Privacy Policy

Mar 25, 2026

1. Introduction

Welcome to VitaSolace (referred to as "we," "us," or "our"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services.

This policy complies with the EU General Data Protection Regulation (GDPR) and applies to all users of the VitaSolace application. Please read it carefully. If you have questions, our contact details are in Section 16.


2. Who We Are

VitaSolace is the data controller responsible for your personal data. Our full legal details, including registered address and data protection contact, are provided in Section 16 of this policy.

Because we process special category health data at scale, we have designated a Data Protection Officer (DPO). You may contact our DPO directly at the address provided in Section 16.


3. Information We Collect

We collect the following categories of personal data:

 

Account Information

Your name, email address, and profile details when you create an account.

 

Health Data

Menstrual cycle data, symptoms, moods, and other health-related information you choose to log. This is special category data under Article 9 GDPR and is processed only with your explicit consent.

 

Usage Data

Information about how you interact with the app, including features used and time spent.

 

AI Assistant Conversations

Messages you send to the AI assistant. These are processed to generate your response and are subject to the AI sub-processor terms described in Section 6.

 

Community Communications

Messages you send through community features, where you have chosen to participate.


4. Legal Basis for Processing

We process your personal data under the following legal bases:

 

•       Explicit consent (Article 6(1)(a) and Article 9(2)(a) GDPR): We process your health data, including menstrual and symptom data, only after you have given us your explicit, informed consent. You may withdraw this consent at any time without affecting the lawfulness of prior processing.

•       Contract performance (Article 6(1)(b) GDPR): Processing your account information is necessary to provide the services you have signed up for.

•       Legitimate interests (Article 6(1)(f) GDPR): We process usage data to maintain the security and performance of our platform, where our interests are not overridden by your rights.

•       Legal obligation (Article 6(1)(c) GDPR): We may process data where required to comply with applicable law.

 

We will not process your health data for any purpose beyond those listed in Section 5 without first seeking your explicit consent again.


5. How We Use Your Information

We use your information only for the following purposes:

 

•       Providing, maintaining, and improving our services.

•       Generating personalised cycle predictions and health insights.

•       Powering the AI assistant to deliver relevant wellness guidance.

•       Enabling community features when you choose to use them.

•       Sending notifications and updates you have opted into.

•       Ensuring the security and integrity of our platform.

 

We do not use your health data for advertising, profiling for third-party commercial purposes, or any purpose unrelated to your direct use of VitaSolace.


6. AI Assistant and Sub-Processors

The VitaSolace AI assistant is powered by Google Gemini, operated by Google within the European Economic Area (EEA). We have a Data Processing Addendum (DPA) in place with Google that includes the following commitments:

 

•       Your data is processed exclusively within the EEA.

•       Google contractually guarantees that data submitted through VitaSolace is not used to train Google's public AI models.

•       Google acts as a data processor under our instructions and may not use your data for any purpose beyond delivering the AI assistant service.

 

Conversations with the AI assistant are not reviewed by Google employees for model improvement purposes. VitaSolace may review a limited sample of anonymised interactions solely to improve the quality of our service, under strict access controls.

AI assistant conversations are retained for 90 days, after which they are automatically deleted. You may delete them earlier through the app at any time.

A full list of our sub-processors is available on request by contacting us at the details in Section 16.


7. Data Storage and International Transfers

Your personal data is stored on servers located within the European Union, specifically in our primary data centre in the Netherlands. We do not transfer your personal data outside the EEA except as described below.

The Google Gemini AI processing described in Section 6 takes place within the EEA under an active DPA. No other cross-border transfers of your health data take place without appropriate safeguards, which may include Standard Contractual Clauses (SCCs) approved by the European Commission.


8. Data Sharing

We do not sell your personal information. We share your data only in the following limited circumstances:

 

With your explicit consent

For example, when you choose to use the partner sharing feature. You may revoke partner sharing at any time from within the app. Revoking access will immediately prevent your partner from accessing new data. You may also request deletion of previously shared data by contacting us.

 

Service providers

Trusted sub-processors who help us operate our services, including cloud hosting (Netherlands-based), the AI assistant (Google, EEA), and essential security tooling. All sub-processors are bound by data processing agreements consistent with GDPR requirements.

 

Legal requirements

Where we are required by law to disclose data, or to protect our legal rights. We will notify you of any such disclosure where we are legally permitted to do so.

 

Reproductive health data and law enforcement

We recognise that menstrual health data carries particular sensitivity in certain legal contexts. We will not voluntarily disclose your reproductive health data to law enforcement or government authorities without a lawful court order or other legally binding demand. Where we receive such a demand, we will seek legal advice, notify you where permitted, and limit disclosure to the minimum required by law.


9. Your Rights

Under GDPR, you have the following rights regarding your personal data:

 

•       Right of access: Request a copy of the personal data we hold about you.

•       Right to rectification: Correct inaccurate or incomplete data.

•       Right to erasure: Request deletion of your data, subject to legal retention requirements.

•       Right to data portability: Export your health data in a machine-readable format.

•       Right to withdraw consent: Withdraw your consent to health data processing at any time. Withdrawal does not affect the lawfulness of prior processing.

•       Right to restriction: Request that we limit how we process your data in certain circumstances.

•       Right to object: Object to processing based on legitimate interests or to automated decision-making.

•       Right to lodge a complaint: You have the right to complain to your national data protection supervisory authority. In Lithuania, this is the State Data Protection Inspectorate (www.ada.lt). In the Netherlands, it is the Autoriteit Persoonsgegevens (www.autoriteitpersoonsgegevens.nl).

 

You can exercise all of the above rights directly within the app under Settings > Privacy, where you will find options to download your data, delete specific records, and delete your account. You may also exercise any right by contacting us at the details in Section 16. We will respond to all requests within 30 days.


10. Data Retention

We retain your data for the following periods:

 

•       Account information: Retained for the duration of your account, and deleted within 30 days of account closure.

•       Health and cycle data: Retained for the duration of your account. You may delete individual entries at any time from within the app.

•       AI assistant conversations: Retained for 90 days, then automatically deleted.

•       Usage data: Retained in aggregated, anonymised form for up to 24 months for service improvement purposes.

•       Community posts: Retained until you delete them or close your account.

 

When you delete your account, we will delete all associated personal data within 30 days, except where retention is required by applicable law. Anonymised, non-identifiable data derived from your usage may be retained beyond this period.


11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.

 

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34 GDPR. Notification will be provided through the app, by email, or by other appropriate means.


12. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

 

•       End-to-end encryption for health data in transit and at rest.

•       Role-based access controls limiting internal access to personal data.

•       Regular security audits and vulnerability assessments.

•       Sub-processor agreements requiring equivalent security standards.

 

Despite these measures, no system is completely secure. If you have concerns about the security of your account, please contact us immediately.


13. Children's Privacy

Our service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information without appropriate consent, we will take prompt steps to delete it.

 

For users aged 13 to 15, we may require parental or guardian consent for certain types of data processing, in accordance with applicable national law under Article 8 GDPR. We encourage parents and guardians to monitor their children's use of our app.


14. Automated Decision-Making

VitaSolace uses automated processing to generate cycle predictions and personalised health insights. This processing involves analysis of the health data you provide to identify patterns and produce forecasts.

 

These predictions are provided for informational purposes only and do not constitute medical advice. No automated decision produces legal effects or significantly affects you in a comparable way. If you have concerns about any automated output, you may contact us to request human review.

 

You may object to automated processing at any time by contacting us or adjusting your preferences in the app.


15. Changes to This Policy

We may update this Privacy Policy from time to time. For minor changes, we will update the "Last updated" date at the top of this page. For material changes, particularly those affecting how we process your health data, we will notify you in advance through the app and by email, and where required we will seek your renewed consent before the changes take effect.

 

We encourage you to review this policy periodically.


16. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or want to contact our Data Protection Officer, please reach out to us:

 

VitaSolace

Email: [email protected]

Data Protection Officer: [email protected]

 

We aim to respond to all privacy enquiries within 30 days.