Last Updated: July 8, 2026
Vytal AI ("we", "us", or "our") respects your privacy. This Privacy Policy explains what personal data we collect, why and on what legal basis we process it, who we share it with, where it is stored, and the rights you have over it. It applies to our website, dashboard, and mobile apps (the "Service").
We collect the following categories of data: (a) Account data — your name, email address, and hashed authentication credentials (we never store passwords in readable form). (b) Profile and fitness data — fitness goals, experience level, age, body measurements, weight, height, dietary preferences, workout logs, nutrition and food logs, progress photos, and mood check-ins. (c) Communication data — messages exchanged with your trainer and with the AI coach. (d) Usage and device data — device type, operating system, browser, app version, and interaction events. (e) Optional payment data — handled entirely by our payment processors (see Section 5); we do not store full card details.
We use your data to: create and manage your account; generate and personalize AI training plans, nutrition targets, and AI coach responses; track and display your progress; enable communication between clients and trainers; process subscriptions and send service and support notifications you have requested; maintain security and prevent fraud; and improve, debug, and develop the Service.
Where the EU/UK GDPR applies, we process your personal data on the following legal bases: (a) Performance of a contract — providing the Service you requested, including plans, logging, and coaching. (b) Consent — for optional features such as marketing communications, progress photos, and non-essential analytics; you may withdraw consent at any time. (c) Legal obligation — meeting accounting, tax, and record-keeping duties. (d) Legitimate interests — ensuring security, preventing abuse, and improving the Service, balanced against your privacy rights. For users in Saudi Arabia, processing follows the Personal Data Protection Law (PDPL) and is limited to the purposes described here.
Some data you may provide — such as body measurements, body-fat percentage, nutrition, and progress photos — can constitute health or special-category data under Article 9 of the GDPR, or health data under the Saudi PDPL. We process this data only to deliver the fitness features you requested, and we apply heightened safeguards including strict access controls and encryption. We do not use this data to make solely automated decisions with significant effects on you; AI-generated plans and coaching are recommendations you control and can override.
We rely on the following processors, each under data-protection terms: Google OAuth (sign-in; we receive your name and email only); Firebase (push notifications; device identifiers); Sentry (error monitoring and crash reporting; device and session identifiers); PostHog (product analytics; interaction data and device identifiers, consent-gated on the website); Amazon Web Services S3 (file storage for photos); DeepSeek AI (generating training plans and coach responses — your fitness profile and messages may be sent for processing); Stripe and Tap (subscription payments — they process card and transaction data; we receive only the subscription status). We do not sell your personal data.
Your data may be processed and stored outside your country of residence. AWS, Firebase, Google, Sentry, and PostHog are based in the United States; DeepSeek AI processes data in China; Stripe and Tap operate globally. Where this involves a transfer from the EU/UK/EEA or Saudi Arabia, we rely on appropriate safeguards such as Standard Contractual Clauses, a provider's certified data-protection-framework participation, or another valid transfer mechanism, and we require the same of our processors.
Databases use encryption at rest, and file uploads are stored in AWS S3 with private access controls. Access is limited to authorized personnel and is logged. We use secure tokens for authentication and apply industry-standard network and application security measures. No system is perfectly secure: in the event of a personal-data breach affecting you, we will notify the relevant supervisory authority and affected users without undue delay, as required by law.
We use essential cookies and tokens for authentication and session management, which are necessary for the Service. We use localStorage to remember your language and theme preferences. On our website and apps we use Sentry for error monitoring (always on) and PostHog for product analytics (on our website, only after you grant consent via our cookie banner; autocapture may include interaction data such as clicks). On our mobile and dashboard apps, PostHog and Sentry operate without a consent banner; you can exercise your rights under Section 12. We do not share browsing data with advertisers for ad targeting.
We do not sell, rent, or trade your personal data. Your fitness, progress, and diet data may be shared with your assigned trainer as part of providing the Service. We share data with the processors listed in Section 5 under strict data-protection agreements, and we may disclose data if required by law or to protect our rights and the safety of others.
Depending on your location, you may have the right to: access the personal data we hold about you; correct inaccurate data; delete your account and data (available in-app and via your account settings); restrict or object to certain processing; withdraw consent at any time without affecting processing already carried out; and receive a copy of your data in a portable format. To exercise any right, contact us at support@vytalai.io or use the in-app settings. If you are in the EU/UK, you may also lodge a complaint with your local data-protection supervisory authority.
We keep your data while your account is active. Account and billing records are kept for the life of the account and for the period required by tax and accounting laws after closure. Fitness, nutrition, communication, and usage data linked to your account is deleted when you delete your account, generally within 30 days. Anonymous or aggregated statistics may be retained indefinitely once they no longer identify you.
The Service is not intended for children under 16. We do not knowingly collect personal data from anyone under 16. If we learn we have collected such data, we will delete it promptly. By creating an account you confirm that you are at least 16 years old.
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. Your continued use of the Service after a change takes effect constitutes acceptance of the updated policy.
For any privacy-related question, request, or complaint, contact us at support@vytalai.io. We will respond in accordance with applicable data-protection timeframes.