Privacy Policy

Effective: February 27, 2025 (Last Updated: December 30, 2025)

This Privacy Policy describes how Impaq L.L.C-FZ (“we“, “us” or “our“) handles personal information that we collect through our website https://evaai.health/ (the “Site”), application for virtual reality devices (the “VR App”) and other online services (collectively, the “Service”). Although Impaq L.L.C-FZ is organized in the UAE, certain secure processing and storage occur in the United States.

By accessing or using our Services, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your personal information as described in this Privacy Policy and our Terms of Service. For privacy requests, contact privacy@impaq.io. For appeals of privacy-request decisions (where applicable), contact privacy-appeal@impaq.io.

Depending on how you interact with us, the following may also apply to you:

Some components or features of our Service may include additional privacy notices, such as an optional feature that uses your personal information in a unique way. The language of those terms and privacy notices supplement this Privacy Policy unless there is a conflict, in which case those additional terms and privacy notices will apply.

You may follow links contained in our Service or provided to you by other users to third-party websites or products not operated by us. This Privacy Policy does not apply to third-party websites or products. We strongly suggest you review their privacy policies to understand how your personal information is used and stored by those third parties.

Similar to the above point, you may use single sign-on (SSO) features to access our Service, such as through your social media accounts. That use may be subject to your SSO provider’s terms and privacy policies, and we encourage you to review them prior to using those features.

Please read the following carefully to understand our practices regarding your personal information. We also encourage you to review our Terms and Conditions here (https://evaai.health/terms-conditions).

1. Collection of personal information

We get information about you in a range of ways. We may collect or process the following personal information about you from what you provide us directly, what we receive from others, and personal information we may automatically collect when you interact with our Service. Where applicable under U.S. state law, we treat information relating to a user’s mental or physical well-being as “sensitive personal information” or “consumer health data.” We obtain explicit consent where required and provide mechanisms to revoke consent at any time.

– Information you provide to us

– Transactional data, such as information relating to your subscription plan or needed to complete your orders on or through the Service, including order numbers, subscription method and transaction history.

– Marketing data, such as your preferences for receiving our marketing communications.

User-generated content, such as voice recordings. We collect voice recordings solely to deliver in-app functionality; we do not create, derive, or store biometric identifiers or “voiceprints,” and we contractually prohibit re-identification by service providers.

Relationship data, such as familial or other relationship to third parties whose personal information you may provide to us.

– Mood and feelings, physical health data based on your voluntary responses to surveys and questionnaires. We will not use consumer health data for targeted advertising or sell consumer health data.

– Body dimensions that you choose to store in the tracking features of your VR device such as a Meta Quest.

– Payment information needed to complete transactions, including payment card information or bank account number. Payments are processed by third-party marketplaces or payment processors. We do not receive full payment card numbers. Those providers act as independent controllers for financial data; please review their privacy notices.

Survey and promotions data, including information you share when you choose to participate in a promotion or complete a survey. We recommend that you read any instructions, terms or rules applicable to the survey or promotion before participating.

– Other data not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

– Information from others.

In certain circumstances, we may collect personal information about you from others. This may include the following:

– Public sources, such as government agencies, public records, social media platforms, and other publicly available sources.

– Data providers, such as information services and data licensors that provide demographic and other information.

– Our affiliate partners, such as our affiliate network provider and publishers, influencers, and promoters who participate in our paid affiliate programs.

– Marketing partners, such as joint marketing partners and event co-sponsors.

– Third-party services, such as social media services, that you use to log into, or otherwise link to, your Service account. This data may include your username, profile picture and other information associated with your account on that third-party service that is made available to us based on your account settings on that service.

Information we automatically collect

Our Service may collect information from you automatically during your use which may include:

– Device data, such as your computer, mobile or headset’s operating system type and version, manufacturer and model, browser type, graphics processing unit, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including VR App identifiers and identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state or geographic area.

– Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.

– Interaction data, such as information about the content, features, length and frequency of EvaAI taken on the VR App.

– Technical system information, such as crash logs which may contain your user ID, device ID, IP address, local computer file path, feature quality, and use of that feature. SDKs used in the VR App are restricted by contract from collecting consumer health data for their own purposes; we provide in-app controls to disable non-essential SDK collection.

– Cookies and other technologies (applicable for the Site).

Some of the automatic collection described above is facilitated by the following technologies:

– Cookies, which are small text files that websites store on user devices and that allow web servers to record users’ web browsing activities and remember their submissions, preferences, and login status as they navigate a site. Cookies used on our sites include both “session cookies” that are deleted when a session ends, “persistent cookies” that remain longer, “first party” cookies that we place and “third party” cookies that our third-party business partners and service providers place.

– Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data on your device outside of your browser in connection with specific applications.

– Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email address was accessed or opened, or that certain content was viewed or clicked.

– Software development kits (SDKs), or third-party computer code, that may be used for a variety of purposes, including to provide us with analytics regarding the use of our applications, to integrate with social media, add features or functionality to our applications, or to facilitate online advertising. SDKs may enable third parties to collect information directly from our applications. We offer a “Do Not Sell or Share My Personal Information” link and honor Global Privacy Control (GPC) signals where required.

– Data about others.

We may offer features that help users invite their friends or contacts to use the Service, and we may collect contact details about these invitees so we can deliver their invitations. Please do not refer someone to us or share their contact details with us unless you have their permission to do so.

2. Use of personal information

We may use your personal information in the following ways:

– To provide our Service

– provide, operate and improve the Service and our business;

– facilitate your invitations to friends who you want to invite to join the Service;

– communicate with you about the Service, including by sending announcements, updates, security alerts, and support and administrative messages;

– understand your needs and interests, and personalize your experience with the Service and our communications; and

– provide support for the Service, and respond to your requests, questions and feedback. 

Where a jurisdiction requires consent for processing consumer health data or sensitive personal information, we obtain a separate, clear, and conspicuous consent before collection and provide a mechanism to revoke consent at any time. Upon revocation, we cease processing for those purposes and delete or de-identify such data unless retention is legally required.

Research and development. We may use your personal information for research and development purposes, including to analyze and improve the Service and our business. Where we reference anonymization or de-identification, we either (i) remove the enumerated identifiers consistent with HIPAA’s “safe harbor” method or (ii) apply “expert determination” to conclude the risk of re-identification is very small, as appropriate for the dataset and use case, and we prohibit re-identification by contract. Training Consents (Free Mode only). We use user prompts and outputs from Free Mode to improve model quality only with your explicit opt-in consent. You can withdraw consent at any time in settings; upon withdrawal, we will stop using new interactions for training and will delete or de-identify prior interactions used for training within 30 days, subject to legal holds and backup cycles.

Marketing and advertising. 

We, our service providers and our third-party advertising partners may collect and use your personal information for marketing and advertising purposes:

– to maintain and improve the quality of our Service, including to perform research and development, understand user trends, and, in a limited way, understand the effectiveness of our marketing and advertising such as recording a sales conversion. For example, we use Google Analytics for this purpose. You can learn more about Google Analytics and how to prevent the use of Google Analytics relating to your use of our sites here: https://tools.google.com/dlpage/gaoptout?hl=en. 

– to provide you with information about new products and services, promotions, and other opportunities that we believe may be of interest to you, whether offered by us or third-party partners, and to personalize, measure, and improve such offers. 

– to personalize the advertisements you receive about our Service through third-party platforms, on other websites and apps. We do not sell personal information as that term is defined by applicable U.S. state privacy laws. We may “share” limited identifiers for cross-context behavioral advertising; you may opt out of such “sharing” at any time via our “Do Not Sell or Share My Personal Information” link. We honor GPC signals where required. We do not use consumer health data or sensitive personal information for targeted advertising.

3. Compliance and protection. We may use your personal information to:

– comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;

– protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);

– audit our internal processes for compliance with legal and contractual requirements or our internal policies;

– enforce the terms and conditions that govern the Service; and

– prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft. Our Law Enforcement Guidelines describe how we evaluate and respond to government data requests and emergency disclosures.

4. Aggregated, anonymous, and de-identified data. 

We may create anonymous, aggregated or de-identified data from your personal information and other individuals whose personal information we collect. We make personal information into anonymous data by removing information that makes the data identifiable to you. We may use this anonymous, aggregated or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business. We prohibit re-identification by contract and require any recipients of de-identified data to use it only for permitted purposes and not attempt to re-identify individuals.

5. Sharing of personal information.

We may disclose your personal information with the following categories of third parties:

Affiliates. We may share your personal information with any member of our business group, which includes our subsidiaries and our affiliates for any of the purposes described in this Privacy Policy. If Impaq L.L.C-FZ, including any of our subsidiaries, brands, or affiliates, is involved in a merger, acquisition, asset sale, or other corporate combination, your personal information may be transferred to the acquiring or surviving entity. If such transfer results in a material change to the use of your personal information, we will provide notice before your personal information is transferred or becomes subject to a different privacy policy.

Service providers. Third parties that provide services on our behalf or help us operate the Service or our business (such as hosting, information technology, customer support, email delivery, marketing, consumer research and analytics). We engage service providers under written agreements that limit use to our instructions, prohibit secondary use and re-identification, and require appropriate security controls.

Third party advertising platforms. We work with third party platforms who provide us with analytics and advertising services. This includes helping us understand how users interact with our Service, serving advertisements on our behalf to those who may be interested, and measuring the performance of those advertisements. We do not allow use of consumer health data or sensitive personal information for targeted advertising and we provide opt-out controls for any “sharing” of personal information for cross-context behavioral advertising.

Business and marketing partners. Third parties with whom we co-sponsor events or promotions, with whom we jointly offer products or services, or whose products or services may be of interest to you.

Linked third-party services. If you log into the Service with, or otherwise link your Service account to, social media or other third-party service, we may share your personal information with that third-party service. The third party’s use of the shared information will be governed by its privacy policy and the settings associated with your account with the third-party service.

Professional advisors. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.

Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above. For international transfers, we rely on appropriate safeguards (for example, Standard Contractual Clauses) and conduct transfer impact assessments where required.

6. Data security and retention

The security of your personal information is important to us. We follow generally accepted standards, practices, and procedures to protect the personal information submitted to us, both during transmission and once it is received. We maintain an information-security program with administrative, technical, and physical safeguards, including encryption in transit and at rest, access controls, logging and monitoring, vendor security reviews, and periodic risk assessments aligned with recognized frameworks (e.g., ISO/IEC 27001 controls). Where required by law, we will notify you and applicable regulators and consumer reporting agencies of a data breach without unreasonable delay.

We will keep your personal information for as long as needed to perform our obligations to you, or for as long as legally permitted. We retain account metadata for the life of the account and up to 180 days after deletion for fraud and chargeback prevention; technical telemetry for 90 days unless extended by security or legal holds; and voice recordings or transcripts only while the user has enabled history, after which they are deleted or irreversibly de-identified within 30 days. Backup media observe a rolling 90-day overwrite schedule. We will preserve specific records upon valid legal preservation requests.

7. Your privacy rights

We believe that you should have control of your personal information. To that end we provide the following rights to make requests regarding your personal information. You may make these requests by contacting privacy@impaq.io or in some cases using features within the Service.

Access. You have the right to know what personal information we collect about you and how we use it. This Privacy Policy serves to inform you about that collection and use. If we have personal information about you, you may also request a copy of that information.

Correction. You have the right to request the correction of your inaccurate personal information.

Portability. You may request an export of your personal information in a structured and machine readable format such as a .csv or .pdf. Where feasible, we can send that export to a third party you identify.

Deletion. You have the right to request, under certain circumstances, the deletion of your personal information that we collect.

Restriction. You have the right to request that we restrict the use of your personal information in certain circumstances. Please note that in some cases we may not be able to place a restriction due to the use being necessary for Service functionality or delivery of the Service.

No retaliation or discrimination. You have the right not to receive discriminatory or retaliatory treatment for making a request.

Limit use of sensitive personal information. Where applicable (e.g., California), you may request that we limit our use and disclosure of your sensitive personal information to purposes authorized by law. We provide a “Limit the Use of My Sensitive Personal Information” control and honor Global Privacy Control (GPC) signals for relevant opt-outs.

Sale/Share opt-out. We do not sell personal information. If we “share” personal information for cross-context behavioral advertising, you can opt out at any time via our “Do Not Sell or Share My Personal Information” link; we honor GPC signals where required.

Verification, agents, and appeals. We verify requests using information reasonably related to your account or device. You may designate an authorized agent to submit requests on your behalf, subject to identity verification and proof of authorization. Where appeal rights apply (e.g., CO/CT/VA), if we decline your request, you may appeal by emailing privacy-appeal@impaq.io; we will respond within the statutory deadline with our rationale and further recourse options. We endeavor to respond to verified requests within 45 days and may extend once by 45 days where permitted.

8. Children’s privacy

We are committed to protecting and respecting children’s privacy. Our Service is generally intended for individuals at least 18 years old and we do not intentionally collect personal information from individuals under 18 years old. We offer the Services only to individuals 18+. We do not knowingly process personal information of users under 18, and we prohibit targeted advertising or any “sale/share” relating to users we know are under 18. We implement age-gating where appropriate.

If you are a parent or guardian and you are aware that a child under age 18 has provided us with their personal information without parental consent, please contact us at hello@impaq.io and we will take steps to remove that personal information from our servers.

9. Changes

This Privacy Policy is effective as of the date posted at the top. We may update this Privacy Policy from time to time to reflect Service changes, make corrections, improve clarity, reflect changes in our privacy practices, or as required by applicable laws. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service or other appropriate means. Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Service after the effective date of any modified Privacy Policy indicates your acceptance of the modified Privacy Policy. If required by law, we will seek your consent to material changes that affect how we process your sensitive personal information or consumer health data.

10. Contact us

We want to hear from you if you have questions, concerns, or requests regarding this Privacy Policy. You can reach us by emailing hello@impaq.io. For privacy requests, contact privacy@impaq.io. For appeals of privacy-request decisions (where applicable), contact privacy-appeal@impaq.io.

11. Supplemental notices

Depending on your jurisdiction, you have additional rights that apply to you under your jurisdiction’s privacy laws. We provide the supplemental information in this section in our efforts to comply with those additional privacy laws and inform you about your rights. Please note that your personal information will be stored within the US. Government requests for user data are handled pursuant to applicable U.S. law and our Law Enforcement Guidelines; non-U.S. authorities generally must proceed via MLAT or letters rogatory unless an emergency exception applies.

California Privacy Notice (CPRA)

We disclose the categories of personal information collected, the purposes for which they are used, the categories of sources, and the categories of third parties to whom we disclose personal information. We do not “sell” personal information. We may “share” limited identifiers for cross-context behavioral advertising; you may opt out at any time via our “Do Not Sell or Share My Personal Information” link, and we honor GPC signals. We treat mood and feelings and any information that may relate to a user’s mental or physical well-being as sensitive personal information; you may request that we limit use and disclosure of sensitive personal information to the purposes authorized by law. We provide retention periods by category as described in “Data security and retention.” You have the rights to access, delete, correct, and data portability as described above, and you may use an authorized agent.

Colorado, Connecticut, Virginia, New Jersey, Delaware, Oregon

We describe targeted advertising and profiling (if any) and provide opt-out mechanisms where applicable. We provide an appeal process for denied requests by emailing privacy-appeal@impaq.io and respond within statutory timelines. We obtain opt-in consent where required for sensitive data processing and honor universal opt-out signals as required by law.

Consumer Health Data Disclosures (e.g., Washington, Nevada, Colorado)

We may process information that could be considered “consumer health data” under certain state laws. We provide a separate, clear, and conspicuous notice at or before collection describing categories, sources, purposes, and disclosures; obtain explicit consent where required; and offer mechanisms to revoke consent. We do not sell consumer health data. We disclose consumer health data only to processors under written contracts that limit use to our instructions and require appropriate safeguards.

Biometric Information (e.g., Illinois, Texas)

We do not collect or create biometric identifiers. Specifically, we do not derive, extract, or maintain “voiceprints” from voice recordings. If our practices change, we will first implement the notices, consents, retention schedules, and security measures required by applicable biometric-privacy laws.

International transfers

When we transfer personal information internationally, we implement appropriate safeguards (for example, Standard Contractual Clauses) and, where required, conduct transfer impact assessments. We also impose contractual restrictions on onward transfers and re-identification.

Law Enforcement and Emergencies

Our Law Enforcement Guidelines describe how we evaluate and respond to government data requests and emergency disclosure requests in situations involving imminent danger of death or serious physical injury.

Your Privacy Choices

You may exercise your rights via in-app settings, our “Do Not Sell or Share My Personal Information” link, “Limit the Use of My Sensitive Personal Information” control, by emailing privacy@impaq.io, or by using supported universal opt-out signals such as Global Privacy Control.