VitaLog Privacy Policy

Plain-English summary

Your health data is yours. We do not run advertising, embed third-party advertising or analytics SDKs, or share your personal data with advertising networks or data brokers. If you opt into the Research Program, anonymized aggregates may be licensed to academic researchers, contract research organizations, and pharmaceutical sponsors; opt-in only and revocable at any time.

1. Data Controller

The data controller for VitaLog is the operator named on the Imprint (Sweden). For privacy inquiries, contact [email protected].

2. What We Collect

When you create an account, we collect:

Email address
Display name (chosen by you)
A securely hashed password (we never store your plaintext password)

When you use VitaLog, you may choose to store the following health-tracking data:

Compound protocols and dosing logs
Journal entries (weight, mood, notes)
Bloodwork results and biomarker history
Workout sessions and exercise data
Nutrition logs and meal data
Progress photos (only if you opt in to cloud photo sync, see section 2a below)

All of this data is stored against your account only when you are signed in and have enabled cloud sync. Without an account, all data remains solely on your device.

2a. Sensitive / Special-Category Data

We want to be explicit about data types that receive extra protection under the GDPR (EU/UK) and the CPRA (California):

Progress photos: Images of your body may qualify as biometric data under GDPR Art. 9 and sensitive personal information under CPRA §1798.140(ae). We process progress photos only with your explicit, separate opt-in consent (surfaced the first time you upload a photo) and you can withdraw that consent at any time in Settings → Privacy → Photo sync. Withdrawal stops further uploads; previously-uploaded photos remain available to you and can be deleted individually.
Bloodwork & health metrics: Biomarker results and health tracking data are personal information relating to health. We process them under the lawful basis of contract performance (GDPR Art. 6(1)(b)) and, where they constitute health data, your explicit consent (GDPR Art. 9(2)(a)) given when you create an account.

Our photo sync is a zero-knowledge system: photos are encrypted on your device with a 256-bit AES-GCM key before upload. The key is generated on your device and is never transmitted to our servers. This means:

We cannot see, decrypt, or share your photos even if legally compelled to do so. We can only produce the encrypted ciphertext.
If you lose access to all your devices (e.g. reinstall without a prior cross-device sync) before cross-device key roaming becomes available, your uploaded photos will become permanently inaccessible. We recommend keeping local backups until key roaming ships.

Sub-processor for encrypted photo storage: Cloudflare, Inc. (R2 object storage, US). See section 11.

3. How We Use Your Data

Your data is used solely to provide the VitaLog service: storing your health-tracking information, syncing it across your devices, and generating personal analytics visible only to you. We do not share your personal data with advertising networks, data brokers, or marketing platforms, and we do not embed third-party advertising or analytics SDKs in the app or on this site. The opt-in Research Program (Section 4 below) is the only path under which any data derived from your account may be used commercially, and only as anonymized aggregates with k-anonymity ≥ 5.

4. Anonymized Research Data & Licensing

Opt-in only. If, and only if, you affirmatively opt into the Research Program, anonymized aggregate datasets derived from your contributions may be used for population-level research and licensed to academic researchers, contract research organizations (CROs), and pharmaceutical sponsors. The legal basis for this processing is your explicit consent under GDPR Art. 9(2)(a), captured granularly in Settings → Privacy → Research Program. The Research Program is opt-in by default; if you have not enabled it, no data derived from your account leaves the personal-analytics path.

What recipients receive. Aggregate query results only, with k-anonymity ≥ 5 enforced at the query layer. No individual rows, no journal entries, no progress photos, no email addresses, no device identifiers, no location data, and no information capable of re-identifying any participant. Every recipient signs a Data Access Agreement that prohibits re-identification attempts and downstream redistribution.

Withdrawal. You can withdraw at any time via Settings → Privacy → Research Program. Future contributions stop immediately on withdrawal. Past contributions can be excluded from new aggregate queries on request to [email protected] (existing aggregate results delivered to past recipients are not recallable).

Granular categories. Within the Research Program you can independently enable or disable each data category (protocols, bloodwork, training, nutrition, outcomes). Categories you do not enable are excluded from every query, including ones run after you opted in to other categories.

See Research at VitaLog for the public study list and For Researchers for the academic-access process. For California residents: this Research Program path may constitute a "sale" or "share" of personal information under CCPA/CPRA depending on the recipient and purpose; you can decline by not opting in, or withdraw at any time as described above.

5. Data Storage & Security

Your data is stored in encrypted PostgreSQL databases hosted by Neon (neon.tech), a cloud database provider, in the EU region (eu-central-1, Frankfurt). Key security measures:

Passwords are hashed using PBKDF2-SHA256 with 100,000 iterations, never stored in plaintext
All connections use TLS/HTTPS (TLS 1.3 + HSTS preloaded)
Daily encrypted backups are maintained automatically
API access is protected by rate limiting and JWT authentication

Full architecture and sub-processor disclosure: Security & Compliance.

6. International Data Transfers

VitaLog's primary database (Neon) and edge runtime (Cloudflare) are hosted in the EU. Where data is processed by sub-processors located outside the EU/EEA, we rely on the 2021 EU Standard Contractual Clauses (SCCs) and supplemental measures as the legal basis for transfers, in line with the Schrems II requirements. The full sub-processor list is in section 11 and on the public Security & Compliance page.

7. Data Retention

Your data is retained for as long as your account is active. When you delete your account (Settings → Account → Delete Account), all associated personal data is permanently removed within 30 days (the retention window covers our backup snapshots). Anonymized aggregate data may be retained indefinitely.

8. Your Rights

Regardless of your location, you have the following rights over your data:

Access: Export all your data as JSON via Settings → Export
Correction: Edit any entry directly within the app
Deletion: Delete your account and all data via Settings → Account
Portability: Download a machine-readable copy of your data at any time
Objection: Opt out of anonymized research via Settings → Privacy

If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection supervisory authority. We invite you to contact us first at [email protected] so we can address concerns directly, but you are not required to.

If you are in Sweden, the supervisory authority is Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, +46 8 657 61 00, imy.se. IMY accepts complaints in Swedish or English. The complaint form is at imy.se/privatperson/utfora-arenden/lamna-in-klagomal/.

For users in other EEA member states, see the European Data Protection Board's list of national supervisory authorities at edpb.europa.eu/about-edpb/about-edpb/members_en.

9. Legal Basis for Processing (EEA/UK Users)

We process your personal data under the following legal bases:

Contract performance: to provide the VitaLog service you signed up for
Consent: for optional cloud sync and anonymized research (you can withdraw consent at any time)
Legitimate interests: for security monitoring and service improvement

10. Cookies & Local Storage

VitaLog uses three categories of browser storage. We do not use third-party tracking cookies, advertising analytics, or any cross-site identifiers.

Strictly-necessary cookies (set when you sign in to cloud sync). These are required for the service to function and do not require separate consent under the ePrivacy Directive / Sweden's Lag om elektronisk kommunikation:
- vitalog-auth, HttpOnly session token. Carries your authenticated session. Cleared on logout. Not readable by JavaScript.
- vitalog-csrf, anti-CSRF token (a 256-bit random value). Read by your browser to prove the request originated from VitaLog itself. Cleared on logout.
- vitalog-logged-in, a non-sensitive flag readable by JavaScript so the front-end knows you're signed in without making an API call.
Strictly-necessary local storage. The browser's localStorage stores your tracked data on your device, it is required for the offline-first experience and is the primary data store when you are not signed in to cloud sync. No consent banner gates this storage because it is necessary for the service you requested.
Optional / consent-gated processing. Anonymised aggregate research contributions (Settings → Privacy → Research) and error reports (Settings → Privacy → Send error reports) are off by default and only run with your affirmative opt-in.

Granular disclosure of every storage key, including localStorage, sessionStorage, and IndexedDB, is on the dedicated Cookie Policy.

11. Sub-Processors & Third-Party Services

We engage the following sub-processors to operate VitaLog. Each is bound by a Data Processing Agreement that includes the 2021 EU Standard Contractual Clauses (with the UK International Data Transfer Addendum where applicable):

Neon, Inc. (US company, EU region), managed PostgreSQL database. Stores account data, journal entries, bloodwork, protocols, and photo metadata (but not the photo bytes themselves).
Cloudflare, Inc. (US company, EU edge), Workers (API), Pages (web app), R2 (encrypted photo storage), Durable Objects (real-time multi-device sync), KV (rate-limit state). Cloudflare Workers process API requests; R2 stores only client-side-encrypted photo ciphertext; Durable Objects fan out state-update notifications between your own devices (metadata only, no state payload).
Resend, Inc. (US), transactional email delivery (account verification, password reset).
Anthropic, PBC (US), Claude Vision API for bloodwork-image OCR. When you upload a lab-report image to extract values, the image bytes are POSTed to api.anthropic.com for text-extraction only and are not retained by Anthropic past the request lifecycle. SCC + Anthropic Zero-Data-Retention DPA in place. You can decline OCR by entering values manually instead.

The following services are accessed directly by your browser, with no personal data routed through our servers:

USDA FoodData Central: food nutrition lookups (only if you provide your own API key)
OpenStreetMap / OpenFoodFacts: optional map and food search features

For the latest list of sub-processors and a downloadable DPA template, email [email protected]. We notify active users at least 30 days in advance of any sub-processor addition or change.

12. Children & Minors

VitaLog enforces a minimum age of 15 for account creation. Accounts attempted by anyone under 15 are rejected at signup; if discovered after the fact (e.g., through age verification), the account and all associated data are deleted.

Users aged 15 to 17 are admitted but automatically placed in Clean Mode, which removes recovery / TRT / hormone optimisation goals from onboarding and hides protocol fields that aren't age-appropriate. The Clean Mode flag is stamped at signup based on the date of birth you provide and cannot be turned off until you reach 18. Parental or guardian awareness is recommended for users under 18.

The minimum age (15) is stricter than what most EU GDPR implementations allow for digital consent (Sweden's IMY recognises 13+ as the digital age of consent). The stricter floor reflects that VitaLog tracks substances and protocols whose underlying use isn't appropriate for younger teens regardless of consent.

13. Changes

May 6, 2026: Added /research/, /about/researchers/, /about/security/ public references; updated retention & sub-processor links; added /cookies/ as the canonical cookie disclosure.

April 21, 2026: Added progress photo sync (opt-in), biometric-data disclosure (section 2a), sub-processor list (section 11), CPRA notice (section 14), and FTC Health Breach Notification commitment (section 15).

We may update this Privacy Policy. Material changes will be communicated via the app at least 30 days before they take effect. Continued use of the service after changes constitutes acceptance of the updated policy.

14. California Residents, CPRA / CCPA Notice

Do Not Sell or Share My Personal Information

VitaLog does not sell or share personal information for cross-context behavioral advertising. We do not embed advertising or analytics SDKs. We do not transmit personal information to data brokers or marketing platforms.

The opt-in Research Program is the only path under which any data derived from your account may be commercially licensed (anonymized aggregates, k-anonymity ≥ 5, to academic researchers, contract research organizations, and pharmaceutical sponsors). Depending on recipient and purpose, this may constitute a "sale" or "share" under CCPA/CPRA §1798.140(ad)/(ah).

How to opt out / opt in: The Research Program is opt-in by default: if you have not enabled it in Settings → Privacy → Research Program, you are not contributing. To exercise the CPRA right to opt out at any time after enabling, toggle the per-category controls off in the same place, or email [email protected] with the subject line "CPRA opt-out". We will not require account verification beyond what's needed to find your account, and we will respond within 15 business days. We honor Global Privacy Control (GPC) signals as opt-out requests.

If you are a California resident, you have the rights described in section 8 above, plus:

Right to Limit Use of Sensitive Personal Information: You can direct us to limit our use of your sensitive personal information (bloodwork results, progress photos) to only the purposes necessary to provide the VitaLog service. Exercise this right via Settings → Privacy → Limit sensitive data use. We do not share sensitive personal information with advertising networks or data brokers; the only path under which derived data may be commercially used is the opt-in Research Program (anonymized aggregates only, see Section 4).
Notice of Sensitive Personal Information: We collect the following categories of SPI: (a) health information (bloodwork, protocols), (b) biometric/body-image information (progress photos, only if opted in). We use SPI solely to provide the service you requested.
Non-discrimination: We will not deny service, charge a different price, or provide a different level of quality to California residents who exercise their privacy rights.
Response timing: We acknowledge rights requests within 10 business days and respond substantively within 45 calendar days (extendable by 45 days with notice).

15. Security Incident Notification (US)

If we become aware of a breach of security involving your unsecured personal health information, we will notify you without unreasonable delay and within 60 days of discovery, in accordance with the FTC Health Breach Notification Rule (16 CFR Part 318). Encrypted photo ciphertext with keys held only by you is not considered "unsecured" for this purpose.

16. Contact & Complaints

For privacy questions or to exercise your rights, contact us at [email protected] or use the in-app feedback channel in Settings. We aim to respond within 30 days (GDPR) or 45 days (CCPA/CPRA).

EEA/UK users: you have the right to lodge a complaint with your local data protection supervisory authority (Sweden: IMY).

California residents: you may also lodge a complaint with the California Privacy Protection Agency at cppa.ca.gov.