VITALOG

Privacy Policy

Effective: March 25, 2026

Your health data is yours. We do not sell it, share it for marketing, or use it to identify you in anonymized research without your consent.

1. Data Controller

The data controller for VitaLog is [LEGAL ENTITY NAME], located at [ADDRESS]. For privacy inquiries, contact [CONTACT_EMAIL].

2. What We Collect

When you create an account, we collect:

Email address
Display name (chosen by you)
A securely hashed password (we never store your plaintext password)

When you use VitaLog, you may choose to store the following health-tracking data:

Compound protocols and dosing logs
Journal entries (weight, mood, notes)
Bloodwork results and biomarker history
Workout sessions and exercise data
Nutrition logs and meal data

All of this data is stored against your account only when you are signed in and have enabled cloud sync. Without an account, all data remains solely on your device.

3. How We Use Your Data

Your data is used solely to provide the VitaLog service: storing your health-tracking information, syncing it across your devices, and generating personal analytics visible only to you. We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Anonymized Research Data

We may use anonymized, aggregated data (with no personally identifiable information) for population-level research and to improve the service. No individual can be identified from this data. You can opt out of anonymized data contributions at any time via Settings → Privacy.

5. Data Storage & Security

Your data is stored in encrypted PostgreSQL databases hosted by Neon (neon.tech), a cloud database provider. Key security measures:

Passwords are hashed using PBKDF2 with 100,000 iterations — never stored in plaintext
All connections use TLS/HTTPS
Daily encrypted backups are maintained automatically
API access is protected by rate limiting and JWT authentication

6. International Data Transfers

VitaLog's infrastructure is primarily hosted in the United States. If you are located in the European Economic Area (EEA) or United Kingdom, your data is transferred to and processed in the US. We rely on [TRANSFER MECHANISM — e.g. Standard Contractual Clauses] as the legal basis for these transfers.

7. Data Retention

Your data is retained for as long as your account is active. When you delete your account (Settings → Account → Delete Account), all associated personal data is permanently removed within 30 days. Anonymized aggregate data may be retained indefinitely.

8. Your Rights

Regardless of your location, you have the following rights over your data:

Access — Export all your data as JSON via Settings → Export
Correction — Edit any entry directly within the app
Deletion — Delete your account and all data via Settings → Account
Portability — Download a machine-readable copy of your data at any time
Objection — Opt out of anonymized research via Settings → Privacy

If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection supervisory authority.

9. Legal Basis for Processing (EEA/UK Users)

We process your personal data under the following legal bases:

Contract performance — to provide the VitaLog service you signed up for
Consent — for optional cloud sync and anonymized research (you can withdraw consent at any time)
Legitimate interests — for security monitoring and service improvement

10. Cookies & Local Storage

VitaLog uses browser localStorage to store your data locally for offline access. We do not use third-party tracking cookies or advertising analytics. No cookies are set by VitaLog.

11. Third-Party Services

VitaLog may connect to the following external services, none of which receive your personal data:

USDA FoodData Central — for food nutrition lookups (only if you provide your own API key)
OpenStreetMap / OpenFoodFacts — for optional map and food search features

12. Children

VitaLog is not intended for anyone under 18 years of age. We do not knowingly collect data from minors.

13. Changes

We may update this Privacy Policy. Material changes will be communicated via the app. Continued use of the service after changes constitutes acceptance of the updated policy.

14. Contact & Complaints

For privacy questions or to exercise your rights, contact us at [CONTACT_EMAIL] or use the in-app feedback channel in Settings. We aim to respond within 30 days.