Privacy Policy

Effective date: 2026-05-30 Version: privacy-v1

Suvant is built on a single principle: your data belongs to you, not us. This policy explains plainly what we collect, why, and how you can delete it at any time.


1. Who we are

Suvant ("we", "us", "our") is a web-based personal improvement service at app.suvant.com. Contact: privacy@suvant.com.


2. What we collect and why

Account data

Biometric data (facial features)

When you use the audit feature you upload 3 selfies. These photos are biometric information under the Illinois BIPA, the Washington My Health MY Data Act, and similar state laws. We handle them as follows:

A separate, explicit consent step is required before any selfie is accepted. See our Biometric Policy for the full disclosure.

Subscription and billing

Usage data


3. How we use your data

We use your data to:

We do not use your data for:


4. Data retention

Data typeRetention
Selfie photos (raw)Deleted within 30 days of audit, or on account deletion
Audit numeric scoresRetained while subscription active; deleted on account deletion
Biometric consent recordsRetained for your account lifetime + 4 years (legal hold)
Billing recordsRetained per Stripe and tax law requirements
Account dataDeleted on account deletion request

5. Your rights

You have the right to:

Requests are fulfilled within 30 days for GDPR/CCPA purposes. Biometric deletion requests are fulfilled within 72 hours.


6. Geographic restrictions

Suvant is designed for adult users in the United States and general international markets. Users in the European Union, United Kingdom, and European Economic Area are not permitted to complete a purchase at this time. This restriction is documented and will be revisited as we expand.


7. Security

We use AES-256-GCM encryption at rest for sensitive fields, TLS for all data in transit, and Google Cloud KMS for selfie bucket key management. Access to the selfie bucket is restricted to the backend service account; no human employee has direct access to raw selfie files.


8. Subprocessors

SubprocessorPurposeData shared
OpenAI (API)Vision audit + optional "after you" image generationSelfie images (not retained per API terms)
Google Cloud (GCS)Selfie storageEncrypted selfie files
Neon (Postgres)DatabaseAccount and progress data
StripePayment processingEmail, billing info
PostmarkTransactional emailEmail address
Google Analytics 4Funnel analyticsHashed user ID, events (no biometrics)
Microsoft ClaritySession replayMasked UI interactions (biometric screens excluded)
Meta (CAPI)Conversion measurementHashed email on purchase only

9. Contact

For privacy questions or to exercise your rights: privacy@suvant.com.