Privacy Policy

Effective 2026-05-04

Plain-language summary first, full details below. We collect as little as possible, sell nothing, and tell you exactly who touches your data.

Who we are

Gavi Health is an editorial catalog of wellness gear, run by Mac Jablonski (sole proprietor, based in Warsaw, Poland). The data controller for the purposes of GDPR is Mac Jablonski. Contact: hello@gavihealth.com.

What we collect

  • Email address — only if you sign in to save your wishlist across devices, or subscribe to The Letter (our newsletter).
  • Wishlist items — the product slugs you star. Stored in your browser by default; synced to our database only if you sign in.
  • Click data — when you click an outbound product link, we record which product, the date, and your country (derived from IP, IP not stored). No personal identifiers are attached. Used to learn which picks readers find useful.
  • Authentication metadata — when you sign in, our authentication provider (Supabase) receives your email plus a session token. If you sign in with Google, Google provides us your email and basic profile (name, avatar URL); we use only the email.
  • No analytics tracking — we do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers. Aggregate click data is the only usage signal we collect.

Why we collect it

  • Email — to give you an account that holds your wishlist, and (separately, only if you opt in) to send The Letter.
  • Wishlist — so the feature works.
  • Click data — to improve the catalog. If a product gets no clicks for a year, we reconsider whether it belongs.

Lawful basis (GDPR)

For EU/EEA users, we rely on the following legal grounds:

  • Contract — to provide the account and wishlist features you asked for (Art. 6(1)(b) GDPR).
  • Consent — for The Letter newsletter (Art. 6(1)(a) GDPR). You opt in explicitly via an unchecked checkbox; you can unsubscribe from any email or by emailing us.
  • Legitimate interest — for aggregate, non-identifying click data used to improve the catalog (Art. 6(1)(f) GDPR).

Who handles your data

We use the following third-party processors. Each has signed a Data Processing Agreement and complies with applicable EU transfer mechanisms (Standard Contractual Clauses).

  • Supabase, Inc. (US) — database, authentication. Hosts your email, wishlist, and session tokens.
  • Vercel Inc. (US) — hosting and edge delivery.
  • Google LLC (US) — if you choose to sign in with Google. Subject to Google’s Privacy Policy.
  • Resend (US) — transactional email and newsletter delivery.

We do not sell, rent, or share your personal data with advertisers, brokers, or third parties beyond the processors above.

How long we keep it

  • Account data — for as long as your account is active. Delete it any time and we erase the row.
  • Newsletter subscription — until you unsubscribe; your email is then removed from the active list within 7 days.
  • Click data — kept for 24 months in raw form, then aggregated and the raw rows deleted.

Your rights

Under GDPR you have the right to:

  • Access — ask what we hold about you.
  • Rectify — correct inaccurate data.
  • Erase — delete your account and associated data.
  • Port — receive your data in a machine-readable format.
  • Withdraw consent — for newsletter, at any time.
  • Object — to processing based on legitimate interest.
  • Lodge a complaint — with your local supervisory authority. In Poland, this is the Urząd Ochrony Danych Osobowych (UODO).

Email hello@gavihealth.com with any of the above. We respond within 30 days.

Cookies & local storage

We use the following client-side storage:

  • Session cookie — after sign-in, a secure, HTTP-only cookie keeps you logged in. Strictly necessary; no consent banner required.
  • Local storage — your wishlist is stored in your browser when you’re not signed in. Lives entirely on your device. Note: some browsers (Safari especially) clear local storage after about 7 days of inactivity. Sign in to keep your wishlist safe across devices and over time.
  • No advertising or analytics cookies.

Outbound links & affiliate disclosure

When you click a product link, you are redirected through our short URL /go/[slug] to the merchant’s website. Once on the merchant’s site, their privacy policy applies, not ours. We have no control over and accept no responsibility for the privacy practices of third-party merchants.

Some links are affiliate links — we may earn a small commission if you purchase, at no extra cost to you. This does not influence which products we list or which earn badges.

International data transfers

Our processors (Supabase, Vercel, Google, Resend) are US-based. Where we transfer EU/EEA personal data to the United States, we rely on the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.

Children

Gavi Health is not directed at children. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, contact us and we will delete the account.

Changes

We may update this policy as the catalog evolves or regulations change. The effective date at the top reflects the latest version. Material changes will be announced via The Letter and at the top of this page for at least 30 days.

Contact

Questions, deletion requests, or anything privacy-related — hello@gavihealth.com. You can also reach the data controller (Mac Jablonski) at the same address.