Privacy Policy

Last Updated: December 16, 2024

VitalSync Privacy Policy

At VitalSync, we understand that your health information is deeply personal and sensitive. This Privacy Policy explains how we collect, use, protect, and handle your health data when you use our mobile application ("VitalSync," "the App," "our Service"). By using VitalSync, you agree to the practices described in this policy.

1. Health Information We Collect

1.1 Health Data You Provide

When using VitalSync to manage your health, you may provide:

• Vital Signs: Blood pressure readings (systolic/diastolic), heart rate measurements, blood sugar/glucose levels, body temperature, weight, and other vital statistics.
• Medication Information: Medication names, dosages, schedules, prescription details, pharmacy information, and adherence tracking data.
• Health Profile: Age, gender, medical conditions, allergies, healthcare provider information, emergency contacts, and health goals.
• Symptoms & Notes: Custom health notes, symptom descriptions, mood tracking, and personal observations about your health.
• Account Information: Name, email address, date of birth, and encrypted password for account access.

1.2 Automatically Collected Data

• Device Information: Device model, operating system version, unique device identifiers, mobile network information, and app version.
• Usage Analytics: Features used, tracking frequency, app session duration, and interaction patterns (anonymized and aggregated).
• Performance Data: Crash reports, error logs, and app performance metrics to improve stability and user experience.
• Location Data (Optional): Approximate location for timezone adjustments and reminder delivery (only if you grant permission).

1.3 Health Data We Do NOT Collect

VitalSync does NOT collect:

• Genetic or DNA information
• Biometric data (fingerprints, facial recognition data)
• Insurance information or payment card details
• Social Security numbers or government IDs
• Audio or video recordings

2. How We Use Your Health Information

2.1 Core Health Tracking

• Store and organize your vital signs, medication schedules, and health records
• Generate personalized health insights and trend analysis
• Send medication reminders and health tracking notifications
• Create visualizations (charts, graphs) of your health data over time
• Export health reports for sharing with healthcare providers

2.2 AI-Powered Insights

• Analyze patterns in your health data to provide personalized recommendations
• Identify potential health trends and anomalies
• Generate predictive insights for better health management
• Provide educational content tailored to your health conditions

2.3 App Improvement

• Analyze usage patterns to enhance features and user experience
• Identify and fix bugs, crashes, and technical issues
• Develop new health tracking capabilities based on user needs
• Conduct research to improve AI algorithms (using anonymized, aggregated data only)

2.4 Communication

• Send important health-related notifications and reminders
• Respond to support requests and inquiries
• Provide updates about app features and improvements
• Share health tips and educational content (opt-in only)

3. HIPAA-Compliant Data Security

3.1 Industry-Leading Encryption

VitalSync employs multiple layers of security to protect your health data:

• Data at Rest: AES-256 encryption for all stored health data
• Data in Transit: TLS 1.3 encryption for all data transmission
• Database Security: Encrypted databases with role-based access controls
• Secure Authentication: Multi-factor authentication and biometric login options

3.2 HIPAA-Compliant Infrastructure

• All servers hosted in HIPAA-compliant data centers (AWS HIPAA-eligible services)
• Regular security audits and penetration testing
• Comprehensive disaster recovery and backup systems
• Strict access controls and employee training on health data privacy
• Business Associate Agreements (BAAs) with all service providers handling PHI

3.3 Data Retention

• Health Records: Retained as long as you maintain an active account, plus 7 years after account deletion (HIPAA requirement)
• Usage Analytics: Anonymized data retained for 24 months
• Crash Reports: Retained for 12 months for debugging purposes
• Account Information: Deleted within 30 days of account deletion request

3.4 Data Backup and Recovery

• Automatic encrypted backups to HIPAA-compliant cloud storage
• Multi-region backup redundancy for disaster recovery
• You can export your health data anytime in industry-standard formats (PDF, CSV, HL7 FHIR)

4. Data Sharing and Disclosure

4.1 We NEVER Sell Your Health Data

VitalSync will NEVER sell, rent, or trade your health information to third parties for marketing purposes. Your health data is not a commodity.

4.2 Sharing with Your Consent

We may share your health data ONLY with your explicit consent:

• Healthcare Providers: When you choose to export and share reports with your doctor
• Family Members/Caregivers: If you enable family sharing features
• Health Integrations: With your permission, sync data with Apple Health, Google Fit, or other health platforms

4.3 Service Providers (Business Associates)

We work with trusted service providers who help us operate VitalSync. All providers sign HIPAA Business Associate Agreements (BAAs):

• Cloud Hosting: AWS HIPAA-eligible services for secure data storage
• Analytics: Firebase Analytics (with health data anonymization and BAA)
• Customer Support: Zendesk with PHI protections and BAA
• Email Services: SendGrid with HIPAA compliance and BAA

4.4 Legal Requirements

We may disclose health information if required by law:

• In response to valid court orders, subpoenas, or legal processes
• To comply with HIPAA regulations and healthcare laws
• To protect against serious threats to public health or safety
• To report suspected abuse, neglect, or domestic violence as required by law
• To law enforcement in specific circumstances (with proper legal authorization)

4.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your health information may be transferred. We will notify you via email at least 30 days before any transfer and provide options to delete your data if you do not consent.

5. Your Privacy Rights

5.1 Access and Control

You have comprehensive rights over your health data:

• Right to Access: Request a copy of all your health data in a portable format
• Right to Correct: Request correction of inaccurate or incomplete health information
• Right to Delete: Request deletion of your account and all associated health data
• Right to Export: Download your complete health history in PDF, CSV, or HL7 FHIR format
• Right to Restrict: Limit how we use or disclose certain health information
• Right to Object: Object to certain uses of your health data
• Right to Accounting: Request a list of all disclosures of your health information

To exercise these rights, email support@vitalsync.health with "Privacy Request" in the subject line.

5.2 Notification Settings

You control all communications:

• Medication reminders (can be enabled/disabled per medication)
• Health tracking reminders (customizable frequency)
• Educational health tips (opt-in only)
• App updates and announcements (can be disabled)

5.3 Data Portability

Export your health data anytime:

• VitalSync → Settings → Export Data
• Choose format: PDF (visual reports), CSV (raw data), or HL7 FHIR (healthcare standard)
• Share directly with healthcare providers via secure email

5.4 Account Deletion

Delete your account and health data:

• VitalSync → Settings → Account → Delete Account
• Confirm deletion with password or biometric authentication
• All health data deleted within 30 days (except 7-year HIPAA retention for legal compliance)
• Receive confirmation email when deletion is complete

6. Children's Privacy

VitalSync is not intended for children under 13 years of age. We do not knowingly collect health information from children under 13. If you are a parent or guardian and believe your child has provided us with health information, contact us immediately at support@vitalsync.health, and we will delete the information promptly.

Parental Consent for Minors (13-17): For users aged 13-17, we require verified parental consent before collecting any health information. Parents have full access to manage their child's health data.

7. State-Specific Privacy Rights

7.1 California Privacy Rights (CCPA/CPRA)

California residents have additional rights:

• Right to Know: Request detailed disclosure of health information collected, used, and shared
• Right to Delete: Request deletion of health information (with HIPAA exceptions)
• Right to Opt-Out: Opt out of "sale" or "sharing" of personal information (Note: We do NOT sell health data)
• Right to Non-Discrimination: We will not discriminate for exercising privacy rights
• Right to Limit Sensitive Data: Limit use of sensitive personal information (health data)

To exercise CCPA rights, email support@vitalsync.health with "CCPA Request" in the subject.

7.2 European Privacy Rights (GDPR)

Users in the European Economic Area (EEA), UK, and Switzerland have rights under GDPR:

• Legal Basis for Processing: We process health data based on your explicit consent and contractual necessity
• Data Protection Officer: Contact our DPO at dpo@vitalsync.health
• Right to Withdraw Consent: Withdraw consent for data processing at any time
• Right to Lodge Complaint: File complaints with your local supervisory authority
• Right to Data Portability: Receive health data in machine-readable format
• Right to Erasure: Request deletion of health data (with legal retention exceptions)

7.3 Other State Laws

We comply with additional state privacy laws including Virginia CDPA, Colorado CPA, Connecticut CTDPA, and Utah UCPA. Contact us to exercise state-specific rights.

8. International Data Transfers

VitalSync operates globally. If you use the app outside the United States, your health information may be transferred to and processed in the US. We implement appropriate safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• HIPAA-compliant security measures for all data transfers
• Encryption of data in transit and at rest
• Regular security assessments of international data flows

9. Third-Party Services and Links

VitalSync may integrate with third-party health platforms (Apple Health, Google Fit) or contain links to external websites. These services have their own privacy policies. We are not responsible for their practices. Review their policies before sharing health data.

Apple Health Integration: If you enable Apple Health sync, data sharing is governed by Apple's Health app privacy policy. You control what data is shared.

10. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make changes:

• Update the "Last Updated" date at the top
• Notify you via email and in-app notification for material changes
• Provide at least 30 days' notice before implementing material changes affecting health data
• Request renewed consent if required by law

Your continued use after changes constitutes acceptance. If you disagree, you may delete your account.

11. Data Breach Notification

In the unlikely event of a data breach affecting your health information, we will:

• Notify you within 72 hours of discovering the breach (HIPAA requirement)
• Provide details about what information was affected
• Explain steps we're taking to address the breach
• Offer guidance on how you can protect yourself
• Report to relevant authorities as required by law

12. Contact Us

For privacy questions, concerns, or to exercise your rights:

For data subject requests, include:

• Your full name and email address
• Detailed description of your request
• Account verification information
• Country/region of residence

13. Your Health, Your Privacy