Privacy

Last updated : 3rd July 2026

PRIVACY POLICY
Updated: July 2026
Vita OS Ltd (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy
explains how we collect, use, and protect your personal information when you use our
website and app (together, the “Service”).
By using the Service, you confirm that you have read and understood this Privacy Policy.

  1. Who we are
    Company name: Vita OS Ltd
    Company number: 16629540
    Registered office: 20 Wenlock Road, London, England, N1 7GU
    ICO registration number: ZC106524
    Vita OS Ltd is the data controller responsible for your personal information.

  2. Key definitions
    Personal Data: information that relates to an identified or identifiable individual
    Special Category Data: sensitive personal data (including health related data) requiring
    additional protection under UK GDPR
    Service: our website, app, and related services
    You/User: any individual who accesses or uses the Service

  3. Information we collect
    3.1 Information you provide
    We may collect:
    • Name or username
    • Email address
    • Phone number
    • Delivery and billing address
    • Account credentials
    • Customer support communications
    • Health and lifestyle information you choose to provide (such as goals, preferences,
    nutrition, training, sleep, recovery, stress and wellbeing inputs)
    3.2 Information we collect automatically
    We collect limited data automatically, including:
    • Usage data (pages/screens viewed, feature usage, session activity)
    • IP address and device information
    • Approximate location inferred from IP address
    • Cookie and similar technology data (where applicable)
    We do not collect precise GPS location unless we clearly ask for it.

3.3 Payments
Payments are processed by Stripe. We do not store full payment card details. Stripe
processes payment data in accordance with its own privacy policy.
3.4 Connected devices and wearables
You can choose to connect a wearable device or health platform to the Service (for example
a Fitbit connected through the Google Health API, and in future Apple Health or Garmin).
This is entirely optional.
If you connect a device, we receive health and fitness data from the relevant platform with
your permission. Depending on your device, this may include:
• Steps, distance and floors climbed
• Calories burned and active minutes
• Heart rate data, including resting heart rate
• Sleep duration and sleep patterns
• Recorded exercise sessions (such as runs)
Our access is read only. We can never change, add to, or delete anything on your device or
in your device account.
We use this data solely to display your metrics within the Service and to personalise your
plans, targets and recovery guidance. We do not use it for advertising, we do not sell it, and
we do not share it with third parties except with the service providers who host and operate
the Service as described in this Policy.
You can disconnect a device at any time in the app (Settings, then Devices). Disconnecting
stops all further collection immediately.
4. How we use your information
We use your personal data to:
• Create and manage your account
• Provide the Service and generate personalised outputs (such as meal plans, workouts,
and tracking insights)
• Display and analyse data from wearables you choose to connect, and use it to
personalise your plans
• Process purchases and deliver care packages
• Provide customer support
• Improve and maintain the Service (including analytics and troubleshooting)
• Protect the Service from fraud, misuse, and security risks
• Send service related communications
• Send marketing communications where permitted
• Comply with legal obligations
Some features of the Service involve automated processing, including artificial intelligence
systems, to generate personalised recommendations and insights based on the information
you provide and the data from any device you connect. This does not involve solely
automated decision making that produces legal or similarly significant effects.
5. Legal bases for processing
We rely on the following legal bases under UK GDPR:

• Contract: where processing is necessary to provide the Service
• Legitimate interests: for improving the Service, analytics, and security, where your
rights do not override those interests
• Consent: where required (for example, marketing, non essential cookies, and
connecting a wearable device)
• Legal obligation: where required by law
• Vital interests: in rare circumstances to protect life
6. Health and lifestyle data (special category data)
Some information you provide, and data received from connected devices (such as health,
wellbeing, or lifestyle data), may constitute special category data.
We process this data solely to provide personalised features within the Service.
Where required, we rely on your explicit consent to process this data. For connected
devices, you give this consent through the device platform’s permission screen when you
connect. You may withdraw your consent at any time, including by disconnecting your
device, although this may limit your ability to use certain features.
We do not use special category data for advertising or marketing purposes.
7. Google API Services and Limited Use
Where you connect a device through Google (including Fitbit), our use and transfer of
information received from Google APIs will adhere to the Google API Services User Data
Policy, including the Limited Use requirements, and to the Google Health API User Data
Policies.
In particular:
• We only request read access to the data types needed to provide the features
described in this Policy
• We use Google user data only to provide and improve user facing features of the
Service
• We do not use Google user data for advertising, and we do not sell it
• We do not allow humans to read this data except with your explicit consent, where
necessary for security or to comply with law, or where the data has been aggregated
and anonymised
You can review and revoke the Service’s access to your Google data at any time at
myaccount.google.com/permissions, or by disconnecting your device within the app.
8. Sharing your information
We only share personal data where necessary to operate the Service or comply with legal
obligations.
We may share data with:
• Payment processors (Stripe)
• Hosting and infrastructure providers (Supabase, which hosts our database and
backend, and Netlify, which hosts the app)
• Artificial intelligence providers (Anthropic) that process the information needed to
generate your personalised plans; our AI providers are contractually restricted from
using your data for their own purposes, including training their models

• Device and health platforms you choose to connect (such as Google), solely to operate
the connection you have authorised
• Delivery partners (e.g. Royal Mail, Evri)
• Analytics providers
• Advertising and marketing platforms (such as Meta, Google, TikTok, YouTube), where
permitted and subject to consent where required; this never includes your health,
wellbeing or connected device data
• Professional advisers
• Regulators and authorities where required by law
We ensure that third party service providers process personal data in accordance with
appropriate contractual and data protection obligations.
We do not sell your personal data.
9. Cookies and similar technologies
We use cookies and similar technologies to:
• Operate the Service
• Maintain sessions and preferences
• Analyse usage
• Support marketing and advertising (where applicable)
Where required, we obtain your consent for non essential cookies. You can manage cookie
preferences through your browser or our cookie settings.
10. Marketing communications
You can opt out of marketing communications at any time using the unsubscribe link or by
contacting us.
11. International transfers
Some service providers may process data outside the UK.
Where this occurs, we ensure appropriate safeguards are in place, such as UK adequacy
regulations or approved contractual safeguards (including the UK International Data Transfer
Agreement or equivalent measures).
12. Data retention
We retain personal data only for as long as necessary for the purposes described in this
Policy.
Typical retention periods include:
• Deleted accounts: retained until the end of the next calendar month, then deleted or
anonymised (unless legally required otherwise)
• Support communications: retained until the end of the next calendar month
• Analytics data: retained for up to 3 months
• Health and lifestyle data: retained only as long as necessary to provide the Service and
typically no longer than 3 months after inactivity
• Connected device data: collection stops immediately when you disconnect your device;
stored device data is deleted on the same schedule as deleted accounts, and earlier
on request
• Purchase and invoice data: retained for 6 years

Where data cannot be immediately deleted (e.g. backups), it will be securely isolated and
deleted as soon as practicable.
13. Security
We implement appropriate technical and organisational measures to protect personal data,
including access controls, encryption where appropriate, and monitoring systems designed
to prevent unauthorised access, loss, or misuse. Credentials for connected devices are
stored server side and are never exposed to your browser or to other users.
However, no system is completely secure and we cannot guarantee absolute security.
14. Your rights
You may have rights under UK data protection law to:
• Access your personal data
• Correct inaccurate data
• Request deletion
• Restrict processing
• Object to processing
• Request data portability
• Withdraw consent (including by disconnecting a connected device, or via
myaccount.google.com/permissions for Google connections)
You may also lodge a complaint with the UK Information Commissioner’s Office (ICO).
To exercise your rights, contact: support@vitaos.com
15. Under 18s
The Service is not intended for individuals under 18. We do not knowingly collect personal
data from children. If this occurs, we will take steps to delete it.
16. Third party services
Our Service may link to third party services. We are not responsible for their privacy
practices.
17. Changes to this policy
We may update this Privacy Policy from time to time. The latest version will always be
available on the Service. Where changes are material, we will take reasonable steps to
notify you.
18. Contact us
Email: support@vitaos.com
Post: Vita OS Ltd, 20 Wenlock Road, London, England, N1 7GU


PRIVACY POLICY
Updated: July 2026
Vita OS Ltd ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy
explains how we collect, use, and protect your personal information when you use our
website and app (together, the "Service").
By using the Service, you confirm that you have read and understood this Privacy Policy.

  1. Who we are
    Company name: Vita OS Ltd
    Company number: 16629540
    Registered office: 20 Wenlock Road, London, England, N1 7GU
    ICO registration number: ZC106524
    Vita OS Ltd is the data controller responsible for your personal information.

  2. Key definitions
    Personal Data: information that relates to an identified or identifiable individual
    Special Category Data: sensitive personal data (including health related data) requiring
    additional protection under UK GDPR
    Service: our website, app, and related services
    You/User: any individual who accesses or uses the Service

  3. Information we collect
    3.1 Information you provide
    We may collect:
    • Name or username
    • Email address
    • Phone number
    • Delivery and billing address
    • Account credentials
    • Customer support communications
    • Health and lifestyle information you choose to provide (such as goals, preferences,
    nutrition, training, sleep, recovery, stress and wellbeing inputs)
    3.2 Information we collect automatically
    We collect limited data automatically, including:
    • Usage data (pages/screens viewed, feature usage, session activity)
    • IP address and device information
    • Approximate location inferred from IP address
    • Cookie and similar technology data (where applicable)
    We do not collect precise GPS location unless we clearly ask for it.

3.3 Payments
Payments are processed by Stripe. We do not store full payment card details. Stripe
processes payment data in accordance with its own privacy policy.
3.4 Connected devices and wearables
You can choose to connect a wearable device or health platform to the Service (for example
a Fitbit connected through the Google Health API, and in future Apple Health or Garmin).
This is entirely optional.
If you connect a device, we receive health and fitness data from the relevant platform with
your permission. Depending on your device, this may include:
• Steps, distance and floors climbed
• Calories burned and active minutes
• Heart rate data, including resting heart rate
• Sleep duration and sleep patterns
• Recorded exercise sessions (such as runs)
Our access is read only. We can never change, add to, or delete anything on your device or
in your device account.
We use this data solely to display your metrics within the Service and to personalise your
plans, targets and recovery guidance. We do not use it for advertising, we do not sell it, and
we do not share it with third parties except with the service providers who host and operate
the Service as described in this Policy.
You can disconnect a device at any time in the app (Settings, then Devices). Disconnecting
stops all further collection immediately.
4. How we use your information
We use your personal data to:
• Create and manage your account
• Provide the Service and generate personalised outputs (such as meal plans, workouts,
and tracking insights)
• Display and analyse data from wearables you choose to connect, and use it to
personalise your plans
• Process purchases and deliver care packages
• Provide customer support
• Improve and maintain the Service (including analytics and troubleshooting)
• Protect the Service from fraud, misuse, and security risks
• Send service related communications
• Send marketing communications where permitted
• Comply with legal obligations
Some features of the Service involve automated processing, including artificial intelligence
systems, to generate personalised recommendations and insights based on the information
you provide and the data from any device you connect. This does not involve solely
automated decision making that produces legal or similarly significant effects.
5. Legal bases for processing
We rely on the following legal bases under UK GDPR:

• Contract: where processing is necessary to provide the Service
• Legitimate interests: for improving the Service, analytics, and security, where your
rights do not override those interests
• Consent: where required (for example, marketing, non essential cookies, and
connecting a wearable device)
• Legal obligation: where required by law
• Vital interests: in rare circumstances to protect life
6. Health and lifestyle data (special category data)
Some information you provide, and data received from connected devices (such as health,
wellbeing, or lifestyle data), may constitute special category data.
We process this data solely to provide personalised features within the Service.
Where required, we rely on your explicit consent to process this data. For connected
devices, you give this consent through the device platform's permission screen when you
connect. You may withdraw your consent at any time, including by disconnecting your
device, although this may limit your ability to use certain features.
We do not use special category data for advertising or marketing purposes.
7. Google API Services and Limited Use
Where you connect a device through Google (including Fitbit), our use and transfer of
information received from Google APIs will adhere to the Google API Services User Data
Policy, including the Limited Use requirements, and to the Google Health API User Data
Policies.
In particular:
• We only request read access to the data types needed to provide the features
described in this Policy
• We use Google user data only to provide and improve user facing features of the
Service
• We do not use Google user data for advertising, and we do not sell it
• We do not allow humans to read this data except with your explicit consent, where
necessary for security or to comply with law, or where the data has been aggregated
and anonymised
You can review and revoke the Service's access to your Google data at any time at
myaccount.google.com/permissions, or by disconnecting your device within the app.
8. Sharing your information
We only share personal data where necessary to operate the Service or comply with legal
obligations.
We may share data with:
• Payment processors (Stripe)
• Hosting and infrastructure providers (Supabase, which hosts our database and
backend, and Netlify, which hosts the app)
• Artificial intelligence providers (Anthropic) that process the information needed to
generate your personalised plans; our AI providers are contractually restricted from
using your data for their own purposes, including training their models

• Device and health platforms you choose to connect (such as Google), solely to operate
the connection you have authorised
• Delivery partners (e.g. Royal Mail, Evri)
• Analytics providers
• Advertising and marketing platforms (such as Meta, Google, TikTok, YouTube), where
permitted and subject to consent where required; this never includes your health,
wellbeing or connected device data
• Professional advisers
• Regulators and authorities where required by law
We ensure that third party service providers process personal data in accordance with
appropriate contractual and data protection obligations.
We do not sell your personal data.
9. Cookies and similar technologies
We use cookies and similar technologies to:
• Operate the Service
• Maintain sessions and preferences
• Analyse usage
• Support marketing and advertising (where applicable)
Where required, we obtain your consent for non essential cookies. You can manage cookie
preferences through your browser or our cookie settings.
10. Marketing communications
You can opt out of marketing communications at any time using the unsubscribe link or by
contacting us.
11. International transfers
Some service providers may process data outside the UK.
Where this occurs, we ensure appropriate safeguards are in place, such as UK adequacy
regulations or approved contractual safeguards (including the UK International Data Transfer
Agreement or equivalent measures).
12. Data retention
We retain personal data only for as long as necessary for the purposes described in this
Policy.
Typical retention periods include:
• Deleted accounts: retained until the end of the next calendar month, then deleted or
anonymised (unless legally required otherwise)
• Support communications: retained until the end of the next calendar month
• Analytics data: retained for up to 3 months
• Health and lifestyle data: retained only as long as necessary to provide the Service and
typically no longer than 3 months after inactivity
• Connected device data: collection stops immediately when you disconnect your device;
stored device data is deleted on the same schedule as deleted accounts, and earlier
on request
• Purchase and invoice data: retained for 6 years

Where data cannot be immediately deleted (e.g. backups), it will be securely isolated and
deleted as soon as practicable.
13. Security
We implement appropriate technical and organisational measures to protect personal data,
including access controls, encryption where appropriate, and monitoring systems designed
to prevent unauthorised access, loss, or misuse. Credentials for connected devices are
stored server side and are never exposed to your browser or to other users.
However, no system is completely secure and we cannot guarantee absolute security.
14. Your rights
You may have rights under UK data protection law to:
• Access your personal data
• Correct inaccurate data
• Request deletion
• Restrict processing
• Object to processing
• Request data portability
• Withdraw consent (including by disconnecting a connected device, or via
myaccount.google.com/permissions for Google connections)
You may also lodge a complaint with the UK Information Commissioner's Office (ICO).
To exercise your rights, contact: support@vitaos.com
15. Under 18s
The Service is not intended for individuals under 18. We do not knowingly collect personal
data from children. If this occurs, we will take steps to delete it.
16. Third party services
Our Service may link to third party services. We are not responsible for their privacy
practices.
17. Changes to this policy
We may update this Privacy Policy from time to time. The latest version will always be
available on the Service. Where changes are material, we will take reasonable steps to
notify you.
18. Contact us
Email: support@vitaos.com
Post: Vita OS Ltd, 20 Wenlock Road, London, England, N1 7GU

PRIVACY POLICY
Updated: July 2026
Vita OS Ltd (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy
explains how we collect, use, and protect your personal information when you use our
website and app (together, the “Service”).
By using the Service, you confirm that you have read and understood this Privacy Policy.

  1. Who we are
    Company name: Vita OS Ltd
    Company number: 16629540
    Registered office: 20 Wenlock Road, London, England, N1 7GU
    ICO registration number: ZC106524
    Vita OS Ltd is the data controller responsible for your personal information.

  2. Key definitions
    Personal Data: information that relates to an identified or identifiable individual
    Special Category Data: sensitive personal data (including health related data) requiring
    additional protection under UK GDPR
    Service: our website, app, and related services
    You/User: any individual who accesses or uses the Service

  3. Information we collect
    3.1 Information you provide
    We may collect:
    • Name or username
    • Email address
    • Phone number
    • Delivery and billing address
    • Account credentials
    • Customer support communications
    • Health and lifestyle information you choose to provide (such as goals, preferences,
    nutrition, training, sleep, recovery, stress and wellbeing inputs)
    3.2 Information we collect automatically
    We collect limited data automatically, including:
    • Usage data (pages/screens viewed, feature usage, session activity)
    • IP address and device information
    • Approximate location inferred from IP address
    • Cookie and similar technology data (where applicable)
    We do not collect precise GPS location unless we clearly ask for it.

3.3 Payments
Payments are processed by Stripe. We do not store full payment card details. Stripe
processes payment data in accordance with its own privacy policy.
3.4 Connected devices and wearables
You can choose to connect a wearable device or health platform to the Service (for example
a Fitbit connected through the Google Health API, and in future Apple Health or Garmin).
This is entirely optional.
If you connect a device, we receive health and fitness data from the relevant platform with
your permission. Depending on your device, this may include:
• Steps, distance and floors climbed
• Calories burned and active minutes
• Heart rate data, including resting heart rate
• Sleep duration and sleep patterns
• Recorded exercise sessions (such as runs)
Our access is read only. We can never change, add to, or delete anything on your device or
in your device account.
We use this data solely to display your metrics within the Service and to personalise your
plans, targets and recovery guidance. We do not use it for advertising, we do not sell it, and
we do not share it with third parties except with the service providers who host and operate
the Service as described in this Policy.
You can disconnect a device at any time in the app (Settings, then Devices). Disconnecting
stops all further collection immediately.
4. How we use your information
We use your personal data to:
• Create and manage your account
• Provide the Service and generate personalised outputs (such as meal plans, workouts,
and tracking insights)
• Display and analyse data from wearables you choose to connect, and use it to
personalise your plans
• Process purchases and deliver care packages
• Provide customer support
• Improve and maintain the Service (including analytics and troubleshooting)
• Protect the Service from fraud, misuse, and security risks
• Send service related communications
• Send marketing communications where permitted
• Comply with legal obligations
Some features of the Service involve automated processing, including artificial intelligence
systems, to generate personalised recommendations and insights based on the information
you provide and the data from any device you connect. This does not involve solely
automated decision making that produces legal or similarly significant effects.
5. Legal bases for processing
We rely on the following legal bases under UK GDPR:

• Contract: where processing is necessary to provide the Service
• Legitimate interests: for improving the Service, analytics, and security, where your
rights do not override those interests
• Consent: where required (for example, marketing, non essential cookies, and
connecting a wearable device)
• Legal obligation: where required by law
• Vital interests: in rare circumstances to protect life
6. Health and lifestyle data (special category data)
Some information you provide, and data received from connected devices (such as health,
wellbeing, or lifestyle data), may constitute special category data.
We process this data solely to provide personalised features within the Service.
Where required, we rely on your explicit consent to process this data. For connected
devices, you give this consent through the device platform’s permission screen when you
connect. You may withdraw your consent at any time, including by disconnecting your
device, although this may limit your ability to use certain features.
We do not use special category data for advertising or marketing purposes.
7. Google API Services and Limited Use
Where you connect a device through Google (including Fitbit), our use and transfer of
information received from Google APIs will adhere to the Google API Services User Data
Policy, including the Limited Use requirements, and to the Google Health API User Data
Policies.
In particular:
• We only request read access to the data types needed to provide the features
described in this Policy
• We use Google user data only to provide and improve user facing features of the
Service
• We do not use Google user data for advertising, and we do not sell it
• We do not allow humans to read this data except with your explicit consent, where
necessary for security or to comply with law, or where the data has been aggregated
and anonymised
You can review and revoke the Service’s access to your Google data at any time at
myaccount.google.com/permissions, or by disconnecting your device within the app.
8. Sharing your information
We only share personal data where necessary to operate the Service or comply with legal
obligations.
We may share data with:
• Payment processors (Stripe)
• Hosting and infrastructure providers (Supabase, which hosts our database and
backend, and Netlify, which hosts the app)
• Artificial intelligence providers (Anthropic) that process the information needed to
generate your personalised plans; our AI providers are contractually restricted from
using your data for their own purposes, including training their models

• Device and health platforms you choose to connect (such as Google), solely to operate
the connection you have authorised
• Delivery partners (e.g. Royal Mail, Evri)
• Analytics providers
• Advertising and marketing platforms (such as Meta, Google, TikTok, YouTube), where
permitted and subject to consent where required; this never includes your health,
wellbeing or connected device data
• Professional advisers
• Regulators and authorities where required by law
We ensure that third party service providers process personal data in accordance with
appropriate contractual and data protection obligations.
We do not sell your personal data.
9. Cookies and similar technologies
We use cookies and similar technologies to:
• Operate the Service
• Maintain sessions and preferences
• Analyse usage
• Support marketing and advertising (where applicable)
Where required, we obtain your consent for non essential cookies. You can manage cookie
preferences through your browser or our cookie settings.
10. Marketing communications
You can opt out of marketing communications at any time using the unsubscribe link or by
contacting us.
11. International transfers
Some service providers may process data outside the UK.
Where this occurs, we ensure appropriate safeguards are in place, such as UK adequacy
regulations or approved contractual safeguards (including the UK International Data Transfer
Agreement or equivalent measures).
12. Data retention
We retain personal data only for as long as necessary for the purposes described in this
Policy.
Typical retention periods include:
• Deleted accounts: retained until the end of the next calendar month, then deleted or
anonymised (unless legally required otherwise)
• Support communications: retained until the end of the next calendar month
• Analytics data: retained for up to 3 months
• Health and lifestyle data: retained only as long as necessary to provide the Service and
typically no longer than 3 months after inactivity
• Connected device data: collection stops immediately when you disconnect your device;
stored device data is deleted on the same schedule as deleted accounts, and earlier
on request
• Purchase and invoice data: retained for 6 years

Where data cannot be immediately deleted (e.g. backups), it will be securely isolated and
deleted as soon as practicable.
13. Security
We implement appropriate technical and organisational measures to protect personal data,
including access controls, encryption where appropriate, and monitoring systems designed
to prevent unauthorised access, loss, or misuse. Credentials for connected devices are
stored server side and are never exposed to your browser or to other users.
However, no system is completely secure and we cannot guarantee absolute security.
14. Your rights
You may have rights under UK data protection law to:
• Access your personal data
• Correct inaccurate data
• Request deletion
• Restrict processing
• Object to processing
• Request data portability
• Withdraw consent (including by disconnecting a connected device, or via
myaccount.google.com/permissions for Google connections)
You may also lodge a complaint with the UK Information Commissioner’s Office (ICO).
To exercise your rights, contact: support@vitaos.com
15. Under 18s
The Service is not intended for individuals under 18. We do not knowingly collect personal
data from children. If this occurs, we will take steps to delete it.
16. Third party services
Our Service may link to third party services. We are not responsible for their privacy
practices.
17. Changes to this policy
We may update this Privacy Policy from time to time. The latest version will always be
available on the Service. Where changes are material, we will take reasonable steps to
notify you.
18. Contact us
Email: support@vitaos.com
Post: Vita OS Ltd, 20 Wenlock Road, London, England, N1 7GU

PRIVACY POLICY
Updated: July 2026
Vita OS Ltd ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy
explains how we collect, use, and protect your personal information when you use our
website and app (together, the "Service").
By using the Service, you confirm that you have read and understood this Privacy Policy.

  1. Who we are
    Company name: Vita OS Ltd
    Company number: 16629540
    Registered office: 20 Wenlock Road, London, England, N1 7GU
    ICO registration number: ZC106524
    Vita OS Ltd is the data controller responsible for your personal information.

  2. Key definitions
    Personal Data: information that relates to an identified or identifiable individual
    Special Category Data: sensitive personal data (including health related data) requiring
    additional protection under UK GDPR
    Service: our website, app, and related services
    You/User: any individual who accesses or uses the Service

  3. Information we collect
    3.1 Information you provide
    We may collect:
    • Name or username
    • Email address
    • Phone number
    • Delivery and billing address
    • Account credentials
    • Customer support communications
    • Health and lifestyle information you choose to provide (such as goals, preferences,
    nutrition, training, sleep, recovery, stress and wellbeing inputs)
    3.2 Information we collect automatically
    We collect limited data automatically, including:
    • Usage data (pages/screens viewed, feature usage, session activity)
    • IP address and device information
    • Approximate location inferred from IP address
    • Cookie and similar technology data (where applicable)
    We do not collect precise GPS location unless we clearly ask for it.

3.3 Payments
Payments are processed by Stripe. We do not store full payment card details. Stripe
processes payment data in accordance with its own privacy policy.
3.4 Connected devices and wearables
You can choose to connect a wearable device or health platform to the Service (for example
a Fitbit connected through the Google Health API, and in future Apple Health or Garmin).
This is entirely optional.
If you connect a device, we receive health and fitness data from the relevant platform with
your permission. Depending on your device, this may include:
• Steps, distance and floors climbed
• Calories burned and active minutes
• Heart rate data, including resting heart rate
• Sleep duration and sleep patterns
• Recorded exercise sessions (such as runs)
Our access is read only. We can never change, add to, or delete anything on your device or
in your device account.
We use this data solely to display your metrics within the Service and to personalise your
plans, targets and recovery guidance. We do not use it for advertising, we do not sell it, and
we do not share it with third parties except with the service providers who host and operate
the Service as described in this Policy.
You can disconnect a device at any time in the app (Settings, then Devices). Disconnecting
stops all further collection immediately.
4. How we use your information
We use your personal data to:
• Create and manage your account
• Provide the Service and generate personalised outputs (such as meal plans, workouts,
and tracking insights)
• Display and analyse data from wearables you choose to connect, and use it to
personalise your plans
• Process purchases and deliver care packages
• Provide customer support
• Improve and maintain the Service (including analytics and troubleshooting)
• Protect the Service from fraud, misuse, and security risks
• Send service related communications
• Send marketing communications where permitted
• Comply with legal obligations
Some features of the Service involve automated processing, including artificial intelligence
systems, to generate personalised recommendations and insights based on the information
you provide and the data from any device you connect. This does not involve solely
automated decision making that produces legal or similarly significant effects.
5. Legal bases for processing
We rely on the following legal bases under UK GDPR:

• Contract: where processing is necessary to provide the Service
• Legitimate interests: for improving the Service, analytics, and security, where your
rights do not override those interests
• Consent: where required (for example, marketing, non essential cookies, and
connecting a wearable device)
• Legal obligation: where required by law
• Vital interests: in rare circumstances to protect life
6. Health and lifestyle data (special category data)
Some information you provide, and data received from connected devices (such as health,
wellbeing, or lifestyle data), may constitute special category data.
We process this data solely to provide personalised features within the Service.
Where required, we rely on your explicit consent to process this data. For connected
devices, you give this consent through the device platform's permission screen when you
connect. You may withdraw your consent at any time, including by disconnecting your
device, although this may limit your ability to use certain features.
We do not use special category data for advertising or marketing purposes.
7. Google API Services and Limited Use
Where you connect a device through Google (including Fitbit), our use and transfer of
information received from Google APIs will adhere to the Google API Services User Data
Policy, including the Limited Use requirements, and to the Google Health API User Data
Policies.
In particular:
• We only request read access to the data types needed to provide the features
described in this Policy
• We use Google user data only to provide and improve user facing features of the
Service
• We do not use Google user data for advertising, and we do not sell it
• We do not allow humans to read this data except with your explicit consent, where
necessary for security or to comply with law, or where the data has been aggregated
and anonymised
You can review and revoke the Service's access to your Google data at any time at
myaccount.google.com/permissions, or by disconnecting your device within the app.
8. Sharing your information
We only share personal data where necessary to operate the Service or comply with legal
obligations.
We may share data with:
• Payment processors (Stripe)
• Hosting and infrastructure providers (Supabase, which hosts our database and
backend, and Netlify, which hosts the app)
• Artificial intelligence providers (Anthropic) that process the information needed to
generate your personalised plans; our AI providers are contractually restricted from
using your data for their own purposes, including training their models

• Device and health platforms you choose to connect (such as Google), solely to operate
the connection you have authorised
• Delivery partners (e.g. Royal Mail, Evri)
• Analytics providers
• Advertising and marketing platforms (such as Meta, Google, TikTok, YouTube), where
permitted and subject to consent where required; this never includes your health,
wellbeing or connected device data
• Professional advisers
• Regulators and authorities where required by law
We ensure that third party service providers process personal data in accordance with
appropriate contractual and data protection obligations.
We do not sell your personal data.
9. Cookies and similar technologies
We use cookies and similar technologies to:
• Operate the Service
• Maintain sessions and preferences
• Analyse usage
• Support marketing and advertising (where applicable)
Where required, we obtain your consent for non essential cookies. You can manage cookie
preferences through your browser or our cookie settings.
10. Marketing communications
You can opt out of marketing communications at any time using the unsubscribe link or by
contacting us.
11. International transfers
Some service providers may process data outside the UK.
Where this occurs, we ensure appropriate safeguards are in place, such as UK adequacy
regulations or approved contractual safeguards (including the UK International Data Transfer
Agreement or equivalent measures).
12. Data retention
We retain personal data only for as long as necessary for the purposes described in this
Policy.
Typical retention periods include:
• Deleted accounts: retained until the end of the next calendar month, then deleted or
anonymised (unless legally required otherwise)
• Support communications: retained until the end of the next calendar month
• Analytics data: retained for up to 3 months
• Health and lifestyle data: retained only as long as necessary to provide the Service and
typically no longer than 3 months after inactivity
• Connected device data: collection stops immediately when you disconnect your device;
stored device data is deleted on the same schedule as deleted accounts, and earlier
on request
• Purchase and invoice data: retained for 6 years

Where data cannot be immediately deleted (e.g. backups), it will be securely isolated and
deleted as soon as practicable.
13. Security
We implement appropriate technical and organisational measures to protect personal data,
including access controls, encryption where appropriate, and monitoring systems designed
to prevent unauthorised access, loss, or misuse. Credentials for connected devices are
stored server side and are never exposed to your browser or to other users.
However, no system is completely secure and we cannot guarantee absolute security.
14. Your rights
You may have rights under UK data protection law to:
• Access your personal data
• Correct inaccurate data
• Request deletion
• Restrict processing
• Object to processing
• Request data portability
• Withdraw consent (including by disconnecting a connected device, or via
myaccount.google.com/permissions for Google connections)
You may also lodge a complaint with the UK Information Commissioner's Office (ICO).
To exercise your rights, contact: support@vitaos.com
15. Under 18s
The Service is not intended for individuals under 18. We do not knowingly collect personal
data from children. If this occurs, we will take steps to delete it.
16. Third party services
Our Service may link to third party services. We are not responsible for their privacy
practices.
17. Changes to this policy
We may update this Privacy Policy from time to time. The latest version will always be
available on the Service. Where changes are material, we will take reasonable steps to
notify you.
18. Contact us
Email: support@vitaos.com
Post: Vita OS Ltd, 20 Wenlock Road, London, England, N1 7GU

PRIVACY POLICY
Updated: July 2026
Vita OS Ltd (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy
explains how we collect, use, and protect your personal information when you use our
website and app (together, the “Service”).
By using the Service, you confirm that you have read and understood this Privacy Policy.

  1. Who we are
    Company name: Vita OS Ltd
    Company number: 16629540
    Registered office: 20 Wenlock Road, London, England, N1 7GU
    ICO registration number: ZC106524
    Vita OS Ltd is the data controller responsible for your personal information.

  2. Key definitions
    Personal Data: information that relates to an identified or identifiable individual
    Special Category Data: sensitive personal data (including health related data) requiring
    additional protection under UK GDPR
    Service: our website, app, and related services
    You/User: any individual who accesses or uses the Service

  3. Information we collect
    3.1 Information you provide
    We may collect:
    • Name or username
    • Email address
    • Phone number
    • Delivery and billing address
    • Account credentials
    • Customer support communications
    • Health and lifestyle information you choose to provide (such as goals, preferences,
    nutrition, training, sleep, recovery, stress and wellbeing inputs)
    3.2 Information we collect automatically
    We collect limited data automatically, including:
    • Usage data (pages/screens viewed, feature usage, session activity)
    • IP address and device information
    • Approximate location inferred from IP address
    • Cookie and similar technology data (where applicable)
    We do not collect precise GPS location unless we clearly ask for it.

3.3 Payments
Payments are processed by Stripe. We do not store full payment card details. Stripe
processes payment data in accordance with its own privacy policy.
3.4 Connected devices and wearables
You can choose to connect a wearable device or health platform to the Service (for example
a Fitbit connected through the Google Health API, and in future Apple Health or Garmin).
This is entirely optional.
If you connect a device, we receive health and fitness data from the relevant platform with
your permission. Depending on your device, this may include:
• Steps, distance and floors climbed
• Calories burned and active minutes
• Heart rate data, including resting heart rate
• Sleep duration and sleep patterns
• Recorded exercise sessions (such as runs)
Our access is read only. We can never change, add to, or delete anything on your device or
in your device account.
We use this data solely to display your metrics within the Service and to personalise your
plans, targets and recovery guidance. We do not use it for advertising, we do not sell it, and
we do not share it with third parties except with the service providers who host and operate
the Service as described in this Policy.
You can disconnect a device at any time in the app (Settings, then Devices). Disconnecting
stops all further collection immediately.
4. How we use your information
We use your personal data to:
• Create and manage your account
• Provide the Service and generate personalised outputs (such as meal plans, workouts,
and tracking insights)
• Display and analyse data from wearables you choose to connect, and use it to
personalise your plans
• Process purchases and deliver care packages
• Provide customer support
• Improve and maintain the Service (including analytics and troubleshooting)
• Protect the Service from fraud, misuse, and security risks
• Send service related communications
• Send marketing communications where permitted
• Comply with legal obligations
Some features of the Service involve automated processing, including artificial intelligence
systems, to generate personalised recommendations and insights based on the information
you provide and the data from any device you connect. This does not involve solely
automated decision making that produces legal or similarly significant effects.
5. Legal bases for processing
We rely on the following legal bases under UK GDPR:

• Contract: where processing is necessary to provide the Service
• Legitimate interests: for improving the Service, analytics, and security, where your
rights do not override those interests
• Consent: where required (for example, marketing, non essential cookies, and
connecting a wearable device)
• Legal obligation: where required by law
• Vital interests: in rare circumstances to protect life
6. Health and lifestyle data (special category data)
Some information you provide, and data received from connected devices (such as health,
wellbeing, or lifestyle data), may constitute special category data.
We process this data solely to provide personalised features within the Service.
Where required, we rely on your explicit consent to process this data. For connected
devices, you give this consent through the device platform’s permission screen when you
connect. You may withdraw your consent at any time, including by disconnecting your
device, although this may limit your ability to use certain features.
We do not use special category data for advertising or marketing purposes.
7. Google API Services and Limited Use
Where you connect a device through Google (including Fitbit), our use and transfer of
information received from Google APIs will adhere to the Google API Services User Data
Policy, including the Limited Use requirements, and to the Google Health API User Data
Policies.
In particular:
• We only request read access to the data types needed to provide the features
described in this Policy
• We use Google user data only to provide and improve user facing features of the
Service
• We do not use Google user data for advertising, and we do not sell it
• We do not allow humans to read this data except with your explicit consent, where
necessary for security or to comply with law, or where the data has been aggregated
and anonymised
You can review and revoke the Service’s access to your Google data at any time at
myaccount.google.com/permissions, or by disconnecting your device within the app.
8. Sharing your information
We only share personal data where necessary to operate the Service or comply with legal
obligations.
We may share data with:
• Payment processors (Stripe)
• Hosting and infrastructure providers (Supabase, which hosts our database and
backend, and Netlify, which hosts the app)
• Artificial intelligence providers (Anthropic) that process the information needed to
generate your personalised plans; our AI providers are contractually restricted from
using your data for their own purposes, including training their models

• Device and health platforms you choose to connect (such as Google), solely to operate
the connection you have authorised
• Delivery partners (e.g. Royal Mail, Evri)
• Analytics providers
• Advertising and marketing platforms (such as Meta, Google, TikTok, YouTube), where
permitted and subject to consent where required; this never includes your health,
wellbeing or connected device data
• Professional advisers
• Regulators and authorities where required by law
We ensure that third party service providers process personal data in accordance with
appropriate contractual and data protection obligations.
We do not sell your personal data.
9. Cookies and similar technologies
We use cookies and similar technologies to:
• Operate the Service
• Maintain sessions and preferences
• Analyse usage
• Support marketing and advertising (where applicable)
Where required, we obtain your consent for non essential cookies. You can manage cookie
preferences through your browser or our cookie settings.
10. Marketing communications
You can opt out of marketing communications at any time using the unsubscribe link or by
contacting us.
11. International transfers
Some service providers may process data outside the UK.
Where this occurs, we ensure appropriate safeguards are in place, such as UK adequacy
regulations or approved contractual safeguards (including the UK International Data Transfer
Agreement or equivalent measures).
12. Data retention
We retain personal data only for as long as necessary for the purposes described in this
Policy.
Typical retention periods include:
• Deleted accounts: retained until the end of the next calendar month, then deleted or
anonymised (unless legally required otherwise)
• Support communications: retained until the end of the next calendar month
• Analytics data: retained for up to 3 months
• Health and lifestyle data: retained only as long as necessary to provide the Service and
typically no longer than 3 months after inactivity
• Connected device data: collection stops immediately when you disconnect your device;
stored device data is deleted on the same schedule as deleted accounts, and earlier
on request
• Purchase and invoice data: retained for 6 years

Where data cannot be immediately deleted (e.g. backups), it will be securely isolated and
deleted as soon as practicable.
13. Security
We implement appropriate technical and organisational measures to protect personal data,
including access controls, encryption where appropriate, and monitoring systems designed
to prevent unauthorised access, loss, or misuse. Credentials for connected devices are
stored server side and are never exposed to your browser or to other users.
However, no system is completely secure and we cannot guarantee absolute security.
14. Your rights
You may have rights under UK data protection law to:
• Access your personal data
• Correct inaccurate data
• Request deletion
• Restrict processing
• Object to processing
• Request data portability
• Withdraw consent (including by disconnecting a connected device, or via
myaccount.google.com/permissions for Google connections)
You may also lodge a complaint with the UK Information Commissioner’s Office (ICO).
To exercise your rights, contact: support@vitaos.com
15. Under 18s
The Service is not intended for individuals under 18. We do not knowingly collect personal
data from children. If this occurs, we will take steps to delete it.
16. Third party services
Our Service may link to third party services. We are not responsible for their privacy
practices.
17. Changes to this policy
We may update this Privacy Policy from time to time. The latest version will always be
available on the Service. Where changes are material, we will take reasonable steps to
notify you.
18. Contact us
Email: support@vitaos.com
Post: Vita OS Ltd, 20 Wenlock Road, London, England, N1 7GU