VitalixTerms of Service

Privacy Policy

Effective date: March 15, 2026  ·  Last updated: March 15, 2026

Vitalix ("we", "us", or "our") is a personal wellness application that helps you understand your health data through AI-powered insights. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

Vitalix is a consumer wellness application, not a medical device. We are not a HIPAA-covered entity. Nothing in this app constitutes medical advice — always consult a qualified healthcare professional for medical decisions.

1. Information We Collect

Health and fitness data

When you connect a device or sync health data, we collect:

  • Sleep duration and quality metrics
  • Heart rate and heart rate variability (HRV)
  • Daily steps, active calories, and workout sessions
  • Blood oxygen (SpO₂) and respiratory rate
  • Readiness and recovery scores
  • Symptoms and wellness journal entries you log manually
  • Lab results you upload (PDF or manual entry)

Account information

  • Email address (used for authentication)
  • Name (optional, used to personalise your experience)
  • Subscription tier and billing history (via Stripe — we do not store card numbers)

Usage data

  • App interactions (screens visited, features used)
  • Crash reports and performance logs
  • Device type and operating system version

Information we do NOT collect

  • Payment card numbers (handled entirely by Stripe)
  • Precise GPS location
  • Contacts or social graph
  • Any data from your device other than health metrics you explicitly sync

2. How We Use Your Information

  • Provide the service: generate personalised health insights, health scores, correlations, and AI agent responses using your data
  • AI analysis: your health data is sent to Anthropic's API to generate insights — see Section 4 for details
  • Billing: manage your subscription through Stripe
  • Communications: send weekly health summaries and important account notices (you can opt out of summaries at any time)
  • Improve the app: analyse aggregated, anonymised usage patterns to fix bugs and improve features
  • Security: detect and prevent fraud or abuse

We do not sell your personal data to third parties. We do not use your health data for advertising.

3. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data under the following legal bases:

  • Contract performance: processing necessary to provide the Vitalix service you signed up for
  • Legitimate interests: improving the app, preventing fraud, maintaining security
  • Consent: sending marketing emails and optional health summary emails — you can withdraw consent at any time
  • Explicit consent (Article 9): processing special category health data — you provide this by choosing to sync health data into the app

4. Third-Party Services

We share data with these service providers solely to operate Vitalix. Each has its own privacy policy and, where required, a Data Processing Agreement (DPA) with us.

Supabase

Database and authentication (stores your account and health data)

📍 AWS us-east-1 (United States)

Privacy policy ↗

Anthropic

AI analysis — your health data is sent to generate insights and AI agent responses

📍 United States

Privacy policy ↗

Oura

If you connect your Oura Ring, we receive your ring data via Oura's API

📍 United States / Finland

Privacy policy ↗

Dexcom

If you connect a Dexcom CGM, we receive your glucose data via Dexcom's API

📍 United States

Privacy policy ↗

WHOOP

If you connect a WHOOP band, we receive your recovery and strain data via WHOOP's API

📍 United States

Privacy policy ↗

Garmin

If you connect a Garmin device, we receive your fitness data via Garmin's API

📍 United States

Privacy policy ↗

Fitbit

If you connect a Fitbit device, we receive your health data via Fitbit's API

📍 United States

Privacy policy ↗

Stripe

Payment processing and subscription management

📍 United States

Privacy policy ↗

Vercel

Web application hosting

📍 Global edge network

Privacy policy ↗

Sentry

Crash reporting and error monitoring (may include device info and stack traces)

📍 United States

Privacy policy ↗

5. Data Storage and Security

  • All data is encrypted in transit using TLS 1.3
  • All data is encrypted at rest using AES-256 (Supabase / AWS)
  • Access to your data is controlled by Row Level Security — only you can read your health records
  • We use Supabase Pro with daily backups and point-in-time recovery
  • Employees and contractors do not have routine access to individual health records

6. Data Retention

  • Your health data and account are retained for as long as your account is active
  • If you delete your account, all personal data is deleted within 30 days
  • Anonymised, aggregated analytics data may be retained longer
  • Billing records are retained for 7 years as required by tax law

7. Your Rights

Depending on where you live, you have the following rights:

All users

  • Access: request a copy of your personal data
  • Deletion: delete your account and all associated data from Settings → Delete Account, or by emailing us
  • Correction: update your profile information in-app at any time
  • Opt-out of emails: unsubscribe link in every marketing email

EU / EEA / UK users (GDPR)

  • Data portability: receive your data in a machine-readable format (JSON export — email us to request)
  • Restriction: ask us to stop processing your data while a dispute is resolved
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: at any time, without affecting prior processing
  • Lodge a complaint: with your local data protection authority

California users (CCPA)

  • Right to know what personal information we collect
  • Right to delete your personal information
  • Right to opt-out of sale — we do not sell personal information
  • Non-discrimination for exercising your rights

To exercise any of these rights, email privacy@vitalix.health. We respond within 30 days (10 days for CCPA requests).

8. Children's Privacy

Vitalix is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal data, contact us at privacy@vitalix.health and we will delete it promptly.

9. International Data Transfers

Vitalix is operated from the United States. If you access the service from the EU, EEA, or UK, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) with our service providers (Supabase, Anthropic, Stripe) as the legal mechanism for these transfers under GDPR.

10. Cookies and Tracking

The Vitalix web app uses strictly necessary cookies for authentication (session tokens). We do not use third-party advertising cookies or cross-site tracking. We may use first-party analytics to understand how features are used — this data is anonymised and not shared with third parties.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and notify you by email if changes are material. Continued use of Vitalix after changes constitutes acceptance.

12. Contact Us

For privacy questions, data requests, or concerns:

Email: privacy@vitalix.health

Website: vitalix.health