Vitalstat

Android Privacy Policy

Last Updated: April 3, 2026

Vitalstat ("we", "our", or "the app") is committed to protecting your privacy. This policy explains what data the Vitalstat Android app collects, how we use it, where it is stored, and your rights as a user.

This policy complies with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), and the German Telecommunications-Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG).

Data Controller

The data controller within the meaning of Article 4(7) GDPR responsible for the processing of your personal data is:

Nicklas Matthias Wehling

c/o IP-Management #9523

Ludwig-Erhard-Straße 18

20459 Hamburg, Germany

support@vital-stat.com

Given the nature and scale of our data processing, the appointment of a Data Protection Officer is not required under Article 37 GDPR. For all data protection inquiries, please contact us at the address above.

1. Data Collection Overview

Vitalstat for Android is designed with a privacy-first approach. Your health, fitness, and recovery data stays on your device. We do not sell, rent, or share your personal data with advertisers, data brokers, or any third parties for marketing purposes.

The app connects to the Polar AccessLink API to retrieve your health data and caches it locally on your device. No health data is uploaded to our servers.

2. Account & Authentication

Vitalstat for Android uses Polar OAuth 2.0 to authenticate you with your Polar account. When you sign in, you are redirected to Polar's authorization page where you grant the app permission to access your health data. No personal information (name, email, phone number) is collected by Vitalstat directly.

The OAuth access token and your Polar user ID are stored locally on your device using Android's encrypted DataStore. These credentials are never sent to our servers.

3. Legal Basis for Processing

Under the GDPR, we process your personal data only when we have a valid legal basis. The following table outlines the legal basis for each category of processing:

Processing Activity | Legal Basis
Core app functionality (displaying health data, syncing with Polar) | Art. 6(1)(b) GDPR — performance of a contract
Health data processing (special category data) | Art. 9(2)(a) GDPR — your explicit consent, given via the Polar OAuth authorization
Subscription management & payment processing | Art. 6(1)(b) GDPR — performance of a contract

Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal. See "Your Rights" below for details.

4. Health Data Source

Vitalstat for Android retrieves health and fitness data from your Polar account. Data is used solely to display insights, trends, and metrics within the app.

Polar

Connects via OAuth 2.0 to the official Polar AccessLink API. After you authorize access through Polar, the app retrieves the following data:

  • Sleep data — sleep start/end times, sleep phases (light, deep, REM), sleep score, sleep quality, sleep continuity, and interruption durations
  • Exercise data — exercise type, duration, calories burned, distance, heart rate (average and max), heart rate zones, training load, and steps
  • Daily activity — total and active calories, steps, active time by intensity, resting heart rate, and distance
  • Recovery & nightly recharge — ANS charge status and recovery metrics
  • Cardio load (strain) — cardio load metrics, strain levels, cardio load ratio, and status
  • Continuous heart rate — per-minute heart rate samples and average calculations
  • User profile — Polar user ID, name, birthdate, gender, weight, height, and registration date
  • Physical information — body measurements, max heart rate, resting heart rate, aerobic/anaerobic thresholds, and VO2 max

OAuth tokens are stored locally on your device using Android's encrypted DataStore. Health data is cached locally in an on-device Room database (SQLite).

5. Data Storage

On-Device Storage (Room Database)

The following data is stored locally on your device in an encrypted Room database and is removed when you uninstall the app or clear app data:

  • Sleep history and sleep metrics
  • Recovery and nightly recharge data
  • Daily activity summaries
  • Cardio load and strain history
  • Exercise and training sessions
  • Heart rate summaries by date

DataStore (Encrypted Preferences)

The following preferences are stored locally using Android DataStore:

  • Polar OAuth access token and token expiration
  • Polar user ID
  • Dark mode preference
  • Custom metric display ordering

Firebase Remote Config

The app uses Firebase Remote Config solely to retrieve API configuration values (Polar OAuth client credentials). No personal data, health data, or usage analytics are sent to Firebase. Firebase Remote Config does not track or profile users.

No Cloud Storage of Health Data

No health data is stored on our servers or any cloud service. All health data remains exclusively on your device. The only network communication is between your device and the Polar AccessLink API to retrieve your data, and to Firebase Remote Config for API configuration.

6. Third-Party Services

The app interacts with the following external services:

  • Polar AccessLink API — retrieves your authorized fitness and health data via OAuth 2.0.
  • Firebase Remote Config — delivers API configuration values. No personal or health data is sent to Firebase.
  • Google Play Store — processes in-app purchases and subscription management through the Play Store.

6a. Analytics

Vitalstat for Android does not use any analytics services. We do not use Firebase Analytics, Google Analytics, or any other third-party analytics or tracking SDKs. No usage data, behavioral data, or crash reports are collected or transmitted to external services. We do not use advertising or tracking SDKs.

7. International Data Transfers

Some of the third-party services we use are operated by companies based outside the European Economic Area (EEA), primarily in the United States. When your data is transferred outside the EEA, we ensure appropriate safeguards are in place as required by Chapter V of the GDPR:

  • Firebase / Google (USA) — Google LLC is certified under the EU-US Data Privacy Framework and additionally employs Standard Contractual Clauses (SCCs) for international data transfers. Only configuration data is retrieved; no personal data is sent.
  • Polar (Finland) — Polar Electro Oy is based in the EEA. Data flows to and from Polar's servers according to their own privacy policy, which you accept when authorizing the connection via OAuth.

8. Device Permissions

Vitalstat for Android requests only the following device permission:

  • Internet — required to communicate with the Polar AccessLink API to retrieve your health data and with Firebase Remote Config for API configuration.

The app does not request access to your camera, microphone, location, contacts, storage, or any other sensitive device permissions.

9. Security

We take reasonable measures to protect your data:

  • OAuth tokens are stored locally using Android's encrypted DataStore, accessible only to the Vitalstat app.
  • Health data is stored in an on-device Room database, sandboxed by Android's application security model.
  • API configuration is delivered via Firebase Remote Config and is never hardcoded in publicly accessible locations.
  • All network communication uses HTTPS/TLS encryption.

We recommend enabling a screen lock (PIN, pattern, fingerprint, or face unlock) on your device and keeping your Polar account credentials private.

10. Data Retention & Deletion

We retain your data only for as long as necessary for the purposes described in this policy. The following table summarizes our retention periods:

Data Category | Retention Period
On-device health data (Room database) | Until app uninstall or app data cleared
OAuth tokens and user preferences (DataStore) | Until Polar disconnect, app uninstall, or app data cleared

Since all data is stored exclusively on your device, you have full control over its deletion. You can delete all app data at any time by uninstalling the app or clearing app data through Android Settings > Apps > Vitalstat > Storage > Clear Data.

11. Subscription Information

Vitalstat offers auto-renewing subscriptions that unlock premium features and insights.

Subscription Options

  • Monthly Plan: 1 month
  • Yearly Plan: 1 year

Prices

  • Monthly: 5.99 USD per month
  • Yearly: 44.99 USD per year

Payment is charged to your Google Play account upon purchase. Subscriptions renew automatically unless canceled at least twenty-four hours before the renewal date. You can manage or cancel your subscription at any time through Google Play Store > Subscriptions.

12. Automated Decision-Making and Profiling

Vitalstat does not make automated decisions that produce legal effects or similarly significantly affect you within the meaning of Article 22 GDPR. All health metrics, scores, and trends displayed in the app are informational only and do not constitute medical advice, diagnoses, or legally binding decisions. You are always free to disregard any information presented.

13. Children's Privacy

Vitalstat is not intended for use by children. We do not knowingly collect or store any personal data from individuals under the age of 16. If you believe a child under 16 has provided data to us, please contact us and we will promptly delete it.

14. Your Rights Under the GDPR

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of any personal data we store about you and information about how it is processed.
  • Right to rectification (Art. 16) — request correction of inaccurate personal data we hold about you.
  • Right to erasure ("right to be forgotten") (Art. 17) — request deletion of your personal data. Since all data is stored on your device, you can exercise this right directly by uninstalling the app or clearing app data.
  • Right to restriction of processing (Art. 18) — request that we limit the processing of your personal data under certain circumstances.
  • Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, and machine-readable format, and transmit that data to another controller.
  • Right to object (Art. 21) — object to processing based on our legitimate interest. Since we do not use analytics or tracking, this right applies primarily to any future processing activities.
  • Right to withdraw consent (Art. 7(3)) — withdraw any consent you have given at any time. You can revoke Polar access by disconnecting your account in the app or revoking access through Polar Flow.
  • Revoke health source access — disconnect Polar at any time in the app settings or through Polar Flow.

To exercise any of these rights, contact us at support@vital-stat.com. We will respond to your request within 30 days. There is no fee for exercising your rights.

Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement (Art. 77 GDPR). The supervisory authority responsible for our operations is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)

Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany

https://datenschutz.hessen.de

15. Changes to This Policy

We may update this Privacy Policy as needed. The most recent version will always be available on our website. Each update will include a clear "Last Updated" date.

For material changes that affect your rights or the scope of data processing, we will notify you via the app at least 30 days before the changes take effect.

16. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact:

Nicklas Matthias Wehling

c/o IP-Management #9523, Ludwig-Erhard-Straße 18, 20459 Hamburg, Germany

support@vital-stat.com