Privacy Policy

Last updated: 21 April 2026

This is the privacy policy for Vital, an iOS health-tracking app.

Who we are

Vital is operated by three people working together as joint data controllers under UK GDPR:

  • Mason Hillan — Ayrshire, Scotland (primary contact)
  • Scott Anderson
  • Lee Gordon

Contact for any privacy question: masonhillan@gmail.com

Under UK GDPR, joint controllers are jointly responsible for how your data is handled. You can exercise your rights by contacting any of us, but the email above is the fastest route — Mason handles the day-to-day technical side.

The short version

  • Your health data stays yours. We don't sell it, rent it, or share it for advertising.
  • The app runs in the EU (Stockholm). Your data is stored there, not in the US.
  • We use AI (Anthropic's Claude) to generate insights, but only if you're a premium user and only on data you choose to process.
  • You can export everything we have about you, or delete your account entirely, from inside the app.
  • There are no analytics SDKs, no ad networks, no third-party trackers.

The long version is below, because the law requires detail and you deserve specifics.


What data we collect

When you create an account

  • Email address (required — used as your login)
  • Optional display name
  • A user ID generated by Supabase (a long random string)
  • If you sign in with Apple: a private relay email address and the Apple-provided identifier

When you set up your profile

  • Age, biological sex (optional), height, weight
  • Your unit preference (metric or imperial)
  • Your calorie and protein goals
  • Whether you want to track your menstrual cycle (optional)

Health data you choose to log or connect

  • From Apple HealthKit (read-only, with your permission): sleep stages and duration, heart rate, heart rate variability (HRV), resting heart rate, steps, active and basal calories burned, exercise minutes, stand hours, flights climbed, workouts, body weight, body fat percentage, lean mass, height, waist circumference, VO₂ max, blood oxygen, respiratory rate
  • Dietary data from HealthKit: calories, protein, carbs, fat, fibre, sugar, sodium, water, plus six vitamins, five minerals, caffeine, cholesterol, and fat subcategories — but only if other apps (like Cronometer) have already logged them to your iPhone
  • Food entries you log directly in the app
  • Mood check-ins (mood level, energy level, anxiety level, symptoms, triggers)
  • Cycle entries (flow intensity, symptoms, notes) if you've enabled cycle tracking
  • Physique photos (optional, if you upload them)
  • Chat messages you send to the in-app AI assistant

Derived data the app creates

  • Daily score snapshots (recovery, exertion, stress, health, readiness — all computed from the data above)
  • Cached AI-generated insights (daily narratives about your data)

Data that stays on your device only

  • Your biometric-lock preference (whether Face ID is enabled)
  • Onboarding state
  • App settings

What we don't collect

  • No location data
  • No contact list access
  • No advertising identifier (IDFA)
  • No analytics SDK — no Firebase Analytics, Mixpanel, Amplitude, or anything similar
  • No cross-app tracking
  • No ad network integration
  • No microphone or photo access beyond what you explicitly grant for the physique-photo feature

Why we collect each type of data

Lawful basis under UK GDPR.

| Data | Legal basis |
|---|---|
| Account email + user ID | Contract — needed to give you an account |
| Profile fields you enter | Consent + contract — needed to compute accurate scores for you |
| Health data from HealthKit | Explicit consent (Article 9) — you grant HealthKit permission, and using Vital signifies agreement to its processing for scoring and insights |
| Food, mood, cycle, physique entries | Explicit consent — you choose to log them |
| Chat messages | Contract + consent — the feature requires sending your message + a snapshot of your health data to Claude |
| Derived scores + insights | Legitimate interest — core product functionality |

Health data is a special category of personal data under Article 9 of UK GDPR. Our lawful basis for processing it is your explicit consent, which you give by signing up and enabling HealthKit. You can withdraw that consent at any time by deleting your account.

Who processes your data on our behalf

We use three third-party services ("data processors" in GDPR terms):

Supabase (storage + authentication)

  • Where: EU — specifically Stockholm (eu-north-1 region)
  • What they store: everything in your account — profile, daily snapshots, food entries, mood, cycle entries, chat messages, physique photos, and AI insights
  • Security: AES-256 encryption at rest, TLS in transit, row-level security so users can only read their own rows
  • Data processing agreement: covered by Supabase's standard DPA
  • Privacy policy: supabase.com/privacy

Anthropic (AI insights and chat)

  • Where: United States
  • What they process: the specific prompt sent when you generate an insight or chat message — this includes a snapshot of your recent health data (sleep, HRV, scores, recent entries) plus your message
  • What they don't do: Anthropic's API does not train on API data by default. Your messages aren't used to improve their models.
  • How long they keep it: Anthropic retains API request data for up to 30 days for safety/abuse monitoring
  • Transfer to US: covered by Anthropic's Standard Contractual Clauses (SCCs)
  • Only used if: you're a premium user and you trigger an insight or send a chat message
  • Privacy policy: anthropic.com/legal/privacy

Apple (HealthKit + payments)

  • HealthKit data stays on your device and is controlled by Apple's own permissions. We never receive or store your raw HealthKit samples on a server — the app reads them locally and only sends aggregated numbers to the AI when you use those features.
  • In-app purchases are processed by Apple; we never see your payment details.
  • Privacy policy: apple.com/legal/privacy

Cloudflare (landing page only)

  • Hosts the marketing landing page + waitlist signup form
  • Does not have access to any in-app user data
  • Privacy policy: cloudflare.com/privacypolicy

How long we keep your data

  • While you have an account: indefinitely, because the whole point is to show you your long-term trends
  • After you delete your account: immediately deleted from Supabase via a cascading database deletion
  • Backups: our Supabase backups retain data for 7 days before being overwritten
  • Chat messages: currently kept for the life of your account. We're considering adding an auto-purge after 90 days — if that changes, this policy will be updated

Your rights under UK GDPR

You have the following rights, and we've built the app to make most of them one-tap:

  • Right of access — Settings → Account → Export data generates a JSON file with everything we hold about you
  • Right to rectification — edit your profile or any entry in the app
  • Right to erasure ("right to be forgotten") — Settings → Account → Delete account erases your data within seconds
  • Right to data portability — the same JSON export is machine-readable
  • Right to restrict processing — email masonhillan@gmail.com and we'll action it within 30 days
  • Right to object — same as above
  • Right to withdraw consent — deleting your account withdraws all consent

If you're unhappy with how we've handled your data, you have the right to complain to the UK's data protection regulator, the Information Commissioner's Office (ICO):

  • Website: ico.org.uk/make-a-complaint
  • Phone: 0303 123 1113

We'd appreciate the chance to fix things first, but you're not required to come to us before going to the ICO.

International data transfers

  • Your account data lives in the EU (Stockholm, Supabase).
  • When you use the AI features, specific prompts are sent to Anthropic in the United States. This transfer is covered by Standard Contractual Clauses, which are the UK-approved mechanism for transferring personal data to the US.
  • HealthKit data never leaves your device except when you explicitly use the AI features.

Children

Vital is not for anyone under 13. UK law requires parental consent for children under 13, and we don't have a mechanism to collect that. If you're between 13 and 17, the app is intended to be used with a parent or guardian's knowledge. If we become aware that a user under 13 has signed up, we'll delete the account and all associated data.

Security

  • All data in transit is encrypted with TLS.
  • All data at rest is encrypted with AES-256 (Supabase infrastructure).
  • Access to your account requires your email + password (or Sign in with Apple).
  • Optional biometric lock (Face ID / Touch ID) for in-app access.
  • Row-level security on every database table means even if an attacker gained access to the Supabase API with another user's credentials, they couldn't read your data.

If we discover a data breach affecting you, we'll notify the ICO within 72 hours and email you directly as soon as we can identify the impact.

Changes to this policy

If anything material changes — a new processor, a new data type, a retention change — we'll update this page and notify you in-app before the change takes effect. Trivial clarifications may be updated without notice.

The date at the top of this policy is the last update.

Questions, complaints, or requests

Email: masonhillan@gmail.com

We aim to reply within 5 working days. For formal GDPR requests (access / deletion / restriction), we have 30 days to respond under UK law, but we'll usually be quicker.

© 2026 Mason Hillan, Lee Gordon and Scott Anderson  |  Vital Team.