Back to Home

Vitalize — Privacy Policy

Effective date: 9.9.2025
Who we are: BetterVue e.U., Sobieskigasse 25/24, 1090 Vienna, Austria ("Vitalize", "we", "us"). We are the data controller for personal data processed in/through the Vitalize mobile app and our website.

This policy explains what we collect, how we use it, and your rights. We designed Vitalize to be privacy-first: most health-related data lives only on your device.

1) What we collect & where it lives

A. Stored locally on your device (never leaves unless you export/sync)

  • Food diary entries & meal descriptions
  • Daily gut scores and sub-scores
  • Feelings check-ins (e.g., energy, mood, sleep, focus 1–5)
  • Water intake & hydration
  • Correlation analyses and insights
  • Personal goals, preferences, onboarding answers
  • Historical tracking data (e.g., 60+ days)
  • App preferences, cached AI tips

Security: data encrypted at rest (AES-256). Keys stored in iOS Keychain/Android Keystore; device crypto used as fallback.

B. Sent to our backend AI meal analysis (minimal, purpose-limited)

Sent: short meal text (e.g., "Greek yogurt with berries"), portion size, meal timing, optional demographic context (age range, dietary preference, goals).

Not sent: identity, feelings/mood data, historic health logs, correlation results, per-food scores.

Purpose: generate gut-health scoring and short coaching suggestions.

Processing location: Azure OpenAI deployed in EU region; prompts/outputs not used to train foundation models; private networking enforced. All data processing and storage occurs within the EU.

C. Third-party services we use (as processors)

Firebase (Google)

  • Auth: anonymous ID (or Apple/Google sign-in), timestamps.
  • Crashlytics: crash reports, device model/OS, app version (no health content).
  • Firestore: anonymous user ID, subscription plan/entitlements, free-tier usage counters, last active timestamp. No health/feelings data.
  • Analytics: disabled by default.

Other Services

  • RevenueCat: subscription status, purchase receipt validation, product entitlements, expiration dates (linked to anonymous app/user IDs; not your Apple ID).
  • Apple App Store / Play Billing: payment processing & subscription management.
  • Device fingerprint (abuse prevention): device model/OS, screen size, locale/timezone, iOS Vendor ID (anonymized/hashed). Stored locally; used only to enforce free-tier limits.

A current list of sub-processors and regions is available on request.

2) Why we use your data (lawful bases)

  • Provide the app & features (performance of contract): account, subscription status, core functionality.
  • Privacy-first wellness insights (your consent): optional AI meal analysis; optional integrations (e.g., Apple Health/WHOOP).
  • Security & abuse prevention (legitimate interests): crash diagnostics, device fingerprint to prevent free-tier abuse, service protection.
  • Legal compliance: tax/audit/payment records via app stores.

You can withdraw consent in Settings at any time; this doesn't affect prior processing.

3) Integrations (off by default)

Apple Health / WHOOP (coming soon): if enabled, we read selected metrics (e.g., HRV, resting HR, sleep quality) to compute correlations. Continuous metrics use Pearson correlation; subjective ratings use Spearman. We never write data back. You can revoke access in iOS Health settings/WHOOP.

Cloud backup/export (optional): if you export to iCloud/Drive or email, that copy is outside our control and governed by that provider.

4) Data retention

Specific Retention Periods

Account Data

Data collected: Email address, account preferences, subscription status

Retention period: Until account deletion or 3 years after last activity

Payment Data

Data collected: Transaction IDs, subscription details (payment details are processed by RevenueCat/Apple/Google)

Retention period: 7 years for tax/accounting purposes

Health & Wellness Content

Data collected: Food diary entries, gut scores, wellness check-ins, personal insights

Retention period: Until you delete the content or close your account

Technical Data

Data collected: Device identifiers, IP addresses, app usage logs, crash reports

Retention period: 1 year for logs, crash reports deleted after 90 days

  • On-device data: stays until you delete it or uninstall the app.
  • AI meal analysis: meal text is processed to return a response; we do not store meal texts beyond transient processing and operational logs.

5) Your rights (GDPR/EEA & UK)

You have the following rights under the GDPR:

  • Art. 15 GDPR: Access to your personal data and related information
  • Art. 16 GDPR: Correction of inaccurate or incomplete data
  • Art. 17 GDPR: Deletion of your data ("Right to be forgotten")
  • Art. 18 GDPR: Restriction of processing under certain conditions
  • Art. 19 GDPR: Notification to third parties if your data has been corrected or deleted
  • Art. 20 GDPR: Right to data portability
  • Art. 7(3) GDPR: Right to withdraw your consent at any time
  • Art. 77 GDPR: Right to file a complaint with a supervisory authority

How to Exercise Your Rights

To exercise any of these rights, contact us at support@getvitalize.app with your request. Please include:

  • Your full name and email address
  • Specific right you wish to exercise
  • Any relevant details about your request

Response time: We will respond within one month of receiving your request. In complex cases, we may extend this by up to two months.

Cost: Exercising your rights is free of charge, unless your request is manifestly unfounded or excessive.

Right to Object (Art. 21 GDPR)

You may object at any time to the processing of your data based on legitimate interests (Art. 6 (1)(f) GDPR) if your situation justifies it.

If your data is processed for direct marketing purposes, you can object at any time. After objection, we will no longer process your data for these purposes.

You may complain to your local authority; in Austria: Datenschutzbehörde (dsb.gv.at).

6) U.S. state privacy (CCPA/CPRA and similar)

We do not sell or share personal information for cross-context behavioral advertising. California and other state residents can request access/deletion and learn more by contacting support@getvitalize.app.

6A) No Sale, No Ads Policy

We do not sell your personal data. We do not use advertising trackers and do not serve personalized ads within our App.

We do not run marketing analytics. We use crash reporting only to maintain and improve App stability.

7) Security

AES-256 at rest (local), Keychain/Keystore for keys, TLS for all network traffic, optional certificate pinning, least-privilege access, monitoring and incident response.

8) Children

Our Service is intended for users aged 18 and above. We do not knowingly collect personal data from anyone under 18 years of age.

If you become aware that a child has provided us with personal data, please contact us at support@getvitalize.app and we will take steps to remove such information.

9) Data processing and storage location

EU-Only Processing: All personal data processing and storage occurs exclusively within the European Union. We do not transfer personal data outside the EU/EEA.

Our infrastructure and all service providers are located within the EU to ensure your data remains under European data protection standards at all times.

10) Updates to this Privacy Policy

We may update this Privacy Policy as necessary to reflect changes in law or our services. The current version is always accessible in the App and/or on our website.

For material changes, we will notify you via in-app notice or email before the changes take effect.

11) Contact

If you have any questions about this Privacy Policy or how we handle your personal data, you can contact us at:

Email: support@getvitalize.app
Privacy Inquiries: support@getvitalize.app
Address: BetterVue e.U., Sobieskigasse 25/24, 1090 Vienna, Austria
Data Protection Officer: Not required for our operations scale, but privacy inquiries can be directed to support@getvitalize.app

Effective date: 9.9.2025