Privacy Policy

Effective date: May 30, 2026 · Version 1.0

The short version: VITALUS does not sell your data. We do not show ads. We do not share your personal information with third parties for advertising or marketing. We do not use your personal data to train AI models. Your data exists to serve you. The full legal detail follows below.

Contents

Who We Are (Data Controller)
Scope of This Policy
What Data We Collect
Legal Basis for Processing
How We Use Your Data
AI Processing (Vick)
Data Storage and Security
Data Retention
Sub-Processors and Third Parties
International Data Transfers
Automated Decisions and Profiling
Your Rights
Data Breach Notification
Children
Cookies and Website
Changes to This Policy
Contact and Complaints

1. Who We Are (Data Controller)

VITALUS is a personal life-tracking application and the website vitalus.health (together, the "Service"), operated by [Your Full Name], [Street and Number], [Postal Code and City], Germany ("we", "us", "our"). We are the data controller within the meaning of Article 4(7) of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

You can reach us regarding any privacy matter at: vitalus.app@proton.me. We have not appointed a Data Protection Officer because we are not legally required to do so under Art. 37 GDPR; the operator named above is responsible for all data protection matters.

2. Scope of This Policy

This policy applies to all personal data we process when you visit vitalus.health, join our waitlist, create a VITALUS account, or use the VITALUS application. It does not apply to third-party services that you may access through links, or to the Google Play Store, which is governed by Google's own privacy policy.

3. What Data We Collect

We practice data minimisation (Art. 5(1)(c) GDPR): we collect only what is necessary to provide the Service. The categories are:

Category	Examples	Source
Account data	Display name, email address, hashed password / authentication token	You, at sign-up
Health & wellness data (special category, Art. 9 GDPR)	Body weight, height, calorie intake, sleep duration and quality, water intake, stress level, mood, workouts, habits, step count	You, when tracking
Financial data	Manually entered expense names, amounts, categories, savings goals	You, when tracking
Journal data	Free-text journal entries and reflections	You, when writing
Voice-derived text (optional)	Text transcribed on your device from voice commands to Vick	You, when using Vick
Technical data	App version, operating system version, device model, anonymised crash logs	Automatic
Waitlist data	Email address	You, on the website

We do not collect: your precise location (GPS), your device advertising identifier, your contacts, your photos (unless you explicitly attach one), your IP address for tracking purposes, or any biometric identifiers.

4. Legal Basis for Processing

Every processing activity has a legal basis under Art. 6 and, for special category data, Art. 9 GDPR:

Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)): for all health, wellness, mood and journal data. We obtain this consent through a clear, affirmative action during onboarding. You may withdraw it at any time.
Performance of a contract (Art. 6(1)(b)): for account data and the core functionality you signed up for, including processing your Premium subscription.
Legitimate interests (Art. 6(1)(f)): for anonymised crash reports and aggregate stability metrics needed to keep the app working. We have weighed these interests against your rights and limited the data to the minimum.
Consent (Art. 6(1)(a)): for adding your email to the waitlist.

5. How We Use Your Data

We use your data exclusively to:

Calculate your Life Score, activity rings, streaks and progress metrics
Generate personalised insights through Vick when you use it
Display your history, trends and charts back to you
Send notifications, only if you opted in
Process and manage your Premium subscription
Maintain the security and stability of the Service
Respond to your support and data-rights requests

We will never use your data for advertising, for profiling on behalf of third parties, for sale to data brokers, or to train artificial intelligence models on your personal content.

6. AI Processing (Vick)

Vick is an optional AI assistant powered by the Claude API provided by Anthropic PBC. When you actively use Vick online:

Your typed or transcribed text query, together with limited relevant context (such as recent tracked figures needed to answer), is transmitted to Anthropic's API to generate a response.
Per Anthropic's commercial API terms, your inputs and outputs are not used to train Anthropic's models.
Anthropic may retain API inputs and outputs for a limited period (up to 30 days) for trust-and-safety purposes, after which they are deleted, unless a longer retention is legally required.
No audio recording is transmitted; speech is converted to text on your device first.

You can use VITALUS fully without Vick. In offline mode, Vick uses only on-device pattern matching, and no data leaves your phone.

7. Data Storage and Security

Your data is stored in two layers:

On your device: all tracking data is written first to encrypted local storage. The app functions offline; a connection is needed only for sync, Vick and Premium.
On our servers: if you create an account, data is synced to Supabase (PostgreSQL with Row-Level Security, so each account can access only its own rows). Data in transit is protected with TLS; data at rest is encrypted with AES-256.

Passwords are never stored in plain text; authentication uses industry-standard hashing and signed tokens. We apply the principle of least privilege to all administrative access, and we maintain reasonable technical and organisational measures appropriate to the risk, as required by Art. 32 GDPR.

8. Data Retention

Free accounts: the last 7 days of history are shown in the app. Older entries remain stored under your account but are not displayed until you upgrade.
Premium accounts: full history is retained while your account is active.
Account deletion: when you delete your account, all personal data is permanently erased from our active systems within 30 days, and from encrypted backups within a further 90 days.
Waitlist email: retained until you unsubscribe or the waitlist purpose ends, whichever is first.
Legal retention: where law requires us to keep certain records (e.g. tax records relating to a purchase), we retain only those records for the legally mandated period.

9. Sub-Processors and Third Parties

We share data with the minimum number of processors needed to operate, each bound by a Data Processing Agreement under Art. 28 GDPR:

Processor	Purpose	Data shared
Supabase Inc.	Database hosting, authentication, sync	Account & tracked data (encrypted)
Anthropic PBC	AI responses for Vick	Text query & minimal context, only when you use Vick
Google LLC / Google Ireland Ltd.	App distribution & subscription billing	Purchase & payment data (we never see card numbers)
Netlify Inc.	Website hosting & waitlist form	Waitlist email address

We do not share your data with any other parties. We will only ever disclose data to authorities where we are legally compelled to do so by a valid legal order, and we will resist over-broad requests to the extent the law allows.

10. International Data Transfers

Some of our processors are based in or operate from the United States. Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures, to ensure your data receives a level of protection essentially equivalent to that guaranteed within the EU, in line with Art. 46 GDPR. You may request a copy of the relevant safeguards by contacting us.

11. Automated Decisions and Profiling

VITALUS calculates a "Life Score" and generates insights from your data. This is a convenience feature presented to you for your own use; it does not produce any legal or similarly significant effect on you within the meaning of Art. 22 GDPR. We do not make automated decisions that have legal consequences for you, and we do not profile you for advertising. Vick's suggestions are informational only and are never used to make decisions about you.

12. Your Rights

As a data subject you have the following rights, which we honour free of charge and within one month (Art. 12(3) GDPR):

Access (Art. 15): obtain confirmation and a copy of your data.
Rectification (Art. 16): correct inaccurate or incomplete data.
Erasure (Art. 17): have your data deleted ("right to be forgotten").
Restriction (Art. 18): restrict processing in certain circumstances.
Data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (available in-app under Settings → Export my data, as JSON or CSV).
Objection (Art. 21): object to processing based on legitimate interests.
Withdraw consent (Art. 7(3)): withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
Not be subject to automated decision-making (Art. 22): as described in section 11, we do not carry out such decision-making.

To exercise any right, email vitalus.app@proton.me with the subject "Data Rights Request". We may need to verify your identity before acting, to protect your data.

13. Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, as required by Art. 33 GDPR, and we will inform affected users without undue delay where the breach is likely to result in a high risk, as required by Art. 34 GDPR.

14. Children

VITALUS is not directed at and not intended for persons under 16 years of age. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected such data without the consent of a holder of parental responsibility, we will delete it promptly. If you believe a child has provided us data, contact us.

15. Cookies and Website

The website vitalus.health does not use tracking cookies, advertising cookies, Google Analytics, or any third-party analytics. Fonts are self-hosted on our own servers and are not loaded from Google, so no data is transmitted to Google when you visit. The only personal data collected through the website is the email address you voluntarily submit to join the waitlist. No cookies are set for tracking purposes.

16. Changes to This Policy

We may update this policy to reflect changes in the Service or the law. If we make material changes, we will notify you in the app or by email before they take effect. The version number and effective date at the top reflect the current revision. Continued use after the effective date constitutes acknowledgement of the updated policy.

17. Contact and Complaints

For any privacy question or to exercise your rights, contact us at vitalus.app@proton.me.

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your residence or place of the alleged infringement. The authority competent for the operator is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf, Germany
Website: www.ldi.nrw.de

Data Controller
VITALUS · [Your Full Name]
[Street and Number]
[Postal Code and City], Germany
Email: vitalus.app@proton.me