Your Data. Your Control.
At VitalXCare, privacy isn't an afterthought; it's our foundation. This policy explains how we handle your data with respect and transparency.
Our Privacy Principles
What makes VitalXCare different
Local-First Storage
All your health readings are stored locally on your device by default. We don't upload your data to the cloud unless you explicitly choose to enable cloud backup.
No Data Monetization
We make money by selling devices and services, not by selling your data. Your health information will never be sold to advertisers or third parties.
No Account Required
You can use VitalXCare devices and the mobile app without creating an account. Anonymous usage is fully supported.
GDPR Native
Built for European privacy standards from day one. Full compliance with GDPR, including data portability and the right to deletion.
End-to-End Encryption
When you do share data (e.g., with your doctor), it's encrypted end-to-end. Only you and your intended recipient can read it.
Easy Data Deletion
Delete all your data from the app with one tap. No waiting periods, no hoops to jump through. Your data, your choice.
1. What Data We Collect
1.1 Health Data (Collected Locally)
When you use VitalXCare devices, the following health measurements are stored on your smartphone or tablet:
- Blood Pressure: Systolic, diastolic, pulse rate, measurement timestamp
- Temperature: Body temperature readings, measurement timestamp
- SpO2 (if applicable): Oxygen saturation, pulse rate, perfusion index
- ECG (if applicable): Heart rhythm data, timestamp
- Metadata: Device used, battery level, measurement quality indicators
Important: This data is stored locally on your device by default. It is NOT automatically uploaded to our servers.
1.2 Account Information (Optional)
If you choose to create an account for cloud backup or healthcare provider sharing:
- Email address
- Name (optional)
- Date of birth (optional, for age-based health insights)
- Gender (optional, for health norms)
- Password (encrypted, never stored in plain text)
1.3 Technical Data
To provide and improve our services, we automatically collect:
- Device Information: Device model, operating system version, app version
- Usage Analytics: App screens visited, features used, app crashes (anonymized)
- Network Information: IP address (for website visitors only), general location (country-level)
Note: Analytics are anonymized and aggregated. We cannot identify individual users from this data.
1.4 Website Data
When you visit our website, we collect:
- Pages visited and time spent
- Referring website
- Browser type and language preferences
- Cookies (see Cookie Policy section below)
2. How We Use Your Data
2.1 Primary Purposes
- Display Health Insights: Show you trends, averages, and WHO/AHA classifications
- Generate Reports: Create PDF reports for doctor visits (at your request)
- Send Reminders: Medication reminders and measurement prompts (if enabled)
- Sync Across Devices: Keep your data in sync if you use multiple devices (requires cloud backup)
- Improve Our Products: Anonymized usage data helps us improve the app and devices
2.2 We Do NOT Use Your Data For:
- Advertising or marketing to you based on health data
- Selling to data brokers or third parties
- Insurance risk assessment
- Employment screening
- Behavioral profiling or surveillance
2.3 Legal Basis (GDPR)
We process your data based on:
- Contract Performance: Providing you with the service you purchased
- Legitimate Interest: Improving our products and preventing fraud
- Consent: When you opt-in to cloud backup or data sharing
- Legal Obligation: Complying with applicable laws (e.g., financial record-keeping)
3. Where Your Data is Stored
3.1 Local Storage (Default)
By default, all health readings are stored in a local SQLite database on your smartphone or tablet. This data never leaves your device unless you explicitly enable cloud backup or share reports with healthcare providers.
3.2 Cloud Backup (Optional)
If you enable optional cloud backup:
- Location: EU data centers (Frankfurt, Germany or Amsterdam, Netherlands)
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Provider: AWS Frankfurt region (certified under EU-US Data Privacy Framework)
- Retention: Data stored until you delete your account or request deletion
Data Sovereignty: European users' data never leaves the EU. We do not transfer health data to the United States or other non-EU countries.
3.3 Backups and Retention
- Local Data: Retained until you uninstall the app or manually delete
- Cloud Data: Retained until account deletion, then deleted within 30 days
- Backups: Encrypted backups kept for 30 days for disaster recovery, then permanently deleted
- Analytics: Anonymized aggregates kept for 2 years for trend analysis
4. When We Share Your Data
4.1 You Control All Sharing
VitalXCare will NEVER share your health data without your explicit permission. You control every instance of data sharing.
4.2 Healthcare Provider Sharing (Your Choice)
When you use the "Share with Doctor" feature:
- You generate a PDF report or secure link
- You choose the date range and metrics to include
- You control how it's shared (email, print, or secure portal)
- Data is encrypted end-to-end during transmission
4.3 Service Providers (Limited)
We work with trusted service providers who help us operate VitalXCare:
- Cloud Infrastructure: AWS (EU-only, for optional cloud backup)
- Email Delivery: SendGrid (for account emails, not health data)
- Analytics: Self-hosted Matomo (anonymized, no third-party tracking)
- Payment Processing: Stripe (payment data only, not health data)
All service providers are bound by data processing agreements (DPAs) and cannot use your data for their own purposes.
4.4 Legal Requirements
We may disclose data if required by law:
- Court orders or subpoenas
- Emergency situations (threat to life)
- Legal obligations under EU or Dutch law
We will notify you of such requests unless legally prohibited, and we will challenge overly broad requests.
4.5 We Do NOT Share With:
- Advertisers or marketing companies
- Data brokers or aggregators
- Insurance companies
- Employers or recruiters
- Social media platforms
- Government agencies (unless legally required)
5. Your Privacy Rights
Under GDPR and Dutch law, you have the following rights:
Right to Access
Request a copy of all data we hold about you. We'll provide it in a machine-readable format (JSON or CSV) within 30 days.
Right to Deletion
Delete all your data from our systems. In the app: Settings → Privacy → Delete All Data. No questions asked.
Right to Portability
Export your health data to use with other apps or services. Export formats: PDF, CSV, JSON, HL7 FHIR.
Right to Correction
Correct inaccurate data. You can edit or delete individual readings in the app, or contact us for account data corrections.
Right to Restriction
Limit how we process your data while we investigate a complaint or dispute.
Right to Object
Object to data processing based on legitimate interest. We'll stop unless we have compelling reasons.
Right to Withdraw Consent
Withdraw consent for cloud backup or analytics at any time. Settings → Privacy → Manage Consent.
Right to Lodge a Complaint
File a complaint with your national data protection authority if you believe we've violated GDPR.
Exercising Your Rights: Contact us at [email protected] or use in-app privacy settings. We respond within 30 days.
6. Security Measures
We employ industry-standard security practices to protect your data:
6.1 Technical Measures
- Encryption at Rest: AES-256 for cloud-stored data, SQLCipher for local database
- Encryption in Transit: TLS 1.3 for all network communications
- Bluetooth Security: BLE pairing with PIN codes, no data stored on devices
- Password Protection: bcrypt hashing with salts, minimum 8 characters
- Two-Factor Authentication: Optional 2FA via authenticator apps
- Secure Development: Regular security audits, penetration testing, code reviews
6.2 Organizational Measures
- Employee background checks and confidentiality agreements
- Principle of least privilege (employees access only what they need)
- Regular security training for all staff
- Incident response plan with 72-hour breach notification
- ISO 27001 information security management certification
6.3 Data Breach Protocol
In the unlikely event of a data breach:
- We'll notify affected users within 72 hours
- We'll notify the Dutch Data Protection Authority (AP)
- We'll provide details on what data was affected and steps we're taking
- We'll offer assistance (e.g., credit monitoring if financial data was exposed)
7. Cookies and Tracking
7.1 Website Cookies
Our website uses minimal cookies:
- Essential Cookies: Session management, security (cannot be disabled)
- Analytics Cookies: Self-hosted Matomo for website improvement (opt-in only)
- Preference Cookies: Remember your language and display preferences
No Third-Party Tracking: We do NOT use Google Analytics, Facebook Pixel, or any third-party advertising cookies.
7.2 Mobile App Tracking
The VitalXCare app does NOT use:
- Advertising identifiers (IDFA/GAID)
- Third-party analytics SDKs
- Cross-app tracking
- Behavioral profiling
Usage analytics are first-party only, anonymized, and can be disabled in Settings.
7.3 Managing Cookies
Control cookies via:
- Browser settings (block all third-party cookies)
- Our cookie consent banner (first visit)
- Cookie preferences link in the footer
8. Children's Privacy
VitalXCare can be used to monitor children's health (e.g., fever tracking), but we require parental consent:
- Users under 16 must have a parent/guardian create the account
- Parents control all data sharing and account settings
- We do not knowingly collect data from children without parental consent
- Parents can delete their child's data at any time
If you believe we've inadvertently collected data from a child without consent, contact [email protected] immediately.
9. International Data Transfers
EU Users: Your data stays in the EU. We use EU-based servers exclusively for European customers.
Non-EU Users: Data may be stored in your region or the EU, depending on our service provider availability. All transfers comply with applicable data protection laws.
We do NOT transfer health data to countries without adequate data protection laws unless required by law and with your explicit consent.
10. Changes to This Policy
We may update this privacy policy to reflect:
- New features or services
- Changes in data protection laws
- Improvements to our privacy practices
Notification of Changes:
- Material changes: 30 days' advance notice via email and in-app notification
- Minor updates: Posted on this page with updated "Last Updated" date
- Major changes requiring consent: Opt-in required before new policy takes effect
Continued use of VitalXCare after changes constitutes acceptance of the new policy.
11. Contact Us
For privacy questions, requests, or concerns:
VitalXCare Technologies B.V.
Privacy Department
Keizersgracht 123
1015 CJ Amsterdam
Netherlands
Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
Website: autoriteitpersoonsgegevens.nl