Privacy Policy
1. Who we are
Salude Vitale is a personal wellness journaling application developed and operated by Salude Vitale Inc. ("Vitale", "we", "us", or "our"). Our app helps you log your symptoms, mood, sleep, and food, and organize that information into summaries you can share with your healthcare team.
Registered address: To be added upon entity formation
Privacy contact: privacy@saludevitale.com
Website: saludevitale.com
2. What we collect and why
We only collect information that is necessary to provide the Vitale service. We do not collect information we do not need. Here is everything we collect, why we collect it, and how long we keep it.
2.1 Health and wellness data
This is the core data you log in the app. It includes:
- Symptoms you log — name, severity, date, and any notes you add
- Mood ratings — numeric scale you select each day
- Sleep duration — the range you select each day
- Food and drink categories — the chips you select each day
- Condition names — the health concerns you create to organize your tracking
- Daily journal notes — free text you type or speak
- Voice recordings — audio you record for logging (transcribed and then deleted within 24 hours)
2.2 Account information
We collect the minimum information needed to create and manage your account.
2.3 Usage and analytics data
We collect anonymized data about how the app is used so we can fix problems and improve the experience. This data is never linked to your identity or your health data.
2.4 Consent records
We record when you accepted this privacy policy and our terms of service, including the date, time, and version you accepted. This is a legal requirement under HIPAA and GDPR and protects both you and us.
2.5 What we do NOT collect
We want to be explicit about what we never collect:
- We do not collect your location
- We do not collect your contacts
- We do not access your camera
- We do not collect your browsing history
- We do not collect payment card information (processed entirely by RevenueCat and Stripe — we never see your card details)
- We do not collect race or ethnicity
- We do not collect political or religious beliefs
- We do not track you across other apps or websites
- We do not sell your data — ever
3. How we protect your data
Your health data deserves the strongest protection available. Here is what we do:
3.1 Encryption
- All data is encrypted in transit using TLS 1.3 — the current industry standard for secure data transmission
- All data is encrypted at rest using AES-256 — the same standard used by banks and governments
- Medical summaries are additionally encrypted end-to-end using AES-256-GCM before storage — this means even our own team cannot read the contents of your medical summaries
- Voice recordings are encrypted during transcription and deleted within 24 hours
3.2 Infrastructure
- We use Supabase as our database provider — a HIPAA-eligible infrastructure platform
- We have signed a Business Associate Agreement (BAA) with Supabase as required by HIPAA
- Row-level security is enabled on every database table — your data is technically isolated from every other user's data at the database level
- No direct database access is ever exposed to the internet
3.3 Access controls
- Only you can access your health data
- Our team can see aggregate, anonymized usage statistics — never individual health records
- All admin access to infrastructure requires multi-factor authentication
- All access to any system containing user data is logged and auditable
3.4 Sharing controls
- Medical summaries shared with other people use time-limited links that expire after 48 hours by default
- You can revoke any shared link at any time from your settings
- Shared links require you to name the recipient before they are generated
- Summaries are never shared without your explicit action
4. Who we share your data with
We share data only with vendors who are necessary to operate Vitale. We never sell your data. We never share your data with advertisers. Every vendor who handles health data has signed a Business Associate Agreement (BAA) with us as required by HIPAA.
*RevenueCat, PostHog, and Stripe never receive health data. A BAA is not required for vendors who do not handle protected health information.
4.1 AI processing disclosure
When you use AI features in Vitale, your logged wellness data patterns are processed by Anthropic's Claude API to generate organized summaries and insights. Before any data is sent to Anthropic:
- All personally identifiable information is removed
- Data is sanitized to remove any content that could identify you
- Only pattern data is transmitted — for example, symptom frequency and severity, not your name or account details
- Anthropic has signed a Business Associate Agreement with us
- Anthropic does not use your health data to train their models
4.2 Legal disclosures
We may disclose your information if required by law, court order, or government regulation. If we are legally required to disclose your data, we will notify you unless we are legally prohibited from doing so. We will always disclose the minimum information required by the legal request and nothing more.
4.3 Business transfers
If Salude Vitale is acquired, merged, or its assets are transferred, your data may be transferred as part of that transaction. If this happens, we will notify you at least 30 days in advance by email and in-app notification. You will have the option to delete your account and all associated data before any transfer takes effect.
5. Your rights
You have meaningful control over your data. Here are your rights and exactly how to exercise them.
5.1 Account deletion
You can delete your account with a single tap in Settings > Account > Delete my account. When you delete your account:
- Your account is immediately deactivated and you are signed out of all devices
- Your personal information is anonymized immediately — your name and email are replaced with randomized values
- All your health logs, conditions, symptoms, and notes are scheduled for permanent deletion
- All data is permanently and irreversibly deleted within 30 days
- Anonymized, non-identifiable analytics data may be retained for up to 24 months
- We will send you a confirmation email when deletion is complete
If you prefer to request deletion by email, contact privacy@saludevitale.com. We will process your request within 5 business days and confirm when complete.
6. HIPAA compliance (United States)
For users in the United States, the health information you log in Vitale may constitute Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).
Salude Vitale operates on HIPAA-eligible infrastructure. We have implemented the following safeguards required by the HIPAA Security Rule:
- Administrative safeguards — access controls, workforce training, and incident response procedures
- Physical safeguards — HIPAA-eligible data centers with physical access controls
- Technical safeguards — encryption, audit logging, automatic session timeout, and unique user identification
- Business Associate Agreements — signed with all vendors who handle PHI
You have the following rights with respect to your PHI:
- Right to access — you can access your PHI through the app or by requesting it from us
- Right to amendment — you can correct or update your PHI by editing entries in the app
- Right to an accounting of disclosures — you can request a record of how your PHI has been disclosed
- Right to restriction — you can request restrictions on how we use or disclose your PHI
- Right to confidential communications — you can request we communicate with you in a specific way
To exercise any HIPAA rights, contact us at privacy@saludevitale.com. We will respond within 30 days as required by law.
7. GDPR compliance (European Union and UK)
For users in the European Union and United Kingdom, this section describes our compliance with the General Data Protection Regulation (GDPR) and the UK GDPR.
7.1 Legal basis for processing
We process your personal data on the following legal bases:
7.2 Data transfers outside the EU
Some of our vendors process data in the United States. Where this involves transferring your personal data outside the European Economic Area, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary technical measures including encryption and pseudonymization
- Data Processing Agreements with each vendor confirming GDPR compliance
7.3 Data retention
We keep your personal data only for as long as necessary. Specific retention periods are documented in Section 2. When data is no longer needed, it is permanently and securely deleted. We do not retain data for speculative future purposes.
7.4 Automated decision-making
Vitale uses AI to organize and summarize your logged data. This processing does not constitute automated decision-making that produces legal effects or similarly significant effects on you. The AI organizes your data for your review — all decisions about your health remain entirely with you and your healthcare provider.
7.5 Your GDPR rights
In addition to the rights described in Section 5, GDPR gives you the following rights:
- Right to data portability — receive your data in JSON or CSV format
- Right to object — object to processing based on legitimate interests
- Right not to be subject to automated decision-making — not applicable as described in 7.4 above
- Right to lodge a complaint — with your national data protection authority
To contact your national data protection authority:
- EU: Find your authority at edpb.europa.eu/about-edpb/board/members
- UK: Information Commissioner's Office at ico.org.uk
8. Children's privacy
Vitale is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. Users must be at least 13 years old to create an account.
If you are between 13 and 18, we encourage you to review this policy with a parent or guardian before creating an account. Depending on your country, your parent or guardian may need to provide consent on your behalf.
If we become aware that we have collected personal information from a child under 13 without verification of parental consent, we will delete that information immediately. If you believe we may have collected information from a child under 13, please contact us at privacy@saludevitale.com.
9. Data breach notification
Despite our best efforts, no security system is impenetrable. If a data breach occurs that affects your personal information, we will:
- Notify affected users by email within 24 hours of confirming the breach
- Describe what happened, what data was involved, and what we are doing about it
- Tell you specifically what steps you should take to protect yourself
- Notify the relevant supervisory authority within 72 hours as required by GDPR
- Notify affected users within 60 days as required by HIPAA
- Provide free credit monitoring services if financial information was involved
We maintain a documented incident response plan that is tested regularly. Our goal is to detect, contain, and communicate any breach as quickly as possible.
10. Cookies and tracking
The Vitale mobile app does not use cookies. The Vitale website (saludevitale.com) uses the following:
You can control cookies through your browser settings. Disabling essential cookies may prevent you from accessing account features on the website.
11. Changes to this policy
We will update this policy when our practices change. Here is how we handle updates:
- Material changes — changes that affect your rights or how we use your health data — will be communicated by email and in-app notification at least 30 days before they take effect
- Minor changes — corrections, clarifications, or administrative updates — will be posted with an updated effective date and noted in the app
- Your continued use of Vitale after the effective date of material changes constitutes acceptance of the updated policy
- If you do not accept material changes, you may delete your account before the effective date
Previous versions of this policy are available by contacting privacy@saludevitale.com.
12. Contact us
If you have any questions, concerns, or requests regarding this privacy policy or how we handle your data, please contact us:
Vitale notices trends. Your doctor makes the diagnosis.