Vitality Privacy Policy
Last updated: July 14, 2026 · Status: founding beta
Vitality (the trade name of the operating company currently being formed — the legal entity name will be inserted here upon formation; “Vitality”, “we”, “us”) is a personal data vault: you connect accounts you own (like a WHOOP wearable), we keep a fresh copy of that data in a vault only you can open, and we serve it back to you through one read-only key or an AI connector. This policy says exactly what we collect, why, where it lives, and what your rights are — in plain words first, because you should not need a lawyer to know what happens to your health data.
The short version
- We collect your account email, the health data from devices you choose to connect, and billing status.
- Your data is served to exactly one party: you (via your key and connectors you set up).
- We never sell your data. We never share it for advertising. There is no ad tech here at all.
- Member data is isolated at the database level — the database itself refuses to serve one member’s rows to another.
- You can disconnect a device, kill your key, or ask us to delete everything, at any time.
1. What we collect
- Account data. Your email address and name, received from Google when you sign in. We do not see or store your Google password.
- Health and wellness data you connect. When you connect a device provider (for example WHOOP), we import and store the data that provider makes available for your account: sleep, recovery/readiness, workouts, daily activity, and body measurements (height, weight, max heart rate), plus your name/email as the provider reports it. We only receive read access, and only after you approve the connection on the provider’s own login page. We never see your provider password.
- Connection credentials. The provider issues us access tokens for your account. We store them encrypted (AES-256-GCM) and use them only to refresh your data.
- Billing data. Payments are processed by Stripe. We store your subscription status and Stripe customer reference. Your card number never touches our servers.
- Technical logs. We log events like “this key read the sleep shelf at this time” — who, what, when. Log entries do not contain the health values themselves.
- Support messages. If you email us, we keep the thread so we can help you.
2. What we use it for
- Running the service you pay for: keeping your vault fresh and serving it back to you.
- Operating, debugging, and securing the pipes (the technical logs exist for this).
- Billing and account management.
- Responding when you contact us.
That is the whole list. We do not use your data for advertising, we do not build profiles for third parties, we do not train AI models on your data, and we never sell personal data — including consumer health data — to anyone.
3. Who your data is shared with
No one, except the infrastructure that runs the service (our “processors”), and any consumer you point your own key at:
- Supabase — our database and authentication infrastructure (this is where your vault lives).
- Vercel — application hosting.
- Stripe — payments.
- Google — sign-in.
- Sentry — error monitoring (receives technical error reports, not your health values).
- Whatever you connect your key to. If you paste your key into Claude, ChatGPT, a dashboard you built, or any other tool, that tool receives your data because you directed it there. That sharing is under your control, governed by that tool’s terms — revoke your key at any time to cut it off everywhere at once.
We may also disclose data if the law genuinely compels us to, and we will tell you it happened unless we are legally barred from doing so.
4. Consumer health data (Washington My Health My Data Act and similar laws)
The health data described in Section 1 is “consumer health data.” We collect it only with your explicit consent — the act of connecting a provider on its own consent screen — and use it only for the purposes in Section 2. We do not sell consumer health data, we do not share it for advertising, and we do not use geofencing. You may withdraw consent at any time by disconnecting the provider (which deletes our copies of its access tokens and purges the data we synced from it) and may request deletion of any remaining data as described in Section 7.
5. Where your data lives and how it is protected
- Data is processed on Supabase and Vercel infrastructure in the United States. If you use Vitality from the EU/UK, you consent to this transfer; formal transfer mechanisms will be finalized with counsel as the company completes formation.
- Provider tokens are encrypted at rest (AES-256-GCM). All traffic is encrypted in transit (TLS).
- Your Vitality key is never stored — only its fingerprint (SHA-256 hash). It is shown to you once; even we cannot read it back.
- Member isolation is enforced by the database itself (row-level security): every read runs as you, and the database refuses to return another member’s rows.
- If a breach affecting your personal data ever occurs, we will notify you and regulators as applicable law requires.
No system on earth can honestly promise perfection, and we will never use the words “100% secure.” What we promise is the architecture above, maintained as the core of the product.
6. How long we keep it
- Vault data: for as long as your account is active and the provider stays connected.
- Provider tokens: deleted when you disconnect the provider.
- Synced data: when you disconnect a provider, the data we synced from it is purged from your vault along with the tokens.
- Revoked keys: only the fingerprint remains, marked revoked.
- On account deletion (Section 7): vault data is deleted, and residual copies in infrastructure backups purge within a commercially reasonable period (typically ~30 days).
- Billing records: kept as long as tax and accounting law requires.
7. Your rights
- Access & portability — built into the product: your key returns every field we hold, in clean machine-readable JSON, any time you want. That is the product.
- Withdraw consent — disconnect any provider; its tokens and everything we synced from it are deleted immediately.
- Cut off downstream access — revoke or regenerate your key; every copy dies the same second.
- Deletion — email usevitality.support@gmail.com from your account email and we will delete your account and vault within 30 days, confirming when done.
- Correction — your health data mirrors your provider; correct it at the source and the vault follows. Account details can be corrected on request.
- Complaint — EU/UK/Washington and other residents may also complain to their local supervisory authority; we would rather you email us first so we can fix it.
We respond to rights requests within 30 days and do not discriminate against you for exercising them.
8. What Vitality is not
- Not a medical service: Vitality is not a healthcare provider, your data here is consumer wellness data, and we are not a HIPAA covered entity.
- Not for children: Vitality is for adults 18 and older. We do not knowingly collect children’s data; if you believe a minor has an account, contact us and we will delete it.
- Not an advertising business: there are no trackers, no ad pixels, and no data brokers here.
9. Changes to this policy
If we change this policy in any meaningful way, we will post the new version here with a new date and email active members before it takes effect. Quiet edits to substance are not how we operate.
10. Contact
usevitality.support@gmail.com — a founder reads every message.