Back
Privacy

Privacy Policy

Effective: December 1, 2025

Last updated: December 1, 2025

Version: 1.0

Vitanovai respects your privacy. In this policy we explain what personal data we process, for what purposes, what legal bases we use, with whom we share data, how long we retain data, and what rights you have. This policy applies to our websites, apps and services (the "Service").

Summary (not legally binding)

  • We process account and usage data to deliver the Service.
  • AI features send prompts/messages (if relevant with transcripts) via OpenRouter to models from Anthropic (Claude) and Google (Gemini).
  • For health-related data we ask for explicit consent (checkbox).
  • You can delete your account and exercise privacy rights; contact us at info@vitanovai.nl.

Table of Contents

  1. Who we are and contact
  2. What data we process
  3. Purposes and legal bases
  4. Health data and explicit consent
  5. Processors and data recipients
  6. International transfers
  7. Retention periods
  8. Your rights
  9. Security
  10. Cookies
  11. Minors
  12. Changes to this policy

1. Who we are and contact

Data controller: Vitanovai Address: [Address to be added] Privacy contact email: info@vitanovai.nl DPO/FG: not appointed.

2. What data we process

Depending on your use, we may process the following categories:

  1. Account data: name, email address, authentication and verification data.
  2. Usage data: session and device data, settings, interactions with the Service.
  3. Content and communication: chat messages, prompts to AI, notes, (optional) transcripts/recordings of sessions, uploaded files (e.g. evidence for challenges).
  4. Subscription/payment: limited billing/subscription data (via payment/subscription provider; we do not store complete card details ourselves).
  5. Support: content of support requests and logs.

3. Purposes and legal bases

We process data for:

  • Service delivery and account management (performance of contract).
  • Improvement and security of the Service (legitimate interest).
  • Communication, service emails (performance of contract/legitimate interest).
  • Legal obligations (e.g. tax retention requirements).
  • AI functionalities (performance of contract); for health-related data we ask for explicit consent.

You can withdraw consent without adverse consequences for previously lawfully performed processing; withdrawal does not have retroactive effect.

4. Health data and explicit consent

Some features may imply health-related information (e.g. mental wellness routines, nutrition, sleep, fitness). To the extent such data qualifies as health data, we process it only with your explicit consent. In the UI we provide a clear consent checkbox. Without your consent, health-related features may be limited or unavailable. You can withdraw your consent at any time in settings or by emailing us.

5. Processors and data recipients

We share personal data only where necessary with service providers who process data on our behalf or with parties who provide data for functionality:

  • OpenRouter (intermediary for AI models) → models from Anthropic (Claude) and Google (Gemini): processing of prompts/messages and relevant context (e.g. transcripts) to generate AI responses.
  • Resend: sending transactional emails (verification, notifications).
  • GetStream: chat, video, transcripts and (if applicable) recordings.
  • UploadThing: storage/handling of uploaded files (e.g. challenge evidence).
  • Spoonacular: recipe and nutrition data for nutrition features.
  • YouTube Data API: video metadata/searches related to exercises or content.
  • Inngest: asynchronous background tasks and processing workflows.

These parties have their own terms and privacy policies. Where necessary we conclude data processing agreements.

6. International transfers

Some parties may be established outside the EU/EEA or process data there. In that case we use appropriate safeguards, such as the European Commission-approved Standard Contractual Clauses (SCCs), unless an adequacy decision exists or you expressly consent to the transfer.

7. Retention periods

  • Account data: until account deletion + 30 days (backup/administrative purposes).
  • Chat messages and transcripts: until end of program or account deletion.
  • Recordings (GetStream): default 30 days, unless otherwise specified or legally required.
  • Uploaded files (UploadThing): until end of challenge or account deletion.
  • Technical/log data: 90 days.
  • Deleted account: remaining backups maximum 30 days, then permanent deletion, subject to legal retention obligations.

8. Your rights

Within the legal framework, you have the right to: access, rectification, deletion, restriction, data portability, and objection to certain processing. You can delete your account in the app (if available) or submit a request via info@vitanovai.nl. We may ask you to verify your identity. You also have the right to file a complaint with the Dutch Data Protection Authority.

9. Security

We take appropriate technical and organizational measures to protect personal data against loss or unlawful processing. However, no system is 100% secure; we cannot guarantee absolute security.

10. Cookies

We use only essential cookies necessary for authentication and language preferences. We do not currently use analytics cookies. If this changes, we will update this policy and, if required, ask for consent.

11. Minors

The Service is intended for users aged 16 and older. For users under 16, parental/guardian consent is required. We delete accounts that we know were created without required consent.

12. Changes to this policy

We may update this policy. For material changes we will inform you via the Service or by email, stating the effective date. If you continue to use the Service after the effective date, the updated policy applies.

Back to Home