Levilog Privacy Policy

Document version: 4.0
Effective date: 19 May 2026
Last updated: 19 May 2026

Navamedic AB (“we”, “our”, or “us”) respects your privacy and does its utmost to protect your personal data. This privacy policy explains how we collect, use, store, and protect your personal data and sensitive health data when you use the Levilog app.

1. Who we are (Controller and processors)

Navamedic AB is the data controller. This means that we determine the purpose and means of the processing of your personal data when you use Levilog.

Our company details:
Navamedic AB
Göteborgsvägen 74
433 63 Sävedalen
Sverige

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our handling of personal data. If you have any questions about how we process your personal data, please contact our DPO at: gdpr@navamedic.com

In order to provide our services, we also use third party data processors who process personal data according to our strict instructions. These data processors do not use your data for their own purposes.

2. What data we collect

Personal details

When you use Levilog, we collect:

  • Email address (if you selected email registration)
  • Google or Apple sign-in credentials (if you selected Google or Apple as the registration method)
  • Device ID (to maintain the functionality of the app)


Health data (sensitive information)

To provide services to facilitate adherence to prescribed treatment, we process:

  • Medication name
  • Dosage schedule
  • Logged intake of the medication

Optional data (requires voluntary consent)

If you give consent, we use OpenAI to process images when scanning the dosing schedule and drug label. This may include personal or health-related data.

3. How we collect your personal information

  • Manual input: Users enter drug details directly into the app.
  • Image upload (optional): Users can upload images of their dosing schedule for recognition, provided explicit consent is given.
  • Account registration: Users can register with:
    • Email and password
    • Google
    • Apple

4. Why we collect your data (purpose and legal basis)

We process your personal data and health data for the following purposes according to the legal bases of the GDPR:

  • Provision of medication reminders and medication intake history — Legal basis: Contractual obligation (Article 6(1)(b)) & Explicit consent (Article 9(2)(a))
  • Account creation and secure storage of data — Legal basis: Contractual obligation (Article 6(1)(b))
  • Authentication via Google or Apple (if chosen) — Legal basis: User consent (Article 6(1)(a))
  • Analysis (only anonymized data) — Legal basis: Legitimate interest (Article 6(1)(f))
  • Scanning of dosage schedule via OpenAI — Legal basis: Explicit consent (Article 9(2)(a))

5. How users give and withdraw consent

  • Mandatory consent (necessary to use the app): Appears with a clear prompt upon registration.
  • Voluntary consent (for dosing schedule/drug label scanning and Google/Apple sign-in): Users may accept or decline when using these features.
  • Withdrawal: Users can withdraw consent at any time via the app settings.

6. How we store and protect your data

  • We take appropriate security measures to prevent the unauthorised access, disclosure, alteration, or destruction of your data.
  • Data is encrypted during transmission and storage.
  • Access is limited to authorised personnel only.

7. Data sharing and third-party processing

We use third party providers to support the functionality of the app. They process personal data only on our behalf and under strict supervision.

  • AWS Cognito — User authentication (email, Google, Apple). Location: EU. Safeguards: GDPR compliant.
  • AWS — Cloud storage. Location: EU. Safeguards: GDPR compliant.
  • Mixpanel — Analytics (no identifying information). Location: EU. Safeguards: GDPR compliant.
  • Sentry — Crash analysis (no identifying information). Location: EU. Safeguards: GDPR compliant.
  • OpenAI — Image recognition of dosage schedule and medication label (if consent is given). Location: Outside EU. Safeguards: Standard Contractual Clauses (SCC), Adequacy Decision under GDPR Article 45 (if applicable).
  • Expo — Delivery of push notifications. Location: US. Safeguards: EU–US Data Privacy Framework (DPF).

We never sell your data or share it with advertisers.

8. How long do we store your data?

  • Personal details: Stored until you delete your account or after two years of inactivity.
  • Health data: Stored until you delete your account or after two years of inactivity.
  • Anonymised user data: Retained for analysis without identifying data.

9. Your rights under the GDPR

Under the GDPR (Articles 15-22), you have the following rights:

  • Right of access – Request a copy of the data we hold about you.
  • Right to rectification – Correct incorrect or incomplete data.
  • Right to erasure (“right to be forgotten”) – Request that we delete your data.
  • Right to restriction of processing – Ask us to restrict how we use your data.
  • Right to data portability – Request an export of your data in machine-readable format.
  • Right to object – Object to processing based on legitimate interest.
  • Right to withdraw consent – If you have given consent (e.g. AI-based image scanning), you can withdraw it at any time via the app settings.

To exercise your rights, email: gdpr@navamedic.com

10. Procedures in the event of a data breach

We comply with the GDPR guidelines and will:

  • Assess the intrusion and its impact.
  • Inform affected users if the breach poses a high risk.
  • Notify regulators if there is any doubt that an infringement poses a high risk to user data.
  • Notify regulators within 72 hours if required.

11. Children and age limits

  • Minimum age: 18 years
  • We do not collect data from minors.

12. Complaints and contact details

If you have any questions or complaints about your data, please contact our Data Protection Officer:

gdpr@navamedic.com

If you believe that we have not handled your data correctly, you can also submit a complaint to the Swedish Data Protection Authority (IMY).