vytalLink

Privacy Policy

How we handle your health data

Last updated: April 16, 2026 · Effective since: September 11, 2025

Data Controller

The data controller for the vytalLink application and website is:

  • Entity: Xmartlabs SRL
  • Location: Montevideo, Uruguay
  • Contact: [email protected]

Overview

At vytalLink, we believe your health data belongs to you. This Privacy Policy explains how we collect, use, and protect your information when you use our mobile application and website.

Key principle: Your health data stays on your device. vytalLink reads health data from your device and makes it available to AI tools through the MCP (Model Context Protocol). Data is processed locally on your phone and relayed through our server to the AI service you connect. We never store it.

Information We Collect

Health Data

  • Device Storage: All health data (steps, heart rate, sleep, workouts) is stored locally on your device via Apple HealthKit or Google Health Connect
  • On-demand Access: Health data is only read from your device when you make a specific request through an AI assistant
  • Relay, Not Storage: When an AI service requests your health data, it passes through our server as a stateless relay. The server routes the request to your phone and forwards the response back to the AI service. We do not store, cache, or log health data on our servers at any point
  • Local Processing: All filtering, aggregation, and normalization of health data happens on your device before it leaves

Authentication Data (stored on device)

  • Local MCP server word + PIN for AI integration
  • Session tokens for device-to-AI communication (stored temporarily on your device)

Technical and Analytics Data

We collect limited technical data to maintain and improve the app. Under applicable privacy laws (including GDPR), some of this data may qualify as personal data:

  • Device type and operating system version
  • App version and crash reports
  • Anonymized app usage patterns (e.g., screens visited, feature usage)
  • Network connectivity status
  • Approximate location (country and city level, inferred from IP address by Firebase Analytics). We do not collect precise GPS or fine-grained location data

We do not collect your name, email address, physical address, or other direct identifiers through the app.

Website Analytics

Our website (vytallink.com) uses Google Analytics 4 (via Google Tag Manager) to understand how visitors use the site. This service may set cookies on your browser and collect:

  • Pages visited, time on page, and referral source
  • Browser type, screen resolution, and general location (country/city level)
  • A randomly generated client identifier (not linked to your identity)

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

Legal Basis for Processing

We process the limited data described above based on the following legal grounds (as defined under GDPR and similar laws):

  • Consent: You grant explicit permission to access health data through your device's system health permissions (HealthKit / Health Connect)
  • Legitimate interest: We collect anonymized analytics and crash reports to maintain, secure, and improve the app. This processing is minimal and does not override your privacy rights
  • Contract performance: Processing necessary to provide the core vytalLink service (e.g., running the local MCP server)

How We Use Your Information

  • Local MCP Server: Create a secure local server on your device that AI tools can query for your health data
  • AI Integration: Enable secure communication between your device and the AI assistants you choose
  • Service Improvement: Analyze anonymized usage patterns and crash data to improve app functionality and stability
  • Approximate Location: Firebase Analytics infers your general location (country/city) from your IP address to help us understand where our users are and prioritize language and regional support. We do not request GPS permissions or collect precise location

Data Sharing and Third Parties

AI Services

When you connect an AI tool to vytalLink, it sends requests to our server, which relays them to your phone via a secure WebSocket connection. Your phone reads the requested health data locally, and the response travels back through our server to the AI service. Our server acts only as a stateless pass-through and does not store, cache, or inspect the health data in transit.

You decide which AI service to connect and what data categories to share. Once your data reaches that service, its own privacy policy and terms apply. vytalLink has no control over how third-party AI services process, store, or use your data, and we are not responsible for their data practices. We recommend reviewing the privacy policy of any AI service before connecting it.

Firebase (Google)

We use the following Firebase services, operated by Google LLC:

  • Firebase Analytics: Collects anonymized usage metrics (events, screen views, user properties). Does not include health data or direct personal identifiers.
  • Firebase Crashlytics: Collects crash reports including device model, OS version, and stack traces to help us fix bugs. Does not include health data.

Firebase may process this data on servers located outside your country of residence (including the United States). Google acts as a data processor on our behalf and is bound by its Firebase Data Processing Terms.

What We Never Do

  • We never store, cache, or log your health data on our servers. Our server relays it in transit only at your request
  • We never sell, rent, or share any data with third parties for advertising, marketing, or data brokering purposes
  • We never send your data to any service you have not explicitly chosen to connect

International Data Transfers

Xmartlabs is based in Uruguay, which has been recognized by the European Commission as providing an adequate level of data protection. Anonymized analytics and crash data processed by Firebase may be transferred to Google servers in the United States and other countries. These transfers are covered by Google's data processing terms and Standard Contractual Clauses.

Security Measures

  • Local Processing: All health data filtering and aggregation happens on your device before anything is sent
  • No Cloud Storage: Health data passes through our server as a relay but is never stored, cached, or logged
  • Secure MCP Protocol: Industry-standard MCP (Model Context Protocol) for AI communication
  • Device-level Security: Relies on your device's built-in security features (iOS/Android encryption, biometrics)
  • Encrypted Connections: All communications between your device and AI services are encrypted in transit (TLS)
  • No Persistent Sessions: Connection data is cleared after each session

No security system is perfect. While we take reasonable measures to protect data in transit and rely on your device's built-in protections for data at rest, we cannot guarantee absolute security.

Your Rights and Control

Depending on your jurisdiction, you may have the following rights:

  • Selective Sharing: Choose exactly what health data categories to share with AI assistants
  • Revoke Access: Disconnect AI services or revoke health data permissions at any time through your device settings
  • Total Deletion: Since vytalLink does not store personal or health data on its servers, uninstalling the app removes all locally stored information
  • Right of Access and Portability: For the limited analytics data we process via Firebase, you may request access or a copy by contacting us
  • Right to Erasure: You may request deletion of any analytics data associated with your device by contacting us
  • Right to Object: You may object to processing based on legitimate interest by contacting us
  • Opt Out of Analytics: You can disable analytics collection within the app settings or by using the Google Analytics opt-out tools
  • Lodge a Complaint: If you believe your privacy rights have been violated, you may lodge a complaint with your local data protection authority

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request the categories and specific pieces of personal information we have collected
  • Right to Delete: You may request deletion of your personal information
  • Right to Opt Out of Sale: We do not sell or share your personal information for cross-context behavioral advertising
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

Data Retention

  • Health Data: Never stored on our servers; remains on your device until you delete it or uninstall the app
  • Session Data: Cleared immediately after AI communication sessions end
  • Authentication Tokens: Expire and are deleted after 24 hours
  • Analytics Data: Anonymized analytics data is retained by Firebase for up to 14 months, then automatically deleted
  • Crash Reports: Retained for up to 90 days, then automatically deleted

Children's Privacy

vytalLink is intended for users aged 18 and older. Users between 13 and 17 may use the app with parental or guardian consent. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has used the app without appropriate consent, please contact us and we will take steps to address the situation.

Compliance

vytalLink follows these privacy frameworks:

  • GDPR (EU): We provide a legal basis for all processing, honor data subject rights, and ensure adequate safeguards for international transfers
  • CCPA/CPRA (California): We disclose data practices, honor opt-out and deletion requests, and do not sell personal information
  • Apple App Tracking Transparency: We comply with Apple's ATT framework and do not track users across apps or websites owned by other companies
  • Google Play Data Safety: Our data safety disclosures accurately reflect the data practices described in this policy

vytalLink is a consumer wellness application and is not a HIPAA-covered entity or business associate. We do not provide medical services and do not access, store, or transmit protected health information (PHI) on our servers.

The app and website may contain links to third-party services (AI assistants, app stores, etc.). We are not responsible for the privacy practices of those services. We recommend reading their privacy policies before sharing data with them.

Governing Law

This Privacy Policy is governed by the laws of Uruguay. If you are located in the European Union, you also retain any mandatory rights granted under the laws of your country of residence, including the right to lodge a complaint with your local data protection authority.

Changes to This Policy

We may update this Privacy Policy. When we make material changes, we will post the updated version in the app and on our website and update the "Last updated" date above.

Contact Us

Questions about this policy or want to exercise your privacy rights? Reach out:

  • Email: [email protected]
  • Support: Contact Support
  • Xmartlabs: https://xmartlabs.com

We do not have a formal Data Protection Officer (DPO). For any privacy-related inquiries, including GDPR data subject requests, please write to the email address above.
