Privacy Policy
Introduction
Welcome to Vital IQ. We understand that your health data is among the most personal information you possess, and we take its protection seriously.
This Privacy Policy describes how [ENTITY_NAME], LLC, a Florida limited liability company, collects, uses, shares, retains, and protects your personal information and health data when you use the Vital IQ mobile application, website, and related services (collectively, the "Service"). It also describes your rights and choices regarding your information.
Vital IQ voluntarily adheres to the privacy and security standards set forth by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), even where not required by law to do so. Our AI processing pipeline operates through Google Cloud's Vertex AI under an active Business Associate Agreement ("BAA") with Google, ensuring that your health data is processed through HIPAA-compliant infrastructure.
We do not sell your health data. We never have and we never will.
This Privacy Policy should be read together with our Terms of Service, Medical Disclaimer, Consumer Health Data Privacy Policy, HIPAA Notice of Privacy Practices, and Cookie Policy.
1. Who We Are
Vital IQ is a health and wellness analytics platform operated by [ENTITY_NAME], LLC, a Florida limited liability company. Vital IQ provides AI-powered analysis of laboratory blood work, wearable health data integration, medication and supplement tracking, health journaling, and related wellness features.
Vital IQ is not a healthcare provider. We are a wellness technology company. We do not provide medical advice, diagnosis, or treatment. For important information about the limitations of our Service, please review our Medical Disclaimer.
Our HIPAA status: Vital IQ voluntarily adopts HIPAA privacy and security standards for the protection of your health data. We maintain a Business Associate Agreement with Google Cloud for our infrastructure and AI processing services. Our voluntary adoption of these standards reflects our commitment to protecting your health data at the highest standard — not a legal obligation as a covered entity. For details on how we handle protected health information, see our HIPAA Notice of Privacy Practices.
Data storage location: All user data is stored on servers physically located within the United States, operated by Google Cloud Platform (Firebase). We do not store your data outside the United States.
2. Eligibility
The Service is intended for use by adults aged 18 and older only. We do not knowingly collect or process personal information or health data from individuals under the age of 18. If you are under 18, you may not use the Service. See Section 12: Children's Privacy for more information.
3. Information We Collect
We collect information in four categories: information you provide directly, information collected from connected platforms, information collected automatically, and information generated by our systems.
3.1 Information You Provide Directly
Account Information
- Name, email address
- Age, biological sex, weight
- Country and language preferences
- Authentication credentials (managed by Firebase Authentication)
Health Questionnaire Responses
- Pre-existing health conditions
- Health goals and priorities
- Lifestyle information provided during onboarding and personalization
Lab Report Uploads
- Laboratory blood work results (PDF, images)
- Provider documents (medical records, clinical notes)
- The biomarker values, laboratory names, dates, and other data contained within these documents
Medication and Supplement Information
- Medication names, dosages, frequencies, and schedules
- Supplement names, dosages, and protocols
- Adherence logs (whether you took medications on a given day)
- Medication photos uploaded for AI identification
Journal Entries and Voice Check-Ins
- Text entries describing symptoms, moods, health observations
- Voice transcripts from the voice check-in feature (processed on-device via speech-to-text, then transmitted as text — we do not store audio recordings)
- Quick log entries (mood, energy, stress, sleep quality, digestive status, cognitive function, soreness, fasting status)
Health Goals
- Goals you set within the Service
- Progress tracking data
Other User-Provided Content
- Lab location ratings and reviews
- Support inquiries
- Feedback and communications with us
3.2 Information from Connected Platforms
Wearable Health Data (with your explicit consent)
When you connect Apple HealthKit (iOS) or Google Health Connect (Android), we may collect:
- Heart rate measurements
- Heart rate variability (HRV)
- Sleep duration and sleep stage data
- Step count
- Blood glucose readings (if available)
- Other biometric data available through these platforms
This data is synced periodically (approximately every 4 hours and daily) via background processes on your device. You control which data types are shared through your device's health platform settings, and you may disconnect at any time.
Important: Wearable health data collected by Vital IQ is wellness data. It is not protected by HIPAA when collected from your consumer device, though we voluntarily apply HIPAA-level protections to it. See our Medical Disclaimer for limitations of wearable data.
Payment Platforms
We receive limited information from our payment processors:
- RevenueCat: Subscription status, entitlements, transaction identifiers. RevenueCat does not send us your payment card details.
- Stripe: Payment confirmation status, transaction identifiers for one-time purchases. Stripe does not send us your full payment card number.
We do not store credit card numbers, bank account numbers, or other financial account details in our systems.
3.3 Information Collected Automatically
Device and Usage Information
- Device model, operating system, and version
- App version and build number
- General usage analytics (features accessed, session duration) via Firebase Analytics (Google Analytics 4)
- Crash reports and error logs via Firebase Crashlytics
- Push notification tokens (Firebase Cloud Messaging)
Location Information
- Approximate location (when you use the lab/health resource finder feature, with your permission)
- Precise GPS location (when you register a gym for the Workout Tracking feature, with your explicit consent), used to define a geofence around your registered gym location for automated workout session detection
- We do not build persistent location profiles, share your location data with third parties for advertising, or use geofencing near healthcare facilities
Workout Location Tracking (Geofencing)
If you choose to enable the Workout Tracking feature:
- You must explicitly grant permission and review and accept a geofencing-specific consent screen before any location data is used for this purpose
- We collect your gym's precise coordinates at registration to define a geofence (a virtual boundary around your gym). This is stored as latitude/longitude coordinates associated with your account.
- We detect entry and exit from that geofence to automatically log workout sessions. Location data is processed locally on your device; only the workout event (start time, end time, duration) is stored on our servers — not a continuous location stream.
- Your geofencing consent can be revoked at any time in Settings. Revoking consent stops all geofence monitoring. Deleting a gym removes its geofence.
- The Workout Tracking feature is not available in all states. In states where applicable consumer health data privacy laws impose restrictions on location-based health data collection, the feature is restricted or unavailable (see our Consumer Health Data Privacy Policy).
- We do not use workout location data to infer health conditions, share it with advertisers, or use it for any purpose other than calculating workout sessions and recovery context within the app.
3.4 Information Generated by Our Systems
AI-Generated Health Insights
- Biomarker interpretations and analysis
- Biological age calculations (PhenoAge, Klemera-Doubal Method, Homeostatic Dysregulation)
- Health scores and projected health scores
- Correlation insights (patterns detected across your health data)
- Daily health briefings
- Personalized recommendations and contextual questions
- AI Health Companion chat responses
- Journal topic tags and sentiment analysis
Behavioral Signals (used to personalize your experience)
- Feature usage patterns (e.g., which finder categories you use most)
- Engagement classification (to tailor notifications and content)
- These signals are used internally to improve your experience and are not shared with third parties
4. How We Use Your Information
We use your information for the following purposes:
4.1 Providing and Operating the Service
- Processing and analyzing your uploaded lab reports through our AI pipeline
- Calculating biological age and health scores
- Generating personalized biomarker interpretations with your health context
- Tracking your medications and supplements, including interaction checking
- Syncing and displaying your wearable health data
- Generating daily health briefings and correlation insights
- Powering the AI Health Companion
- Processing your journal entries and voice check-ins
- Facilitating doctor visit preparation features
- Processing your subscription and payments
4.2 Personalization
- Tailoring health insights based on your conditions, medications, and history
- Generating contextual follow-up questions about your biomarker results
- Personalizing engagement content and notification timing
- Ordering health resource categories based on your usage patterns
- Re-analyzing biomarker results when your health context changes
4.3 Safety and Security
- Detecting wellness concerns in journal entries to display appropriate support resources (this processing is handled with strict privacy protections — see Section 6.4)
- Detecting anomalous account access patterns
- Enforcing rate limits and abuse prevention
- Securing your account through authentication and optional biometric verification
4.4 Service Improvement
- Analyzing de-identified, aggregated data to identify emerging health topics and improve our AI models
- Quality assurance auditing of AI-generated outputs (using independent audit agents)
- Monitoring system performance and reliability
- Identifying and resolving technical issues
4.5 Communications
- Sending you service-related notifications (report completion, medication reminders, subscription status)
- Sending you health check-in reminders and daily briefings (per your notification preferences)
- Responding to your support inquiries
- With your separate marketing consent, sending you promotional communications about Vital IQ (see Section 13)
4.6 Legal and Compliance
- Complying with applicable laws, regulations, and legal processes
- Enforcing our Terms of Service
- Responding to lawful data requests from government authorities
- Generating compliance evidence and audit reports
5. How We Share Your Information
5.1 We Do Not Sell Your Health Data
We do not sell, rent, lease, or trade your Consumer Health Data, health information, medical information, biomarker results, medication data, journal entries, wearable data, AI-generated health insights, or any other health-related information to any third party, for any purpose, under any circumstances.
We do not share your health data with advertisers, data brokers, or marketing companies.
5.2 Contact Information and Marketing
With your separate, explicit marketing consent, we may use your name and email address to send you promotional communications about Vital IQ's products and services. You may opt out of marketing communications at any time (see Section 13). We do not sell your contact information to third parties for their own marketing purposes.
5.3 Service Providers (Data Processors)
We share information with the following categories of service providers, strictly for the purpose of operating the Service. Each service provider is bound by contractual obligations to protect your data and use it only as directed by us.
AI Processing
| Provider | Data Shared | Purpose | Agreement |
|---|---|---|---|
| Anthropic (via Google Vertex AI) | Lab report content, health context (medications, conditions, wearable data, journal entries — stripped of wellness-flagged content), user questionnaire answers | AI-powered biomarker extraction, interpretation, personalization, companion chat, journal analysis, medication parsing | Google BAA covers Vertex AI processing |
Important: When your health data is processed by AI:
- Data is transmitted encrypted via TLS
- AI providers do not retain your data after processing your request
- AI providers do not use your data to train their models
- Processing occurs through HIPAA-compliant infrastructure under our Google BAA
Cloud Infrastructure
| Provider | Data Shared | Purpose | Agreement |
|---|---|---|---|
| Google Cloud Platform / Firebase | All user data (stored in Firestore, Cloud Storage) | Database, file storage, authentication, cloud functions, analytics, crash reporting, push notifications, remote configuration | Google BAA active |
| Google Document AI | Uploaded provider documents | Optical character recognition (OCR) text extraction | Covered under Google BAA |
| Google Cloud Tasks | Pipeline job metadata | Asynchronous task orchestration | Covered under Google BAA |
Payments
| Provider | Data Shared | Purpose | Agreement |
|---|---|---|---|
| RevenueCat | User identifier, subscription events | Subscription lifecycle management | No health data shared |
| Stripe | User identifier, payment amounts | One-time payment processing | PCI-DSS compliant; no health data shared |
Communications
| Provider | Data Shared | Purpose | Agreement |
|---|---|---|---|
| SendGrid | Email addresses, non-health notification content | Email delivery (reminders, alerts, admin digests) | No protected health information transmitted via email |
Monitoring
| Provider | Data Shared | Purpose | Agreement |
|---|---|---|---|
| Better Stack | System status data only | Uptime monitoring | No user data shared |
Health Platform APIs (user-initiated, on-device)
| Provider | Data Shared | Purpose | Agreement |
|---|---|---|---|
| Apple HealthKit | Read-only access to health metrics you authorize | Wearable data sync | On-device processing; governed by Apple's privacy policies |
| Google Health Connect | Read-only access to health metrics you authorize | Wearable data sync | On-device processing; governed by Google's privacy policies |
External Data APIs (no user data transmitted)
| Provider | Data Shared | Purpose | Agreement |
|---|---|---|---|
| OpenFDA | Drug name queries only (no user identifiers) | Medication information lookup | Public API; no user data sent |
| Google Places | Location-based search queries | Health resource finder | No health data sent; only location and search terms |
5.4 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal process, including:
- Court orders, subpoenas, or warrants
- Requests from law enforcement or government agencies as required by applicable law
- To protect the rights, property, or safety of Vital IQ, our users, or the public
Our commitment: We will evaluate every legal request we receive for validity and scope. When legally permitted, we will notify you before disclosing your information in response to legal process. We will oppose requests we believe are overly broad, vague, or otherwise improper. We will not voluntarily provide user health data to law enforcement absent a valid legal requirement.
5.5 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your information.
5.6 De-Identified and Aggregated Data
We may use and share de-identified, aggregated data that cannot reasonably be used to identify you. For example, we may analyze aggregate trends in biomarker results across our user population to improve our Service. Our de-identification practices follow HIPAA Safe Harbor standards, removing all 18 categories of identifiers specified by HIPAA. We contractually prohibit any recipient of de-identified data from attempting to re-identify individuals.
5.7 With Your Consent
We may share your information in ways not described in this Privacy Policy if we have obtained your specific, informed consent to do so.
6. AI Processing and Transparency
Vital IQ relies on artificial intelligence to deliver its core features. We believe you have a right to understand how AI processes your data.
6.1 AI Models and Their Purposes
We use a three-tier AI architecture designed around the principle of minimum necessary access — each task uses the least powerful (and least data-intensive) model appropriate for the job:
Tier 1 — Lightweight Processing (Claude Haiku)
Used for: Document type classification, daily health briefings, journal prompts, journal topic tagging, voice check-in extraction, supplement stack parsing, routine companion chat responses.
These tasks require less data context and are processed by a smaller, faster model.
Tier 2 — Standard Processing (Claude Sonnet)
Used for: Biomarker extraction from lab reports, reference range standardization, result interpretation with your full health context, personalized follow-up questions, medication label parsing, complex companion chat responses.
These tasks require your broader health context for accuracy.
Tier 3 — Audit Processing (Claude Opus)
Used for: Independent quality verification of extraction, classification, and interpretation results.
These audit agents review AI outputs for accuracy and safety, operating as an independent check.
6.2 What Data Is Sent to AI
When your data is processed by AI, the following information may be included depending on the specific task:
- Lab report content (biomarker names, values, units, reference ranges)
- Active medications and supplements (names, dosages)
- Health conditions (from your onboarding questionnaire)
- Recent wearable data (heart rate trends, sleep patterns, HRV)
- Recent journal entries (with safety protections — see Section 6.4)
- Your age, biological sex, and weight (for reference range calibration)
- Previous biomarker results (for trend analysis)
6.3 What Is NOT Sent to AI
- Your name, email address, or account credentials
- Your payment information
- Your device identifiers
- Your location data
- Your push notification tokens
- Content from journal entries flagged for wellness concerns (see Section 6.4)
6.4 Wellness Alert Safety Rails
Vital IQ's journal feature includes automated detection of language that may indicate a user is experiencing a mental health crisis. This detection operates with strict privacy protections:
- If a journal entry is flagged for wellness concerns, the text content of that entry is excluded from all AI processing contexts (health interpretations, daily briefings, companion context, doctor visit reports)
- Flagged entries are never included in aggregate analytics or de-identified data sets
- The wellness flag is never displayed to you in the app's "Detected Patterns" interface — it is used solely to trigger the display of wellness and crisis resources
- The only visible effect is the presentation of crisis support resources (such as the 988 Suicide and Crisis Lifeline) when appropriate
- No human at Vital IQ reviews individually flagged entries; the process is fully automated
6.5 AI Data Retention by Providers
Our AI provider (Anthropic, accessed through Google Vertex AI) processes your data in real-time and does not retain your input data or generated outputs after completing each request. Your data is not used to train AI models. This is contractually guaranteed through our infrastructure agreements.
7. Data Security
We implement comprehensive security measures to protect your information:
7.1 Encryption
- In transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security)
- At rest: All data stored in our database (Cloud Firestore) and file storage (Cloud Storage) is encrypted at rest using AES-256 encryption, managed by Google Cloud Platform
- Sensitive local storage: Authentication tokens and credentials stored on your device are encrypted using platform-native secure storage (iOS Keychain, Android Keystore)
7.2 Access Controls
- Administrative access to user data is restricted to authorized personnel with a documented need
- Admin functions are role-gated (requiring role: admin designation)
- All administrative access is logged in an immutable audit trail
- Automated anomaly detection monitors for unusual access patterns
7.3 Infrastructure Security
- Our infrastructure runs entirely on Google Cloud Platform, which maintains SOC 1/2/3, ISO 27001, HIPAA, and FedRAMP certifications
- Cloud Functions execute in isolated, stateless environments
- Firestore security rules enforce document-level access control (users can only access their own data)
- Storage security rules restrict file access to authenticated document owners
7.4 Monitoring and Incident Response
- Automated system health monitoring runs continuously (including 5-minute status polling and 30-minute functional health checks)
- Scheduled anomaly detection scans for unusual account access patterns
- Incident response infrastructure includes automated containment capabilities, forensic snapshot tools, and notification generation
- See our HIPAA Notice for our breach notification procedures
7.5 Vendor Security
- All service providers processing health data operate under contractual data protection obligations
- Google Cloud Platform operates under an active Business Associate Agreement
- Email communications (SendGrid) are structured to contain no protected health information
- Payment processors (Stripe, RevenueCat) are PCI-DSS compliant and do not receive health data
8. Data Retention and Deletion
8.1 Active Account Data
While your account is active, we retain your data to provide the Service. Specific retention periods:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of active account |
| Lab reports and biomarker results | Duration of active account |
| Medication records | Duration of active account |
| Journal entries | Duration of active account |
| Wearable health snapshots | Duration of active account |
| AI companion chat sessions | Duration of active account |
| Notification history | Automatically cleaned after expiration |
| Analytics and engagement data | Aggregated: daily (90 days), weekly (1 year), monthly (indefinite while account active) |
| Audit logs | Per compliance retention schedule |
| Consent records | Duration of active account plus legally required retention period |
8.2 Account Deletion
When you request account deletion (available in the app under Settings, or by contacting us):
- All personal data, health data, reports, medications, journal entries, wearable data, companion sessions, and AI-generated insights are permanently deleted
- Lab reviews are anonymized (disassociated from your identity)
- RevenueCat subscription records and Firebase Authentication records are deleted
- Deletion is cascading and comprehensive
- We aim to complete deletion within 30 days of your verified request
- Certain data may be retained beyond 30 days only where required by law (e.g., financial transaction records for tax compliance, audit logs for regulatory compliance)
- We will notify our service providers to delete your data from their systems as required
8.3 Inactive Accounts
Our data retention policy includes provisions for inactive accounts. If your account becomes inactive (no login activity for an extended period) and your subscription has expired, we may initiate a data retention process that includes notification before any data action is taken. You will always be given the opportunity to reactivate your account before data is affected.
8.4 Reports Stuck in Processing
Lab reports that become stuck in our processing pipeline for more than 30 minutes are automatically marked as failed, and any credits deducted for that upload are refunded to your account. The uploaded file is retained for your re-upload convenience but can be deleted upon request.
9. Your Rights and Choices
Regardless of where you live, Vital IQ provides all users with the following rights:
9.1 Right to Access
You have the right to access the personal information and health data we hold about you. You can:
- View most of your data directly within the app (reports, medications, journal entries, wearable data, companion sessions)
- Request a comprehensive data export (available in the app under Settings), which generates a downloadable file containing all of your data
- Request a list of the categories of third parties with whom we have shared your data
9.2 Right to Correction
You have the right to request correction of inaccurate personal information. You can update most account information directly in the app. For corrections to data that cannot be edited in-app, contact us using the information in Section 16.
9.3 Right to Deletion
You have the right to request deletion of your personal information and health data. You can:
- Delete individual items within the app (journal entries, medications, etc.)
- Request full account deletion (see Section 8.2)
- We will process deletion requests within 30 days
9.4 Right to Data Portability
You have the right to receive a copy of your data in a structured, commonly used, machine-readable format. Our data export feature provides your data in JSON format.
9.5 Right to Withdraw Consent
Where we process your data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before withdrawal. You can manage your consents in the app under Settings > Privacy.
Specifically, you may withdraw:
- Health data collection consent: This will prevent the collection of new health data but will not delete previously collected data (use your deletion right for that)
- Health data sharing consent: This will prevent your health data from being sent to AI processors for analysis, which means features like lab report interpretation, companion chat, and daily briefings will not function
- Wearable data sync consent: This will stop the sync of health data from Apple HealthKit or Google Health Connect
- Marketing consent: This will stop promotional communications (see Section 13)
9.6 Right to Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. You will not receive a different level of service, different pricing, or reduced quality for exercising your rights under this policy or any applicable privacy law.
9.7 How to Exercise Your Rights
You may exercise your rights by:
- Using the self-service features in the app (Settings > Privacy)
- Emailing us at [PRIVACY_EMAIL]
- Writing to us at the address in Section 16
We will verify your identity before processing any rights request. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). If we need additional time, we will notify you of the extension and the reason.
10. State-Specific Privacy Rights
10.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share your information.
Right to Delete: You may request deletion of your personal information, subject to certain exceptions permitted by law.
Right to Correct: You may request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Because we do not engage in these activities, there is no need to opt out, but we honor any opt-out signals we receive, including Global Privacy Control (GPC) browser signals.
Right to Limit Use of Sensitive Personal Information: Your health data is sensitive personal information under CCPA/CPRA. We use sensitive personal information only to provide the Service you requested and for the purposes disclosed in this Privacy Policy. You may request that we limit our use of sensitive personal information to these purposes.
Categories collected in the preceding 12 months: Identifiers (name, email), health information (biomarkers, medications, journal entries, wearable data), biometric information (heart rate, HRV from wearables), geolocation (approximate, for finder feature), internet activity information (usage analytics), and inferences (AI-generated health insights, engagement profiles).
Financial incentives: We do not offer financial incentives or price differences based on your personal information.
Authorized agents: You may designate an authorized agent to make requests on your behalf. We will require verification of the agent's authority and your identity.
Do Not Sell or Share My Personal Information: As stated above, we do not sell or share your personal information. For questions or to exercise your rights, contact us at [PRIVACY_EMAIL].
10.2 Washington Residents
If you are a Washington resident, please see our separate Consumer Health Data Privacy Policy, which provides the disclosures required by Washington's My Health My Data Act. That document is maintained as a standalone policy as required by the Act.
Your additional rights under Washington law include:
- Right to confirm whether we are collecting or sharing your Consumer Health Data
- Right to access your Consumer Health Data
- Right to delete your Consumer Health Data (including from archives and backups), with completion within 30 days
- Right to withdraw consent for collection and/or sharing of your Consumer Health Data
- Right to a list of all third parties and affiliates who have received your Consumer Health Data
10.3 Nevada Residents
If you are a Nevada resident, you have the right to opt out of the sale of your covered information under Nevada SB 370. We do not sell your covered information or consumer health data. For questions, contact us at [PRIVACY_EMAIL].
10.4 Florida Residents
Under Florida law (Florida Information Protection Act, as amended by SB 262):
- We will not sell your sensitive data (including mental or physical health diagnosis data) without your prior consent
- We do not process sensitive data of individuals under 18
- In the event of a data breach affecting your personal information, we will notify you within 30 days of determination of the breach, as required by Florida law
10.5 Connecticut Residents
If you are a Connecticut resident, you have the right to access, correct, delete, and obtain a copy of your personal data. Health data is considered sensitive data under the Connecticut Data Privacy Act, and we obtain your consent before processing it.
10.6 Colorado, Virginia, Oregon, Texas, Montana, Indiana, Kentucky, Rhode Island, and Other States with Comprehensive Privacy Laws
If you reside in a state with a comprehensive privacy law that treats health data as sensitive personal information, we honor the rights provided by your state's law, including rights to access, delete, correct, and opt out of certain processing activities. We obtain consent before processing your health data as required by applicable law. To exercise your rights, contact us at [PRIVACY_EMAIL].
11. International Users
11.1 Brazil (Lei Geral de Proteção de Dados — LGPD)
If you are a resident of Brazil, the following additional provisions apply:
Legal basis for processing: We process your personal data based on your consent, which you provide when creating your account and accepting our terms. For health data (dados sensíveis), we obtain your explicit, specific, and informed consent.
Your rights under LGPD: You have the right to confirmation of data processing, access to your data, correction of inaccurate data, anonymization or blocking of unnecessary data, data portability, deletion of data processed with consent, information about shared data, information about the possibility of denying consent and its consequences, and revocation of consent.
Data Protection Officer: For inquiries related to LGPD compliance, contact our designated representative at [PRIVACY_EMAIL].
International data transfer: Your data is stored in the United States. By using the Service, you consent to the transfer of your data to the United States, where data protection laws may differ from those in Brazil. We apply safeguards consistent with LGPD requirements to protect your data regardless of where it is processed.
11.2 Colombia (Ley 1581 de 2012)
If you are a resident of Colombia, we process your personal data in accordance with Colombian data protection law. Your health data is treated as sensitive data (dato sensible), and we obtain your explicit authorization before processing it. You have rights of access, correction, deletion, and revocation of authorization. Contact us at [PRIVACY_EMAIL] to exercise your rights.
11.3 Argentina (Ley 25.326 — Protección de Datos Personales)
If you are a resident of Argentina, we process your personal data in accordance with Argentine data protection law. Health data is treated as sensitive data, requiring your explicit consent. You have rights of access, rectification, suppression, and confidentiality. Contact us at [PRIVACY_EMAIL] to exercise your rights.
11.4 Chile (Ley 19.628 sobre Protección de la Vida Privada)
If you are a resident of Chile, we process your personal data in accordance with Chilean data protection law. You have the right to access, modify, cancel, and block your personal data. Health data requires your express consent for processing. Contact us at [PRIVACY_EMAIL] to exercise your rights.
11.5 Mexico (Ley Federal de Protección de Datos Personales — LFPDPPP)
If you are a resident of Mexico, we process your personal data in accordance with Mexican data protection law. Health data is classified as sensitive personal data requiring your express written consent. You have ARCO rights (Access, Rectification, Cancellation, and Opposition). Contact us at [PRIVACY_EMAIL] to exercise your rights.
12. Children's Privacy
Vital IQ is not directed to individuals under the age of 18. We do not knowingly collect personal information or health data from children under 18. We do not have a version of the Service designed for children.
If we become aware that we have collected information from an individual under 18, we will take immediate steps to delete that information from our systems. If you believe a child under 18 has provided us with personal information, please contact us at [PRIVACY_EMAIL].
Our age requirement of 18+ is enforced through our Terms of Service. By creating an account, you represent and warrant that you are at least 18 years of age.
13. Marketing Communications
13.1 Service Communications (Non-Marketing)
We will send you communications necessary to operate the Service, including report processing notifications, medication reminders, subscription status updates, security alerts, and required legal notices. These are transactional communications, not marketing, and you cannot opt out of them while maintaining an active account.
13.2 Marketing Communications (Opt-In Only)
We will only send you promotional or marketing communications about Vital IQ if you have given us your separate, explicit consent to do so. Marketing communications may include information about new features, special offers, or Vital IQ news.
What we use for marketing: Your name and email address only. We never include or reference your health data, biomarker results, medication information, or any health-related information in marketing communications.
How to opt out: You may withdraw your marketing consent at any time by:
- Using the unsubscribe link in any marketing email
- Adjusting your notification preferences in the app (Settings > Notifications)
- Contacting us at [PRIVACY_EMAIL]
Opt-out requests for marketing communications will be processed promptly. Opting out of marketing will not affect your receipt of transactional service communications.
13.3 What We Do NOT Do
- We do not sell, rent, or share your contact information with third parties for their marketing purposes
- We do not use your health data to target marketing communications
- We do not share your health data with advertisers
- We do not display third-party advertisements within the Service
14. Third-Party Links and Services
The Service may contain links to third-party websites or services (such as lab websites, health resource providers, or app store pages). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through or in connection with Vital IQ.
When you connect third-party services (such as Apple HealthKit or Google Health Connect), your use of those services is governed by their respective privacy policies in addition to ours.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable laws. When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you through the Service (such as an in-app notification or banner)
- For significant changes affecting how we use your health data, we may require you to review and accept the updated policy before continuing to use the Service
- Previous versions of this Privacy Policy are maintained in our records and available upon request
We encourage you to review this Privacy Policy periodically.
16. Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how we handle your data, please contact us:
[ENTITY_NAME], LLC
Attn: Privacy Officer
[ADDRESS_LINE_1]
[CITY], Florida [ZIP]
Email: [PRIVACY_EMAIL]
For privacy rights requests: [PRIVACY_EMAIL]
Response time: We will acknowledge receipt of your inquiry within 5 business days and provide a substantive response within 30 days (or within the timeframe required by applicable law in your jurisdiction).
If you are not satisfied with our response to your privacy concern, you may have the right to lodge a complaint with a supervisory authority in your jurisdiction.
This Privacy Policy is part of Vital IQ's legal documentation, which also includes our Terms of Service, Medical Disclaimer, Consumer Health Data Privacy Policy, HIPAA Notice of Privacy Practices, and Cookie Policy.