What we do and don't with your data.

Vayl exists to organize the transcript your body has been writing for years. To do that, you trust us with categories of data that are sensitive by every legal definition that matters — biometric, health-adjacent, and behavioral.

This page is intentionally short. It's the truth about how your data flows, and it will get longer (subprocessor list, retention windows, DPA) as Vayl ships paid plans. Every addition will be in the public changelog.

Data we collect

• Account: email, hashed password (Supabase Auth), display name if provided.
• Logs you create: training sessions, meals, substance doses, supplement logs, sleep, biomarkers, weight, HRV/RHR.
• Wearable imports: only if you explicitly connect a source (HealthKit, Apple Watch). Vayl reads what you authorize, nothing else.
• Anonymous usage telemetry (PostHog, planned): page views, feature engagement. No PII, no log content.

Where it lives

Supabase Postgres in Frankfurt (eu-central-1), encrypted at rest. Sync via PowerSync (read-only mirror). Logs you create on iOS are stored locally in SQLite and synced when online — your phone is offline-first.

What we never do

• Sell or rent your data. Not to advertisers, not to insurers, not to anyone.
• Train AI models on individual user data without explicit, granular consent per dataset.
• Share with third parties beyond the subprocessors required to run the product (hosting, auth, sync).
• Retain data after you delete your account (30-day grace for accidental deletion, then hard-deleted).

Your rights

You can export everything you've logged (PDF + CSV) at any time from Settings → Export. You can request deletion by emailing privacy@vayl.pro. Under GDPR (EU) and LGPD (BR) you have the right to access, rectification, erasure, portability, and objection to processing.

Contact

João Batisti, founder. Lisbon, Portugal. privacy@vayl.pro.

Last updated · 2026-05-09