Privacy Policy
Effective Date: March 10, 2026
1. Overview
This Privacy Policy describes how Vaunted Labs LLC ("Company," "we," "us," or "our") collects, uses, and safeguards information when you interact with our Services. Vaunted Labs LLC is a limited liability company organized under the laws of the State of Delaware, United States.
This policy applies to the website at vauntedlabsllc.com and all mobile applications published under our Apple App Store developer account (collectively, the "Services"). By accessing or using any of our Services, you acknowledge and agree to the practices described in this policy.
Vaunted Labs LLC
254 Chapman Rd, Ste 208 #26689
Newark, Delaware 19702, United States
Email: admin@vauntedlabsllc.com
2. Information We Collect
We collect the following categories of information when you use our Services:
A) Account & Identity Data
- Email address (required for account creation via Supabase authentication)
- User ID (unique identifier generated by Supabase)
B) Health & Fitness Data (Special Category)
- Body metrics: weight, height, age
- Fitness objectives: weight loss, muscle gain, maintenance
- Physical activity level
- Dietary restrictions and food preferences
- Calculated nutritional targets: calories, proteins, carbohydrates, fats (macronutrients)
Sensitive Data Notice
Health and fitness data is classified as a sensitive category. This data is never sold to third parties, never used for advertising, and is processed solely to deliver core application functionality. See Section 6 for full details.
C) Device & Technical Data
- Device type, operating system, and app version
- IDFA (iOS Identifier for Advertisers) — collected only with explicit user consent via Apple's App Tracking Transparency (ATT) framework
- GAID (Google Advertising ID) — where applicable, with user consent
- Unique device identifiers
D) Usage & Behavioral Data
Features used, screens visited, session duration, in-app interactions and events (collected via PostHog analytics).
E) Purchase & Subscription Data
Subscription status, purchase history, transaction identifiers, and renewal dates (managed via RevenueCat and Apple/Google payment systems).
F) Crash & Performance Data
Error logs, stack traces, device state at time of crash, and application version (collected via Sentry).
G) Push Notification Tokens
Device tokens for sending meal reminders and application notifications (managed via OneSignal).
H) Marketing Attribution Data
Install source, campaign name, referral channel, and aggregated usage metrics (collected via Tenjin). Collection of IDFA-based attribution requires your prior consent through Apple's ATT framework.
I) AI Generation Parameters
Anonymized nutritional parameters sent to OpenAI API for meal plan generation. No directly identifiable personal data (name, email, user ID) is transmitted to OpenAI — only aggregated dietary preferences, macronutrient targets, and caloric goals.
J) Payment Data
Not collected directly. All payment processing is handled exclusively by Apple (App Store) or Google (Play Store). We do not collect or store payment card information.
3. How We Use Your Data
Information we collect is used for the following purposes:
- Provide and personalize core application features (meal plans, nutritional tracking, fitness recommendations).
- Calculate nutritional needs and generate AI-powered meal plans.
- Manage subscriptions and in-app purchases via RevenueCat.
- Send push notifications such as meal reminders and service updates (with your consent).
- Analyze usage patterns to improve the product experience (PostHog).
- Monitor, diagnose, and fix crashes and errors (Sentry).
- Measure marketing campaign effectiveness and attribution (Tenjin).
- Respond to support requests and inquiries.
- Comply with legal and regulatory obligations.
4. App Tracking Transparency (ATT) — iOS
Our iOS applications use Tenjin for mobile attribution analytics. Tenjin uses the IDFA (Identifier for Advertisers) to measure the effectiveness of marketing campaigns and attribute app installations to their source.
- On iOS 14.5 and later, our application requests explicit user consent via Apple's native App Tracking Transparency prompt before any IDFA collection occurs.
- If you grant permission, your IDFA will be used solely for install attribution and campaign measurement — never for cross-app advertising or behavioral targeting.
- If you deny permission, no IDFA-based tracking will occur. Only aggregated, anonymous attribution data will be collected.
- You can change your preference at any time via Settings > Privacy & Security > Tracking on your device.
- We do not serve third-party advertisements in our applications.
5. Third-Party Service Providers
We share data with the following third-party processors, each operating under their own privacy policies and data processing agreements:
Supabase Inc.
Database, Authentication & File Storage
Data shared: Email, user ID, health/fitness data, meal plans, dietary preferences
RevenueCat Inc.
Subscription & In-App Purchase Management
Data shared: User ID, subscription status, purchase history, transaction IDs, device info
PostHog Inc.
Product Analytics & Feature Flags
Data shared: User ID, device ID, usage events, feature interactions, session data
Tenjin Inc.
Mobile Attribution & Campaign Measurement
Data shared: Device ID, IDFA/GAID (with consent), install source, campaign data, aggregated usage metrics
Requires App Tracking Transparency consent on iOS 14.5+
Superwall Inc.
Paywall Management & A/B Testing
Data shared: Device ID, subscription status, paywall interaction events
Functional Software Inc. (Sentry)
Error Monitoring & Crash Reporting
Data shared: Crash logs, stack traces, device state, app version, anonymized user context
OneSignal Inc.
Push Notification Delivery
Data shared: Push notification tokens, device info, notification interaction data
OpenAI LLC
AI-Powered Content Generation (Meal Plans)
Data shared: Anonymized nutritional parameters only. No name, email, or directly identifiable data is transmitted.
We do not sell your personal information to any third party. Data is shared with the providers listed above solely for the purposes of operating, maintaining, and improving our Services.
6. Health Data — Special Protections
Health and fitness data (weight, height, age, fitness goals, dietary information, calculated macronutrients and calories) constitutes a special category of sensitive personal data. We are committed to the highest standard of protection for this data.
Our commitments regarding your health data:
- Never sold to any third party, under any circumstance.
- Never used for advertising targeting by any party.
- Never shared with insurers, employers, or government entities (except where required by court order or applicable law).
- Processed solely to deliver core application functionality (personalized meal plans and fitness recommendations).
- Encrypted in transit (TLS 1.3) and at rest (via Supabase infrastructure encryption).
- You can delete all health data at any time by deleting your account in-app or by contacting us.
7. International Data Transfers
All third-party service providers listed in Section 5 are based in the United States. Data is primarily processed and stored on servers located within the United States.
For users located in the European Union or European Economic Area (EU/EEA), personal data transferred to US-based service providers is protected by:
- The EU-U.S. Data Privacy Framework (DPF) for certified providers.
- Standard Contractual Clauses (SCCs) adopted by the European Commission for other providers.
You may request a copy of the applicable transfer safeguards by emailing admin@vauntedlabsllc.com.
8. Data Retention
We retain data only for as long as necessary to fulfill the purposes described in this policy. Specific retention periods by data category:
| Data Category | Retention Period |
|---|---|
| Account data (email, profile) | Active account duration + 30 days after deletion request |
| Health & fitness data | Active account duration; deleted within 30 days of account deletion |
| Subscription data | Duration of relationship + as required by applicable tax/financial regulations |
| Analytics data (PostHog) | 24 months rolling, then deleted |
| Attribution data (Tenjin) | 24 months maximum |
| Crash data (Sentry) | 90 days |
| Push tokens (OneSignal) | Until notification opt-out or account deletion |
| Support communications | 12 months after resolution |
9. Your Rights
For EU/EEA Users (GDPR)
- Right of access (Art. 15) — obtain a copy of your personal data.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your personal data.
- Right to restriction (Art. 18) — request limited processing under certain conditions.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to withdraw consent — at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint — with your local supervisory authority (e.g., CNIL in France, ICO in the UK, BfDI in Germany).
For California Residents (CCPA)
- Right to know — what personal information is collected, used, and shared.
- Right to know if data is sold or disclosed — we do not sell personal information.
- Right to delete — request deletion of your personal information.
- Right to opt-out of sale — not applicable (we do not sell personal data).
- Right to non-discrimination — equal service regardless of privacy choices.
For All Users
- Account deletion — available in-app via Profile > Delete Account, or by emailing admin@vauntedlabsllc.com.
All requests will be processed within 30 days. To submit a request, email admin@vauntedlabsllc.com with the subject line "Privacy Request."
10. Children's Privacy
Our Services are not intended for individuals under the age of 13. Our applications are rated 13+ on the Apple App Store. We do not knowingly collect personal information from children under 13.
If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at admin@vauntedlabsllc.com and we will take prompt steps to delete such information.
11. Security Measures
We implement industry-standard technical and organizational measures to protect your data, including:
- TLS 1.3 encryption for all data in transit.
- Encryption at rest for sensitive data (Supabase managed infrastructure).
- Supabase Row-Level Security (RLS) policies ensuring users can only access their own data.
- Principle of least privilege for all data access across internal systems.
- Regular monitoring and alerting via Sentry.
- RevenueCat PCI-compliant payment data handling.
- No direct storage of payment card information.
While no system can guarantee absolute security, we take reasonable and appropriate precautions to safeguard your data against unauthorized access, alteration, disclosure, or destruction.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or an in-app notification before the changes take effect. The Effective Date at the top of this page will be revised accordingly. Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated policy.
13. Contact
If you have questions, concerns, or wish to exercise your privacy rights, please contact us:
Vaunted Labs LLC
Email: admin@vauntedlabsllc.com
254 Chapman Rd, Ste 208 #26689
Newark, Delaware 19702, United States
For EU/EEA-related inquiries, please include "GDPR Request" in the subject line. For California-related inquiries, please include "CCPA Request" in the subject line.