Last updated: March 10, 2026
VYO Health Privacy Policy
1. Introduction
VYO Health (“VYO Health”, “we”, “us”, or “our”) respects and protects the privacy of users of the VYO Health mobile application, website, and related services (collectively, the “Service”).
This Privacy Policy explains how we collect, use, store, protect, and process personal data and health-related data when users access or use the Service.
VYO Health is designed as a preventive, educational, and lifestyle support platform and does not provide medical diagnosis or treatment.
Our data protection practices follow internationally recognized standards and applicable data protection laws, including:
Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
Applicable EU data protection laws and international privacy standards
GDPR-aligned safeguards supporting global users, including those located in the United States
2. Data Controller
The controller responsible for the processing of personal data described in this Privacy Policy is:
VYO Health LLC
Ukraine, 79052,
Str. Roksolyana 87/47, Lviv
Email: privacy@vyohealth.com
VYO Health acts as the Data Controller for personal and health-related data processed through the Service.
3. Definitions
For the purposes of this Privacy Policy:
Personal Data
Any information relating to an identified or identifiable natural person (“data subject”).
Processing
Any operation performed on personal data, whether or not by automated means, including collection, storage, use, disclosure, or deletion.
Special Category Data (Health Data)
Personal data concerning physical or mental health, including reproductive and hormonal health information, as defined under Article 9 GDPR.
4. Categories of Data We Collect
We collect several categories of data necessary to provide and improve the Service.
4.1 Personal Identification Data
When creating an account or interacting with the Service, users may provide:
Name
Email address
Age or age group
Account identifiers
Communication preferences
Users may choose to use the application with minimal personal identifiers or pseudonymous identifiers, where technically feasible.
4.2 Health and Wellness Data (Special Category Data)
The Service allows users to voluntarily record health-related information, which may include:
Menstrual cycle information
Reproductive and hormonal health information
Pregnancy or childbirth history
Symptoms and symptom severity
Pain levels
Lifestyle and wellness information (for example, age and body metrics, product and nutrition preferences, shopping lists, etc.)
Preventive health indicators
Diagnosis information voluntarily entered by the user
Data imported from wearable devices or integrations such as Apple HealthKit and others
This data constitutes special category personal data under Article 9 GDPR and is processed only with explicit user consent.
4.3 Technical and Usage Data
When users interact with the Service, certain technical information may be collected automatically, including:
Device type and operating system
App usage patterns
Log data and performance metrics
Anonymous identifiers
System diagnostics and security logs
This information is used to ensure service functionality, security, and technical improvement.
5. How We Use Personal Data
We process personal and health-related data for the following purposes:
Providing the core functionality of the Service
Generating preventive health insights and recommendations
Supporting lifestyle and wellness monitoring
Improving application functionality and user experience
Maintaining service security and reliability
Conducting internal research and development of preventive methodologies
Supporting anonymized scientific or statistical analysis
The Service does not provide medical diagnosis, treatment, or clinical decision support.
6. Legal Bases for Processing
Under GDPR, we process personal data based on the following legal bases:
Consent – Article 6(1)(a) GDPR
Users provide consent for:
creation and use of their account
operation of the Service
communication related to their use of the Service
Explicit Consent – Article 9(2)(a) GDPR
Explicit consent is required for processing health-related data and other special category data.
Users may withdraw consent at any time by contacting us or deleting their account.
7. Data Minimization and Privacy-by-Design
VYO Health is designed with privacy-by-design and privacy-by-default principles, in line with Article 25 of the GDPR.
This includes:
collecting only the data necessary to operate the Service
reducing the use of direct identifiers where possible
applying pseudonymization techniques to sensitive datasets
limiting internal access to authorized personnel and systems only
8. Data Storage, Infrastructure, and Protection
VYO Health uses secure cloud infrastructure to host and process data.
Primary infrastructure is expected to be hosted on secure servers (cloud infrastructure) used by our service providers. We use Supabase for authentication, database, and file storage, subject to final infrastructure configuration. Your data is stored in the European Economic Area (EEA): our primary database is located in West EU (Ireland), eu-west-1. When data may be processed outside the EEA, we use providers that offer adequate safeguards (e.g. standard contractual clauses, certifications).
Security measures include:
encryption of data in transit and at rest
access control mechanisms
system monitoring and logging
secure development practices
Some of the information processed in the app may qualify as health data under applicable data protection laws. We apply additional safeguards when processing such data, including restricted access, secure storage, and processing only for the purposes necessary to provide the service.
Security practices are designed in alignment with recognized standards, including ISO 27001 security principles and safeguards commonly applied to sensitive health data.
8.1 Where Your Data Is Stored
We use Supabase to manage authentication, our database, and file storage (such as profile images). Our primary database is located in the European Economic Area (EEA), in the West EU region (Ireland).
In some cases, data may be processed outside the EEA. In such cases, we rely on providers that implement appropriate safeguards required under applicable data protection laws (such as standard contractual clauses).
Within our system, your information may be stored in the following areas:
profiles – account information and body metrics
medical_data – menstrual cycle information and health questionnaire responses
diagnosis_results – assessment scores and related results
user_product_settings – personal preferences (e.g. deleted products or vegetarian/vegan settings)
shopping_lists – saved lists and dates
auth.users – authentication records used to manage your account
Profile images are stored separately in secure object storage.
Some limited data (such as authentication tokens and basic app state) may be stored locally on your device to keep you signed in and improve app performance. This data is removed when you sign out or delete the app.
8.2 How We Protect Your Data
We implement appropriate technical and organizational measures to protect personal data.
Access to data is restricted to authorized personnel and systems necessary to operate the app.
We use standard security practices, including:
encrypted data transmission (e.g., TLS)
secure authentication
access control mechanisms
Our database also uses row-level security, ensuring users can access only their own data.
8.3 Pseudonymization and Data Separation
We implement privacy-by-design principles to protect user data and minimize the risk of identification.
Personal account information (such as name and email address) is stored in our authentication system and managed separately from health-related information.
Health and sensitive data (such as menstrual cycle information, symptoms, questionnaire responses, and assessment results) are stored in dedicated application tables. These records are linked to user accounts through an internal system identifier (user ID) rather than directly through personal identifiers.
This approach allows health data to be processed without directly exposing personal identity information.
Access to these datasets is restricted through strict access controls and database security policies, including row-level security, which ensures that users and application services can only access data that belongs to the relevant account.
This architecture reduces the risk of unauthorized access and supports compliance with applicable data protection regulations, including the principles of data minimization and pseudonymization under the GDPR.
8.4 How Long We Keep Your Data
We retain your data while your account is active and as needed to provide our services.
If your account remains inactive for three years, we will delete or anonymize your personal data.
In all cases, personal data is not retained longer than five years, after which it is deleted.
You may request deletion of your data at any time, for instance, by deleting your account. We will delete or anonymize your data unless we are required to retain certain information for legal reasons.
8.5 Deleting Your Account
You can delete your account at any time in the app:
Profile → Personal → Delete account
You will be asked to confirm this action. Once completed, it cannot be reversed.
When your account is deleted, your authentication record is permanently removed. As a result, the following data is also deleted:
profile information (name, email, avatar, body metrics, onboarding status, quiz progress, consent records)
all health and wellness data (cycle information, symptoms, pain details, diagnoses, reports, product preferences, etc.)
Deleted data is either permanently removed or irreversibly anonymized. Deleting your account permanently removes your personal data from our systems in accordance with this policy.
Data Sharing and Processors
VYO Health does not sell personal data or health data.
Personal data may be shared only in limited circumstances:
with service providers acting as data processors that support infrastructure, analytics, or technical operations
when required to comply with legal obligations
when explicitly authorized by the user
All processors are contractually required to:
process data only under our instructions
comply with applicable data protection laws, including GDPR
implement appropriate technical and organizational safeguards
Health data is not shared with advertising platforms or data brokers.
International Data Transfers
In some cases, data processing may involve infrastructure or service providers located outside the European Economic Area (EEA).
When such transfers occur, we implement appropriate safeguards, which may include:
Standard Contractual Clauses approved by the European Commission
contractual data protection commitments
additional technical safeguards such as encryption and pseudonymization
User Rights
Users have the following rights under applicable data protection laws, including GDPR:
Right of access to personal data
Right to correct inaccurate data
Right to deletion (“right to be forgotten”)
Right to restrict processing
Right to object to processing
Right to data portability
Right to withdraw consent at any time
Requests can be submitted to:
We will respond to requests within the timeframe required by applicable law.
Users also have the right to lodge a complaint with their local data protection authority.
Data Security
VYO Health implements technical and organizational security measures designed to protect personal data from unauthorized access, disclosure, alteration, or destruction.
Security safeguards may include:
encryption of data in transit (for example, TLS)
encryption of stored data where supported by the underlying infrastructure
pseudonymization of certain sensitive datasets
restricted access controls and database security policies
secure cloud infrastructure and basic system monitoring
While we implement strong safeguards to protect personal data, no system can guarantee absolute security.
Research and Preventive Health Insights
To improve preventive health methodologies and the quality of the Service, VYO Health may use aggregated or anonymized data for research and statistical analysis.
Such data:
cannot identify individual users
does not contain personal identifiers
may contribute to the scientific understanding of preventive health patterns
Any research involving identifiable personal data would require separate explicit consent.
Evidence-Based Methodology
Insights and recommendations provided through the Service are based on scientific and evidence-based methodologies.
These may include:
peer-reviewed scientific literature
recognized clinical and academic research
expert input from qualified medical and scientific professionals
Internal documentation describing the research methodology and validation framework may be maintained and shared with relevant partners, certification bodies, or regulatory authorities where appropriate.
Medical Disclaimer
VYO Health is a preventive, educational, and lifestyle support application.
The Service:
does not provide a medical diagnosis
does not provide medical treatment
does not replace professional medical advice
All information provided through the Service is for informational and educational purposes only.
Users should consult qualified healthcare professionals for medical decisions.
VYO Health assumes no liability for health decisions or outcomes resulting from reliance on the Service.
The Service is not intended to be classified as a regulated medical device under applicable EU or U.S. medical device regulations.
Children’s Privacy
The Service is not intended for children or underage individuals.
Users must be at least:
16 years old, or
the minimum age required by applicable law in their jurisdiction (for example, if you are located in the United States, you cannot use the VYO Health app if you are under 13 years old)
We do not knowingly collect personal data from children who do not meet the applicable minimum age. If we become aware that such data has been collected, we will take steps to delete it.
Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in:
legal requirements
technology
data processing practices
service functionality
If material changes occur, users will be notified through the Service or by email where appropriate.
The latest version will always be available within the Service or on our website.
Contact
For questions about this Privacy Policy or our data protection practices:
Last updated:
March 10, 2026
VYO Health Privacy Policy
1. Introduction
VYO Health (“VYO Health”, “we”, “us”, or “our”) respects and protects the privacy of users of the VYO Health mobile application, website, and related services (collectively, the “Service”).
This Privacy Policy explains how we collect, use, store, protect, and process personal data and health-related data when users access or use the Service.
VYO Health is designed as a preventive, educational, and lifestyle support platform and does not provide medical diagnosis or treatment.
Our data protection practices follow internationally recognized standards and applicable data protection laws, including:
Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
Applicable EU data protection laws and international privacy standards
GDPR-aligned safeguards supporting global users, including those located in the United States
2. Data Controller
The controller responsible for the processing of personal data described in this Privacy Policy is:
VYO Health LLC
Ukraine, 79052,
Str. Roksolyana 87/47, Lviv
Email: privacy@vyohealth.com
VYO Health acts as the Data Controller for personal and health-related data processed through the Service.
Definitions
For this Privacy Policy purposes:
Personal Data
Any information relating to an identified or identifiable natural person (“data subject”).
Processing
Any operation performed on personal data, whether or not by automated means, including collection, storage, use, disclosure, or deletion.
Special Category Data (Health Data)
Personal data concerning physical or mental health, including reproductive and hormonal health information, as defined under Article 9 GDPR.
Categories of Data We Collect
We collect several categories of data necessary to provide and improve the Service.
4.1 Personal Identification Data
When creating an account or interacting with the Service, users may provide:
Name
Email address
Age or age group
Account identifiers
Communication preferences
Users may choose to use the application with minimal personal identifiers or pseudonymous identifiers, where technically feasible.
4.2 Health and Wellness Data (Special Category Data)
The Service allows users to voluntarily record health-related information, which may include:
Menstrual cycle information
Reproductive and hormonal health information
Pregnancy or childbirth history
Symptoms and symptom severity
Pain levels
Lifestyle and wellness information (for example, age and body metrics, product and nutrition preferences, shopping lists, etc.)
Preventive health indicators
Diagnosis information voluntarily entered by the user
Data imported from wearable devices or integrations such as Apple Health Kit and others
This data constitutes special category personal data under Article 9 GDPR and is processed only with explicit user consent.
4.3 Technical and Usage Data
When users interact with the Service, certain technical information may be collected automatically, including:
Device type and operating system
App usage patterns
Log data and performance metrics
Anonymous identifiers
System diagnostics and security logs
This information is used to ensure service functionality, security, and technical improvement.
How We Use Personal Data
We process personal and health-related data for the following purposes:
Providing the core functionality of the Service
Generating preventive health insights and recommendations
Supporting lifestyle and wellness monitoring
Improving application functionality and user experience
Maintaining service security and reliability
Conducting internal research and development of preventive methodologies
Supporting anonymized scientific or statistical analysis
The Service does not provide medical diagnosis, treatment, or clinical decision support.
Legal Bases for Processing
Under GDPR, we process personal data based on the following legal bases:
Consent – Article 6(1)(a) GDPR
Users provide consent for:
creation and use of their account
operation of the Service
communication related to their use of the Service
Explicit Consent – Article 9(2)(a) GDPR
Explicit consent is required for processing health-related data and other special category data.
Users may withdraw consent at any time by contacting us or deleting their account.
Data Minimization and Privacy-by-Design
VYO Health is designed with privacy-by-design and privacy-by-default principles, in line with Article 25 of the GDPR.
This includes:
collecting only the data necessary to operate the Service
reducing the use of direct identifiers where possible
applying pseudonymization techniques to sensitive datasets
limiting internal access to authorized personnel and systems only
Data Storage, Infrastructure, and Protection
VYO Health uses secure cloud infrastructure to host and process data.
Primary infrastructure is expected to be hosted on secure servers (cloud infrastructure) used by our service providers. We use Supabase for authentication, database, and file storage. subject to final infrastructure configuration. Your data is stored in the European Economic Area (EEA): our primary database is located in West EU (Ireland), eu-west-1. When data may be processed outside the EEA, we use providers that offer adequate safeguards (e.g. standard contractual clauses, certifications).
Security measures include:
encryption of data in transit and at rest
access control mechanisms
system monitoring and logging
secure development practices
Some of the information processed in the app may qualify as health data under applicable data protection laws. We apply additional safeguards when processing such data, including restricted access, secure storage, and processing only for the purposes necessary to provide the service.
Security practices are designed in alignment with recognized standards, including ISO 27001 security principles and safeguards commonly applied to sensitive health data.
8.1 Where Your Data Is Stored
We use Supabase to manage authentication, our database, and file storage (such as profile images). Our primary database is located in the European Economic Area (EEA), in the West EU region (Ireland).
In some cases, data may be processed outside the EEA. In such cases, we rely on providers that implement appropriate safeguards required under applicable data protection laws (such as standard contractual clauses).
Within our system, your information may be stored in the following areas:
profiles – account information and body metrics
medical_data – menstrual cycle information and health questionnaire responses
diagnosis_results – assessment scores and related results
user_product_settings – personal preferences (e.g. deleted products or vegetarian/vegan settings)
shopping_lists – saved lists and dates
auth.users – authentication records used to manage your account
Profile images are stored separately in secure object storage.
Some limited data (such as authentication tokens and basic app state) may be stored locally on your device to keep you signed in and improve app performance. This data is removed when you sign out or delete the app.
8.2 How We Protect Your Data
We implement appropriate technical and organizational measures to protect personal data.
Access to data is restricted to authorized personnel and systems necessary to operate the app.
We use standard security practices, including:
encrypted data transmission (e.g., TLS)
secure authentication
access control mechanisms
Our database also uses row-level security, ensuring users can access only their own data.
8.3 Pseudonymization and Data Separation
We implement privacy-by-design principles to protect user data and minimize the risk of identification.
Personal account information (such as name and email address) is stored in our authentication system and managed separately from health-related information.
Health and sensitive data (such as menstrual cycle information, symptoms, questionnaire responses, and assessment results) are stored in dedicated application tables. These records are linked to user accounts through an internal system identifier (user ID) rather than directly through personal identifiers.
This approach allows health data to be processed without directly exposing personal identity information.
Access to these datasets is restricted through strict access controls and database security policies, including row-level security, which ensures that users and application services can only access data that belongs to the relevant account.
This architecture reduces the risk of unauthorized access and supports compliance with applicable data protection regulations, including the principles of data minimization and pseudonymization under the GDPR.
8.4 How Long We Keep Your Data
We retain your data while your account is active and as needed to provide our services.
If your account remains inactive for three years, we will delete or anonymize your personal data.
In all cases, personal data is not retained longer than five years, after which it is deleted.
You may request deletion of your data at any time, for instance, by deleting your account. We will delete or anonymize your data unless we are required to retain certain information for legal reasons.
8.5 Deleting Your Account
You can delete your account at any time in the app:
Profile → Personal → Delete account
You will be asked to confirm this action. Once completed, it cannot be reversed.
When your account is deleted, your authentication record is permanently removed. As a result, the following data is also deleted:
profile information (name, email, avatar, body metrics, onboarding status, quiz progress, consent records)
all health and wellness data (from cycle information, symptoms, pain details, diagnoses, reports, or any product preferences, etc.)
Deleted data is either permanently removed or irreversibly anonymized. Deleting your account permanently removes your personal data from our systems in accordance with this policy.
Data Sharing and Processors
VYO Health does not sell personal data or health data.
Personal data may be shared only in limited circumstances:
with service providers acting as data processors that support infrastructure, analytics, or technical operations
when required to comply with legal obligations
when explicitly authorized by the user
All processors are contractually required to:
process data only under our instructions
comply with applicable data protection laws, including GDPR
implement appropriate technical and organizational safeguards
Health data is not shared with advertising platforms or data brokers.
International Data Transfers
In some cases, data processing may involve infrastructure or service providers located outside the European Economic Area (EEA).
When such transfers occur, we implement appropriate safeguards, which may include:
Standard Contractual Clauses approved by the European Commission
contractual data protection commitments
additional technical safeguards such as encryption and pseudonymization
User Rights
Users have the following rights under applicable data protection laws, including GDPR:
Right of access to personal data
Right to correct inaccurate data
Right to deletion (“right to be forgotten”)
Right to restrict processing
Right to object to processing
Right to data portability
Right to withdraw consent at any time
Requests can be submitted to:
We will respond to requests within the timeframe required by applicable law.
Users also have the right to lodge a complaint with their local data protection authority.
Data Security
VYO Health implements technical and organizational security measures designed to protect personal data from unauthorized access, disclosure, alteration, or destruction.
Security safeguards may include:
encryption of data in transit (for example, TLS)
encryption of stored data where supported by the underlying infrastructure
pseudonymization of certain sensitive datasets
restricted access controls and database security policies
secure cloud infrastructure and basic system monitoring
While we implement strong safeguards to protect personal data, no system can guarantee absolute security.
Research and Preventive Health Insights
To improve preventive health methodologies and the quality of the Service, VYO Health may use aggregated or anonymized data for research and statistical analysis.
Such data:
cannot identify individual users
does not contain personal identifiers
may contribute to the scientific understanding of preventive health patterns
Any research involving identifiable personal data would require separate explicit consent.
Evidence-Based Methodology
Insights and recommendations provided through the Service are based on scientific and evidence-based methodologies.
These may include:
peer-reviewed scientific literature
recognized clinical and academic research
expert input from qualified medical and scientific professionals
Internal documentation describing the research methodology and validation framework may be maintained and shared with relevant partners, certification bodies, or regulatory authorities where appropriate.
Medical Disclaimer
VYO Health is a preventive, educational, and lifestyle support application.
The Service:
does not provide a medical diagnosis
does not provide medical treatment
does not replace professional medical advice
All information provided through the Service is for informational and educational purposes only.
Users should consult qualified healthcare professionals for medical decisions.
VYO Health assumes no liability for health decisions or outcomes resulting from reliance on the Service.
The Service is not intended to be classified as a regulated medical device under applicable EU or U.S. medical device regulations.
Children’s Privacy
The Service is not intended for children or underage individuals.
Users must be at least:
16 years old, or
the minimum age required by applicable law in their jurisdiction (for example, if you are located in the United States, you cannot use the VYO Health app if you are under 13 years old)
We do not knowingly collect personal data from children who do not meet the applicable minimum age. If we become aware that such data has been collected, we will take steps to delete it.
Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in:
legal requirements
technology
data processing practices
service functionality
If material changes occur, users will be notified through the Service or by email where appropriate.
The latest version will always be available within the Service or on our website.
Contact
For questions about this Privacy Policy or our data protection practices:
Last updated:
March 10, 2026
VYO Health Privacy Policy
1. Introduction
VYO Health (“VYO Health”, “we”, “us”, or “our”) respects and protects the privacy of users of the VYO Health mobile application, website, and related services (collectively, the “Service”).
This Privacy Policy explains how we collect, use, store, protect, and process personal data and health-related data when users access or use the Service.
VYO Health is designed as a preventive, educational, and lifestyle support platform and does not provide medical diagnosis or treatment.
Our data protection practices follow internationally recognized standards and applicable data protection laws, including:
Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
Applicable EU data protection laws and international privacy standards
GDPR-aligned safeguards supporting global users, including those located in the United States
2. Data Controller
The controller responsible for the processing of personal data described in this Privacy Policy is:
VYO Health LLC
Ukraine, 79052,
Str. Roksolyana 87/47, Lviv
Email: privacy@vyohealth.com
VYO Health acts as the Data Controller for personal and health-related data processed through the Service.
Definitions
For this Privacy Policy purposes:
Personal Data
Any information relating to an identified or identifiable natural person (“data subject”).
Processing
Any operation performed on personal data, whether or not by automated means, including collection, storage, use, disclosure, or deletion.
Special Category Data (Health Data)
Personal data concerning physical or mental health, including reproductive and hormonal health information, as defined under Article 9 GDPR.
Categories of Data We Collect
We collect several categories of data necessary to provide and improve the Service.
4.1 Personal Identification Data
When creating an account or interacting with the Service, users may provide:
Name
Email address
Age or age group
Account identifiers
Communication preferences
Users may choose to use the application with minimal personal identifiers or pseudonymous identifiers, where technically feasible.
4.2 Health and Wellness Data (Special Category Data)
The Service allows users to voluntarily record health-related information, which may include:
Menstrual cycle information
Reproductive and hormonal health information
Pregnancy or childbirth history
Symptoms and symptom severity
Pain levels
Lifestyle and wellness information (for example, age and body metrics, product and nutrition preferences, shopping lists, etc.)
Preventive health indicators
Diagnosis information voluntarily entered by the user
Data imported from wearable devices or integrations such as Apple HealthKit and others
This data constitutes special category personal data under Article 9 GDPR and is processed only with explicit user consent.
4.3 Technical and Usage Data
When users interact with the Service, certain technical information may be collected automatically, including:
Device type and operating system
App usage patterns
Log data and performance metrics
Anonymous identifiers
System diagnostics and security logs
This information is used to ensure service functionality, security, and technical improvement.
How We Use Personal Data
We process personal and health-related data for the following purposes:
Providing the core functionality of the Service
Generating preventive health insights and recommendations
Supporting lifestyle and wellness monitoring
Improving application functionality and user experience
Maintaining service security and reliability
Conducting internal research and development of preventive methodologies
Supporting anonymized scientific or statistical analysis
The Service does not provide medical diagnosis, treatment, or clinical decision support.
Legal Bases for Processing
Under GDPR, we process personal data based on the following legal bases:
Consent – Article 6(1)(a) GDPR
Users provide consent for:
creation and use of their account
operation of the Service
communication related to their use of the Service
Explicit Consent – Article 9(2)(a) GDPR
Explicit consent is required for processing health-related data and other special category data.
Users may withdraw consent at any time by contacting us or deleting their account.
Data Minimization and Privacy-by-Design
VYO Health is designed with privacy-by-design and privacy-by-default principles, in line with Article 25 of the GDPR.
This includes:
collecting only the data necessary to operate the Service
reducing the use of direct identifiers where possible
applying pseudonymization techniques to sensitive datasets
limiting internal access to authorized personnel and systems only
Data Storage, Infrastructure, and Protection
VYO Health uses secure cloud infrastructure to host and process data.
Primary infrastructure is expected to be hosted on secure servers (cloud infrastructure) used by our service providers. We use Supabase for authentication, database, and file storage, subject to final infrastructure configuration. Your data is stored in the European Economic Area (EEA): our primary database is located in West EU (Ireland), eu-west-1. When data may be processed outside the EEA, we use providers that offer adequate safeguards (e.g. standard contractual clauses, certifications).
Security measures include:
encryption of data in transit and at rest
access control mechanisms
system monitoring and logging
secure development practices
Some of the information processed in the app may qualify as health data under applicable data protection laws. We apply additional safeguards when processing such data, including restricted access, secure storage, and processing only for the purposes necessary to provide the service.
Security practices are designed in alignment with recognized standards, including ISO 27001 security principles and safeguards commonly applied to sensitive health data.
8.1 Where Your Data Is Stored
We use Supabase to manage authentication, our database, and file storage (such as profile images). Our primary database is located in the European Economic Area (EEA), in the West EU region (Ireland).
In some cases, data may be processed outside the EEA. In such cases, we rely on providers that implement appropriate safeguards required under applicable data protection laws (such as standard contractual clauses).
Within our system, your information may be stored in the following areas:
profiles – account information and body metrics
medical_data – menstrual cycle information and health questionnaire responses
diagnosis_results – assessment scores and related results
user_product_settings – personal preferences (e.g. deleted products or vegetarian/vegan settings)
shopping_lists – saved lists and dates
auth.users – authentication records used to manage your account
Profile images are stored separately in secure object storage.
Some limited data (such as authentication tokens and basic app state) may be stored locally on your device to keep you signed in and improve app performance. This data is removed when you sign out or delete the app.
8.2 How We Protect Your Data
We implement appropriate technical and organizational measures to protect personal data.
Access to data is restricted to authorized personnel and systems necessary to operate the app.
We use standard security practices, including:
encrypted data transmission (e.g., TLS)
secure authentication
access control mechanisms
Our database also uses row-level security, ensuring users can access only their own data.
8.3 Pseudonymization and Data Separation
We implement privacy-by-design principles to protect user data and minimize the risk of identification.
Personal account information (such as name and email address) is stored in our authentication system and managed separately from health-related information.
Health and sensitive data (such as menstrual cycle information, symptoms, questionnaire responses, and assessment results) are stored in dedicated application tables. These records are linked to user accounts through an internal system identifier (user ID) rather than directly through personal identifiers.
This approach allows health data to be processed without directly exposing personal identity information.
Access to these datasets is restricted through strict access controls and database security policies, including row-level security, which ensures that users and application services can only access data that belongs to the relevant account.
This architecture reduces the risk of unauthorized access and supports compliance with applicable data protection regulations, including the principles of data minimization and pseudonymization under the GDPR.
8.4 How Long We Keep Your Data
We retain your data while your account is active and as needed to provide our services.
If your account remains inactive for three years, we will delete or anonymize your personal data.
In all cases, personal data is not retained longer than five years, after which it is deleted.
You may request deletion of your data at any time, for instance by deleting your account. We will delete or anonymize your data unless we are required to retain certain information for legal reasons.
8.5 Deleting Your Account
You can delete your account at any time in the app:
Profile → Personal → Delete account
You will be asked to confirm this action. Once completed, it cannot be reversed.
When your account is deleted, your authentication record is permanently removed. As a result, the following data is also deleted:
profile information (name, email, avatar, body metrics, onboarding status, quiz progress, consent records)
all health and wellness data (including cycle information, symptoms, pain details, diagnoses, reports, and any product preferences)
Deleted data is either permanently removed or irreversibly anonymized. Deleting your account permanently removes your personal data from our systems in accordance with this policy.
Data Sharing and Processors
VYO Health does not sell personal data or health data.
Personal data may be shared only in limited circumstances:
with service providers acting as data processors that support infrastructure, analytics, or technical operations
when required to comply with legal obligations
when explicitly authorized by the user
All processors are contractually required to:
process data only under our instructions
comply with applicable data protection laws, including GDPR
implement appropriate technical and organizational safeguards
Health data is not shared with advertising platforms or data brokers.
International Data Transfers
In some cases, data processing may involve infrastructure or service providers located outside the European Economic Area (EEA).
When such transfers occur, we implement appropriate safeguards, which may include:
Standard Contractual Clauses approved by the European Commission
contractual data protection commitments
additional technical safeguards such as encryption and pseudonymization
User Rights
Users have the following rights under applicable data protection laws, including GDPR:
Right of access to personal data
Right to correct inaccurate data
Right to deletion (“right to be forgotten”)
Right to restrict processing
Right to object to processing
Right to data portability
Right to withdraw consent at any time
Requests can be submitted to:
We will respond to requests within the timeframe required by applicable law.
Users also have the right to lodge a complaint with their local data protection authority.
Data Security
VYO Health implements technical and organizational security measures designed to protect personal data from unauthorized access, disclosure, alteration, or destruction.
Security safeguards may include:
encryption of data in transit (for example, TLS)
encryption of stored data where supported by the underlying infrastructure
pseudonymization of certain sensitive datasets
restricted access controls and database security policies
secure cloud infrastructure and basic system monitoring
While we implement strong safeguards to protect personal data, no system can guarantee absolute security.
Research and Preventive Health Insights
To improve preventive health methodologies and the quality of the Service, VYO Health may use aggregated or anonymized data for research and statistical analysis.
Such data:
cannot identify individual users
does not contain personal identifiers
may contribute to the scientific understanding of preventive health patterns
Any research involving identifiable personal data would require separate explicit consent.
Evidence-Based Methodology
Insights and recommendations provided through the Service are based on scientific and evidence-based methodologies.
These may include:
peer-reviewed scientific literature
recognized clinical and academic research
expert input from qualified medical and scientific professionals
Internal documentation describing the research methodology and validation framework may be maintained and shared with relevant partners, certification bodies, or regulatory authorities where appropriate.
Medical Disclaimer
VYO Health is a preventive, educational, and lifestyle support application.
The Service:
does not provide a medical diagnosis
does not provide medical treatment
does not replace professional medical advice
All information provided through the Service is for informational and educational purposes only.
Users should consult qualified healthcare professionals for medical decisions.
VYO Health assumes no liability for health decisions or outcomes resulting from reliance on the Service.
The Service is not intended to be classified as a regulated medical device under applicable EU or U.S. medical device regulations.
Children’s Privacy
The Service is not intended for children or underage individuals.
Users must be at least:
16 years old, or
the minimum age required by applicable law in their jurisdiction (for example, if you are located in the United States, you cannot use the VYO Health app if you are under 13 years old)
We do not knowingly collect personal data from children who do not meet the applicable minimum age. If we become aware that such data has been collected, we will take steps to delete it.
Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in:
legal requirements
technology
data processing practices
service functionality
If material changes occur, users will be notified through the Service or by email where appropriate.
The latest version will always be available within the Service or on our website.
Contact
For questions about this Privacy Policy or our data protection practices: