Privacy

Your health data stays yours.

We collect only what Vyra needs to work — and we never sell it or use it to train AI models.

Last updated June 2026

The short version. Your health data is encrypted in transit and at rest, never sold or shared with advertisers, and never used to train foundation models. You can export or delete it at any time.

Who we are

Vyra is operated by Vyra Health, Inc., a Delaware corporation (in formation) (“Vyra,” “we,” “us”). We are the controller of the personal data described here. For any privacy question or request, email [email protected].


What we collect

  • Account and authentication — your email address and the sign-in details needed to secure your account. We use passwordless sign-in (Google, Apple, or a one-time email code), so we never store a password.
  • Data you add — meals, hydration, weight, and the notes you choose to log or upload. Many people only ever log food.
  • Food photos — if you snap a meal, the image is stored in Amazon Web Services (AWS) S3, encrypted with a customer-managed key (SSE-KMS), under a per-user prefix.
  • Device-platform health (stays on your device) — when you connect Apple HealthKit or Android Health Connect, the raw values stay on your device. Only a derived signal (for example, “weight goal hit today”) is sent to us — never the underlying readings.
  • Purchases and subscription entitlements — whether you have an active subscription, handled through RevenueCat. Your card details never touch our servers.
  • Usage and analytics events — privacy-safe, health-free product events that help us understand which features work and keep Vyra reliable.
  • Crash diagnostics — error and crash reports, scrubbed of health data, so we can fix problems.

We do not buy health data about you from third parties.


How we use it

  • Provide the core service: splitting your meals into macros, computing nutrition targets, and showing your trends.
  • Generate AI insights from your meal logs and trends so you can see what’s working.
  • Maintain security, prevent abuse, and improve reliability.
  • Send you essential service messages (and, only with your consent, product updates).

Who processes your data (sub-processors)

We use a small set of vetted service providers to run Vyra. None of them receives your raw health data — analytics and crash tools get only health-free events, hashed identifiers, and scrubbed error contexts. Each operates under a data-processing agreement.

  • AWS (RDS, S3, Bedrock, KMS) — our primary data plane, where your account and health data live, encrypted. Region us-east-1.
  • AWS Bedrock (Claude) — runs the AI that recognizes food and reads documents. Configured for zero retention and no training: your inputs are not retained by the model provider or used to train models.
  • PostHog Cloud EU (Frankfurt) — product analytics. Health-free events only, with hashed user IDs. This website also uses PostHog for privacy-friendly, cookieless analytics — aggregate page-visit counts only, with no cookies, no tracking across sites, and no personal data, so no cookie banner is needed.
  • Sentry Cloud EU (Frankfurt) — crash and error monitoring. A beforeSend step scrubs health data, and user IDs are hashed.
  • RevenueCat (US) — subscription entitlements. No health data, and card details never touch our servers.
  • Cloudflare — serves this site and forwards waitlist email. No health data.

Data residency and international transfers

Your data is hosted in the United States, in the AWS us-east-1 region. If you are in the EU, UK, or another country without a dedicated Vyra region, your data is currently processed in the US under Standard Contractual Clauses, with GDPR-grade disclosure and protections. Our storage region is a single configurable value, so we can host in additional regions as we expand.


How AI processing works

Vyra uses AI to turn your data into specific, practical insights. Your inputs are processed to produce your results only. The AI is configured for zero retention and no training — we do not use your health data to train foundation models, and we do not share it with model providers for their own training.

AI outputs are informational only. They are never a diagnosis, treatment, or prescription. Vyra organizes and visualizes your data so that you can see patterns and discuss them with your clinician — it never tells you what is wrong or what to do.


What we never do

  • Sell your personal or health data.
  • Share it with advertisers or data brokers.
  • Use your health data to train AI models.

Security

Data is encrypted in transit (TLS) and at rest with a customer-managed encryption key (KMS). Each user’s data is isolated at the database level. Access is limited to the people and systems that need it to operate the service, protected by authentication and audit controls. We do not write your health data to our logs, analytics, or crash reports.


Your rights

You can access, correct, export, or permanently delete your data from within the app, or by emailing [email protected]. Depending on where you live, you may have additional rights:

  • EU / UK (GDPR / UK GDPR). You have the right to access, rectify, erase, and port your data, to object to or restrict processing, to withdraw consent, and to lodge a complaint with your supervisory authority.
  • California (CCPA / CPRA). You have the right to know, delete, and correct your personal information, and to opt out of its sale or sharing. We do not sell or share your personal information.
  • Washington (My Health My Data Act). You have the right to access and delete your consumer health data and to withdraw consent. We do not sell your health data.
  • UAE residents. You may exercise access, correction, and deletion rights consistent with applicable UAE data-protection law; contact us using the email above.

We honor these requests and will not discriminate against you for exercising them.


Retention

We keep your data while your account is active. When you delete your account, we delete your personal and health data within a reasonable period, except where we must retain limited records to meet legal obligations.


Children

Vyra is built for adults and is not intended for anyone under 18. We do not knowingly collect data from anyone under 18.


Changes

If we make a material change to this policy, we’ll notify you in the app or by email before it takes effect.


Contact

Questions about privacy? Email [email protected]. This policy is governed by the laws of the State of Delaware, United States, with the regional rights described above for EU/UK, California, Washington, and UAE residents.