Privacy Policy
How we collect, protect, and handle your health data with transparency and care.
Vitality Wellness LLC ("Company," "we," "us," or "our"), a Wyoming limited liability company, operates the POWR mobile application, website (powrhealth.com), and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use the Service.
We are committed to protecting your privacy and handling your data—particularly your sensitive health and wellness data—with the utmost care and transparency. Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described herein.
If you do not agree with this Privacy Policy, please do not use the Service.
1. Information We Collect
We collect information in three categories: information you provide directly, information collected automatically, and information from third-party sources.
1.1 Information You Provide Directly
Account Information
When you create an account, we collect:
- Email address
- Phone number (if provided for verification)
- Name (first and last)
- Username
- Profile photo (optional)
Health and Fitness Data
When you use the Service's health and wellness features, you may provide:
- Nutrition data: Food entries, meal descriptions, calorie intake, macronutrients (carbohydrates, protein, fat), micronutrients (fiber, sugar, sodium, cholesterol, vitamins, minerals), serving sizes, brand names, meal categories, dietary preferences (vegan, vegetarian, gluten-free, etc.), food allergens, ingredient information, and food scores
- Physical measurements: Height, weight, date of birth, biological sex, target weight, weekly weight change rate
- Weight history: Weight measurements over time, associated notes
- Progress photos: Photographs you upload to track physical progress
- Goals and preferences: Nutrition goals, current health objectives
Communications
- Support requests, feedback, and correspondence you send to us
- Referral codes and referral participation
1.2 Information Collected Automatically
When you use the Service, we automatically collect:
Device Information
- Device type, model, and operating system version
- Device identifier and device fingerprint
- Application version
- Platform (iOS, Android, or web)
Usage and Performance Data
- Features accessed and actions taken within the Service
- Session timestamps and duration
- Error and crash reports
- Performance metrics
Network Information
- Internet Protocol (IP) address
- General geographic location (derived from IP address, not precise GPS)
Location Data
- We do not collect precise GPS or route data. General geographic location may be derived from your IP address as noted above.
1.3 Information from Third-Party Sources
Third-party health and fitness integrations are planned for future versions. When available, with your explicit authorization, we may receive Health Data from connected third-party services. We will update this Privacy Policy to reflect specific integrations as they are added.
We will only access data from third-party services that you explicitly authorize. You will be able to disconnect any third-party service at any time through the Service settings.
2. How We Use Your Information
2.1 Providing and Operating the Service
- Creating and managing your account
- Processing, storing, and displaying your Health Data
- Calculating food scores and nutrition insights
- Enabling nutrition tracking and goal management
- Displaying your progress, trends, and historical data
- Storing and managing progress photos
- Processing subscription entitlements
2.2 AI-Powered Features
- Analyzing food photographs to identify foods and estimate nutritional content
- Processing text-based food descriptions for nutritional analysis
- Generating personalized health insights and recommendations
- Providing AI-powered chat functionality for health and wellness questions
- Calibrating your personalized wellness scores
- Providing ingredient analysis and explanations
Data Minimization for AI: When processing your data through AI features, we employ data minimization practices. Only the specific information necessary for the AI analysis is transmitted to our AI service provider—your full health profile is not sent.
2.3 Personalization
- Tailoring insights and recommendations to your individual health profile
- Customizing the Service experience based on your goals and preferences
- Adapting nutrition recommendations based on your goals and preferences
2.4 Service Improvement and Analytics
- Analyzing aggregated, de-identified usage patterns to improve the Service
- Identifying and fixing technical issues, bugs, and errors
- Developing new features and functionality
2.5 Communication
- Sending transactional emails (account verification, password resets)
- Delivering important Service updates and announcements
- Responding to your support inquiries and feedback
2.6 Security and Integrity
- Authenticating users and preventing unauthorized access
- Detecting and preventing fraud, abuse, and security threats
- Enforcing rate limits and usage policies to maintain service quality
- Maintaining audit logs for security and compliance purposes
2.7 Legal Compliance
- Complying with applicable laws, regulations, and legal obligations
- Responding to lawful requests from government authorities
- Establishing, exercising, or defending legal claims
3. How We Protect Your Information
We implement comprehensive technical and organizational security measures to protect your personal information, with particular emphasis on safeguarding your sensitive Health Data.
3.1 Encryption at Rest
Sensitive Health Data is encrypted at rest using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode), an industry-leading encryption standard. The following categories of data are encrypted in our database:
- Nutrition data (detailed macronutrient and micronutrient information)
- Food ingredients and allergen information
- Food scores and analysis data
- Weight measurements and notes
- Nutrition goals
3.2 Encryption in Transit
All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security) / HTTPS protocols.
3.3 Authentication and Access Control
- Industry-standard JWT (JSON Web Token) authentication
- Role-based access controls limiting data access to authorized personnel and systems
- User-scoped data access ensuring you can only access your own data
- Multi-factor authentication support via email and phone verification
3.4 Abuse Prevention
- Multi-layered rate limiting (IP-based, user-based, and device-based) to prevent abuse
- Device trust scoring to detect and prevent suspicious activity
- Automated abuse detection and response
3.5 Audit Logging
- Comprehensive audit trails recording access to and modifications of Health Data
- Encryption failure monitoring and logging
- Separate audit logging for AI-related data processing
- Audit logs are maintained for security and compliance purposes
3.6 Infrastructure Security
- Database hosted on secure cloud infrastructure with network-level protections
- Application-level input validation and parameterized database queries to prevent injection attacks
- Cross-Origin Resource Sharing (CORS) restrictions
- Connection timeout and resource management controls
3.7 Security Limitations
Despite our robust security measures, no method of electronic storage or transmission over the Internet is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. We encourage you to use strong, unique passwords and to keep your account credentials confidential.
4. Data Sharing and Disclosure
4.1 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information or Health Data to third parties for their marketing or commercial purposes.
4.2 Third-Party Service Providers
We share limited data with the following categories of service providers, solely as necessary to operate the Service:
Authentication, Storage, and Product Analytics
Firebase (Google): Processes authentication data (email, phone number, account identifiers) for user authentication and account management, provides cloud storage for user-uploaded files such as progress photos, and may receive limited product analytics data such as app interactions, device/app metadata, and diagnostics when analytics is enabled in the active app configuration.
AI Processing
Google AI services: Receive food images, food descriptions, and limited health context data for AI-powered nutritional analysis, insights, and recommendations. We apply data minimization practices, transmitting only the specific data necessary for each AI request. Your full health profile is never sent to AI providers.
Subscription and Payment Management
RevenueCat: Receives subscription-related data (customer identifiers, purchase events, subscription status, platform information) for managing premium subscriptions. RevenueCat does not receive any Health Data.
Email Services
Resend: Receives email addresses and verification codes for transactional email delivery (account verification). Resend does not receive Health Data.
Website Services (powrhealth.com only)
- ConvertKit: Receives email addresses submitted through the waitlist form on our website for email communication purposes.
- Vercel: Hosts our website; may process IP addresses and standard web request logs.
- Google Fonts: Serves font files to our website; may collect standard web request data.
4.3 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation;
- Protect and defend the rights or property of the Company;
- Prevent or investigate possible wrongdoing in connection with the Service;
- Protect the personal safety of users of the Service or the public;
- Protect against legal liability.
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.
4.5 With Your Consent
We may share your information with third parties when you have given us your explicit consent to do so.
4.6 Aggregated and De-Identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you for research, analytics, business intelligence, or other purposes.
5. Your Rights and Choices
5.1 Access Your Data
You have the right to access the personal information we hold about you. You can view most of your data directly through the Service. For a more comprehensive data access request, contact us at admin@vitalitywellness.app.
5.2 Correct Your Data
You can update or correct your account information and Health Data directly through the Service at any time.
5.3 Delete Your Data
You have the right to request deletion of your personal data. You can:
- Use the in-app account deletion feature—this initiates deletion of your account and associated data from our active systems, including:
  - Your account and profile information
  - All Health Data (nutrition logs, weight entries, food scores)
  - Progress photos and uploaded files
  - Subscription records and device information
  - Associated rate limiting records
- Contact us at admin@vitalitywellness.app to request account and data deletion.
When account deletion is requested, we immediately begin the deletion workflow and block further access to the account. Deletion from our active systems completes after required processor cleanup steps finish. Certain data may remain in backup systems for a limited period under our backup retention schedule, after which it is permanently deleted. Audit log entries and limited operational records that do not contain your Health Data may be retained for compliance, security, or dispute-resolution purposes.
5.4 Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Contact us at admin@vitalitywellness.app to request a data export. Export availability may vary by data category, and certain operational, security, billing, or backup records may be excluded or provided separately where permitted by law.
5.5 Withdraw Consent
Where we rely on your consent to process personal information, you have the right to withdraw that consent at any time. This includes:
- Disconnecting third-party health services through the Service settings;
- Revoking permissions for health data access on your device;
- Contacting us to withdraw consent for specific processing activities.
Withdrawal of consent does not affect the lawfulness of processing conducted prior to the withdrawal.
5.6 Opt Out of Communications
You may opt out of non-essential communications by:
- Following the unsubscribe instructions in any marketing email;
- Adjusting your notification preferences in the Service settings;
- Contacting us at admin@vitalitywellness.app.
Note that you may not opt out of transactional communications necessary for the operation of the Service (e.g., account verification, security alerts).
5.7 Manage Device Permissions
You can control the Service's access to device features (camera, photo library, health data, notifications) through your device's operating system settings at any time.
6. Data Retention
6.1 Active Account
We retain your personal information and Health Data for as long as your account is active and as needed to provide you with the Service.
6.2 After Account Deletion
Upon account deletion:
- Access to the account is blocked while deletion is in progress;
- Personal information and Health Data are removed from our active database systems once the deletion workflow completes;
- Uploaded files (such as progress photos) are removed from cloud storage as part of the deletion workflow;
- Authentication records are removed from our authentication provider as part of the deletion workflow;
- Backup copies may persist for a limited period consistent with our backup retention schedule, after which they are permanently deleted;
- Audit log entries and limited operational records (without Health Data content) may be retained for compliance, security, and dispute-resolution purposes.
6.3 Subscription Records
Subscription event records may be retained for financial reporting and dispute resolution purposes in accordance with applicable legal requirements.
6.4 Aggregated Data
Aggregated, de-identified data that cannot be used to identify you may be retained indefinitely for analytical and research purposes.
7. Cookies and Tracking Technologies
7.1 Mobile Application
The POWR mobile application does not use browser cookies. We use stateless JWT-based authentication, meaning no session cookies or tracking cookies are stored on your device by the application. When enabled in the active app configuration, the mobile application may also send limited product analytics and diagnostics events through our mobile analytics providers.
7.2 Website (powrhealth.com)
Our website is a static site that uses minimal tracking technologies:
- No analytics cookies: We do not currently deploy analytics tracking cookies on our website;
- Third-party fonts: Google Fonts may set standard HTTP cookies when serving font files;
- Email service: ConvertKit may set cookies in connection with waitlist form submissions;
- Hosting provider: Vercel may use standard cookies for site performance and security.
7.3 Do Not Track
We do not currently respond to "Do Not Track" browser signals. If we adopt this practice in the future, we will update this Privacy Policy accordingly.
8. Children's Privacy
The Service is not intended for use by children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us immediately at admin@vitalitywellness.app. If we become aware that we have collected personal information from a child under 13 without parental consent, we will take prompt steps to delete such information from our systems.
If you are between the ages of 13 and 18, you may use the Service only with the involvement and consent of a parent or legal guardian.
9. Health Data—Special Considerations
9.1 Sensitivity of Health Data
We recognize that Health Data is among the most sensitive categories of personal information. We handle all Health Data with heightened care and security protections, including encryption at rest, access controls, and audit logging.
9.2 Health Data Is Yours
Your Health Data belongs to you. We process it solely to provide the Service to you and do not use it for advertising, marketing to third parties, or any purpose unrelated to providing and improving the Service for your benefit.
9.3 Data Minimization
We practice data minimization by:
- Collecting only the Health Data necessary to provide the features you use;
- Transmitting only the minimum necessary data to third-party service providers (particularly AI services);
- Encrypting sensitive Health Data fields individually rather than in bulk;
- Providing granular control over which third-party health services you connect.
9.4 No Sale of Health Data
We will never sell your Health Data. This commitment applies regardless of any business changes, acquisitions, or other corporate events. In the event of a corporate transaction, the acquiring entity must honor this commitment or obtain your separate consent.
9.5 AI Processing of Health Data
When Health Data is processed through AI features:
- Data minimization is applied—only the specific data needed for the analysis is transmitted;
- AI processing is used to generate insights and recommendations for your personal use;
- AI-generated outputs are returned to you and stored in your encrypted account;
- We maintain separate audit logs for AI data processing activities;
- AI features are subject to rate limiting to prevent excessive data processing.
9.6 HIPAA Awareness
While POWR is a consumer wellness application and not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), we voluntarily adopt many HIPAA-aligned security practices, including:
- Encryption of protected health information (PHI) at rest using AES-256-GCM;
- Comprehensive audit logging of data access and modifications;
- Access controls and authentication requirements;
- Encryption failure monitoring;
- Complete data deletion upon account removal.
10. International Data Transfers
10.1 Data Processing Location
The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers maintain facilities.
10.2 Your Consent to Transfer
By using the Service, you consent to the transfer of your information to the United States and other jurisdictions that may have different data protection laws than your country of residence. We take steps to ensure that your information receives an adequate level of protection in the jurisdictions in which we process it.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
11.1 Right to Know
You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which your information was collected, the business or commercial purposes for collection, and the categories of third parties with whom we share your information.
11.2 Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions provided by law.
11.3 Right to Correct
You have the right to request correction of inaccurate personal information we maintain about you.
11.4 Right to Opt-Out of Sale or Sharing
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
11.5 Right to Limit Use of Sensitive Personal Information
You have the right to limit our use of sensitive personal information (including Health Data) to purposes necessary to provide the Service.
11.6 Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights.
11.7 How to Exercise Your Rights
To exercise your California privacy rights, contact us at admin@vitalitywellness.app. We will verify your identity before processing your request.
12. EEA / UK Privacy Rights (GDPR)
If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR:
12.1 Legal Bases for Processing
We process your personal data on the following legal bases:
- Contract: Processing necessary to perform our contract with you (providing the Service);
- Consent: Processing based on your explicit consent (e.g., health data collection, third-party integrations);
- Legitimate Interests: Processing necessary for our legitimate interests (e.g., security, fraud prevention, service improvement), balanced against your rights and freedoms;
- Legal Obligation: Processing necessary to comply with applicable legal obligations.
12.2 Your GDPR Rights
In addition to the rights described in Section 5, you have the right to:
- Object to processing based on legitimate interests;
- Restrict processing of your personal data in certain circumstances;
- Lodge a complaint with your local data protection supervisory authority;
- Withdraw consent at any time where processing is based on consent.
12.3 Data Protection Contact
For GDPR-related inquiries, contact us at admin@vitalitywellness.app.
13. Third-Party Links and Services
The Service may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Service. We are not responsible for the privacy practices or content of third-party services.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes:
- We will update the "Last updated" date at the top of this Privacy Policy;
- We will notify you through the Service, by email, or by other appropriate means;
- We may request your renewed consent where required by applicable law.
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the revised Privacy Policy, you should discontinue use of the Service.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Vitality Wellness LLC
A Wyoming Limited Liability Company
For data protection inquiries, data access requests, or data deletion requests, please email us with the subject line "Privacy Request." We will endeavor to respond within thirty (30) days.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.