Back to Home

Privacy Policy & Data Handling

Last updated: March 15, 2026

End-to-End Encrypted
GDPR Compliant
Row-Level Security
No Data Selling

1. Introduction

Vayl ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our biometric tracking and health optimization platform (the "Service").

We believe your health data is deeply personal. We will never sell, rent, or share your data with advertisers, data brokers, or any third party for commercial purposes.

2. Information We Collect

Account Information

  • Email address (for authentication)
  • Name (optional)
  • Profile information: birth date, gender, height

Health and Biometric Data

  • Body measurements and circumferences
  • Lab test results and biomarkers
  • Workout templates and exercise logs
  • Diet plans and meal logs
  • Substance protocol information (steroids, supplements, medications)
  • Symptom tracking data
  • Progress photos (optional, stored in encrypted storage)

Usage Data

  • Device information and browser type
  • Features used and pages visited
  • Time and date of visits

What we do NOT collect: We do not track your location, access your contacts, read your messages, or collect any data beyond what you explicitly provide to the Service.

3. How We Use Your Information

  • To provide and maintain the Service
  • To analyze correlations in your biometric data (processed entirely within our database)
  • To generate health reports and trend analysis
  • To process payments for Pro subscriptions
  • To send important updates and notifications
  • To improve our Service and develop new features
  • To comply with legal obligations

We never use your health data for advertising, profiling, or selling to third parties.

4. Data Storage and Security

Your data is stored using Supabase, a PostgreSQL database platform with enterprise-grade security. We implement multiple layers of protection:

Encryption

All data encrypted in transit (HTTPS/TLS 1.3) and at rest (AES-256). Database connections use SSL certificates.

Row-Level Security (RLS)

Every database table uses RLS policies. You can only access your own data. Even if a bug existed, the database itself enforces isolation.

Authentication

Secure authentication via Supabase Auth with JWT tokens. Sessions are cookie-based with HTTP-only secure flags.

Infrastructure

Hosted on secure infrastructure with regular security patches, DDoS protection, and automated backups.

5. OCR & Lab Result Processing

When you upload lab results for OCR (Optical Character Recognition) processing:

  • Your lab result image is sent to Google's Gemini API for text extraction
  • The image is processed in memory and not stored by Google after processing
  • Only the extracted text data (marker names, values, reference ranges) is saved to your account
  • The original image is not permanently stored unless you choose to attach a PDF to the lab test
  • Google's API is used under their enterprise terms which prohibit using your data for training

Important: If you prefer not to use OCR, you can always enter lab results manually. The OCR feature is entirely optional.

6. Third-Party Services

We use the following third-party services:

  • Supabase: Database, authentication, and file storage
  • Stripe: Payment processing (we never see or store your card details)
  • Google Gemini: OCR processing for lab results (optional feature)

These services have their own privacy policies. We share only the minimum data necessary for them to provide their services.

7. Coach Access to Data

If you link your account to a coach, they will have read-only access to the modules you choose to share. You control what data your coach sees through granular privacy settings, and you can unlink at any time. Coaches cannot edit, delete, or export your data.

8. Your Rights

Under GDPR and similar privacy regulations, you have the right to:

Access

View and request a copy of all your personal data

Portability

Export your data in JSON or CSV format at any time via Settings

Erasure

Delete your account and all associated data via Settings

Rectification

Edit or correct any of your data at any time

You can exercise your data portability and erasure rights directly from the Settings page. No need to contact us or wait for manual processing.

9. Data Retention

  • Active accounts: data retained as long as your account is active
  • Deleted accounts: all data is permanently purged within 30 days of account deletion
  • Payment records: retained for 7 years as required by tax regulations
  • Server logs: automatically deleted after 90 days

10. Cookies

We use essential cookies only for authentication and session management. We do not use tracking cookies, analytics cookies, or third-party advertising cookies. No cookie consent banner is needed because we only use strictly necessary cookies.

11. Children's Privacy

Our Service is not intended for users under 18 years of age. We do not knowingly collect data from children under 18. If you believe we have collected data from a minor, please contact us immediately.

12. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we will also notify you via email or in-app notification.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how your data is handled, please contact us through the application or email us at privacy@vayl.pro

© 2026 Vayl. All rights reserved.

Terms of ServiceMedical Disclaimer
    Privacy Policy | Vayl