readings you log (e.g. blood pressure, weight, blood sugar)
- Side effects and lab results you optionally record
- Feedback you choose to send via the in-app feedback form (free text + optional contact email)
- Anonymous app event data (e.g. "subscription upgraded", "feature used") — collected only with your Analytics consent; it never includes medication names, dosages, notes, or wellness data
- A pseudonymous user ID for account management
- Device notification token for delivering reminders
- Notification preferences
We do not collect your real name, physical address, or phone number (unless you voluntarily provide a phone number for caregiver escalation). We do not collect anything beyond what you explicitly enter into the app.
2. How We Use Your Data
- Deliver medication reminders and wellness notifications
- Store your wellness routine for offline access
- Sync data across your devices (if you opt into Cloud Backup)
- Share wellness summaries with caregivers you explicitly invite via Care Circle
- Generate wellness reports you can share with your healthcare provider
- Improve the app through anonymous, aggregated usage analytics (if you opt in)
3. What We Never Do
We will never sell, rent, or trade your health data to anyone — period.
- We never use your health data for advertising or marketing
- We never share your medication information with advertisers, data brokers, or social media platforms
- We never send your health data to behavioral analytics or ad-tracking services. We do not use Firebase Analytics, Meta Pixel, or ad SDKs. Our in-app event analytics are anonymous, opt-in, and never include medication names, dosages, notes, or wellness data. Firebase Crashlytics is crash-only, opt-in, and scrubbed of health data before sending
- We never store health data in iCloud (Apple Guideline 5.1.3(ii))
- We never use health data for profiling, scoring, or automated decision-making
4. Third-Party Services
Zareva uses a small number of carefully selected third-party services:
Supabase (database & authentication) — Stores your account and wellness data with encryption at rest (AES-256) and in transit (TLS 1.3+). Row-level security policies ensure that only you (and caregivers you explicitly authorize) can access your data.
Firebase Cloud Messaging (notifications) — Delivers push notifications to your device. Only an opaque device token is shared with Google. No health data, medication names, or personal information is included in push notification payloads.
Firebase Crashlytics (crash diagnostics, opt-in) — Reports app crash stack traces and device/OS information so we can identify and fix stability issues. Disabled by default. Only active if you grant the Analytics consent in Settings → Privacy & Data. Every crash report is passed through a client-side redactor that strips emails, quoted free-text, URL query strings, and JSON bodies before sending — so medication names, dosages, notes, and wellness data never reach Crashlytics. No user identifier is ever attached. Collection toggles off immediately when you revoke consent.
OpenFDA (drug information) — When you check drug interactions, medication names are sent to the U.S. FDA's public API. No user identifiers, device information, or account data is included in these requests.
Affiliate links (GoodRx, EzRx, Amazon) — When you choose to visit an external savings service, your medication name may be visible to that service in the URL. You are always notified and asked for confirmation before leaving the app. Zareva may earn affiliate commissions from these services at no additional cost to you. These commissions are disclosed in-app.
5. Data Sharing
Your data is shared only in these specific circumstances:
- With caregivers you explicitly invite via Care Circle — you control who has access and can revoke it at any time
- With external services you explicitly choose to visit (GoodRx, EzRx, Amazon) — only after you confirm
- If required by law (court order, subpoena, or valid legal process)
We never share data with advertisers, data brokers, or any party for marketing purposes.
6. Data Security
We take the security of your data seriously:
- Encryption at rest: AES-256 encryption for all locally stored data (Hive database)
- Encryption in transit: TLS 1.3+ for all network communications
- Row-level security: Database policies ensure user-level data isolation
- Secure key storage: Encryption keys stored in iOS Keychain / Android EncryptedSharedPreferences
- No plain-text storage: Sensitive data is never stored in plain text on your device
- HIPAA-aligned practices: While Zareva is not a HIPAA-covered entity, our infrastructure voluntarily applies security practices aligned with HIPAA's technical safeguards
7. Data Retention & Deletion
You can delete your account at any time from Settings → Account → Delete Account. Upon deletion:
- All your data is permanently removed within 45 days (compliant with Washington MHMDA)
- This includes medications, logs, check-ins, journal entries, caregiver relationships, and device tokens
- Local data (on-device database) is cleared immediately
- This action cannot be undone
You may also request data deletion by emailing privacy@zareva.app. We will process your request within 45 days.
For instructions on deleting your account, see our account deletion page.
8. Your Choices
You control your data through separate consent categories in Settings → Privacy & Data:
- Core Functionality (required) — Local storage of your medication schedules and reminders
- Cloud Backup (optional) — Sync your data to secure cloud storage for cross-device access
- Caregiver Sharing (optional) — Share your wellness data with Care Circle members
- Analytics (optional) — Anonymous, aggregated usage data to help us improve the app
You can change these choices at any time. Withdrawing consent does not affect the lawfulness of processing performed before withdrawal.
9. Age Requirement & Children's Privacy
Zareva is intended for users who are at least 18 years of age. We do not knowingly collect personal information from individuals under 18. If you are managing medications for a minor (such as a child or dependent), you must have legal authority to do so as a parent, legal guardian, or authorized caregiver — and the account must be in your name, not the minor's.
If you believe a child has provided us with personal information, please contact us immediately at privacy@zareva.app and we will delete the account and data promptly.
10. International Data Transfers
Your data may be processed in the United States where our servers are located. By using Zareva, you consent to the transfer and processing of your data in the United States. We ensure that appropriate safeguards are in place to protect your data regardless of where it is processed.
11. Changes to This Policy
We may update this privacy policy from time to time. If we make material changes, we will notify you through the app before the changes take effect. Continued use of Zareva after changes constitutes acceptance of the updated policy. The "Last updated" date at the top of this page indicates when this policy was last revised.
12. Contact Us
For privacy questions, concerns, or data deletion requests:
Email: privacy@zareva.app
Publisher: BDKM LLC
Governing law: State of Washington, United States
This app is not a medical device and does not diagnose, treat, cure, or prevent any medical condition. Always consult your doctor or pharmacist for medical advice.