Privacy Policy
Effective Date: February 1, 2026 · Last Updated: February 1, 2026
1. Introduction
VitaDash ("we," "us," or "our") operates the website and application located at vitadash.app (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using VitaDash, you agree to the practices described in this policy.
2. Information We Collect
We collect the following categories of information:
2.1 Account Information
When you create an account, we collect your name, email address, and authentication credentials. If you sign up through a third-party provider (e.g., Google), we receive basic profile information from that provider.
2.2 Health & Biomarker Data
When you upload blood test results (PDFs, images, CSV, or Excel files), we process and store the extracted biomarker values, test dates, reference ranges, and any associated metadata. This data is considered sensitive personal information.
2.3 Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, browser type, device information, IP address, and referring URLs.
2.4 Payment Information
When you subscribe to a paid plan, payment details (credit card number, billing address) are collected and processed directly by our payment processor, Stripe. We do not store your full payment card details on our servers.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service, including biomarker tracking, biological age calculation, and AI-powered insights.
- Process your uploaded lab results and generate personalized health analytics and supplement recommendations.
- Process payments and manage your subscription.
- Send transactional emails (account confirmation, password resets, billing notifications).
- Respond to your inquiries and provide customer support.
- Analyze usage patterns to improve the user experience and develop new features.
- Detect, prevent, and address fraud, abuse, or technical issues.
4. Third-Party Service Providers
We share data with the following third-party providers solely to operate and improve the Service:
- Supabase — Provides our database, authentication, and file storage infrastructure. Your account data, biomarker records, and uploaded files are stored in Supabase with row-level security enabled. Supabase processes data in accordance with their privacy policy and applicable data protection regulations.
- Stripe — Processes all subscription payments. Stripe receives your payment card details, billing address, and email to complete transactions. VitaDash does not have access to your full card number. Stripe is PCI DSS Level 1 certified.
- Anthropic — Powers our AI features, including biomarker extraction from uploaded files, health insights, and the AI health assistant. When you use these features, relevant data (e.g., uploaded file contents, biomarker context) is sent to Anthropic's API for processing. Anthropic does not use your data to train its models.
We do not sell, rent, or trade your personal or health data to any third party for marketing or advertising purposes.
5. Cookies & Tracking Technologies
We use cookies and similar technologies for the following purposes:
- Essential Cookies — Required for authentication, session management, and security. These cannot be disabled.
- Analytics Cookies — Help us understand how visitors interact with the Service so we can improve functionality and performance. You may opt out of analytics cookies through your browser settings.
We do not use third-party advertising cookies or tracking pixels.
6. Data Storage & Security
Your data is stored in secure, encrypted databases hosted by Supabase. We implement the following security measures:
- Encryption in transit (TLS/SSL) and at rest for all stored data.
- Row-level security (RLS) policies ensuring users can only access their own data.
- Secure authentication with hashed passwords and support for multi-factor authentication.
- Regular security reviews and dependency auditing.
While we take reasonable steps to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.
7. Data Retention
We retain your personal and health data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your personal data, biomarker records, and uploaded files within 30 days. Certain data may be retained longer if required by law or for legitimate business purposes (e.g., billing records, fraud prevention).
8. Your Rights
You have the following rights regarding your personal data:
- Access & Export — You can view all your data within the Service at any time. You may export your biomarker data and account information in a machine-readable format from your account settings.
- Correction — You can update or correct your account information and biomarker records directly within the Service.
- Deletion — You can request deletion of your account and all associated data from your account settings or by contacting us at privacy@vitadash.app. We will process deletion requests within 30 days.
- Data Portability — You may request a copy of all personal data we hold about you in a structured, commonly used format.
- Withdraw Consent — Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
9. GDPR Compliance (European Economic Area Users)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following additional provisions apply:
- Legal Basis for Processing — We process your personal data based on: (a) your consent (e.g., when you upload health data); (b) performance of a contract (e.g., providing the Service); (c) compliance with legal obligations; or (d) our legitimate interests (e.g., improving the Service, preventing fraud), provided these do not override your rights.
- International Transfers — Your data may be transferred to and processed in countries outside the EEA. Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
- Right to Lodge a Complaint — You have the right to lodge a complaint with your local data protection authority if you believe your data has been processed unlawfully.
10. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete that information promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last Updated" date and, where appropriate, by sending you an email notification. Your continued use of the Service after such changes constitutes your acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise any of your rights, please contact us at:
VitaDash
Email: privacy@vitadash.app
Website: https://vitadash.app/contact