Privacy Notice
Last updated: 18 July 2026
1. Who we are
This app ("My Vitals Log", the "App") is operated by Vaise Patu ("we", "us", "our"), the seller and data controller responsible for your personal data. You can reach us at the contact details provided in the App or via the support links on this site.
2. Personal data we collect
- Account data: email address, display name, password hash, authentication provider IDs (e.g. Google sign-in).
- Health log data you enter: blood pressure, temperature, weight, notes, timestamps.
- Uploaded clinical reports: images you upload and the extracted text / AI-generated summaries.
- Voice input (if used): short audio captured on your device and transcribed to text. Audio is processed for transcription only and is not retained after transcription.
- Subscription & order data: subscription status, plan, billing period (we do not see or store your card details).
- Technical data: IP address, device/browser identifiers, basic usage logs, error logs.
3. Purposes and legal bases
- Provide the App (account creation, storing your logs, generating summaries) — performance of a contract.
- Process payments and manage subscriptions — performance of a contract.
- Security, fraud prevention, and abuse detection — legitimate interests.
- Improve the App and fix bugs — legitimate interests.
- Comply with legal obligations (tax, accounting, lawful requests) — legal obligation.
- Marketing communications (only if you opt in) — consent.
4. How we store and secure your data
All data is stored encrypted at rest. Row-level security ensures only you can access your own records. Uploaded report images are stored in a private bucket and only accessible through short-lived signed URLs. We apply appropriate technical and organisational measures including encryption in transit (HTTPS), access controls, and audit logging.
5. AI processing
When you upload a report or use voice input, the content is sent to a hosted AI provider acting as our processor for the sole purpose of text extraction, transcription, and summarization. We do not use your data to train AI models.
6. Who we share your data with
- Paddle.com Market Limited ("Paddle") — our Merchant of Record. Paddle processes all payments, manages subscriptions, calculates and remits sales tax/VAT/consumption tax, and issues invoices and refunds. For order-related data, Paddle acts as an independent data controller under its own privacy policy: paddle.com/legal/privacy.
- Cloud hosting & database provider (processor) — stores your account and health data on our behalf.
- AI provider (processor) — performs text extraction, transcription, and summarization.
- Email/authentication providers (processors) — for sign-in, password reset, and transactional emails.
- Professional advisers (accountants, lawyers) where reasonably necessary.
- Authorities where required by law.
We do not sell your personal data.
7. International transfers
Some of our processors may be located outside your country of residence (including outside Japan). Where this is the case, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions, where applicable. For users in Japan, transfers to third countries are made in accordance with the Act on the Protection of Personal Information (APPI / 個人情報保護法).
8. Data retention
We retain your account and health data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to retain certain records (e.g. transaction and tax records) for up to 7 years to comply with legal obligations. Backups are rotated on a 30-day cycle.
9. Your rights
Depending on where you live, you may have the right to: access your data, correct it, delete it, restrict or object to processing, request portability, and withdraw consent at any time. You can exercise most of these rights yourself from the Settings page (export as CSV, delete records, delete your account). For anything else, contact us. You also have the right to lodge a complaint with your local data protection authority (in Japan: the Personal Information Protection Commission, PPC / 個人情報保護委員会).
10. Cookies
We use only essential cookies and local storage required to keep you signed in and remember your language preference. We do not use advertising or third-party tracking cookies.
11. Children
The App is not directed to children under the age of 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it.
12. Changes to this notice
We may update this Privacy Notice from time to time. Material changes will be communicated through the App or by email.