iOS Privacy Policy

The data controller within the meaning of Article 4(7) GDPR responsible for the processing of your personal data is:

Given the nature and scale of our data processing, the appointment of a Data Protection Officer is not required under Article 37 GDPR. For all data protection inquiries, please contact us at the address above.

Vitalstat is designed with a privacy-first approach. The majority of your health, fitness, and nutrition data stays on your device. We do not sell, rent, or share your personal data with advertisers, data brokers, or any third parties for marketing purposes.

Some features require limited data exchange with external services to function. Each case is described in detail below.

Vitalstat uses Firebase Anonymous Authentication to generate a unique identifier for each installation. This is required to securely access backend services such as Garmin data sync and leaderboard features. No personal information (name, email, phone number) is required to use the app.

We record the anonymous identifier and the date of first sign-up in Firebase Firestore for aggregate usage statistics (e.g. total user count, signups per week). These statistics are count-based and do not contain any personal or health data.

You may optionally provide your email address to help us verify and restore your subscription status in case of issues. This email is stored in Firebase Firestore alongside your subscription status. It is never shared, sold, or used for marketing.

Under the GDPR, we process your personal data only when we have a valid legal basis. The following table outlines the legal basis for each category of processing:

Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal. See "Your Rights" below for details.

Vitalstat retrieves health and fitness data from the source you choose during onboarding. You may switch sources at any time in Settings. Data from each source is used solely to display insights, trends, and coaching within the app.

Polar

Connects via OAuth 2.0 to the official Polar AccessLink API. After you authorize access through Polar Flow, the app retrieves exercises, daily activity, sleep, nightly recharge, heart rate samples, training load, and physical info. OAuth tokens are stored in your device's Keychain (encrypted, device-locked). Health data is cached locally on your device.

Apple Health

Connects via Apple's HealthKit framework. You choose exactly which data types to share through the standard iOS permissions dialog. The app may read workouts, heart rate, HRV, sleep, blood pressure, blood glucose, respiratory rate, oxygen saturation, body metrics, activity rings, and other types you authorize. It may write mindfulness sessions and body mass if you grant permission. All HealthKit data stays on your device and is never uploaded to any server.

Oura

Connects via OAuth 2.0 to the Oura API v2. After you authorize access through Oura, the app retrieves sleep sessions, readiness scores, daily activity, workouts, heart rate, HRV, VO2Max, SpO2, stress, and resilience data. OAuth tokens are stored in your device's Keychain (encrypted, device-locked). Health data is cached locally on your device.

Garmin

Connects via OAuth 2.0 through the Vitalstat website. Your Garmin OAuth tokens are stored securely in Firebase Firestore (server-side), not on your device. Garmin uses a push-based model: health data (dailies, sleep, activities, HRV, body battery, pulse ox, respiration) is sent by Garmin to our server via webhooks and stored in Firebase Firestore under your anonymous user ID. The app reads this data from Firestore.

Data retention: Garmin health data older than 180 days (6 months) is automatically deleted from our servers via a weekly cleanup process.

Data deletion: You can delete all your stored Garmin data at any time using the "Delete My Garmin Data" button in the app's settings. This removes all health data from our servers while keeping your Garmin connection active (new data will continue to sync). Alternatively, disconnecting Garmin permanently deletes all stored health data, OAuth tokens, and account mappings from our servers.

Withings

Connects via OAuth 2.0 to the Withings API. After you authorize access through Withings, the app retrieves body composition measurements (weight, body fat, muscle mass), activity data, and sleep data. OAuth tokens are stored in your device's Keychain (encrypted, device-locked). Health data is cached locally on your device.

Food log entries (product name, brand, barcode, amounts, calories, macros, and optional micronutrients), liquid intake, your nutrition profile (weight, height, age, sex, activity level, goals), recent products, and custom liquids are all stored exclusively on your device. None of this data is sent to our servers.

The following external services are used for food features:

• Open Food Facts — receives your barcode scans and search queries to return product data. No login is required.
• Edamam — receives food search queries and barcode scans to return nutrition data.
• Spoonacular — receives recipe search queries and ingredient lookups.
• USDA FoodData Central — receives nutrition database queries.

These services receive only the search terms or barcodes you enter. No personal, health, or account data is sent to them.

Vitalstat includes AI-powered features that use OpenAI to generate personalized health insights. During onboarding, you are shown a consent screen explaining that certain features send health data to OpenAI for processing. You can review this consent at any time in Settings.

AI Food Analysis

When you use AI food analysis, the text description you enter and/or the photo you take is sent to OpenAI to estimate nutritional content. Photos are scaled down before transmission. Image analyses are limited to 6 per day; text analyses are unlimited. We do not store these descriptions or photos on our servers.

AI Recipes

When you generate AI recipes, your remaining calorie and macro budget, dietary preferences, cuisine, cooking time, difficulty, servings, and any ingredients or taste preferences you enter are sent to OpenAI. Generated recipes are stored locally on your device.

AI Health Chat

The conversational AI health chat sends a snapshot of your recent health data (sleep, HRV, recovery, activity, strain, body battery, and nutrition summaries) along with your messages to OpenAI to generate personalized responses. Chat history is stored locally on your device. Usage is limited to 20 messages per day.

AI Morning Briefing

The daily morning briefing sends a snapshot of your recent health metrics (last night's sleep, HRV trends, recovery status, upcoming activity context) to OpenAI to generate a personalized daily summary. The generated briefing is cached locally on your device.

AI Weekly Narrative

The weekly narrative sends a summary of your past week's health data (sleep trends, activity patterns, recovery scores, HRV changes) to OpenAI to generate a personalized weekly review. The generated narrative is cached locally on your device.

AI Sleep Optimizer

The sleep optimizer sends your recent sleep patterns, HRV data, activity timing, and recovery trends to OpenAI to generate personalized evening sleep recommendations. Results are cached locally on your device.

AI Insights

Vitalstat generates AI-powered health insights by sending relevant health metric snapshots to OpenAI. These include cross-metric correlations, trend observations, and actionable recommendations. Generated insights are cached locally on your device.

AI Feedback

You may optionally provide feedback (helpful/not helpful) on AI-generated content such as morning briefings, weekly narratives, chat responses, and insights. This feedback is stored locally on your device to help improve your experience. It is not sent to any external server.

On-Device Analysis

Some analytical features run entirely on your device without sending data externally. These include behavioral nudges, trend anomaly detection, cross-metric correlation analysis, workout readiness scoring, and personalized baseline calculations.

OpenAI as Data Processor

OpenAI acts as a data processor within the meaning of Article 28 GDPR. A Data Processing Agreement (DPA) is in place with OpenAI in accordance with GDPR requirements. Key safeguards include:

• Data sent through the OpenAI API is not used to train OpenAI's models.
• OpenAI retains API input and output data for up to 30 days solely for abuse and misuse monitoring, after which it is deleted.
• Health data constitutes special category data under Article 9 GDPR and is only sent to OpenAI with your explicit consent, given during onboarding.
• You can withdraw your AI consent at any time in Settings, which immediately stops all data transmission to OpenAI.

When data is processed by OpenAI, it is subject to both this policy and OpenAI's own privacy practices. We have taken contractual and technical measures to protect your data, but we encourage you to also review OpenAI's privacy policy and Data Processing Addendum.

On-Device Storage

The following data is stored locally on your device only and is removed when you delete the app:

• Health data from all sources (Polar, Apple Health, Oura, Withings, Garmin cache)
• Food log entries, liquid log, and nutrition profile
• Journal entries and habit tracking data
• Gym workout logs and personal records
• User preferences, settings, and notification history
• AI-generated recipes, briefings, narratives, insights, and chat history
• AI feedback ratings (helpful/not helpful)
• Personalized baselines, trend data, and metric configurations
• Workout readiness scores and precomputed daily summaries

Keychain (Encrypted)

OAuth tokens for Polar, Oura, and Withings are stored in your device's encrypted Keychain, accessible only when the device is unlocked and only on the device where they were created.

App Group (Shared On-Device)

Some data is shared between the main app, widget extension, and watch app via an on-device App Group container. This includes subscription status, selected health source, and health metric snapshots for widget display. This data never leaves your device.

Firebase Firestore (Cloud)

The following data is stored in Firebase Firestore:

• Anonymous user ID and signup date (aggregate statistics)
• Email address and subscription status (if you provide your email)
• Garmin OAuth tokens and Garmin health data (if you connect Garmin)
• Leaderboard group data: group name, members, display names, and shared metric scores (if you join a leaderboard)
• Referral program data: referral codes, referral credits, and redemption records (if you participate in the referral program)

The app interacts with the following external services:

• Polar AccessLink API — retrieves your authorized fitness and health data.
• Apple HealthKit — reads and writes health data you authorize via the iOS permissions system.
• Oura API — retrieves your authorized health and sleep data.
• Garmin Health API — receives your health data via webhooks; stored in Firebase Firestore.
• Withings API — retrieves your authorized body composition and health data.
• OpenAI API — receives health data snapshots, food descriptions, food photos, chat messages, and recipe inputs for AI-powered features (see section 6). OpenAI acts as a data processor under GDPR with a DPA in place.
• Open Food Facts, Edamam, Spoonacular, USDA — receive food search queries and barcodes (see section 5).
• Firebase — used for anonymous authentication, Analytics (see section 8a), Remote Config (API key delivery), and Firestore data storage as described in section 7.
• Apple StoreKit — processes in-app purchases and subscription management through the App Store.

8a. Analytics

Vitalstat uses Firebase Analytics (powered by Google Analytics) to collect anonymous, aggregated usage data. This helps us understand which features are used, identify issues, and improve the app. We rely on our legitimate interest under Art. 6(1)(f) GDPR for this processing. The data collected includes:

• Feature usage events (e.g. which screens are visited, which health source is selected, whether AI features or food tracking are used)
• Subscription and trial status (to understand conversion rates)
• Onboarding completion steps
• Error events (to diagnose and fix bugs)

Analytics data is associated with your anonymous Firebase user ID — not with any personally identifiable information. We do not collect or log the content of your health data, food logs, journal entries, or AI conversations in analytics. In accordance with Apple's HealthKit guidelines, no HealthKit data is ever sent to analytics services, advertising networks, or data brokers. Health data is never used for advertising, marketing, or sale to third parties. We do not use advertising or tracking SDKs. You have the right to object to analytics processing — see "Your Rights" below.

Some of the third-party services we use are operated by companies based outside the European Economic Area (EEA), primarily in the United States. When your data is transferred outside the EEA, we ensure appropriate safeguards are in place as required by Chapter V of the GDPR:

• Firebase / Google (USA) — Google LLC is certified under the EU-US Data Privacy Framework and additionally employs Standard Contractual Clauses (SCCs) for international data transfers.
• OpenAI (USA) — A Data Processing Agreement (DPA) including Standard Contractual Clauses is in place. Data is processed in the United States.
• Food APIs (Edamam, Spoonacular, USDA) — These services are US-based but only receive minimal data (food search terms and barcodes). No personal or health data is transmitted to these services.
• Health data sources (Polar, Oura, Garmin, Withings) — Data flows to and from these providers' servers according to their own privacy policies, which you accept when authorizing the connection via OAuth.

Vitalstat may request the following device permissions. Each is optional and only requested when needed:

• HealthKit — to read and write health data when Apple Health is your selected source.
• Camera — to scan food barcodes and photograph meals for AI nutrition analysis.
• Photo Library — to select food photos for AI nutrition analysis.
• Bluetooth — to connect to compatible health devices (e.g. reading your Polar device's battery level).
• Notifications — to send journal reminders, daily health summaries, and personalized health tips based on your sleep, recovery, and activity data.
• Background App Refresh — to periodically sync new health data and update widgets while the app is in the background.

You can revoke any permission at any time through iOS Settings.

With Background App Refresh enabled, the app periodically fetches updated health data from your selected source (approximately every 15-30 minutes, as managed by iOS). This keeps your dashboard, widgets, and notifications current. All fetched data is stored locally on your device, except for Garmin data which is read from Firebase Firestore.

The widget extension and Apple Watch app display health metric summaries (sleep score, recovery, body battery, strain, etc.) using data shared via the on-device App Group. This data never leaves your device. The widget also checks your subscription status to determine which features to display.

Vitalstat offers optional leaderboard groups where you can compare health metrics with others. Before joining a group, you must provide explicit consent acknowledging that your selected metrics will be shared with group members.

Leaderboard data (group name, your display name, and shared metric scores) is stored in Firebase Firestore and visible to other members of the group. You can leave a group at any time to stop sharing.

Vitalstat offers an optional referral program that lets you share a referral code with others. If you participate, the following data is stored in Firebase Firestore:

• Your unique referral code
• Referral credit balance and redemption history
• Anonymous user IDs of referrer and referred users (no personal information)

No personal information (name, email, or health data) is shared between referrer and referred users. To stop participating, you can simply stop sharing your code. To request deletion of your referral data, contact us at the address below.

We take reasonable measures to protect your data:

• OAuth tokens are stored in the iOS Keychain with device-locked encryption, accessible only when the device is unlocked.
• Garmin tokens and data are stored in Firebase Firestore, protected by Firebase security rules tied to your anonymous authentication.
• API keys are delivered via Firebase Remote Config and are never hardcoded in publicly accessible locations.
• All network communication uses HTTPS/TLS encryption.

We recommend enabling a passcode, Face ID, or Touch ID on your device and keeping your health service credentials private.

We retain your data only for as long as necessary for the purposes described in this policy. The following table summarizes our retention periods:

For Garmin data, you can delete your data yourself at any time using the "Delete My Garmin Data" button in the app's settings, or by disconnecting Garmin (which automatically deletes all stored data). For all other cloud-stored data, contact us at the address below. We will process your request within 30 days.

Vitalstat offers auto-renewing subscriptions that unlock premium features and insights.

Payment is charged to your Apple ID account upon purchase. Subscriptions renew automatically unless canceled at least twenty-four hours before the renewal date. You can manage or cancel your subscription at any time through App Store account settings.

Vitalstat may offer a free trial period for premium features. Trial eligibility and status are tracked locally on your device and via your anonymous Firebase user ID. No additional personal information is collected during the trial. If the trial expires without a subscription, premium features are disabled but no data is deleted.

Vitalstat does not make automated decisions that produce legal effects or similarly significantly affect you within the meaning of Article 22 GDPR. All AI-generated insights, recommendations, health scores, and coaching suggestions are informational only and do not constitute medical advice, diagnoses, or legally binding decisions. You are always free to disregard any recommendation.

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15) — request a copy of any personal data we store about you and information about how it is processed.
• Right to rectification (Art. 16) — request correction of inaccurate personal data we hold about you.
• Right to erasure ("right to be forgotten") (Art. 17) — request deletion of your personal data, including cloud-stored data (email, Garmin data, leaderboard data, referral data, Firebase anonymous ID, and analytics data associated with your account).
• Right to restriction of processing (Art. 18) — request that we limit the processing of your personal data under certain circumstances.
• Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, and machine-readable format, and transmit that data to another controller.
• Right to object (Art. 21) — object to processing based on our legitimate interest, in particular analytics. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds.
• Right to withdraw consent (Art. 7(3)) — withdraw any consent you have given (e.g. for AI features, leaderboard sharing, or email collection) at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Revoke health source access — disconnect any health source at any time in Settings.
• Opt out of analytics — you can limit analytics data collection through iOS Settings > Privacy & Security > Analytics & Improvements.

To exercise any of these rights, contact us at support@vital-stat.com. We will respond to your request within 30 days. There is no fee for exercising your rights.

Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement (Art. 77 GDPR). The supervisory authority responsible for our operations is:

We may update this Privacy Policy as needed. The most recent version will always be available in the app and on our website. Each update will include a clear "Last Updated" date.

For material changes that affect your rights or the scope of data processing, we will notify you via the app or by email (if you have provided one) at least 30 days before the changes take effect.