
Legal

Privacy Policy

Effective date: 1 May 2026 · Last updated: 7 June 2026

1. Who we are

Vital is an iOS app that turns Apple HealthKit data, your daily logs, and your workouts into recovery, exertion, stress, health and readiness scores. The app is operated by LMS Labs Ltd, a private limited company registered in Scotland (company number SC888839), which is the data controller for the purposes of UK GDPR. LMS Labs Ltd is registered with the UK Information Commissioner's Office under reference C1930353. The company's directors are:

  • Mason Hillan
  • Scott Anderson
  • Lee Gordon

For all privacy queries, including data-access requests, erasure, correction, complaints, or anything else covered below, write to business@lmslabsltd.com. We will respond within one calendar month, as required by UK GDPR Article 12(3).

The Vital service is operated from Ayrshire, Scotland, United Kingdom. Our backend infrastructure is hosted in the European Union (Stockholm region, see Section 7).

2. The short version

We built Vital because we wanted a health app that didn't sell us out. So:

  • We do not sell, rent, or share your data with advertisers. Vital does not contain advertising and is not funded by tracking.
  • Your raw HealthKit samples never leave your device. We read them on-device, compute aggregated daily scores from them, and only those scores ever sync to our backend.
  • You can delete everything in one tap. Settings → Privacy & Security → Delete account removes your data from our servers within 30 days.
  • Three named people run Vital. They can see your account basics and daily scores, the same numbers you see in the app. Your food log, mood notes, chat history, AI insights and progress photos stay hidden unless one of them records a reason for looking.

The rest of this document is the long version of those four points.

3. What data we collect, why, and on what legal basis

The table below covers every category of personal data Vital touches. Where the legal basis is "explicit consent (UK GDPR Article 9(2)(a))," that consent is given by a separate, deliberate action in the app, not by accepting this policy: a dedicated health-data permission step at onboarding, plus per-feature toggles (cloud sync, AI insights, AI chat, photo analysis, mood and cycle logging) that you can grant or withdraw individually in Settings. Each choice is recorded in a consent ledger with a timestamp. Health information is "special category data," so this is the strictest consent rule that applies. If you're signed out and using Vital free, your HealthKit data is processed entirely on your iPhone and none of it reaches us.

Account identifiers

Your email, sign-up date, last sign-in time, display name. If you sign in with Google or Apple, the avatar URL.

Why: Authenticate you and link your data across devices.
Legal basis: Article 6(1)(b): performance of contract.

HealthKit samples

We read sleep, HRV, heart rate, resting heart rate, walking heart rate, heart-rate recovery, blood oxygen, respiratory rate, VO₂ max, steps, distance, flights climbed, active energy, basal energy, exercise minutes, stand hours, mindful minutes, body weight, body fat %, lean mass, dietary energy and macros, water, caffeine, and workouts. We also read your biological sex and date of birth to personalise BMR and baselines.

None of this is stored in our database. It stays on your iPhone and is read only at refresh time to compute the scores below. (Cycle tracking, if you use it, is something you log inside Vital, not read from Apple Health; it's covered under "Logged content" below.)

Why: Compute Recovery, Exertion, Stress, Health, Readiness, TDEE and per-system breakdowns.
Legal basis: Article 9(2)(a): explicit consent.

Aggregated daily scores

One row per calendar day per user, containing the five numeric scores, training-load metrics, sleep summary, dietary totals, mood signals, and a small text summary.

This row is what syncs to our backend so your iPhone and your widgets show the same number.

Why: Cross-device sync; historical chart views; AI insight generation.
Legal basis: Article 6(1)(b) and 9(2)(a).

Logged content

Food entries, mood check-ins, supplement intake, custom workouts, exercise sets, planned workouts, your training split, cycle entries (if you use cycle tracking), progress photos, AI chat history, AI-generated insight cards, your "feels right / too low / too high" calibration feedback.

Why: Provide the logging features themselves and feed the score calculations.
Legal basis: Article 6(1)(b) and 9(2)(a).

Profile preferences

Age, sex, height, weight, activity level, dietary preferences, hydration goal, calorie goal, macro goals, unit system (metric / imperial), biometric-lock preference, cycle settings if applicable.

Why: Personalise the formulas (BMR, hydration, score weighting).
Legal basis: Article 6(1)(b) and 9(2)(a).

Subscription status

Whether you have active premium access (Boolean), which plan you are on (Vital AI Monthly, Vital AI Annual, or legacy lifetime access), the renewal or expiry date, whether you are inside the 3-day free trial, and the date of your most recent transaction. We do not store payment details; Apple holds those.

Vital AI is an auto-renewable subscription sold through Apple. It renews automatically each period unless you cancel at least 24 hours before the period ends. You manage or cancel it in your Apple ID settings under Subscriptions; we cannot cancel it for you, and deleting the app does not cancel it. Anyone granted premium before we moved to subscriptions keeps it free for life and is never charged.

Why: Gate premium features and respond to billing disputes.
Legal basis: Article 6(1)(b) and 6(1)(f): legitimate interests in billing integrity.

AI feature usage counters

Per-user, per-month counts of how often you used Vital's AI chat, insight regeneration, and photo analysis features. The contents of those interactions also stay on our backend (chat messages, insight bodies, photo bytes).

Why: Enforce monthly fair-use caps, detect runaway costs, generate the daily insight from your data.
Legal basis: Article 6(1)(b) and 6(1)(f).

Diagnostic events

App crashes via Apple's MetricKit, written to disk on your device. We do not automatically upload these; you have to choose to share them with us.

Why: Fix bugs.
Legal basis: Article 6(1)(f).

Things we do not collect

  • We do not collect IP addresses for analytics or fingerprinting.
  • We do not embed any third-party SDK for advertising, attribution, A/B testing, or behavioural analytics.
  • We do not collect device identifiers (IDFA / IDFV) for tracking.
  • We do not track your location.
  • We do not record audio or video.
  • We do not access your contacts, photos library (other than progress photos you explicitly add), or calendar.

4. How long we keep your data

  • Active-account data: while your account is active.
  • Deleted-account data: removed from production within 30 days of your erasure request, including from automated backups within 90 days.
  • Audit log of operator actions: 2 years (legal-defensibility window for controller accountability under UK GDPR).
  • Anonymised search-miss queries: retained indefinitely in aggregate form (no user identifier attached) so we can improve the food catalogue.

Closing the app or signing out does not delete data; only Settings → Privacy & Security → Delete account does.

5. Operator access

A small number of named operators (currently Mason Hillan, Scott Anderson, and Lee Gordon, the directors of LMS Labs Ltd) have access to an internal admin panel. Operator access is necessary so we can investigate support requests, debug sync or sign-in issues, fix billing disputes, comply with subject-access requests under UK GDPR, and keep the service running.

5.1 What operators can see by default

When an operator looks up your account, they automatically see:

  • Your account email, sign-up date, and last sign-in time
  • Your subscription status (free, trial, or premium)
  • Counts of how often you've used each app feature in the last 30 days (food logs, mood check-ins, workouts, AI insights, AI chat, photos)
  • Timestamps of your most recent activity
  • Your aggregated daily health scores (Recovery, Exertion, Stress, Health, Readiness)

These are the same kinds of metrics any account owner would see in the app.

5.2 What operators only see with a recorded reason

The contents of your food log, mood notes, workout notes, AI chat history, AI-generated insights, and progress photos are gated behind a separate "reveal" step in our admin panel. Before any operator can view this content, they must:

  1. Choose a reason from a fixed list: Support, Billing, Abuse investigation, Subject Access Request, Debugging, Other.
  2. For "Other", supply a written explanation.

Every reveal is recorded in an immutable audit log that includes the operator's email, the reason given, the data category accessed, and the timestamp. Directors spot-check each other's audit entries periodically. You can request a copy of all operator accesses to your account by emailing business@lmslabsltd.com; this is included in our standard Subject Access Request response.

The admin panel itself requires Face ID, Touch ID, or device passcode authentication every time it is opened; physical access to an unlocked operator phone is not enough to view your data.

5.3 What operators cannot see, ever

  • Your raw HealthKit samples (individual heart-rate, HRV, sleep stage, or workout records). Apple's Health app stores these on your device and we only ever read them on-device to compute the aggregated daily scores you see in Vital. Our database doesn't keep them.
  • Your password. We never store or transmit it; authentication runs through Supabase Auth which only stores a salted, hashed credential.
  • Apple receipt data beyond your premium status flag. Refunds, billing disputes, and cancellation history live in App Store Connect, not Vital.

5.4 Operator actions that affect your account

Operators can:

  • Grant or revoke premium status (used for billing dispute resolution and complimentary access)
  • Grant or revoke admin status (used to onboard or off-board operators)
  • Permanently delete your account and all your data (used for GDPR erasure requests and operator off-boarding)

All three actions are logged in the audit log and require explicit confirmation in the panel. We never delete an account without your written request, except where we are obliged to do so by law or our terms of service.

6. Who we share data with (data processors)

We use a small number of carefully chosen third-party services to run Vital. Each one is a "processor" under UK GDPR Article 28: they process data on our instructions, are bound by a written agreement, and may not use your data for any other purpose.

Supabase (Supabase Inc., USA, with EU subsidiary)

What they do: Database, authentication, file storage, edge functions.
Where: Stockholm, Sweden (EU North region).
Data they see: All synced Vital data (account, daily scores, food, mood, workouts, photos, AI usage). RLS-enforced. Supabase staff cannot read your data without a court order.

Anthropic (Anthropic, PBC, USA)

What they do: The Claude AI models that power our daily insights, AI chat, and progress-photo analysis. We route every Anthropic request through our own edge function that holds the API credentials, so your phone never talks directly to Anthropic.
Where: United States.
Data they see: The contents of the messages you send to chat, the snapshot of your scores, recent activity, and mood signals used to generate an insight, and any progress photo you choose to analyse. Anthropic does not train models on data sent through their API per their published policy.

Apple (Apple Inc., USA)

What they do: App Store distribution, in-app purchases (StoreKit), HealthKit framework, Sign in with Apple, push notifications.
Where: United States.
Data they see: Your Apple ID email (if you use Sign in with Apple), purchase records, and app-level diagnostic data Apple collects independently of Vital.

Google (Google LLC, USA, only if you sign in with Google)

What they do: OAuth sign-in only.
Where: United States.
Data they see: Your Google account email and avatar URL. We never read your Gmail, Drive, or any other Google data.

Food databases (Open Food Facts, USDA FoodData Central, FatSecret)

What they do: Resolve the calories and macronutrients for foods you search by name or scan by barcode. Open Food Facts (a non-profit based in the EU) is queried directly from your device; USDA FoodData Central (U.S. Department of Agriculture) and FatSecret are reached through our own edge function that holds the API credentials.
Where: European Union (Open Food Facts) and the United States (USDA FoodData Central, FatSecret).
Data they see: Only the food text you type or the barcode you scan, never your account, device identifier, scores, or any health data. We ask for your explicit consent before the first food lookup; if you decline, Vital falls back to its own food catalogue and nothing is sent to these providers.

We do not currently use any analytics, advertising, attribution, fingerprinting, customer-data-platform, or cookie-tracking processor.

International transfers from the UK to the United States (Anthropic, Apple, USDA FoodData Central, FatSecret, and, only if you use it, Google) are protected under the UK Government's data adequacy decision for the EU–US Data Privacy Framework and, where applicable, by Standard Contractual Clauses included in each processor's terms.

Equivalent protection. We only share your personal data with a processor that protects it to a standard equivalent to this policy and to UK GDPR. Supabase and Anthropic are bound by written data-processing agreements, with Standard Contractual Clauses covering any US transfer; they must apply equivalent technical and organisational security measures, may use your data only on our instructions, and may not sell it or train their own products on it. Anthropic's Commercial Terms expressly prohibit training on data sent through their API. The food databases receive only the food text or barcode you enter, never your account, device identifier, or any health data, so no information that could identify you ever reaches them; their use of that query text is governed by their published API terms.

7. Where your data is stored

The Vital backend runs in the Supabase Stockholm (EU North) region. Your synced data is therefore subject to UK and EU data protection law and stays inside the EEA at rest.

The exceptions (covered in Section 6):

  • AI features route through Anthropic's API in the United States.
  • Apple-platform features (StoreKit, push, Sign in with Apple) are handled by Apple in the United States.
  • Google sign-in (optional) is handled by Google in the United States.

Each of these international transfers is necessary to provide the specific feature you asked for; you can avoid them by not using AI features and by signing in with email instead of Apple or Google.

8. How your data is protected

  • Encryption in transit: every connection to our backend uses TLS 1.2+. Connections from your iPhone to Apple, Anthropic, and Google likewise use TLS.
  • Encryption at rest: Supabase encrypts the database and the photo storage bucket on its managed infrastructure. The iOS app stores your local SwiftData database with completeUnlessOpen file protection; the OS encrypts it whenever your device is locked.
  • Access control: every database table uses Postgres Row Level Security so a request authenticated as user A can never read user B's rows. Admin queries are wrapped in SECURITY DEFINER Postgres functions that re-check operator status server-side; the iOS admin gate is convenience, not the trust boundary.
  • Authentication: passwords (if you sign up with email) are hashed and salted by Supabase Auth; we never see the cleartext. JWT tokens expire on a 1-hour rotation. Two consecutive auth failures force a sign-out so a stolen device can't replay tokens indefinitely.
  • No API keys on device: the credentials for our AI provider, our food databases, and our backend are held server-side. A decompiled Vital binary contains only the publishable Supabase key, which is read-only and bound by Row Level Security to whatever user is signed in.
  • Biometric lock (optional): you can require Face ID or Touch ID before the app will display any data. Settings → Privacy & Security → App Lock.

9. Your rights under UK GDPR

You have the right to:

  • Access (Article 15): Receive a copy of all personal data we hold about you. Email business@lmslabsltd.com. We respond within one month.
  • Rectification (Article 16): Correct inaccurate or incomplete data. Most fields are editable in-app under Settings; for anything you can't edit, email us.
  • Erasure / "right to be forgotten" (Article 17): Have your data deleted. Settings → Privacy & Security → Delete account, or email us. We complete erasure within 30 days.
  • Restriction (Article 18): Pause our processing while you contest accuracy or oppose a basis. Email us.
  • Portability (Article 20): Receive your data in a machine-readable format you can take elsewhere. Email us; we deliver JSON within one month.
  • Object (Article 21): Object to processing based on legitimate interests. Email us.
  • Withdraw consent (Article 7(3)): Pull the explicit consent you gave us to process special-category health data. Effective immediately for future processing; we then delete your data within 30 days because we have no other lawful basis to keep it.
  • Complain: Lodge a complaint with the UK Information Commissioner's Office at ico.org.uk/make-a-complaint, but please contact us first; we'd like a chance to fix it.

We never charge for any of these except in the limited cases UK GDPR specifically allows (e.g. manifestly unfounded or repeated requests).

10. Children

Vital is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us personal data, contact business@lmslabsltd.com and we will delete it immediately.

If you are between 13 and 16, you must have a parent or guardian's permission to use Vital. (UK GDPR sets the digital-consent age at 13, but we recommend 16+ given that Vital is a health-tracking app.)

11. Automated decision-making

Vital generates AI-written insights and chat responses using the Claude language model. These are suggestions, not decisions; nothing in Vital takes legally significant action against you (no insurance pricing, no medical diagnosis, no employment decision, no loan grant). UK GDPR Article 22 does not apply because no automated decision with legal or similarly significant effects is made.

The scores Vital displays are computed by deterministic formulas (Mifflin-St Jeor for TDEE, Edwards TRIMP for exertion, weighted composites for the rest). These are mathematical, not "automated decisions" in the GDPR sense.

12. Changes to this policy

When we change this policy materially (adding a new processor, expanding what we collect, changing how long we keep data), we will:

  1. Update the "Effective date" at the top.
  2. Surface an in-app notice the next time you open Vital.
  3. For changes that broaden the scope of your consent (new special-category data, new processor handling sensitive content), require you to re-accept before the change applies to your data.

For minor updates (typo fixes, clearer wording), we'll just bump the "Last updated" date. The current version is always available at this URL.

13. This website

tryvital.app is a static site hosted on Cloudflare. We do not run analytics, advertising, or cookie-tracking on it, and it sets no cookies. The fonts are served from our own domain, so visiting these pages sends your IP address to no third party beyond Cloudflare's standard edge logging (used only to serve the page and guard against abuse). The one exception is the optional "tell me if Android happens" form on the comparison page: if you choose to submit it, your email address is sent to our backend (Supabase, EU) and used only to contact you once if that changes.

14. Contact

For anything in this policy:

LMS Labs Ltd
Attn: Mason Hillan (director, primary contact)
Email: business@lmslabsltd.com
Company number: SC888839 (Scotland)
ICO registration: C1930353
Registered office: 10 Dalwhinnie Court, Lawthorn, Irvine, Scotland, KA11 2ES

For complaints we cannot resolve, the supervisory authority is:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
0303 123 1113, ico.org.uk

This policy is written in plain English and signed off by all three directors of LMS Labs Ltd. If anything in it is unclear or feels evasive, that's a bug; tell us.

Vital is not a medical device. Scores and insights are informational only.

© 2026 LMS Labs Ltd. Registered in Scotland, company number SC888839. ICO registration C1930353.