Privacy Policy
Effective
This Privacy Policy explains what information Vitaeon Health Inc. collects, how we use and share it, and the choices and rights you have. We treat your health information with extra care because we know how personal it is.
Contents
- Scope and who we are
- Information we collect
- How we collect information
- How we use your information
- Legal bases for processing
- How we treat health data
- AI, models, and your data
- How we share information
- Third-party integrations
- Apple HealthKit
- Cookies and similar technologies
- Analytics and advertising
- Data retention
- Security
- International data transfers
- Your rights and choices
- U.S. state privacy disclosures
- EEA and UK disclosures
- A note about HIPAA
- Children
- Changes to this Policy
- How to contact us
1. Scope and who we are
This Privacy Policy describes how Vitaeon Health Inc., a Delaware corporation ("Vitaeon," "we," "us," or "our"), handles personal information when you visit our website at vitaeon.health, use our mobile or web applications, interact with our Aeon AI coach, join our waitlist, communicate with us, or otherwise use our products and services (collectively, the "Service").
For the purpose of EEA and UK data protection law, Vitaeon is the controller of personal information collected through the Service, except where we act as a processor for an organization that provides the Service to you. Our Terms of Service govern your use of the Service.
2. Information we collect
2.1 Information you provide directly
- Account information. Name, email address, password, date of birth, sex assigned at birth, country, time zone, and profile preferences.
- Health and wellness information. Goals, symptoms, conditions, medications, supplements, allergies, menstrual cycle data, dietary preferences, exercise history, sleep patterns, mood, journal entries, and any other information you choose to share with Aeon or enter into the Service.
- Biometric and lab data. Body composition, blood pressure, heart rate, HRV, VO₂ max, glucose, lipid panels, hormone panels, micronutrient levels, and other measurements you upload or grant access to.
- Payment information. Where applicable, billing name, billing address, and payment-method tokens. We do not store full payment-card numbers; those are handled by our payment processors.
- Communications. Messages you send to support, survey responses, and feedback.
- Identity verification. If you participate in features that require it, we may collect a government-issued ID or other documentation, processed by a verification vendor.
2.2 Information collected automatically
- Device and technical data. Device model, operating system, browser type, language, IP address, mobile network, crash logs, performance metrics, and unique device identifiers.
- Usage data. Pages and features you view, actions you take in the Service, the dates and times of your visits, referring URLs, and the path you take through the Service.
- Approximate location. Derived from your IP address. We do not collect precise GPS location unless you explicitly enable a feature that requires it.
- Cookies and similar technologies. See Section 11.
2.3 Information from third parties and Connected Services
- Connected wearables and health platforms. When you connect Apple Health, Google Health Connect, Fitbit, Garmin, Oura, Whoop, a continuous glucose monitor, a smart scale, or another supported provider, we receive the data fields you authorize, which may include steps, sleep stages, heart rate, HRV, workouts, glucose readings, weight, and similar metrics.
- Lab and diagnostic providers. If you authorize a connection, we receive the lab results you elect to share.
- Authentication and identity providers. If you sign in with a third-party provider, we receive basic profile information from that provider.
- Service providers. Vendors that support our operations may share information with us (e.g., fraud-prevention vendors, communications providers).
3. How we collect information
We collect information when you give it to us directly, when it is generated automatically by your interactions with the Service, and when other parties — like Connected Services or service providers acting on our behalf — share it with us in accordance with their own terms and your authorizations.
4. How we use your information
We use information to:
- Provide the Service. Create and manage your account; ingest and display your data; calculate scores and trends; generate insights and prompts through Aeon; remember your preferences.
- Personalize your experience. Tailor content, coaching prompts, and recommendations to your goals, history, and signals.
- Communicate with you. Send transactional messages (account, security, billing, product updates), respond to inquiries, and send marketing where you have consented or where permitted by law.
- Improve the Service. Analyze usage to fix bugs, monitor performance, develop new features, and refine Aeon's models — using de-identified or aggregated data where possible.
- Protect Vitaeon, our users, and the public. Detect, investigate, and prevent fraud, abuse, security incidents, and other harmful or illegal activity; enforce our Terms.
- Comply with law. Respond to legal process, regulatory inquiries, and lawful requests from public authorities; meet record-keeping, tax, accounting, and audit obligations.
- Corporate transactions. Evaluate or carry out a merger, financing, restructuring, or sale of all or part of our business.
5. Legal bases for processing (EEA and UK)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:
- Contract. To provide the Service you have requested under our Terms.
- Legitimate interests. To secure, improve, and grow the Service in ways consistent with your reasonable expectations and that do not override your rights — for example, fraud prevention and product analytics on de-identified data.
- Consent. For processing of health data, marketing where required, certain cookies, and other purposes that require it. You may withdraw consent at any time without affecting prior processing.
- Legal obligation. To comply with applicable laws and regulatory requirements.
6. How we treat health data
Health data is sensitive, and we treat it that way. We collect health data only with your consent or your explicit instruction, use it to provide the personalized features you have asked for, and store it under additional access controls and audit logging.
- We do not sell your health data.
- We do not share your individually identifiable health data with advertisers or data brokers.
- We do not use your individually identifiable health data to target advertising.
- We do not disclose your health data to your employer, insurer, or any third party except as expressly described in this Policy or with your explicit, separate consent.
You can disconnect Connected Services, delete specific entries, or delete your account and associated health data at any time through your account settings or by contacting us.
7. AI, models, and your data
Aeon's models are how we turn raw signals into actionable insight. We are committed to using your data for AI in a way that is transparent and aligned with your interests.
- Personalization. We use your data to personalize Aeon for you — to learn your baselines, recognize your patterns, and improve the relevance of the prompts you receive.
- Model improvement. Where permitted, we use de-identified or aggregated information to evaluate and improve our models. We apply technical safeguards to reduce the risk of re-identification.
- No third-party training. We do not provide your individually identifiable health data to third-party AI providers to train their general-purpose foundation models. Where we use third-party model providers to deliver Aeon outputs, we do so under contracts that prohibit them from using your data to train their own models.
- Opting out. You can opt out of having your de-identified data used for product and model improvement by emailing privacy@vitaeon.health. Opting out does not affect personalization for your own account.
8. How we share information
We share information only as described below.
- Service providers. Vendors that host our infrastructure, send communications, process payments, provide customer support, run analytics, secure the Service, and perform similar functions on our behalf. They may access your information only to perform their tasks for us and are bound by confidentiality and data-protection obligations.
- Connected Services you authorize. When you ask us to connect a wearable, lab, app, or platform, we exchange the data you have authorized with that service.
- Healthcare providers and coaches. If you choose to share data with a clinician, coach, or care team through the Service, we will share what you have selected with the recipient you specify. You control what is shared and may revoke access at any time.
- Legal and safety. We may disclose information to comply with applicable law, valid legal process, or governmental request; to enforce our Terms; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Vitaeon, our users, or the public.
- Corporate transactions. If we are involved in a merger, acquisition, financing, restructuring, bankruptcy, or sale of assets, your information may be transferred as part of that transaction, subject to standard confidentiality obligations and continuing protection consistent with this Policy.
- With your consent. For any purpose disclosed to you at the time we ask for your consent.
- De-identified or aggregated data. We may share information that has been de-identified or aggregated such that it can no longer reasonably be used to identify you.
We do not sell your personal information for money, and we do not engage in cross-context behavioral advertising using your health data.
9. Third-party integrations
The Service connects with a number of third-party platforms, including wearables, continuous glucose monitors, lab providers, and payment processors. These third parties operate under their own privacy policies and terms, and Vitaeon does not control how they collect or process information independently of the Service. We encourage you to review the privacy practices of any third party before connecting it to the Service.
10. Apple HealthKit
If you use Vitaeon on an Apple device and choose to connect Apple HealthKit, this section governs how we handle the data we receive from the HealthKit framework. The commitments below apply in addition to, and prevail over, anything in this Policy that would otherwise be more permissive with respect to HealthKit data.
- HealthKit data is read only with your permission. We request access to specific HealthKit data types — such as steps, heart rate, HRV, sleep, workouts, and similar metrics — and only retrieve a category after you grant permission for it through the iOS HealthKit prompt. You can review or revoke any permission at any time in Settings → Health → Data Access & Devices → Vitaeon.
- HealthKit data is never used for marketing or advertising. We do not use information obtained through the HealthKit framework, or any data derived from it, for advertising, remarketing, similar services, or any data-mining purpose other than improving health management or for the purpose of health research with your separate consent.
- HealthKit data is not stored in iCloud. Information obtained through HealthKit is stored on your device and on Vitaeon's secure servers under our control. We do not write HealthKit data to iCloud or to any other Apple cloud-storage service.
- HealthKit data is not shared with third parties without your explicit, separate consent. We will not disclose information obtained through HealthKit to any third party without specific opt-in consent obtained from you for the disclosure in question. We do not sell HealthKit data, and we do not provide it to data brokers, advertisers, or analytics partners.
- We write back to HealthKit only at your direction. We write data to HealthKit (for example, computed metrics or imported lab values) only where you have explicitly enabled the corresponding write permission in the iOS HealthKit prompt.
- Apple terms also apply. Our use of HealthKit data is additionally governed by Apple's Health and Privacy Information available in the iOS Settings app and by the Apple Developer Program License Agreement. If any term of those Apple requirements conflicts with this Policy with respect to HealthKit data, the Apple terms control.
11. Cookies and similar technologies
We and our service providers use cookies, software development kits, pixel tags, and similar technologies to operate the Service, remember your preferences, secure your account, understand how the Service is used, and measure the effectiveness of our communications.
- Strictly necessary. Required to provide the Service, including authentication, security, load balancing, and remembering your session.
- Functional. Help us remember choices you make, such as language and display preferences.
- Analytics. Help us understand how users interact with the Service so we can improve it.
- Marketing. Used only on our marketing pages and only with your consent where required, to measure the performance of campaigns. We do not use marketing cookies inside the authenticated product.
You can control cookies through your browser settings, in-app cookie preferences, and platform-level controls (e.g., the App Tracking Transparency prompt on iOS). Blocking some cookies may affect your experience.
12. Analytics and advertising
We use product-analytics tools to understand engagement and improve the Service. We configure these tools to limit the personal information they collect and to honor opt-outs. We do not run third-party advertising inside the authenticated Service. Marketing campaigns on external platforms are based on aggregated audience characteristics, not on your individual health data.
13. Data retention
We retain personal information for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods depend on the category of data and the purpose for which it was collected.
- Account and health data. Retained while your account is active. After deletion, we delete or de-identify within 90 days, except where retention is required by law (for example, billing records).
- Communications. Retained for the period necessary to support our services and address inquiries.
- Logs and analytics. Retained for limited operational periods, typically 12 months or less.
- Backups. Encrypted backups may persist briefly after deletion before being overwritten in the normal course of operation.
14. Security
We use a combination of administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS) and at rest, network segmentation, the principle of least privilege, multi-factor authentication for our staff, vulnerability testing, and continuous monitoring.
No service is perfectly secure. You play an essential role in protecting your account: choose a strong, unique password, enable multi-factor authentication, keep your devices and software up to date, and notify us promptly at security@vitaeon.health of any suspected compromise.
15. International data transfers
Vitaeon is headquartered in the United States, and we and our service providers process information in the United States and other countries that may have data-protection laws different from those of your country. Where required, we use approved transfer mechanisms — such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum — and we apply supplementary safeguards as appropriate.
16. Your rights and choices
Subject to applicable law and verification of your identity, you have the right to:
- Access the personal information we hold about you;
- Correct information that is inaccurate or out of date;
- Delete your personal information, including your account and health data;
- Port your data — receive a copy in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible;
- Restrict or object to certain processing, including processing based on legitimate interests;
- Withdraw consent for any processing that relies on it, without affecting the lawfulness of prior processing;
- Opt out of marketing communications by using the unsubscribe link in any message or by updating your preferences in the Service;
- Lodge a complaint with your local data-protection authority.
You can exercise most of these rights directly in your account settings or by emailing privacy@vitaeon.health. We will not discriminate against you for exercising any of these rights. If we deny a request, we will explain why and how you can appeal.
17. U.S. state privacy disclosures
Several U.S. states — including California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Washington, and others — give residents specific privacy rights. The rights described in Section 16 are available to residents of these states to the extent the applicable law requires.
California "Shine the Light." California residents may request information about disclosures of personal information to third parties for direct-marketing purposes. We do not disclose personal information to third parties for their own direct-marketing purposes.
Sale and sharing. We do not "sell" personal information for money or "share" personal information for cross-context behavioral advertising as those terms are defined under California law. If this changes, we will update this Policy and provide a "Do Not Sell or Share My Personal Information" link.
Sensitive personal information. We collect categories of sensitive personal information — including health data and account credentials — to provide the Service you have requested. We do not use or disclose sensitive personal information for purposes that would entitle you to limit such use under California law.
Washington My Health My Data Act and similar laws. If you are a Washington resident, you have additional rights with respect to "consumer health data," including the right to confirm whether we are collecting, sharing, or selling your consumer health data, the right to access it, the right to withdraw consent, and the right to have it deleted. We obtain your consent before collecting consumer health data and a separate authorization before sharing it for purposes outside of providing the Service. We do not sell consumer health data.
Authorized agents. You may use an authorized agent to submit a rights request on your behalf. We will require the agent to provide proof of authorization and may require you to verify your identity.
18. EEA and UK disclosures
If you are located in the EEA, the UK, or Switzerland, your rights under the General Data Protection Regulation (GDPR) and the UK GDPR are described in Section 16. Our legal bases are described in Section 5. If you have unresolved concerns, you have the right to complain to your local supervisory authority.
19. A note about HIPAA
Vitaeon is a consumer wellness service. Except where we have entered into a written Business Associate Agreement to provide services to a HIPAA-covered entity, Vitaeon is not itself a "covered entity" or "business associate" under the U.S. Health Insurance Portability and Accountability Act, and the information you provide is generally not "protected health information" under HIPAA. We nevertheless apply rigorous protections to your health data as described in this Policy.
20. Children
The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18 without verifiable parental consent where required. If you believe a child has provided information to us, please contact privacy@vitaeon.health so we can investigate and delete the information.
21. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Service or by email at least 14 days before the changes take effect, where reasonably feasible. The "Effective" date at the top of this Policy reflects the most recent revision. Your continued use of the Service after the effective date constitutes your acceptance of the updated Policy.
22. How to contact us
For privacy questions, requests, or complaints, please contact:
Vitaeon Health Inc.
Attention: Privacy Office
Privacy requests: privacy@vitaeon.health
Security incidents: security@vitaeon.health
General support: support@vitaeon.health
Legal notices: legal@vitaeon.health
If you are in the EEA or UK and would like to contact our designated representative, please email privacy@vitaeon.health and we will provide current contact details.