Privacy Policy

SynthVitals ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

1. Information We Collect

1.1 Information You Provide

• Account Information: Name, email address, password, timezone and unit preferences
• Health Data: Lab results, biomarker values, medical documents you upload
• Profile Information: Health goals, preferences, and settings
• Communications: Messages you send to us or through our AI assistant

1.2 Information from Connected Services

When you connect third-party services, we collect:

• Activity Data: Steps, active minutes, calories burned, workouts
• Sleep Data: Sleep duration, sleep stages, sleep quality scores
• Heart Data: Heart rate, heart rate variability (HRV), resting heart rate
• Body Measurements: Weight, body composition
• Glucose Data: Blood glucose readings from CGM devices
• Nutrition Data: Food logs, macronutrients, calorie intake

1.3 Automatically Collected Information

• Device Information: Browser type, operating system, device identifiers
• Usage Data: Pages visited, features used, timestamps
• Log Data: IP address, access times, referring URLs

2. How We Use Your Information

• Provide, maintain, and improve the Service
• Analyze your health data and generate personalized insights
• Power AI-driven recommendations and the chat assistant
• Sync data from connected third-party services
• Send you notifications about your health data and account
• Respond to your inquiries and provide customer support
• Detect, prevent, and address technical issues and security threats
• Comply with legal obligations

3. How We Share Your Information

We do not sell your personal information or health data. We may share your information:

• Service Providers: With vendors who help us operate the Service, bound by confidentiality agreements
• Connected Services: With third-party services you choose to connect
• Legal Requirements: When required by law, legal process, or government request
• Safety: To protect the rights, property, or safety of SynthVitals, our users, or others
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• Aggregated Data: We may share anonymized, aggregated data that cannot identify you

4. AI-Powered Data Processing

SynthVitals uses artificial intelligence to provide personalized health insights. With your explicit consent, the following data may be sent to our AI service for processing:

• Health questions and conversation messages you send to the Synthia AI assistant
• Relevant health metrics (activity, sleep, vitals, lab results) needed to generate contextual responses
• Food images for nutritional analysis (food recognition feature)
• Lab documents for automated data extraction

4.1 AI Service Provider

AI processing is performed by Amazon Web Services (AWS) Bedrock, which hosts the Claude language model by Anthropic. Our use of AWS Bedrock is covered under a HIPAA Business Associate Agreement (BAA), ensuring your health data receives the same level of protection required for protected health information.

4.2 Data Handling

• Encryption: All data sent to AWS Bedrock is encrypted in transit (TLS 1.2+) and at rest
• No Model Training: Your data is never used to train or improve AI models
• No Retention: AWS Bedrock does not retain your data after processing your request
• Regional Processing: Data is processed within AWS's US infrastructure

4.3 Consent

AI data processing requires your explicit opt-in consent, which you can grant during onboarding or in Settings. You may revoke consent at any time in your account settings, which will disable AI-powered features (chat, insights, food recognition, and AI recommendations) but will not affect other SynthVitals functionality.

5. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption of data in transit (TLS/HTTPS) and at rest (AES-256)
• Secure authentication and access controls
• Regular security assessments and monitoring
• Employee training on data protection

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. After account deletion, we may retain certain data for legal compliance, fraud prevention, and backup purposes for a limited time.

7. Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data
• Portability: Request your data in a portable format
• Opt-Out: Opt out of marketing communications
• Withdraw Consent: Withdraw consent for data processing

To exercise these rights, contact us at privacy@synthvitals.com.

8. California Residents (CCPA/CPRA)

California residents have additional rights including the right to know, delete, correct, and opt-out of sale/sharing. We do not sell your personal information. To submit a request, email privacy@synthvitals.com with "California Privacy Request" in the subject line.

9. Washington Residents

Washington residents have specific rights under the My Health My Data Act. Please see our Consumer Health Data Privacy Policy for detailed information.

10. International Users (GDPR)

If you are located in the EEA, UK, or Switzerland, you have rights under GDPR including access, rectification, erasure, restriction, portability, and the right to lodge a complaint with a supervisory authority.

11. Children's Privacy

SynthVitals is not intended for users under 18 years of age. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service.

13. Contact Us

Last Updated: March 10, 2026