Legal

Privacy policy

VitaZAlert continuously analyses heart-rhythm signals from your wearable to detect possible cardiac events and warn the people who can act in time. This policy explains what we collect to do that, who we share it with, how long we keep it, and the rights you have over your data.

Last updated: 4 May 2026.

Who we are

VitaZAlert (“VitaZAlert”, “we”, “our”) operates the VitaZAlert mobile and web application and the partner dashboards used by caregivers, clinicians, and participating insurers. We act as the data controller for personal data you provide directly to the consumer app. When VitaZAlert is delivered as part of an insurer or employer-sponsored programme, that organisation may act as a joint controller for the parts of the experience they fund and configure; the relevant programme owner is named in the consent screen you accepted during enrolment.

Scope of this policy

This policy covers the VitaZAlert mobile applications, the web portal, the marketing website at vitazalert.com, the partner dashboards used by caregivers and insurers, and any direct communications we send you about the service. It does not cover the wearable manufacturer’s own privacy practices, your caregiver’s personal use of an alert once it has been delivered to them, or third-party emergency services we may notify on your behalf.

What we collect

To monitor your heart safely and send timely alerts to the right people, we collect the following categories of data. Optional items are clearly marked; everything else is required for the core monitoring service to work.

  • Account & identity. Name, email address, phone number, password (which we store only as a hash), date of birth, and the language and country you select. Used to create and secure your account and to comply with health-data regulations that depend on your jurisdiction.
  • Health profile. Self-reported information you choose to provide — for example weight, height, sex, relevant medical history (such as prior arrhythmia, hypertension, or implanted cardiac devices), current medications, and known allergies. This calibrates detection thresholds and helps avoid false alarms.
  • Wearable cardiac signals. Heart rate, heart-rate variability, single-lead ECG segments where supported, blood oxygen saturation (SpO₂), respiratory rate, skin temperature, motion and accelerometer data, and sleep stages, streamed continuously or in batches from your paired device. This is the data our detection models analyse to identify potential cardiac events such as suspected atrial fibrillation, sustained tachy- or bradycardia, ECG morphology anomalies, and falls.
  • Detection outputs & alert history. Each evaluation produces a record containing the rule or model that fired, the underlying biometric values at that moment, a confidence score, the UTC timestamp, the alert severity, the channels we attempted (push, SMS, voice call, email), the delivery state on each channel, and any acknowledgement from a caregiver or clinician.
  • Caregiver & emergency-contact details. The names, phone numbers, and email addresses of people you nominate to receive alerts, together with the relationship, priority order, and the categories of alert each contact should receive. Please obtain their consent before adding them.
  • Approximate & precise location (optional, alert-time only). When you enable emergency-location sharing, we capture your approximate or precise coordinates at the moment a high-severity alert is generated, so caregivers and emergency services can reach you. We do not track your location continuously.
  • Device & technical data. Device model, operating system version, app version, paired-wearable model and firmware, IP address, crash and diagnostic logs, and pseudonymous identifiers used for security and abuse prevention.
  • Insurance programme data (if enrolled). Member identifier, plan or cohort code, programme start and end dates, and the engagement metrics defined by your programme (such as wear time and alert acknowledgement rate). We never share raw biometric streams with insurers — see “Sharing” below.
  • Support & communications. Messages you send to [email protected] or [email protected], feedback you submit in-app, and our responses.
  • Website analytics. When you visit vitazalert.com we receive standard request data (IP, user agent, referrer) and Google Analytics measurement data via the G-HCVX8FYMLW property. See “Cookies and analytics on the marketing website” below.

How we use your data

  • Run the continuous detection pipeline that turns wearable signals into a risk assessment and, where warranted, an alert.
  • Notify the caregivers, clinicians, and emergency contacts you have nominated through the channels and priority order you have set.
  • Tune detection thresholds to your personal baseline so that alerts are timely without being noisy.
  • Show you and your caregivers a history of alerts and acknowledgements so the events can be reviewed and discussed with a clinician.
  • Operate the insurer-facing programme for which you enrolled, using only the de-identified or aggregated metrics defined in your consent.
  • Keep the service secure: detect abuse, prevent fraudulent account takeover, investigate incidents, and meet our legal obligations.
  • Improve our detection models, with two strict guardrails: (1) we use de-identified data by default, and (2) any use of identifiable health data for model improvement requires your separate, explicit opt-in, which you can withdraw at any time.
  • Send you transactional messages about your account, alerts, and meaningful changes to the service. We do not sell your data and we do not use your health information for advertising.

Legal bases for processing

Where the GDPR or comparable laws apply, we rely on the following legal bases:

  • Explicit consent (Art. 6(1)(a) and 9(2)(a)) for the processing of your health and biometric data, for sharing it with caregivers and insurers, and for optional features such as emergency-location sharing or research opt-in. You can withdraw this consent at any time (see “Your rights and choices”).
  • Performance of a contract (Art. 6(1)(b)) with you, to deliver the monitoring service you signed up for.
  • Vital interests (Art. 6(1)(d) and, where you are physically or legally incapable of giving consent, Art. 9(2)(c)) when we deliver a high-severity alert to an emergency contact or emergency service to protect your life or that of another person.
  • Legitimate interests (Art. 6(1)(f)) for security monitoring, fraud prevention, and de-identified service-improvement analytics, balanced against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)) where we must retain or disclose data to comply with applicable law.

Where Nigerian law applies to a deployment, we rely on the equivalent lawful bases under the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation (NDPR), and we register the relevant processing activities with the Nigeria Data Protection Commission where that is required.

Who we share data with

We share the minimum amount of data necessary, with named categories of recipients, and only with your explicit consent or another lawful basis described above.

  • Caregivers and emergency contacts you nominate. They receive alert notifications and the contextual information you have authorised: alert severity, suspected event type, timestamp, your name, and — when you enable location-sharing — your location at the moment of the alert. They do not receive your continuous biometric stream.
  • Clinicians you connect to your account. If you link a treating clinician, they can review the alert history and the underlying signals you grant them access to. You can revoke this access at any time.
  • Emergency services. When you trigger an emergency or a high-severity event meets the criteria you have configured, we may transmit your name, contact details, and alert details to local emergency services.
  • Participating insurers and employer programmes. If you are enrolled in a sponsored programme, the sponsor receives only the metrics defined in your consent — typically de-identified cohort statistics, wear time, programme-engagement indicators, and adverse-event counts. Insurers do not receive raw ECG or heart-rate streams, and we do not allow them to use VitaZAlert data for underwriting decisions that disadvantage you.
  • Service providers (processors). Cloud hosting, data storage, push notification delivery, SMS and voice gateways, email delivery, error-tracking, customer support tooling, and analytics. These providers act on our written instructions under data-processing agreements that meet the requirements of the GDPR and other applicable laws.
  • Professional advisers and authorities. Auditors, our own business insurers, and legal counsel, each under confidentiality obligations; and regulators or law-enforcement bodies where we are legally compelled to disclose.
  • Successors. If VitaZAlert is involved in a merger, acquisition, or asset sale, your data may transfer to the successor entity. The successor remains bound by this policy, or we will send you notice of a replacement policy that offers at least equivalent protections.

We do not sell personal information, we do not share health data with advertising networks, and we do not use your data to train third-party AI models.

International data transfers

We host data in regional facilities aligned with the deployment you are part of (for example EU data stays in the EU; Nigerian data stays in country where required). Where data must cross borders, for example to reach a caregiver abroad or to use a global support tool, we rely on Standard Contractual Clauses, adequacy decisions, or equivalent safeguards, and we apply additional technical measures such as encryption in transit and pseudonymisation of the transferred data.

Data retention

  • Continuous wearable signals are retained in full resolution for ninety days and in down-sampled form for up to twenty-four months, so that clinicians and you can review context around past events.
  • Alert logs — UTC timestamps, triggered rules, biometric values at the time of evaluation, per-channel delivery states, and caregiver acknowledgements — are retained for twelve months unless a longer period is required by your regulator or by your insurer programme contract.
  • Account records are retained for the life of your account and for up to twenty-four months afterwards to handle disputes, fraud investigations, and audit obligations.
  • De-identified data used for service improvement and statistical reporting may be kept indefinitely once it can no longer be linked back to you.
  • Marketing-website analytics follow the retention windows configured for the Google Analytics property.

How we protect your data

  • TLS 1.3 for all traffic between the app or dashboards and our servers, and AES-256 encryption at rest for health telemetry, derived features, and account records. The Bluetooth link between your wearable and your phone is governed by the wearable manufacturer’s own security practices (see “Scope of this policy”).
  • Strict role-based access control, single-sign-on with multi-factor authentication for our staff, and just-in-time elevation for any access to identifiable health data.
  • Pseudonymisation of biometric data in our analytics and model-development environments.
  • Continuous logging, anomaly detection, and a documented incident-response process. If a personal-data breach occurs, we will notify the relevant supervisory authority within the statutory timeline (within 72 hours of becoming aware of it where the GDPR applies) and notify you directly where the breach is likely to result in a high risk to your rights and freedoms.
  • Independent penetration testing and code review of the detection pipeline and partner dashboards on at least an annual cadence.

Your rights and choices

You can exercise the following rights at any time. Most are available as self-service controls inside the app; for the rest, email [email protected] and we will respond within thirty days.

  • Access & portability. Download your alert history, account data, and the wearable data we hold as CSV, PDF, or a structured JSON export, typically within seventy-two hours.
  • Rectification. Correct inaccurate health profile, contact, or caregiver information.
  • Erasure (“right to be forgotten”). Delete your account and the personal data linked to it within thirty days of an authenticated request, subject to legal retention obligations.
  • Restriction & objection. Pause specific processing activities, including model-improvement use, while keeping the core monitoring service running.
  • Withdraw consent. Turn off optional features such as emergency-location sharing, insurer programme participation, or research opt-in. Withdrawing consent does not affect the lawfulness of processing carried out beforehand.
  • Disable monitoring. Pause alert generation at any time from inside the app. We will keep notifying you that monitoring is paused so it cannot be left off accidentally.
  • Lodge a complaint. You can complain to your local data-protection authority: for EU residents, the authority in your country of residence; for users in Nigeria, the Nigeria Data Protection Commission.

Children’s data

VitaZAlert is intended for adults. We do not knowingly create accounts for children under sixteen, and we do not market the service to children. Where the service is offered to a minor as part of a clinical or family-care arrangement, it is enrolled by a parent or legal guardian who provides consent on the child’s behalf and who acts as the primary caregiver in the app.

Cookies and analytics on the marketing website

The marketing website at vitazalert.com uses Google Analytics (property G-HCVX8FYMLW) to understand which pages help people decide to enrol or partner with us. Analytics data is separate from the in-app health data described above. You can opt out at the browser level using Google’s opt-out tools, or by blocking cookies for this site. Strictly necessary cookies that keep the site working are always set; analytics cookies are only set where the law allows or where you have consented through the cookie banner if one is displayed in your jurisdiction.

Automated decisions

Our detection pipeline uses automated rules and machine-learning models to decide when to raise an alert. These decisions support and prompt human action — they are not used to make legal or similarly significant decisions about you, such as insurance underwriting or medical diagnosis. A clinician should always interpret an alert in the context of your clinical history.

Not a medical device

VitaZAlert is not a certified medical device and does not diagnose, treat, cure, or prevent disease. Alerts are risk signals designed to prompt timely conversations with qualified clinicians or, when warranted, emergency services. Do not rely on VitaZAlert as a substitute for medical care.

Changes to this policy

We may update this policy as the service evolves. When we make material changes — for example new categories of data, new sharing recipients, or new retention periods — we will notify you in-app and by email before the change takes effect, so you have a meaningful chance to review or withdraw consent.

Contact us

For privacy questions, data-subject requests, or to reach our data protection officer, email [email protected]. For partnership and pilot enquiries, email [email protected]. For general product questions, [email protected].