Privacy policy

1. Introduction

Vitros is a health and wellness platform operated by Crow and Raven Inc. ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

This policy applies to all information collected through our website, mobile applications, and related services (collectively, the "Service"). By using our Service, you consent to the data practices described in this policy.

Effective Date: October 1, 2025
Company: Crow and Raven Inc., Boulder, CO

2. Information we collect

2.1 Personal identifiers

We collect the following personal identifiers to provide authentication and personalize your experience:

• Account information: Name, email address, account credentials, and profile information
• Contact information: Email address for communications and account recovery
• Demographic information: Age, gender (optional, for personalized insights)

Use: Authentication, account management, and personalized content delivery. This information is never shared with third parties for marketing purposes.

2.2 Commercial information

We collect payment and subscription information to process your purchases:

• Payment information: Credit card details (processed securely by Stripe)
• Purchase history: Subscription tier, billing history, and transaction records

Use: Account and financial purposes only. Payment card details are handled exclusively by Stripe and never stored on our servers.

2.3 Health and wellness data (sensitive personal information)

With your explicit consent, we collect health-related information to provide personalized insights:

• Activity tracking: Steps, exercise, sleep patterns, and daily routines
• Biometric data: Heart rate, weight, blood pressure (if provided)
• Nutrition information: Dietary habits and preferences
• Mental wellness: Mood tracking, journal entries, and wellness notes
• Health goals: Personal objectives and progress tracking
• Connected devices: Data from third-party health apps and wearables (with your permission)

Use: Providing personalized health insights, tracking your progress, and improving Service features. This sensitive information is never sold or shared with third parties. You have the right to limit our use of this information beyond what is necessary to provide the Service.

2.4 Internet activity and usage data

We automatically collect technical information to improve the app and user experience:

• Device information: Device type, operating system, browser type
• Usage data: Features used, time spent in app, user interactions
• Log data: IP address, access times, error logs
• Cookies: Authentication cookies and essential functionality cookies

Use: Tracked within the app to improve user experience, troubleshoot issues, and optimize performance. This data is not shared with third parties except as described in Section 4.

2.5 Geolocation data (optional)

With your explicit permission, we may collect location data:

• Precise location: GPS coordinates (only if you enable location services)
• Approximate location: City/region based on IP address

Use: Location data is used only to enhance your experience (e.g., local recommendations) and is never shared outside the app. You can disable location tracking at any time through your device settings.

3. How we use your information

We use the information we collect for the following specific purposes:

• Service delivery: Provide, maintain, and improve our Service features and functionality
• Personalization: Generate personalized health insights, recommendations, and content based on your activity and preferences
• Progress tracking: Track your progress toward health and wellness goals
• Communications: Send you important updates, notifications, and respond to your inquiries
• Customer support: Provide technical support and respond to your questions
• Research and analytics: Conduct anonymized research and analytics to improve our algorithms and Service (no personally identifiable information)
• Security: Ensure security, prevent fraud, and protect user accounts
• Legal compliance: Comply with legal obligations and enforce our terms

We will never use your health information for marketing purposes without your explicit consent.

4. Information sharing and disclosure

4.1 Service providers

We share limited information with trusted service providers who help us operate our Service:

• Cloud infrastructure: Vercel (for web hosting, data storage, and computing)
• Payment processing: Stripe (for secure payment handling - they never share your payment details with us)
• Analytics: Google Analytics and New Relic (anonymized usage data for app performance monitoring)
• Email communications: Resend (to send you service notifications and updates)

All service providers are bound by strict confidentiality agreements and are prohibited from using your data for any purpose other than providing services to us. They do not have access to your health and wellness data.

4.2 Marketing and advertising (sharing under CCPA)

For marketing purposes only, we may share limited, non-sensitive information:

• Email addresses: Shared with advertising platforms (Facebook, Instagram, LinkedIn, TikTok) for custom audience targeting and remarketing
• Anonymous identifiers: IP addresses and device IDs may be shared with analytics and advertising services

Important: We only share identifiers (email addresses, IP addresses, device IDs) for remarketing purposes. We never share:

• Your health and wellness data
• Journal entries or personal notes
• Biometric information
• Location data
• Any sensitive personal information

Under California law (CCPA/CPRA), this sharing of identifiers for advertising purposes may be considered "sharing" even though no money changes hands. You have the right to opt out of this sharing at any time. See Section 6 for details on exercising your privacy rights.

4.3 AI Processing Providers

To provide summaries, reflections, transcription, and other AI-powered features, Vitros securely transmits user-generated content (such as journal entries, activity descriptions, prompt responses, and optional audio recordings) to trusted third-party AI service providers, including OpenAI, LLC and/or Anthropic PBC.

These providers process the data solely to generate responses and insights within Vitros. They do not use your data for advertising and do not use your data to train their models.

Data is transmitted securely and processed only as necessary to provide app functionality. We do not grant AI providers access to your account information beyond what is required to fulfill your request.

4.4 Other sharing circumstances

• With your consent: When you explicitly authorize us to share information with healthcare providers, family members, or other third parties
• Legal requirements: When required by law, court order, subpoena, or government request
• Safety and security: To protect the rights, property, or safety of Vitros, our users, or others from harm
• Business transfers: In connection with a merger, acquisition, or sale of assets (your data will continue to be protected under this privacy policy)

5. Data security

We implement comprehensive security measures to protect your information:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access controls: Strict role-based access controls and multi-factor authentication
• Regular audits: Ongoing security assessments and penetration testing
• Data centers: SOC 2 Type II certified data centers with 24/7 monitoring
• Employee training: Regular privacy and security training for all staff
• Incident response: Comprehensive breach response and notification procedures

While we strive to protect your information, no method of transmission over the internet is 100% secure. We encourage you to use strong passwords and keep your account credentials confidential.

6. Your privacy rights

You have the following rights regarding your personal information:

6.1 General privacy rights

• Right to access: Request a copy of your personal information
• Right to correction: Update or correct inaccurate information
• Right to deletion: Request deletion of your personal information
• Right to portability: Export your data in a machine-readable format (JSON or CSV)
• Right to restriction: Limit how we process your information
• Right to object: Object to certain types of processing
• Right to withdraw consent: Withdraw consent for data processing at any time

6.2 California residents (CCPA/CPRA rights)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know: Request information about the categories and specific pieces of personal information we collect, use, disclose, or sell
• Right to delete: Request deletion of your personal information (with certain exceptions)
• Right to correct: Request correction of inaccurate personal information
• Right to opt out: Opt out of the sale or sharing of your personal information for advertising purposes
• Right to limit: Limit the use and disclosure of sensitive personal information beyond what is necessary to provide our Service
• Right to non-discrimination: Not be discriminated against for exercising your privacy rights

6.3 How to exercise your rights

To exercise any of your privacy rights:

• Email: support@vitros.app (for general inquiries and support)
• Privacy requests: hello@vitros.app (for privacy-specific requests)
• Phone: Available upon request for California residents
• Account settings: Manage many preferences directly in your app settings
• Mail: Crow and Raven Inc., Attn: Privacy Officer, 630 Cree Cir, Boulder, CO 80303 USA

We will respond to your request within 45 days. For GDPR requests, we will respond within 30 days. If we need additional time, we will notify you and explain the reason for the delay.

6.4 Non-discrimination

We will not discriminate against you for exercising any of your privacy rights. We will not:

• Deny goods or services to you
• Charge different prices or rates for goods or services
• Provide a different level or quality of goods or services
• Suggest that you will receive a different price or quality of services

7. Data retention

We retain your information for as long as necessary to provide our Service and fulfill the purposes outlined in this policy. Here are our retention periods by data category:

• Account information: Retained while your account is active and for 3 years after account deletion (for legal and business purposes)
• Health and wellness data: Retained according to your preferences. You can request immediate deletion at any time through your account settings
• Payment and billing data: Retained for 7 years after your last transaction (for tax and accounting purposes)
• Usage and analytics data: Raw logs retained for 90 days; aggregated and anonymized data may be retained indefinitely for research
• Support communications: Retained for 3 years after your last interaction with our support team
• Marketing email lists: Retained until you unsubscribe or request deletion
• Legal requirements: Some data may be retained longer to comply with legal obligations, resolve disputes, or enforce our terms

You can request deletion of your data at any time through your account settings or by contacting us at hello@vitros.app. We will process deletion requests within 30 days.

Note: Even after deletion, anonymized data used for research and analytics may be retained indefinitely as it cannot be linked back to you.

8. International data transfers

Your information may be transferred to and processed in countries other than your own, including the United States. We ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for countries with equivalent privacy protections
• Certification schemes and codes of conduct
• Additional safeguards as required by applicable law (GDPR, etc.)

9. Children's privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@vitros.app and we will delete the information.

For users between 13 and 18, we require parental or guardian consent before collecting any health or sensitive information.

10. Changes to this privacy policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the updated policy on our website with a new "Last Updated" date
• Sending you an email notification to the address associated with your account
• Displaying a prominent notice in our Service or mobile app

We encourage you to review this privacy policy periodically. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.

For significant changes that materially affect your rights, we may require your explicit consent before the changes take effect.