Verify in 30 seconds in DevTools
Three checks anyone can run, right now, without trusting this page:
- Network tab: Open DevTools → Network, reload, and count the requests. Every origin should be almavivo.com. No fonts.google.com, no analytics, no pixels.
- Application tab: DevTools → Application → Local Storage → almavivo.com. Every key should start with almavivo.. No third-party storage exists because no third party can run code.
- Document headers: Network → the document request → Headers → Response Headers. Look for Content-Security-Policy. It should contain connect-src 'self' — the browser itself will reject any non-almavivo.com fetch. Here’s the excerpt you should see, taken from the same source as the live header: default-src 'self'; connect-src 'self'; script-src 'self'; frame-ancestors 'none'
Each check is detailed further down the page; this card is the short version.
Every outbound request, itemised
| Origin | Purpose | What it carries | Optional |
|---|---|---|---|
| almavivo.com | Serving the site itself: HTML, CSS, and JavaScript. The supplement catalog is bundled into the JavaScript and loaded once. | Standard web request data only — your IP address, user agent, and the URL you requested. No intake answers are ever included. | Always |
| Citation links on supplement pages | Each evidence claim links out to NIH, PubMed, Cochrane, or peer-reviewed journals. These are plain hyperlinks. They only fire when you click them. | Standard browser referrer if you click. Almavivo does not preload or prefetch these links. | Yes — only fires if you act |
| Affiliate links (only when clicked) | Affiliate product links are not currently shipped on the site. When they are, clicking will take you to a retailer like Amazon, which may set its own cookies. Every affiliate link will carry a clear disclosure at the link itself. | Whatever the retailer collects after you click — same as visiting them directly. Almavivo does not pass them anything about your intake. | Yes — only fires if you act |
| Clinician export (only if you choose) | At the end of the flow you can email a structured summary to a clinician, or print / download a PDF locally. | Whatever you choose to include in the export. The PDF is generated in your browser and never touches our servers. Email is sent through your own mail client to the address you specify. | Yes — only fires if you act |
| Save-to-folder / Share (only if you choose) | From the Data page you can write your backup directly to a local folder you pick (e.g. a Dropbox / iCloud / Google Drive / OneDrive sync folder) via the browser's File System Access API, or hand the file to your operating system's share sheet. Both flows are entirely browser- and OS-mediated. | Whatever you choose to send. The file is created in your browser and either written to disk or passed to the OS share sheet — almavivo.com sees no request and has no record of the destination. | Yes — only fires if you act |
What we store on your device
Almavivo holds everything in your browser’s localStorage, scoped to your active profile. Nothing is sent to a server. You can wipe everything from backup & restore or your browser’s site settings.
- almavivo.profile.<id>.intake.v1 — your quiz answers.
- almavivo.profile.<id>.medications.v1 — your medication review prep list (used only by the medication review tool; never read by the supplement engine).
- almavivo.profile.<id>.labs.v1 — any lab values you’ve typed in.
- almavivo.profile.<id>.favourites.v1 and ratings.v1 — your saved supplement list and any ratings or notes you’ve left.
- almavivo.profile.<id>.shift.v1 — your shift-work schedule (if you’ve used the shift-work tool).
- almavivo.profile.<id>.prediabetesRisk.v1, sleepApneaRisk.v1, and alcoholRisk.v1 — the most recent result for each standalone risk screener you’ve completed (FINDRISC, STOP-BANG, AUDIT-C). Each stores your answers, the computed band, and the timestamp. Read by the screener pages themselves and surfaced as a passive banner on /physical-prep.
- almavivo.profile.<id>.reactionPatternLog.v1, intoleranceTrial.v1, and symptomLog.v1 — data from the Symptom & Trigger Log and its optional single-food trial worksheet. The first stores your most recent log answers and the pattern label. The second stores any single-food trials you’ve started, with before/during/after severity. The third stores symptom journal entries (severity, category, optional suspected trigger and notes). All three are read by the tool itself and by /journal; nothing is sent to a server.
- almavivo.profile.<id>.family-tree.v1 — your family tree (graph of persons + partner / parent edges), shared by the family health history tool and the family tree wall-chart tool. Family health data is sensitive; this is read only by those two tools, their printable analysis and wall-chart sheets, and the LLM import helper at /tools/family-history/import (which runs no model itself — it hands you a prompt for your own ChatGPT / Claude account and parses the JSON you paste back). Never by the supplement engine, and never sent to a server. The record stores:
  - About you — current age, sex at birth, adopted-with-limited-history flag, donor-conceived flag, optional free-text name used as your label on the chart (defaults to “Self” when blank), and an optional free-text chart title used as the header on the printed wall chart.
  - Each person you add — optional free-text display label (e.g. “Grandma Rose”), sex at birth, alive-or-deceased status, current age, age-at-death, optional birth year and death year, a “this is me” flag (true for exactly one person — the proband), cause of death with cancer subtype where applicable, your confidence in the cause-of-death info, a free-text cause-of-death override, an unexplained-sudden-death flag, smoking history, optional free-text medical notes (clinical context, kept off the wall chart), and optional free-text family-tree notes (the line that prints on the wall chart, e.g. “loved fishing”).
  - Partner links between two people. Used to draw couples on the chart.
  - Parent-child links between two people. Each link records whether the relationship is biological, adoptive, step, foster, or unknown — only biological links feed hereditary-pattern analysis. A biological parent of you can also carry a lineage hint (paternal / maternal / don’t-know) which is read by same-side cluster rules (Lynch, HBOC). Lineage is never inferred — only what you set is used.
  - Each diagnosis on a relative — the condition, cancer subtype where applicable, age at diagnosis (or “unknown”), your confidence in that info, and an optional free-text label for “other” conditions.
  - Known genetic tests — whether they were on you or a relative, which condition was tested for, the result, and what context the testing happened in (known familial variant vs general panel).
- almavivo.profiles.v1 — the profile index itself (labels, age band, sex hints).
- almavivo-backup-dest (IndexedDB) — only if you use Save to folder, a handle to the folder you picked, so future backups go there without re-prompting. Browser-scoped; cannot be read by any server-side code, never transmitted.
- almavivo.profile.<id>.labs.history.v1, prediabetesRisk.history.v1, sleepApneaRisk.history.v1, alcoholRisk.history.v1 — per-tool history sidecars. When you save a new value for any of these four tools, the previous one is kept on your device so you can see what shifted over time. Capped at 24 entries per tool. You can delete any entry, or clear the whole history per tool, from inside each tool. Nothing about history leaves the device.
Things we deliberately do not do
- No client-side analytics. None. No JavaScript runs in your browser to count or track you.
- No Google Analytics, Tag Manager, or any tracking pixel.
- No Facebook / Meta Pixel, TikTok Pixel, or any ad-network beacon.
- No session-replay tools (Hotjar, FullStory, LogRocket, Clarity).
- No third-party fonts loaded from Google Fonts or similar — Almavivo uses your operating system's fonts only.
- No third-party scripts of any kind — enforced by a strict Content Security Policy that blocks all non-almavivo.com origins for scripts, styles, fonts, images, and network requests.
- No cookies. State is held in your browser's localStorage only, scoped to almavivo.com.
- No server-side rendering of your intake answers or recommendations.
- No storage of your intake answers, plan, or labs in any database, anywhere.
The one thing we count, server-side
The web server keeps an old-school hit counter — an integer per route, per day. When the server renders a page, it adds 1 to that day’s counter for that route. That is the entirety of our analytics.
We never write your IP address to disk. We never set a cookie. We never store your raw user agent. We do classify the user-agent header into coarse all-time buckets — device (mobile / tablet / desktop), OS family, and browser family — and increment a single integer for each. Two visitors loading the home page on the same day are indistinguishable in the route counter — it just becomes { "/": 2 }.
Under GDPR, briefly processing an IP for the purpose of counting an aggregate page view (without retention) falls under legitimate interest, and no cookie banner is required because no cookies are set.
Enforced, not just promised
Almavivo ships with a strict Content Security Policy that instructs your browser to block any script, style, font, image, or network request that is not from almavivo.com. If we ever accidentally introduce a third-party origin, your browser refuses to load it. The policy is part of the source code, not a marketing claim — you can read it in next.config.ts and confirm it in your browser’s response headers.
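The Document headers check and the policy described above can also be scripted. The JavaScript below is an added example, not Almavivo's own code: it parses a Content-Security-Policy value, applies the default-src fallback for the script, style, font, image and connect directives, and reports any source other than 'self'. The function names and the weakened sample policy are constructed for illustration, and it assumes a single policy per header value.

```javascript
// Fetch directives that fall back to default-src when they are absent.
const FETCH_DIRECTIVES = ["script-src", "style-src", "font-src", "img-src", "connect-src"];

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    // In CSP a repeated directive is ignored, so the first occurrence wins.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Return a list of findings. An empty list means every audited fetch
// directive resolves to 'self' or 'none' only, and framing is disabled.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of FETCH_DIRECTIVES) {
    const sources = policy.get(directive) ?? policy.get("default-src");
    if (sources === undefined) {
      findings.push(`${directive}: unrestricted (no directive and no default-src)`);
      continue;
    }
    for (const src of sources) {
      const s = src.toLowerCase(); // keyword sources are case-insensitive
      if (s !== "'self'" && s !== "'none'") findings.push(`${directive}: allows ${src}`);
    }
  }
  // frame-ancestors does not fall back to default-src, so check it separately.
  const fa = policy.get("frame-ancestors");
  if (!fa || fa.length !== 1 || fa[0].toLowerCase() !== "'none'") {
    findings.push("frame-ancestors: not 'none'");
  }
  return findings;
}

// The excerpt quoted on this page.
const PAGE_EXCERPT = "default-src 'self'; connect-src 'self'; script-src 'self'; frame-ancestors 'none'";
// Constructed counter-example: a third-party font origin and inline scripts.
const WEAKENED = "default-src 'self'; font-src 'self' https://fonts.example; script-src 'self' 'unsafe-inline'";
```

In a browser console on the site, the live value can be read with `(await fetch(location.href)).headers.get("content-security-policy")` and passed to auditCsp.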
Offline cache (service worker)
Almavivo registers a service worker so the app keeps working when you go offline and loads instantly on repeat visits. The worker stores a copy of the site’s static assets and previously visited pages in your browser’s cache. It is the same code we serve on first visit, just kept locally instead of re-fetched.
The worker makes no network requests of its own and sends nothing about you anywhere. It only serves cached responses or, when online, passes your normal request through to almavivo.com. You can disable it any time in your browser’s developer tools, or by uninstalling the app if you added it to your home screen. The source is at /sw.js.
Cloudflare for security
Almavivo is served through Cloudflare for TLS, caching, and DDoS protection. Cloudflare sees request metadata (URL, IP, user agent) and the response in transit. Your intake answers live in your browser’s localStorage and are never sent over the network, so Cloudflare never sees them. All optional Cloudflare features that inject scripts or set tracking cookies are disabled.
Verify it yourself
Open your browser’s developer tools, switch to the Network tab, and use Almavivo. You will see requests to almavivo.com and nothing else, until you choose to click an outbound link or export your plan.
If you ever see a request from Almavivo that is not on this page, that is a bug. Email [email protected] and we will fix it.
The rules themselves, also auditable
Network behaviour is one layer. The clinical logic is another. The recommendation engine is open source at github.com/almavivo/open-health-engine. Every question in the intake, every supplement rule, every excluded item with reasoning, every safety guard — published, tested, and Apache-2.0 licensed. The repo’s EXCLUDED_TESTS and EXCLUDED_SUPPLEMENTS arrays are the canonical record of what this engine refuses to recommend, and why.
Read more
The privacy page explains what stays on your device and what happens when you choose to share. The methodology page explains how recommendations are generated — entirely in your browser, from a deterministic rules engine. The safety matrix lists every safety gate the engine checks and the supplements it gates.