Privacy Policy

Last Updated: January 2, 2026

1. Introduction

VitalSync (operated by TOTAL HEALTH AI LLC, "we", "our", or "us") provides health data infrastructure services through our API platform. This Privacy Policy describes how we collect, use, share, and protect information when you use our services.

By using VitalSync, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

Information You Provide

  • Account Information: Name, email address, company name, phone number, and password when you create an account.

  • Integration Credentials: OAuth tokens, API keys, and connection credentials for third-party health data providers (e.g., Fitbit, Oura, Apple Health, EHR systems).

  • Communication Data: Information you provide when contacting our support team or participating in surveys.

  • Payment Information: Billing details and payment card information (processed securely through third-party payment processors).

Health Data

When you connect your end users' health data sources through our API, we process health and wellness data on your behalf. This may include activity metrics, sleep data, heart rate, nutrition information, lab results, and clinical records depending on which data sources you integrate.

We act as a data processor for this health information. You remain the data controller and are responsible for obtaining appropriate consent from your users and complying with applicable privacy laws.

Automatically Collected Information

  • Usage Data: API calls, request/response data, error logs, feature usage, and interaction patterns with our dashboard.

  • Device Information: IP address, browser type and version, operating system, device identifiers, and network information.

  • Analytics Data: Performance metrics, crash reports, and service diagnostics to improve our platform.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, maintain, and improve our API infrastructure and data integration services.

  • Data Processing: To normalize, transform, and aggregate health data from multiple sources according to your API requests.

  • Account Management: To create and manage your account, process payments, and provide customer support.

  • Security: To detect, prevent, and respond to fraud, security threats, and violations of our Terms of Service.

  • Communication: To send service updates, technical notices, security alerts, and support messages.

  • Analytics and Improvement: To analyze usage patterns and improve our platform features and performance.

  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

4. How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

  • Service Providers: With third-party vendors who perform services on our behalf, such as cloud hosting (AWS), database management (Supabase), payment processing, and email delivery. These providers are contractually obligated to protect your information and use it only for authorized purposes.

  • Health Data Providers: With the third-party health platforms (e.g., Fitbit, Oura, EHR systems) that you choose to connect through our API, strictly as necessary to authenticate and retrieve data.

  • Business Transfers: In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.

  • Legal Requirements: When required by law, subpoena, court order, or other legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

  • With Your Consent: When you explicitly authorize us to share specific information with third parties.

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities and to distinguish you from other users. This helps us provide a better experience and improve our services.

Types of Cookies We Use

  • Essential Cookies: Necessary for the website to function properly, including authentication and security.

  • Analytics Cookies: Help us understand how visitors interact with our website by collecting anonymous information.

  • Functional Cookies: Enable personalized features and remember your preferences.

You can control cookies through your browser settings. However, disabling certain cookies may limit your ability to use some features of our platform.

6. Data Security

We implement comprehensive security measures to protect your information from unauthorized access, alteration, disclosure, or destruction:

  • Encryption: All data in transit is protected using TLS 1.3 encryption. Sensitive data at rest is encrypted using AES-256 encryption.

  • Access Controls: Strict role-based access controls with multi-factor authentication for administrative access.

  • Infrastructure Security: Our services run on SOC 2 Type II certified infrastructure with regular security audits.

  • Monitoring: Continuous monitoring for security threats and unauthorized access attempts.

  • Incident Response: Documented procedures for detecting, responding to, and reporting security incidents.

While we use industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.

7. Data Retention

We retain your information for as long as necessary to provide our services and fulfill the purposes outlined in this policy. Specific retention periods depend on the type of data:

  • Account Information: Retained while your account is active and for up to 90 days after account closure, unless longer retention is required by law.

  • Health Data: Processed on your behalf and retained according to your instructions. You control the retention period and can request deletion at any time.

  • Usage Logs: Retained for up to 12 months for security monitoring and service improvement.

  • Financial Records: Retained for 7 years as required by applicable tax and financial regulations.

8. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

General Rights

  • Access: Request access to the personal information we hold about you.

  • Correction: Request correction of inaccurate or incomplete information.

  • Deletion: Request deletion of your personal information, subject to legal and contractual obligations.

  • Data Portability: Request a copy of your data in a structured, machine-readable format.

  • Objection: Object to processing of your information for certain purposes.

California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information.

European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to restrict processing and the right to lodge a complaint with a supervisory authority.

To exercise any of these rights, please contact us at privacy@vitalsync.tech. We will respond to your request within 30 days.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.

When we transfer personal information from the EEA to other countries, we use approved data transfer mechanisms, such as Standard Contractual Clauses, to ensure your data receives an adequate level of protection.

10. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us, and we will take steps to delete such information.

11. Third-Party Links

Our platform may contain links to third-party websites and services. We are not responsible for the privacy practices or content of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. We will notify you of any material changes by:

  • Posting the updated policy on our website with a new "Last Updated" date

  • Sending you an email notification if you have an account with us

Your continued use of our services after any changes indicates your acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

TOTAL HEALTH AI LLC

Email: privacy@vitalsync.tech

Data Protection Officer: bradley@vitalsync.tech

Support: support@vitalsync.tech