Privacy Policy
Effective 2 June 2026
Vitamo (“Vitamo”, “we”, “us”) is an AI health companion you talk to over WhatsApp or through an AI assistant of your choice. You connect your wearables once, and Vitamo answers questions and surfaces trends about your sleep, recovery, heart rate and activity. Because that means handling some of your most personal information, this policy explains exactly what we collect, why, who it’s shared with, and the control you have over it. Plain-English summaries sit alongside the detail.
The short version: we only use your data to provide the service you asked for. We never sell it, never use it for advertising, and never use your personal health data to train public AI models. You can disconnect any provider, export your data, or delete everything at any time.
1. Who we are & how to reach us
Vitamo is the data controller for the personal data described here. For any privacy question or to exercise your rights, email hello@vitamo.health. We aim to respond within 30 days.
2. Information we collect
We collect only what we need to run the service:
- Identity & account. Your mobile number (used as your WhatsApp identity and login), the name you tell us to call you, and — if you subscribe — your email address (collected at checkout for receipts and trial reminders).
- Wearable & health data. When you connect a provider (e.g. Oura, Strava, Whoop, Garmin, Fitbit, Polar, Suunto, Ultrahuman, or Apple Health via our companion app), we receive the data you authorize — which may include sleep, readiness and recovery scores, heart rate and heart-rate variability, workouts and activities, steps, and related metrics. We only ever request read-only access, and only to the scopes needed to answer your questions.
- Your messages. The questions you send Vitamo over WhatsApp or MCP, and our replies, so we can maintain conversation context and improve reliability.
- Payment information. Subscriptions are processed by Stripe. We do not see or store your full card number — Stripe handles it and shares only limited details (e.g. card brand, last four digits, billing status) with us.
- Technical data. Basic logs (timestamps, error traces, coarse request metadata) needed to operate and secure the service. We do not use advertising or cross-site tracking cookies.
3. How we use your information
- To answer your questions and generate the insights you request.
- To connect and sync your chosen wearable accounts and keep your data current.
- To operate your account, process your subscription, and send service messages (e.g. trial reminders).
- To secure the service, prevent abuse, and debug problems.
- To comply with our legal obligations.
What we never do: we never sell or rent your personal data; we never use your health data for advertising, marketing profiling, or data mining; and we never use your personal data to train publicly available or third-party AI models.
4. Legal bases (GDPR/UK GDPR)
Where the GDPR or UK GDPR applies, we rely on: your explicit consent to process health data (a special category of personal data), which you give when you connect a provider and may withdraw at any time; performance of a contract to provide the service you signed up for; and our legitimate interests in securing and improving the service, balanced against your rights.
5. How your data is shared
We do not sell your data. We share it only with the service providers (sub-processors) that make Vitamo work, each bound to use it solely on our instructions:
- Anthropic — runs the AI model that answers your questions (see §6).
- Twilio — delivers and receives your WhatsApp messages.
- Stripe — processes subscription payments.
- Resend — sends transactional email (e.g. trial reminders).
- Cloud hosting (Amazon Web Services) — where the Vitamo application and your data are stored. Your wearable data is unified by the open-source Open Wearables engine running on our own infrastructure — not a third-party black box.
We may also disclose data if required by law, to protect our rights or users’ safety, or in connection with a corporate transaction (in which case this policy will continue to govern your data, or you will be notified of any change).
6. How your data is used with AI
To answer a question, Vitamo sends the relevant portion of your health data and your message to Anthropic’s API to generate a response. Anthropic processes this data as our service provider and, under its commercial API terms, does not use it to train its models and retains it only briefly for abuse-monitoring before deletion. We send only what is needed to answer you, and we do not use your data to train any model of our own that is exposed to other users.
7. Connected services & provider terms
Connecting a wearable is optional and entirely your choice; you can disconnect any provider at any time from your account or by asking Vitamo. When you disconnect, we stop syncing and delete the data we hold from that provider (subject to short backup-retention windows). The following provider-specific commitments apply:
- Apple Health (HealthKit). Data obtained through the Vitamo iOS companion app via Apple HealthKit is used solely to provide the health insights you request. We do not use Apple Health data for advertising, marketing, or data mining, and we do not share it with third parties for those purposes. It is stored only with your consent and removed when you disconnect or delete your account.
- Strava. Our use of Strava data complies with the Strava API Agreement. We access it only to provide your insights, never redistribute or sell it, and delete it when you disconnect Strava or delete your account.
- Google & Fitbit (Google API Services / Health Connect). Vitamo’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use this data only to provide user-facing features and never for advertising.
- Oura, Whoop, Garmin, Polar, Suunto, Ultrahuman. Data from these providers is used solely to deliver the insights you request, in line with each provider’s developer terms, and is deleted when you disconnect or close your account.
Each provider also processes your data under its own privacy policy; we encourage you to review the policy of any service you connect.
8. Data retention
We keep your data only as long as your account is active or as needed to provide the service. When you disconnect a provider we delete the data synced from it; when you delete your account we delete your personal data, including health data and message history, typically within 30 days, except where we must retain limited records to meet legal obligations (e.g. billing records). Routine encrypted backups are purged on a rolling schedule.
9. Your rights & choices
Wherever you live, you can ask us to access, correct, export, or delete your data, and you can disconnect any provider or withdraw consent at any time. Depending on your location (e.g. the EU/UK under GDPR, or California under the CCPA/CPRA) you may also have rights to data portability, to object to or restrict processing, to non-discrimination for exercising your rights, and to lodge a complaint with your data protection authority. We do not sell or “share” personal information as those terms are defined under California law.
- Disconnect a provider: from your account dashboard, or just ask Vitamo to disconnect it.
- Export or delete: email hello@vitamo.health and we’ll action your request and verify it’s really you.
10. Security
Your data is encrypted in transit (TLS) and at rest. Access is restricted to the systems and personnel that need it, secrets are held in protected stores, and services are isolated and bound to private networks. No system is perfectly secure, but we work to protect your data using industry-standard safeguards and will notify you and the relevant authorities of a breach where the law requires.
11. International transfers
We and our service providers may process your data in countries other than your own. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (or equivalent mechanisms) to protect it.
12. Children
Vitamo is not intended for anyone under 16, and we do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
13. Changes to this policy
We may update this policy as the service evolves. We’ll change the effective date above and, for material changes, give you reasonable notice (for example, in-app or by message) before they take effect.
14. Contact
Questions, requests, or concerns? Email hello@vitamo.health.
Vitamo provides wellness insights, not medical advice or diagnosis. Always talk to a qualified clinician about health decisions.