Privacy Policy

Effective Date: 2025-08-17

Last Updated: 2025-08-17

Version: 1.1 (Geoblocked launch)

Contact (Privacy): [email protected]

Security (Incidents/Vulns): [email protected]

Data Protection Officer (if required): [email protected]

        Important – Geographic Availability. At launch, the Service is not offered to individuals located in the European Economic Area (EEA) or the United Kingdom. If you are located in the EEA or the UK, you must not use the Service. We implement app-store regional settings and IP-based controls to geoblock those regions. We will update this Policy (and designate EU/UK representatives and notices) if/when the Service becomes available there.
    

Quick Summary

We collect account, preference, usage, and health/wellness data you provide to deliver the Service.
Certain features use AI, including third‑party services (OpenAI) and on‑device models. We minimize data sent to providers and do not allow training of third‑party foundation models on your data under our enterprise terms.
You can access, correct, export, and delete your data. California, Canada, Australia (and some other jurisdictions) provide additional rights, detailed below.
We may transfer data internationally with appropriate safeguards; see Sections 7–9.

1. Introduction and Scope

This Privacy Policy explains how VITALITY ("VITALITY," "we," "us") collects, uses, discloses, and protects personal data when you use our web (PWA), iOS, and Android applications and related services (the "Service"). By using the Service, you agree to this Policy. If you do not agree, please do not use the Service.

1.1 Controller and Contact Details

For privacy matters, contact [email protected].

Controller: [Insert full legal company name and registered address].

(We will update this section with full corporate details prior to public release.)

1.2 Territorial Scope and Geoblocking

The Service is offered only to individuals outside the EEA and the United Kingdom. If we detect access from the EEA/UK, we may block access and/or delete any inadvertently collected data after addressing security and fraud-prevention needs.

2. Information We Collect

2.1 Information You Provide

Identity Data: email address, name, and account credentials.
Profile Data: age (18+ required), height, weight, target weight, goals, dietary preferences, units, theme, onboarding status.
Health & Wellness Data (may be considered sensitive): nutrition entries, exercise logs, body measurements, and health metrics.
Images (optional): food photos for analysis (Pro tier).

2.2 Information Collected Automatically

Behavioral & Usage Data: feature usage, search queries, interaction events, preferences.
Technical Data: device type, OS/app version, performance metrics, crash logs, IP address.

2.3 Information from Third Parties

App Stores (Apple/Google): purchase and subscription status.
Backend/Authentication (Supabase): account and session metadata.

3. How We Use Your Information

We use personal data to:

Provide, operate, and personalize the Service (including health/wellness features).
Perform analytics, maintain security, and prevent fraud/abuse.
Offer AI‑powered insights and recommendations (see Section 6).
Provide customer support and communicate about the Service.
Comply with legal obligations and enforce our Terms.

4. Special Category / Sensitive Data (Health Data)

We treat health/wellness entries and measurements as sensitive. We process such data only as necessary to provide the Service and with your consent where required by applicable law. You may withdraw consent in settings; withdrawal may limit functionality and does not affect prior lawful processing.

5. Children's Privacy

The Service is intended for users 18 and older. We do not knowingly collect personal data from children under 18. If you believe a child has provided data, contact us to delete the account and associated data.

6. AI and Automated Processing

6.1 Overview

The Service uses AI to analyze nutrition data, summarize meals, and assist discovery. AI outputs are estimates and may be inaccurate.

6.2 Providers and Modalities

OpenAI services: models from the GPT‑4 and GPT-5 family (e.g., text and image analysis). Data may be processed in the U.S. or other regions per provider terms.
On‑Device Models: e.g., Local semantic search models; data for these features does not leave your device.

6.3 Data Handling & Training

We minimize data sent to AI providers and transmit it with encryption. Under our current enterprise terms, OpenAI does not use submitted data to train its foundation models for our account. We do not permit third‑party providers to use your data for their own advertising.

6.4 Your Choices and Rights

Where automated processing could have significant effects, you may request human review (see Section 11). You can disable optional AI features in settings where offered.

6.5 OpenAI Policy References and Consent

Some AI features are powered by OpenAI. By using these features, you acknowledge OpenAI’s Usage Policies, Service Terms, and Privacy Policy may apply to the processing of your inputs for those features. You consent to such processing consistent with those policies and this Privacy Policy.

7. Information Sharing and Disclosure

We do not sell personal information. We share data with:

Service Providers/Processors: to operate and support the Service under contractual safeguards.
Supabase: database, authentication, storage, and edge functions (regional deployment subject to our configuration).
RevenueCat: subscription and billing status for mobile platforms.
OpenAI: AI processing as described in Section 6.
App Stores (Apple/Google): distribution and billing.

We may disclose information to comply with law, respond to lawful requests, protect safety, and enforce our rights. In a merger, acquisition, or asset sale, data may be transferred subject to this Policy.

Subprocessors List. We maintain a current list of key subprocessors (including locations and purposes) and will make it available upon request.

8. International Data Transfers

We may transfer personal data internationally, including to the United States. We implement appropriate safeguards (e.g., contractual and technical measures) and comply with applicable transfer rules in the regions where the Service is offered. Regional transfer frameworks for the EEA/UK are not applicable at launch (see Annex D – Reserved).

8.1 Third‑Party Links and Services Disclaimer

The Service may include links to third‑party websites, apps, or services, and may integrate third‑party modules or SDKs. We are not responsible for the content, security, or privacy practices of third parties. Your use of third‑party resources is governed by their terms and privacy policies.

9. Data Security

We use administrative, technical, and organizational measures to protect data, including encryption in transit and at rest, access controls, and monitoring. No system is 100% secure; we maintain incident response procedures.

10. Data Retention

We retain personal data only as long as necessary for the purposes described or as required by law. Indicative periods:

Account & Profile Data: for the life of the account plus a limited period after deletion.
Health & Wellness Data: user‑controlled; deleted upon account deletion subject to legal retention.
Usage/Telemetry: typically up to 2 years; security logs up to 3 years.

Actual retention may vary based on legal, security, and operational needs.

11. Your Rights and Choices

11.1 General

Depending on your jurisdiction, you may have rights to access, correct, delete, or port your data; to restrict or object to certain processing; and to withdraw consent where processing relies on consent. Submit requests to [email protected]. We will verify requests and respond as required by law.

11.2 California Residents (CCPA/CPRA)

Rights: know/access, delete, correct, and non‑discrimination.
Sale/Share: We do not sell or share personal information as defined by CPRA. We honor applicable opt‑out rights.
Sensitive Personal Information: used only for limited, permitted purposes (e.g., to provide the Service) and not for inferring characteristics beyond those purposes.
Authorized Agents & Verification: We verify identity and accept authorized agent requests per law.

11.3 Canada (PIPEDA) and Australia (APPs)

You may request access to and correction of personal information and raise complaints with local authorities. We will explain our process and timelines when you contact us.

11.4 EEA & United Kingdom (Reserved)

At launch, the Service is not offered in the EEA/UK. If/when we expand, we will publish region‑specific notices, designate representatives, and describe GDPR/UK GDPR rights (access, rectification, erasure, restriction, objection, portability, withdrawal of consent, complaint to authorities).

12. Cookies and Similar Technologies

We may use cookies and similar technologies to operate the Service, remember preferences, and measure performance. Where required, we will request consent. You can manage cookies in your browser or device settings. A detailed Cookie/Tracking Policy may be provided separately.

13. Communications and Marketing

We may send administrative messages (e.g., security, service updates). Marketing communications are sent with consent where required; you may opt out via unsubscribe links or settings.

14. Changes to This Policy

We may update this Policy. When we make material changes, we will notify you via the App or email and update the "Last Updated" date. Your continued use after the effective date constitutes acceptance.

14.1 No Affiliation with OpenAI or ChatGPT

We are an independent company and are not affiliated with, endorsed by, or sponsored by OpenAI or its ChatGPT service. References to OpenAI or ChatGPT are for identification only. All trademarks are the property of their respective owners.

15. Contact Us

Privacy inquiries and rights requests: [email protected]

Security and incident reports: [email protected]

Data Protection Officer (if required): [email protected]

Annexes

Annex A – California (CCPA/CPRA)

Categories Collected: identifiers (email, device IDs), personal information categories (health entries you submit), internet activity (usage), commercial information (subscription status), inferences (AI recommendations), and approximate geolocation (IP‑based).

Purposes: service provisioning, billing, security, analytics, support, improvements.

Sharing/Sale: service providers only; no sale/share as defined by CPRA.

Rights: know/access, delete, correct, opt‑out of sale/share (not applicable), non‑discrimination.

Annex B – Canada (PIPEDA)

Consent: meaningful consent for collection, use, and disclosure.

Access/Correction: available upon request; identity verification required.

Transfers: contractual and technical safeguards for cross‑border processing.

Annex C – Australia (Privacy Act 1988)

Compliance with the Australian Privacy Principles (APPs).

Notifiable Data Breaches scheme: we will notify affected users and the OAIC where required.

Annex D – EEA/UK (Reserved)

Reserved for region‑specific notices applicable when the Service becomes available in the EEA or the UK (including designation of EU/UK data protection representatives and local transfer frameworks).