Privacy Policy
Effective April 19, 2026 · Replaces all prior versions
Questions? privacy@vitalehealth.co
The short version
- We collect only what we need to personalize your GLP-1 journey.
- Your health data is never sold or shared with advertisers.
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- You can export or delete your data at any time.
- AI features use your health context only to serve you — not to train models.
1. Who We Are
Vitalé Health, LLC ("Vitalé," "we," "us") operates the vitalehealth.co platform and related mobile and messaging services. We are the data controller for all personal information collected through our services.
We are a health and wellness coaching platform — not a covered entity or business associate under HIPAA. However, we voluntarily apply HIPAA-equivalent security standards to all health data because you deserve that level of protection.
2. Information We Collect
2a. Information you provide directly
- Identity: Full name, preferred name, email address, phone number
- Health profile: GLP-1 medication type, dose, and duration; primary health goals; dietary restrictions and allergies; reported side effects; current weight; activity level
- Food & nutrition logs: Meals you log (photos, voice recordings, or text), portion data, hydration logs, supplement stack
- Check-in responses: Mood, energy, symptom, and progress data submitted through coaching check-ins
- Recipes & meal plans: Recipes you save, import, or create; weekly plans you build
- Payment information: Processed entirely by Stripe, Inc. — we never store, transmit, or access card numbers, bank accounts, or CVV codes
2b. Information collected automatically
- Session data: Login timestamps, authentication tokens (JWT), session duration
- Device & browser: IP address, browser type and version, operating system, screen resolution (used only for debugging and security monitoring — never for fingerprinting)
- Feature usage: Which tabs you visit, features you use, chat interactions (stored for coaching continuity)
- Error logs: Crash reports and API errors (stripped of PII before storage)
2c. Information we do NOT collect
- Social Security Numbers or government ID numbers
- Precise GPS location (we never request location permissions)
- Biometric data (fingerprints, facial recognition)
- Medical records or clinical diagnoses from healthcare providers
- Information from minors (our service is 18+)
3. How We Use Your Information
We use your information only for the following purposes:
- Service delivery: Generate personalized meal plans, coaching check-ins, recipe recommendations, and GLP-1 lifestyle guidance
- AI personalization: Provide context to our AI models (Claude by Anthropic) so responses are relevant to your health profile, goals, and current medication stage
- Progress tracking: Store weight, nutrition, hydration, and symptom data so you can review trends over time
- Communications: Send transactional emails (receipts, password resets) and SMS coaching messages if you opt in
- Billing: Process subscription payments, handle upgrades/downgrades, and send billing receipts via Stripe
- Security: Detect and prevent fraud, unauthorized access, and abuse of our platform
- Service improvement: Analyze anonymized, aggregated usage patterns to improve our product (never individual health profiles)
- Legal compliance: Respond to lawful requests from regulatory authorities or law enforcement as required
We do not and will never:
- Sell your personal or health information to any third party
- Share your health data with insurance companies, employers, or pharmaceutical companies
- Use your data for targeted advertising or behavioral profiling for ad networks
- Use your conversations or health data to train AI models without your explicit opt-in consent
4. AI Processing & Third-Party Models
Vitalé uses Claude (developed by Anthropic, PBC) to power personalized coaching conversations, meal planning, and recipe recommendations. When you interact with AI features, relevant portions of your health profile and session context are transmitted to Anthropic's API to generate a response.
What Anthropic receives: Your health profile fields (medication, goals, restrictions), recent conversation history, and nutrition data for the current session. Anthropic's privacy policy governs its handling of this data. Anthropic does not train on API request data by default.
What Anthropic does not receive: Your name, email, phone number, payment information, or any directly identifying information. We transmit context with first names only and never include account credentials.
Pexels: Food and recipe images are fetched from Pexels using search queries describing dishes (e.g., "grilled salmon overhead"). No personal data is sent to Pexels.
Stripe: Payment processing. Stripe is PCI-DSS Level 1 compliant. We receive only a customer token and subscription status — never card details.
Twilio: SMS coaching delivery if you opt in to text messaging. Your phone number and message content are transmitted to Twilio. Twilio is SOC 2 Type II certified.
Resend: Transactional email delivery (receipts, password resets). Your email address is transmitted to Resend for delivery only.
5. Data Security
We implement layered security controls modeled on SOC 2 Type II and HIPAA Security Rule standards:
Infrastructure
- Encryption in transit: TLS 1.2 minimum on all connections; HSTS enforced with 1-year max-age
- Encryption at rest: AES-256 encryption on all database storage (Supabase / AWS RDS)
- Database access: Row-Level Security (RLS) policies enforce that authenticated users can only access their own data — enforced at the database layer, not just application code
- API authentication: All member-scoped API endpoints require a valid JWT session token and verify that the requested resource belongs to the authenticated user
- Admin access: Administrative endpoints require separate admin-role authentication; admin operations are logged
- Webhook security: Stripe webhooks verified via HMAC-SHA256 signature with replay-attack prevention (5-minute window)
Application
- Security headers: X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Content-Security-Policy, Strict-Transport-Security, Referrer-Policy, and Permissions-Policy enforced on all responses
- Rate limiting: API endpoints are rate-limited per authenticated user to prevent abuse and credential stuffing
- Input validation: All user-supplied inputs are validated and sanitized before processing or storage
- Error handling: Internal error details are logged server-side only; generic messages are returned to clients
Operational
- Production secrets (API keys, database credentials) are stored in environment secret management — never in source code or version control
- Access to production systems is restricted to authorized personnel and logged
- Dependency vulnerabilities are monitored and patched on a rolling basis
No system is 100% secure. If you discover a security vulnerability, please report it responsibly to security@vitalehealth.co. We will acknowledge your report within 48 hours.
6. Cookies & Local Storage
We use the following:
- Authentication cookies: Supabase session tokens that keep you logged in. These are essential and cannot be disabled without breaking the service.
- Preference storage: Local browser storage may store UI preferences (e.g., active tab). No personal health data is stored in the browser.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies (e.g., Google Analytics). We do not participate in any ad networks or cross-site tracking.
7. Your Rights
Regardless of where you live, you have the following rights with respect to your personal information. California residents have additional rights under CCPA/CPRA. EU/UK residents have rights under GDPR/UK GDPR.
- Access: Request a copy of all personal data we hold about you, including your health profile, nutrition logs, chat history, and account information
- Correction: Request correction of inaccurate or incomplete data
- Deletion ("Right to be Forgotten"): Request permanent deletion of your account and all associated data. We will complete deletion within 30 days.
- Portability: Export your data in a machine-readable format (JSON or CSV)
- Restriction: Request that we limit processing of your data in certain circumstances
- Objection: Object to processing based on legitimate interests
- Opt-out of AI training: Your data is not used for AI training by default. No opt-out required.
- Opt-out of SMS: Reply STOP at any time to stop SMS messages, or update your preference in Account Settings
To exercise any of these rights, email privacy@vitalehealth.co with your request. We will respond within 30 days (or 45 days for complex requests with written notice).
We will never discriminate against you for exercising privacy rights.
8. Data Retention
- Active accounts: All data retained for the duration of your membership
- After cancellation: We retain your data for 90 days in case you reactivate, then permanently delete it — unless you request earlier deletion
- Financial records: Transaction records retained for 7 years as required by financial regulations (name, amount, date only — no card data)
- Security logs: Authentication and access logs retained for 90 days for security monitoring, then deleted
- Deleted accounts: All personal and health data is permanently deleted within 30 days of an account deletion request. Backups containing your data are purged within 90 days.
9. Data Sharing & Disclosure
We share your information only in the following limited circumstances:
- Service providers: Anthropic (AI), Supabase (database), Stripe (payments), Twilio (SMS), Resend (email), Vercel (hosting), Pexels (images). Each is bound by a data processing agreement and may only process data on our behalf.
- Legal requirements: When required by law, court order, or governmental authority — only to the extent legally required and with notice to you where possible
- Safety: If we have a good-faith belief that disclosure is necessary to prevent imminent harm to you or others
- Business transfer: In the event of a merger, acquisition, or sale of substantially all assets, your data may transfer to the acquiring entity under equivalent privacy protections. We will notify you at least 30 days in advance.
10. International Data Transfers
Vitalé is based in the United States. If you access our services from the European Economic Area, United Kingdom, or other regions with data protection laws, your information may be transferred to and processed in the United States.
We rely on Standard Contractual Clauses (SCCs) and/or adequacy decisions for transfers from the EEA/UK. Our service providers (Anthropic, Supabase, Stripe, Twilio) maintain appropriate transfer mechanisms.
11. California Privacy Rights (CCPA / CPRA)
California residents have the following additional rights under the California Consumer Privacy Act:
- Know: The categories and specific pieces of personal information we collect
- Delete: Request deletion of your personal information
- Opt-out of sale: We do not sell personal information. No opt-out required.
- Non-discrimination: We will not discriminate against you for exercising CCPA rights
- Sensitive data: Health data is treated as sensitive personal information under CPRA. We use it only to provide the service.
To submit a verifiable California privacy request, email privacy@vitalehealth.co.
12. Children's Privacy
Vitalé is intended for adults 18 and older. We do not knowingly collect personal information from anyone under 18. If we learn we have collected data from a minor, we will delete it immediately. If you believe a minor has submitted information, please contact privacy@vitalehealth.co.
13. SMS Messaging
If you provide your phone number and opt in to SMS coaching:
- Message frequency varies based on your coaching plan (typically 1–3 per day)
- Standard message and data rates may apply
- Reply STOP to unsubscribe at any time
- Reply HELP for support
- Messages are sent via Twilio and contain no advertising content
14. Changes to This Policy
We will notify you of material changes to this policy at least 14 days before they take effect — via email and via a notice in the app. Continued use of Vitalé after the effective date constitutes acceptance of the updated policy. The most current version is always available at vitalehealth.co/privacy.
Non-material changes (clarifications, typo fixes, formatting) may be made without notice and will be reflected by updating the effective date.
15. Contact & Data Protection Officer
For privacy inquiries, data requests, or to report a security concern:
Privacy: privacy@vitalehealth.co
Security disclosures: security@vitalehealth.co
General support: hello@vitalehealth.co
Vitalé Health, LLC
If you are an EU/UK resident and believe we have not adequately addressed your privacy concern, you have the right to lodge a complaint with your local supervisory authority.