Vita — Privacy Policy
Last updated: 8 May 2026 Effective date: 8 May 2026
This Privacy Policy explains how TABA TASARIM İNŞAAT A.Ş. ("the Company", "we", "us") collects, uses, shares, and protects your personal data when you use Vita, our voice and text health-information companion app (the "Service").
Data controller TABA TASARIM İNŞAAT A.Ş. Şehit Şakir Elkovan Cad. No:3, Ataşehir, İstanbul, 34770, Türkiye Trade name (brand): Graviti Labs Privacy contact: [email protected] (subject: "Privacy") KVKK Veri Sorumlusu Sicil No.: [to be assigned upon VERBİS registration completion]
This document is intended to satisfy our transparency obligations under the Türkiye KVKK (Kişisel Verilerin Korunması Kanunu, Law No. 6698), the EU/EEA General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 / UK GDPR, and other applicable privacy laws in markets where the App is offered.
1. Summary at a glance
| Question | Answer |
|---|---|
| Who is the data controller? | TABA TASARIM İNŞAAT A.Ş. |
| What data? | Account info; health-related questions, photos, and PDFs you submit; voice recordings; conversation history; subscription status; device and diagnostic data. |
| Why? | To run the Service, generate answers, persist your conversations, deliver subscription functionality, secure the platform, and comply with law. |
| Do you sell my data? | No. Never. |
| Do you train AI on my data? | No. Not ours, not third parties'. |
| Do you share with third parties? | Only specific processors named in §6, under contractual obligations. |
| How long? | Until you delete it, with a 30-day backup window. Account data is removed within 30 days of account deletion. |
| Where is my data stored? | Primary: Hetzner servers in Germany (EU). Some processing transits via providers in the EU and the United States (see §6). |
| My rights? | Access, rectification, erasure, restriction, portability, objection, and consent withdrawal — see §9. |
| In one tap? | Yes. Settings → Memory & people, or Settings → Support → Other inquiries → Delete account. |
2. Data we collect
2.1 Information you provide directly
| Category | Examples | Why we collect it |
|---|---|---|
| Account identifiers | Email address, display name, hashed password (if email signup), Apple ID identifier, Google ID identifier | To create and authenticate your account |
| Subscription status | Plan tier (Basic/Plus/Family), renewal date, voice-minute balance, transaction history | To deliver paid features |
| Conversation content | Text questions, voice recordings (audio file), uploaded photos, uploaded PDFs, the AI-generated responses | To answer your question and let you review your conversation history |
| Memory entries | Per-person notes you create about yourself or family ("Mom — type-2 diabetes"), allergy notes, chronic-condition notes, attached medical documents | To keep Vita's context consistent across conversations |
| Cohort selection | The life-stage you choose (Pregnancy & Baby, Family Health, Adult, Senior) | To calibrate Vita's tone and guidance |
| Cohort subject | Identifier of the person a conversation is about (you, your child, your parent), if pinned | To inject the right memory context into that conversation |
2.2 Information collected automatically
| Category | Examples | Why |
|---|---|---|
| Device data | Device model, iOS version, app build, locale, time zone, language preference | To deliver the right App version, troubleshoot, and localise |
| Diagnostic and crash data | Crash logs, error events, performance traces (no content of your conversations) | To find and fix bugs |
| Telemetry events | Anonymous events such as "voice turn started", "paywall viewed", "app launched"; no question content | To understand product use and reliability |
| Network metadata | IP address (for security and abuse prevention), HTTP request logs | Security, fraud prevention, debugging |
| Audio session diagnostics (when enabled by you in support flows) | AVAudioSession state, route changes, decoder errors | To diagnose voice playback issues you report |
2.3 Information from third parties
| Source | What | Why |
|---|---|---|
| Apple App Store | Subscription status, transaction id, receipt | To verify entitlement |
| Apple Sign-In | Apple user identifier; email if you choose to share | Authentication |
| Google OAuth | Google user identifier, email | Authentication |
| Firebase Authentication (Google) | Authentication token | Authentication backplane |
2.4 Information we do NOT collect
We do not collect: - Your precise location. - Your contacts list. - Your photo library beyond photos you explicitly attach to a question. - Health data from Apple Health (HealthKit). Vita does not request HealthKit access. - Camera or microphone access except when you explicitly start a voice turn or take a product photo.
3. How we use your data — and the lawful basis
| Purpose | Lawful basis (GDPR / UK GDPR) | Lawful basis (KVKK) |
|---|---|---|
| Answering your questions in real time | Performance of the contract (Art. 6(1)(b)) and explicit consent for special-category health data (Art. 9(2)(a)) | Performance of contract (Art. 5(2)(c)) and explicit consent for sensitive data (Art. 6(2)) |
| Persisting your conversation history | Performance of the contract (Art. 6(1)(b)) | Performance of contract (Art. 5(2)(c)) |
| Maintaining "memory" entries for cross-conversation consistency | Performance of the contract; explicit consent for the health-context elements (allergies, conditions, medications) | Performance of contract; explicit consent for sensitive elements |
| Subscription billing | Performance of the contract; legal obligation for tax records (Art. 6(1)(c)) | Performance of contract; legal obligation |
| Abuse prevention, security, fraud detection | Legitimate interests (Art. 6(1)(f)) | Legitimate interests (Art. 5(2)(f)) |
| Diagnostic / crash data, anonymous telemetry | Legitimate interests (Art. 6(1)(f)) | Legitimate interests (Art. 5(2)(f)) |
| Compliance with regulators, courts, law enforcement | Legal obligation (Art. 6(1)(c)) | Legal obligation |
| Improving the Service (without using your conversation content) | Legitimate interests (Art. 6(1)(f)) | Legitimate interests |
We rely on explicit consent for processing health-related ("special category") personal data. You provide that consent the first time you use the App and when you accept the in-app disclaimer. You can withdraw consent at any time by deleting the relevant data or your account. Withdrawal does not affect processing already performed.
4. We do NOT train AI on your data
We do not use your conversation content, voice recordings, photos, PDFs, or memory entries to train, fine-tune, evaluate, or otherwise improve any AI model — neither ours nor any third party's. The third-party language-model providers we route requests to (see §6) are contractually prohibited from retaining or training on the data we send them, except for short-term abuse-prevention windows imposed by the provider for safety reasons (typically up to 30 days, never used to improve the model).
5. Disclosure of your data
We share your personal data only with the following categories of recipients, and only as strictly necessary:
5.1 Service providers (data processors)
These vendors process data on our behalf, under written data-processing agreements that bind them to confidentiality, security, and processing-only-on-our-instruction:
| Vendor | Role | Data shared | Location |
|---|---|---|---|
| Hetzner Online GmbH | Primary application hosting (database, app server, file storage) | All app data | Germany (EU) |
| Cloudflare, Inc. | DNS, edge security (WAF, rate limiting, TLS termination at edge) | IP addresses, request metadata | Global edge; primary processing US |
| Apple Inc. | App Store distribution; subscription billing; Sign-in-with-Apple | Apple ID, transaction data, email | Global |
| Google LLC | Firebase Authentication; AI language model (Gemini) for answer generation | Authentication token, question text, attached image/PDF (transient, not retained) | EU + US |
| Microsoft Corporation | Azure Cognitive Services (speech-to-text and text-to-speech) | Voice audio (transient), text segments to be spoken | EU (West Europe region) |
| SendGrid (Twilio Inc.) / Yandex SMTP | Transactional email (verification, password reset) | Email address, message body | US / Russia (depending on route) |
5.2 Cross-border transfers
When we transfer your data outside Türkiye, the EEA, or the UK to a country whose data-protection regime is not formally recognised as adequate, we rely on the following safeguards: - Standard Contractual Clauses (SCCs) issued by the European Commission, where applicable. - UK International Data Transfer Agreement (IDTA) for transfers from the UK. - KVKK explicit consent (Art. 9(1)(a)) where required for transfers from Türkiye, until KVKK adequacy decisions cover the destination. - Vendor self-certifications (e.g., the EU–US Data Privacy Framework where applicable).
You may obtain a copy of the relevant transfer safeguard by writing to [email protected] (subject: "Privacy — transfer safeguards").
5.3 Legal disclosures
We may disclose your personal data to law enforcement, regulators, or courts when: - We are required to by valid legal process binding on us in our place of establishment (Türkiye) or in the user's jurisdiction. - Necessary to protect the safety of any person, the security of the Service, or our legal rights.
We will challenge overbroad or unlawful requests where appropriate and will publish an aggregated transparency report on a periodic basis once we have meaningful figures to share.
5.4 Business transfers
If the Company is acquired or merges with another entity, your personal data may be transferred to the successor as part of that transaction. The successor will be bound by this Privacy Policy or a successor policy with at least equivalent protections.
5.5 What we do NOT do
We do not sell, rent, or otherwise commercialise your personal data to third parties for advertising, profiling, or any similar purpose.
6. AI processing — what each provider sees
When you ask Vita a question:
- iOS app on your device packages your question (text, plus optional image/PDF, or voice recording) and sends it to our backend over HTTPS.
- Our backend in Germany receives the request, attaches your conversation history (only for this account, only for this conversation), and applies the safety pipeline.
- For text generation, our backend forwards the question + cohort context + memory block to Google's Gemini API. Gemini returns the response. Google does not retain the request beyond a short abuse-prevention window and does not use it for training.
- For voice transcription, our backend forwards the audio file to Microsoft Azure Cognitive Services Speech, which returns a text transcript. Microsoft does not retain the audio beyond the request and does not use it for training.
- For voice playback, our backend sends the response text to Microsoft Azure Neural Text-to-Speech, which returns audio chunks. Microsoft does not retain the text or audio beyond the request.
- Our backend persists the question and the answer in your account's conversation history in our database.
- The iOS app plays the audio and shows the text in your chat thread.
No advertising IDs are involved in any of the above. Your IP address is masked from the AI providers (we proxy via our backend); the AI provider sees only the text content needed to fulfil your specific request.
7. Retention
| Data | Retention period |
|---|---|
| Account profile (email, display name) | Until account deletion + 30 days for backups |
| Conversation history (user questions + Vita's answers) | Until you delete the conversation, then + 30 days for backups; entire history removed within 30 days of account deletion |
| Voice recordings (audio file you sent) | Deleted from our servers within 24 hours of transcription (we keep the transcript, not the audio) |
| Uploaded photos and PDFs | Until you remove them or delete the conversation, + 30 days for backups |
| Memory entries (allergies, conditions, medications, attached medical documents) | Until you delete them in Settings → People, + 30 days for backups |
| Subscription transaction records | Up to 10 years, as required by Turkish tax law (Vergi Usul Kanunu) |
| Server access logs (IP, request metadata) | 90 days |
| Crash logs and diagnostic events | 12 months |
| Telemetry (anonymised event data) | Up to 24 months |
We may retain data longer if required by law (e.g. tax law on subscription receipts), or to enforce our Terms in connection with a specific dispute.
8. Security
We implement a layered security programme appropriate to the risk: - In transit: TLS 1.2+ on every connection; HSTS; certificate pinning at our edge. - At rest: Encrypted volumes; passwords stored as PBKDF2-SHA256 with 100,000 iterations; OAuth tokens stored only in iOS Keychain. - Authentication: HMAC-signed session cookies with HttpOnly + Secure + SameSite flags; CSRF double-submit pattern on every state-changing request. - Access controls: Role-based access to administrative tooling; production database accessible only via SSH-keyed bastion; audited admin actions. - Network: WAF and rate-limits at the edge (Cloudflare); per-user rate limits at the application layer. - Operational: Encrypted backups with 30-day retention; separation of staging/production; dependency vulnerability monitoring.
No system can be 100% secure. If we become aware of a breach affecting your personal data, we will notify you (and the relevant supervisory authority) in accordance with our legal obligations under KVKK, GDPR, UK GDPR, and the laws of your jurisdiction.
9. Your rights
9.1 GDPR / UK GDPR rights (residents of the EEA and the UK)
You have the right to: - Access the personal data we hold about you (Art. 15). - Rectification of inaccurate data (Art. 16). - Erasure ("right to be forgotten") (Art. 17). Most of this is one tap in the App. - Restriction of processing in defined circumstances (Art. 18). - Data portability — export of your data in a structured, machine-readable format (Art. 20). - Object to processing based on legitimate interests (Art. 21). - Withdraw consent at any time, where consent is the lawful basis (Art. 7(3)). Withdrawal does not affect processing already performed. - Lodge a complaint with a supervisory authority. The lead authority for our service is the Turkish Personal Data Protection Authority (KVKK Kurulu); EEA / UK residents may lodge with their national supervisory authority instead (e.g., the UK ICO at https://ico.org.uk/, or your national DPA).
9.2 KVKK rights (residents of Türkiye)
Under KVKK Article 11, you have the right to: - Learn whether your personal data is processed. - Request information about the processing. - Learn the purpose of the processing and whether the data is used in line with that purpose. - Learn the third parties to whom your data is transferred. - Request rectification of inaccurate data. - Request erasure or destruction of your data. - Request notification to third parties of any rectification, erasure, or destruction. - Object to outcomes of analysing your data exclusively through automated means that produce significant effects. - Demand compensation for damages caused by unlawful processing.
9.3 How to exercise your rights
In most cases the App lets you exercise these rights directly:
| Right | Where in the App |
|---|---|
| Access | Settings → Memory & people (full list); export available on request |
| Rectification | Edit any field on the relevant person/profile screen |
| Erasure | Per-conversation: drawer → swipe-delete. Per-memory-entry: Memory & people → tap entry → delete. Account: Settings → tap version 5× → Support → Other inquiries → Delete account |
| Restriction | Email us — we'll restrict processing within 30 days |
| Portability | Email us — we provide a JSON export within 30 days |
| Object | Email us with the specific processing you object to |
| Withdraw consent | Erasure of the relevant data + sign-out |
For requests that require manual handling (portability, restriction, complex erasure, escalations), email [email protected] with subject "Privacy". We respond within 30 days (or the period required by your local law, whichever is shorter). If we need to extend by up to 60 days for complex requests we will tell you why.
10. Children's privacy
Vita is intended for users 17 years of age or older. We do not knowingly collect personal data from children under 13 in any jurisdiction, and we do not knowingly collect personal data from minors below the age of consent in any jurisdiction (16 in most EU member states; 13 in others under member-state law; 13 in Türkiye for general consent purposes; 18 in some specific contexts). If we discover we have collected such data we will delete it promptly.
If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact [email protected].
11. Cookies and tracking
The Vita iOS app does not use cookies in the traditional web sense. The Vita web pages (this Privacy Policy, the Terms of Service, the marketing landing) use only strictly necessary cookies / local storage to deliver the page; they do not use analytics, advertising, or tracking cookies. The web app uses a Content Security Policy that restricts third-party scripts.
12. Do Not Track and Global Privacy Control
Vita does not use third-party advertising tracking. We respect Global Privacy Control (GPC) signals where they apply.
13. International users
If you are using Vita from a country outside Türkiye, your data will be transferred to and processed in Türkiye and the EEA (for primary application hosting) and may be processed in the US (for some specific provider services as set out in §5.1 / §5.2). By using Vita, you consent to the transfer of your data to these locations, subject to the safeguards described in §5.2.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will: - Post the new version at https://gravitilabs.com/vita/privacy with a revised "Last updated" date. - Notify active users in-app at next launch when changes are material. - Where the change materially expands the categories of data we collect or the purposes of processing, give you 30 days' notice and seek explicit re-consent.
15. Contact
For privacy questions, requests under §9, or to lodge a privacy concern with us:
TABA TASARIM İNŞAAT A.Ş. Şehit Şakir Elkovan Cad. No:3 Ataşehir, İstanbul, 34770, Türkiye [email protected] (subject: "Privacy")
For EU users, our designated contact for GDPR matters is the same address.
For UK users, our designated contact under UK GDPR is the same address.
Vita is a trademark of TABA TASARIM İNŞAAT A.Ş.