Privacy Policy

Effective Date: April 14, 2026 · Last Updated: April 14, 2026

1. Introduction

VitaSum ("VitaSum," "we," "our," "us") provides a mobile application that enables users to scan dietary supplements, track nutrient intake, and generate health-related insights and reports that can be shared with healthcare providers.

We are committed to protecting your personal data and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This Privacy Policy explains what data we collect, why we collect it, and how we protect it.


2. Data Controller

Field | Detail
Company | VitaSum LLC
Registered Address | 100 East Easy Street, Unit 5383, Carefree, Arizona 85377, United States
Contact Email | hello@vitasum.health

3. Personal Data We Collect

3.1 Account Information

  • Email address
  • Name (optional)
  • Authentication credentials

3.2 Health and Usage Data (Sensitive Data)

  • Scanned supplement barcodes and product identifiers
  • Product and ingredient data
  • Nutrient intake logs and daily summaries
  • Health-related inputs and preferences
  • AI queries related to nutrition or supplements (see Section 11)

3.3 Device and Technical Data

  • Device type and operating system
  • App version
  • Log data and crash reports

3.4 Payment Information

Subscriptions are processed by Apple App Store, Google Play Store, and RevenueCat. We do not store full payment card details.


4. Camera Access

VitaSum requires access to your device's camera to scan supplement barcodes. This is core to the app's functionality and cannot be performed without it.

What we access

  • The camera is activated only when you initiate a scan within the app.
  • We capture barcode data only. Raw camera images or video are never stored, transmitted, or retained by VitaSum.
  • Barcode data is used solely to identify supplement products and retrieve ingredient information.

What we do not do

  • We do not access your camera in the background.
  • We do not store, upload, or share any photographs or images captured through the camera.
  • We do not use camera data for any purpose other than barcode identification.

You may revoke camera permission at any time through your device settings. Doing so will disable barcode scanning but will not affect other app functionality.


5. How We Use Your Data

We use your data to:

  • Provide core app functionality, including supplement scanning and nutrient tracking
  • Calculate and summarize total nutrient intake across all supplements
  • Generate clinical-style reports for personal use or healthcare provider sharing
  • Enable AI-powered responses through the Ask VitaSum feature
  • Manage family account profiles (where applicable)
  • Process and manage subscriptions
  • Improve app performance, features, and reliability
  • Ensure security and prevent unauthorized access or misuse

6. Legal Basis for Processing (GDPR)

Basis | When It Applies
Consent | Processing of health-related and sensitive data
Contract | Providing the core app service
Legitimate Interest | Analytics, security monitoring, and product improvements

You may withdraw consent at any time by contacting us at hello@vitasum.health or by deleting your account within the app. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.


7. Processing of Health Data

Nutrient intake logs, supplement records, and related health inputs are classified as sensitive personal data under GDPR.

We process this data only:

  • With your explicit consent, obtained at account creation and prior to any sensitive data collection
  • To deliver the core functionality of the app
  • In accordance with this Privacy Policy

We do not sell your health data. We do not use it for advertising purposes. We do not share it with any third party except as described in Sections 8 and 9 of this policy.


8. Data Sharing

We may share data with the following categories of third parties only to the extent necessary to operate the service:

Recipient | Purpose
AWS (Amazon Web Services) | Cloud infrastructure and data storage
RevenueCat | Subscription management and billing
Apple / Google | App Store billing and distribution
Anthropic, Inc. | AI-powered responses via the Ask VitaSum feature (see Section 11)
Analytics providers | Aggregated, anonymized app performance data (if used)
Healthcare providers | Only when you explicitly initiate a report share (see Section 9)

We do not sell personal data to any third party. We do not share personal data for third-party advertising or marketing.


9. Healthcare Provider Report Sharing

VitaSum allows you to share your nutrient summary reports with healthcare providers. All sharing is voluntary, user-initiated, and requires your explicit action. We never share your health data with providers automatically or without your direction.

Sharing Methods

Method | What Is Transmitted | Who Receives It
FHIR Push | Structured nutrient data in HL7 FHIR format | A connected healthcare provider's system, selected by you
Email PDF | A PDF report of your nutrient summary, sent to an email address you specify | The recipient you designate
Download PDF | A PDF report saved to your device | You, for distribution at your discretion

Important: Once a report has been sent or downloaded, VitaSum does not control how the recipient stores, uses, or shares that information. We recommend sharing only with trusted healthcare providers and only when clinically relevant.

FHIR Data Transmission

When you use FHIR Push, structured health data is transmitted directly to the provider's designated endpoint. VitaSum acts as the data originator. Once the data is received by the provider's system, it is subject to that provider's own privacy and data governance policies, not VitaSum's.


10. Family Accounts

VitaSum supports family account management, allowing one account holder (the "Family Manager") to create and manage supplement profiles for other family members.

Age Requirements

  • The Family Manager must be at least 18 years of age.
  • Family member profiles may be created for individuals of any age, including minors, under the responsibility and consent of the Family Manager.
  • By creating a profile for a minor, the Family Manager represents that they are the parent or legal guardian of that individual and consent to the collection and use of that minor's supplement and nutrient data as described in this policy.

Data Rights for Family Profiles

  • The Family Manager holds full data rights over all profiles within their family account, including the right to access, correct, export, and delete data.
  • Shared reports for a family member are initiated exclusively by the Family Manager.
  • Upon deletion of the family account, all associated family member profiles and their data are also deleted.

If you believe a family member profile has been created for you without your consent, please contact us at hello@vitasum.health and we will promptly review and remove the profile.


11. AI-Powered Features (Ask VitaSum)

VitaSum includes an AI-powered chat feature called Ask VitaSum, which allows you to ask plain-language questions about your supplement data, nutrient totals, and related health topics.

How It Works

Ask VitaSum is powered by the Anthropic API. When you submit a query, your question and relevant nutrient context are transmitted to Anthropic's API servers to generate a response. Anthropic is a sub-processor of your data for this purpose.

What Is Transmitted

  • The text of your query
  • Relevant nutrient summary data needed to answer your question
  • No personally identifying information beyond what your query itself contains

Anthropic's Data Handling

Anthropic processes data in accordance with their own privacy and API usage policies. VitaSum does not use Ask VitaSum queries to train AI models, and queries are not shared with any party other than Anthropic for the purpose of generating a response.

Note: Ask VitaSum is an informational tool and does not provide medical advice. Always consult a qualified healthcare provider for medical decisions.


12. International Data Transfers

Your data may be transferred to and processed in countries outside the EU/EEA, including the United States. In such cases, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Use of GDPR-compliant sub-processors with appropriate data processing agreements

13. Data Retention

We retain your data for as long as your account is active or until you request deletion. Upon account deletion, all personal data, health data, and family member profiles are permanently removed within 30 days, except where retention is required by applicable law.

Where we are required to retain limited data by law (for example, transaction records for tax purposes), we retain only the minimum data required and for no longer than legally mandated. This retained data is not used for any other purpose.


14. Your Rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Delete your data (the "right to be forgotten")
  • Restrict how we process your data
  • Receive your data in a machine-readable format (data portability)
  • Withdraw consent at any time without affecting prior lawful processing
  • Object to processing based on legitimate interest

To exercise any of these rights, contact us at hello@vitasum.health. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.


15. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Opt Out of Sale: We do not sell personal information. No opt-out is required, but this right is available to you.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To make a CCPA request, contact us at hello@vitasum.health with the subject line "CCPA Request." We will verify your identity and respond within 45 days.


16. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS) for all data transmitted between the app and our servers
  • Encryption at rest for all stored personal and health data
  • Secure cloud infrastructure with access controls and audit logging
  • Role-based access controls limiting internal access to personal data on a need-to-know basis

No system is completely secure. If you believe your account has been compromised, contact us immediately at hello@vitasum.health.


17. Children's Privacy

VitaSum accounts may only be created by individuals who are 18 years of age or older (or 16 years of age where required under EU law). We do not knowingly permit minors to create their own VitaSum accounts.

Supplement data for minor family members may only be added and managed by a parent or legal guardian acting as the Family Manager of a family account. See Section 10 for full details on family accounts and parental consent.

If you believe a minor has independently created an account, please contact us at hello@vitasum.health and we will promptly delete the account and associated data.


18. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app or by email prior to the change taking effect. Continued use of VitaSum after notification constitutes acceptance of the updated policy.

The effective date at the top of this document always reflects the date of the most recent update.


19. Contact

For any privacy questions, requests, or concerns:

Email: hello@vitasum.health
Mailing Address: VitaSum LLC, 100 East Easy Street, Unit 5383, Carefree, Arizona 85377, United States

VitaSum is not a medical device and does not provide medical advice. Always consult a qualified healthcare provider before making decisions about your supplement or medication regimen.