Last updated: June 3, 2026
VibeGroup Studio ("we", "us", "our"), based in Kyiv, Ukraine, operates the VitaRun mobile application and this promotional website. This Privacy Policy explains how we collect, use, store, and protect personal data when you use VitaRun, optionally sync data with our servers, or browse this site. Data controller: VibeGroup Studio, Kyiv, Ukraine. For privacy requests or to contact our Data Protection Officer (DPO): privacy@vibegroup.com. General support: support@vibegroup.com.
- The VitaRun app (iOS/Android) and related services.
- Optional cloud sync when you sign in and synchronize data with our backend.
- This website (product information, download links, legal pages).

The contact form on this site does not transmit your fields to our servers; it is for display only—if you need support, use the email addresses shown. If you email us, we process your address and message to respond.
Depending on how you use VitaRun, we may process the following categories of data:
| Category | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Account & authentication (email, name, identifiers, Sign in with Apple/Google) | Account creation, sign-in, identity verification | Contract performance | Until account deletion + 30 days |
| Health & wellness content (mood, energy, pain, symptoms, sleep, notes, medications, supplements, habits, bioprotocol data) | Provide wellness tracking, analytics, sync | Explicit consent (Art. 9 GDPR — special category data) | Until account deletion + 30 days; backups up to 90 days |
| Data from Apple Health / Health Connect (activity, sleep, heart rate where applicable) | Import health data for unified tracking | Explicit consent (OS permission + in-app) | Until account deletion |
| Family & sharing features (relationship data, linked account identifiers) | Enable family account connections | Consent / contract performance | Until account deletion or family link removed |
| Technical & diagnostics (device type, OS/app version, error logs) | Troubleshooting, stability, performance monitoring | Legitimate interest (Art. 6(1)(f) GDPR) | 90 days rolling |
| Subscriptions & purchases (subscription status, transaction IDs via Apple/Google/RevenueCat) | Manage entitlements, verify Premium status | Contract performance / legal obligation | Duration of subscription + tax retention period |
| AI wellness insights (Premium, optional — structured summary sent to OpenAI) | Generate AI text insights at your request | Explicit consent (pre-first-request acknowledgment) | Until account deletion; OpenAI: zero retention (API) |
| Website & communications (technical logs, support emails) | Deliver website, respond to inquiries | Legitimate interest / consent | Website logs: 30 days; emails: 1 year |
We process data to provide the service, maintain your account, sync data you request, improve reliability, process subscriptions, send service-related notices where applicable, and comply with law. Where required, we rely on your consent (e.g. health integrations, certain optional features), on performing a contract with you, or on our legitimate interests (e.g. security and product improvement), balanced against your rights.
We do not sell your personal data. We do not share personal data for cross-context behavioral advertising. We share data only with processors strictly necessary to operate VitaRun:
Important: VitaRun does not integrate any third-party analytics SDKs, advertising trackers, behavioral profiling tools, or crash-reporting services (such as Google Analytics, Facebook SDK, Sentry, or Crashlytics). All error logging and diagnostics are handled by our own backend on Railway.
Your data may be transferred to and processed in countries outside your country of residence. Specifically:
We keep data while your account is active and for the periods specified in the table in Section 3 above. After you request account deletion:
For the full deletion process, see our Account Deletion page.
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict or object to processing, or export your data. To delete your account, follow the steps on our Account Deletion page. For other privacy requests, contact privacy@vibegroup.com. We will respond within 30 days (or sooner as required by law).
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
You have the right to lodge a complaint with a data protection supervisory authority. For Ukraine, this is the Ukrainian Parliament Commissioner for Human Rights (Уповноважений Верховної Ради з прав людини). For EEA/UK residents, contact your local Data Protection Authority (DPA) or the UK Information Commissioner's Office (ICO).
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:
To exercise your rights, contact us at privacy@vibegroup.com. We will verify your identity and respond within 45 days.
If you are a UK resident, you have the same rights as described in Section 8a under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The supervisory authority for the UK is the Information Commissioner's Office (ICO): ico.org.uk.
In transit: Communications between the VitaRun app and our servers use HTTPS (TLS). Third-party services we integrate with (such as Firebase Authentication, Apple/Google sign-in, RevenueCat, and OpenAI for optional AI features) also use encrypted connections as provided by those services.
On your device: Wellness data you enter is stored locally in a SQLite database and in the app's preferences storage (SharedPreferences / iOS UserDefaults). We do not implement separate application-level encryption (such as SQLCipher or a secure enclave/keychain wrapper) for this local cache; protection relies on your device's operating-system safeguards (including device passcode/biometrics and platform file encryption where enabled).
Authentication: Sign-in credentials for email/password and Google are handled by Firebase Authentication (Google). Apple Sign-In is handled through Apple's authentication service. Our backend issues short-lived session tokens (JWT, HS256) after verifying your identity; these tokens are stored on your device in app preferences.
On our servers: Account passwords for legacy accounts may be stored using one-way hashing (bcrypt). Server access is protected by HTTPS, security headers, rate limiting, and authenticated API requests. Health and wellness content you sync is stored in our database (PostgreSQL) on cloud infrastructure (Railway). We do not encrypt individual health fields at the application level; database and disk encryption at rest depend on our hosting provider's infrastructure.
Limitations: No method of transmission or electronic storage is 100% secure. We work to protect your information using reasonable industry practices, but we cannot guarantee absolute security.
VitaRun is intended for users aged 18 and above. We do not knowingly collect or process personal data from individuals under 18. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that information promptly. If you believe a minor has provided us with personal data, please contact us at privacy@vibegroup.com.
VitaRun is a wellness and self-tracking tool, not a medical device. It does not replace professional medical advice, diagnosis, or treatment.
Some VitaRun features use automated analysis to generate wellness-related text (for example, analytics summaries and Wake Insight). To provide these features, VitaRun transmits a compact summary derived from information you enter in the app (such as recent check‑ins and related notes) to VitaRun-controlled servers hosted on Railway.
VitaRun's servers then send that content to OpenAI, Inc. (United States) via the OpenAI API to generate responses. Processing may occur in the United States. OpenAI processes the content as a service provider/subprocessor according to OpenAI's terms and policies applicable to API customers. OpenAI does not use API customer data to train its models.
Data categories that may be included in AI requests include, where applicable: check‑in timestamps; mood and energy ratings; sleep duration and quality; symptoms and short text notes; optional metrics such as weight; app language preference; and any other fields you voluntarily log that are reasonably needed to create the wellness summary requested by the feature you use.
We do not transmit passwords, authorization tokens, or your direct contact information (such as email or name) to OpenAI.
Important: The basic/local supplement dosage calculator performs all evaluations and computations entirely on your device. No prompts, logs, or personal data are sent to any third-party Large Language Models (LLMs) or external servers for the supplement calculator feature. Only the optional Premium AI analysis features transmit data as described above.
All AI analysis requests are user-initiated only — we never send your data to AI providers automatically or in the background.
Before the first AI request, the app asks for your explicit acknowledgment of this sharing where required.
For more detail about OpenAI's practices, see: OpenAI Enterprise Privacy and the OpenAI Data Processing Addendum.
We may update this Privacy Policy from time to time. The "Last updated" date at the top will change. For material changes, we will notify you via email (if you have an account) or by prominent notice on this website. Continued use after updates means you acknowledge the revised Policy where permitted by law.
VitaRun and this website do not contain any third-party advertising SDKs, analytics trackers, behavioral profiling tools, or cross-app tracking technologies. We do not use Google Analytics, Facebook Pixel, Adjust, AppsFlyer, Sentry, Crashlytics, or similar services. All error logging and diagnostic data collection is handled exclusively through our own backend infrastructure hosted on Railway. This is a deliberate design choice to maximize your privacy. Furthermore, in strict compliance with App Store guidelines, data collected from Apple HealthKit and Google Health Connect is never used for advertising, marketing, or use-based data mining.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in compliance with Article 33 of the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users directly via email or in-app notification without undue delay, in accordance with Article 34 of the GDPR.
This Privacy Policy shall be governed by and construed in accordance with the laws of Ukraine, without regard to conflict of law provisions. If you are a consumer in the European Union or the United Kingdom, nothing in this clause limits your rights under mandatory consumer protection laws of your country of residence, including the GDPR and UK GDPR.